Anonymity and You, Firefox 17 Edition

by l0cke

I want to address this recent thing going on with the Firefox exploit used to break Tor's anonymity.

Anonymity is important to have.  Privacy is a right, if not a privilege, and definitely not a privilege that can be taken away for an arbitrary reason.

Someone had asked me years ago about how to track someone down over the Internet at one point and I said, "Just get someone to click a link or use an exploit like the Chinese were using with Flash to track down dissidents."  I'm not surprised.  I've made my opinion on it well known to many parties and I've kept my mouth shut about it because at every turn privacy activists or programmers tell me that "Tor isn't broken and your attempts to point out our flaws are asshattery," whether motivated by wanting to keep things like that secret or to comfort themselves and others who use the service.  There are many means one could use to break Tor's protection, including taking advantage of OS and software components or by using analysis to make educated guesses about the location of both Tor users and Tor services.

There is no such thing as true anonymity, though one can set up a Virtual Private Network (VPN) or a proxy like JonDonym, or another instance of Tor, or even chain them, without much technical knowledge, to keep vulnerabilities like this one from reaching you.  One could also make Tor the proxy for all of a machine's or an entire network's Internet traffic via firewall rules, or with a special app that only allows traffic through that proxy and/or VPN and drops anything outside of it before it reaches the physical network connection - or with software on the router/firewall that drops anything not bound for Tor or whatever anonymity service is in use.

I've pointed out to many security software developers that the security of the Tor software just isn't there.  I suggested that either there was something in the code or something the code interacts with that was exploitable.  What it was, I don't know.  But take everything that's connected to software you use as an extension of that software.  This recent event proves that even more.  I know people who think there are magic services that make one anonymous.  There aren't.  And with our knowledge now of PRISM - if someone can see the traffic on both ends and just match up timestamps and file size transfers, then guess what?  You're on candid camera, a lead to be pursued by someone wanting to track down who received or transferred those files or both.  By files, I mean even web traffic.

Five things to take into account that aren't being done right now in any anonymity service:

1.)  No Real-Time Communication - A true anonymous service would work like the old FTPmail.  It would send a request at a randomized time that has nothing pointing it back to the user.  An even smarter one would send or receive traffic at times generated from human psychology, e.g., no porn requests at night or on weekends.

2.)  Fabricate Clues to Location - Create blocks of downtime that have no reason, because real downtime can reveal one's location.

3.)  Do Like UPS - Make the anonymity node perform the request: it sends and receives all data so that the web browser never parses it directly.  Think of the way a parcel service delivers mail.

4.)  Sterilize All Content - Perform transforms on text; the easiest is to translate text from the original language through several others.  I'd go one step further, because that can be reversed, and use a mathematically generated dictionary or array built from dictionaries, thesauri, and the like to add even more randomness.  Plus it'd look kinda crazy and reminiscent of leetspeak: "Thee hast better not g0nn4 speek dat 2 dem, boy" for "You'd better not tell them that," etc.

Sterilize images, audio, video, and the like as well - at least insofar as what created the container and any information embedded in the images.  Killing lighting and replacing it with a solid color would be good too - filters so that someone can't use the sunlight or stars in an image or video to tell where one is.  Also, put blocks over all people in images and over any visible text in any language.

Sterilize all hypertext and code - any kind of code or markup, or uncommon phrasing that could serve as a fingerprint if reposted (e.g., using "hast" a lot in text instead of "has") or be processed by a computer, like the code that created the GET request.

5.)  Use or Adapt Third-Party Tools - For now, use whatever you can on top of your anonymity services.  Use NoScript and make sure that DNS requests don't leak.  Make sure that whatever IP protocol you use is stable and doesn't send information to the servers you make requests to.  Don't take a program author's word for anything, ever.  Test against tools that benchmark and look for those things, or figure out how to test them yourself.  Also, be wary of services that may contact another server for certificates or verification - HTTPS ends up connecting to an index to verify the certificate a site gives.  If you're not careful, some tools will contact the DNS servers you already use.  Use a plugin that makes sure a proxy (like Tor) is always enabled when connecting to a site.  Some services, even when working, have a big flaw: the operator.  If you forget to turn on the anonymity service or to check that it's running, that's on you.

I believe that's why Torbutton is no longer a standard option in Tor.  Become a programmer in spirit if not in mind.  To do any less is to invite disaster.  Learn how these things work and chances are if you think of some new way to do something, someone else has or you can figure out how to adapt their work to your own use.
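The DNS-leak and "proxy always on" points of item 5, as an added example that is not from the article and is not code from Tor, Torbutton, or any plugin it mentions: a fail-closed guard that turns any local name lookup into a hard error, and a minimal SOCKS5 client that hands the hostname to the proxy (ATYP 0x03, so the proxy resolves it, never the local resolver). Reply codes follow RFC 1928; the proxy address (Tor's default SOCKS port, 9050), the host names and the port values are assumptions for the demo.

```python
import ipaddress
import socket
import struct
from contextlib import contextmanager


class DnsLeak(RuntimeError):
    """Raised when code tries to resolve a name locally instead of via the proxy."""


def _require_ip_literal(address):
    # Anything other than an IP literal would be handed to the OS resolver.
    if isinstance(address, tuple):
        try:
            ipaddress.ip_address(address[0])
        except ValueError:
            raise DnsLeak("socket.connect() would resolve %r locally" % (address[0],))


@contextmanager
def no_local_dns():
    """Fail-closed guard: inside this block every local name lookup raises DnsLeak.

    Patches the Python-level resolver functions and socket.connect(); it does not
    see resolution done by C extensions that bypass the socket module.
    """
    names = ("getaddrinfo", "gethostbyname", "gethostbyname_ex", "gethostbyaddr")
    saved = {n: getattr(socket, n) for n in names}
    saved_socket = socket.socket

    def trap(*args, **kwargs):
        raise DnsLeak("local DNS lookup attempted for %r" % (args[:1],))

    class _GuardedSocket(saved_socket):
        def connect(self, address):
            _require_ip_literal(address)
            return super().connect(address)

    for n in names:
        setattr(socket, n, trap)
    socket.socket = _GuardedSocket
    try:
        yield
    finally:
        for n, fn in saved.items():
            setattr(socket, n, fn)
        socket.socket = saved_socket


_REPLY = {0: "succeeded", 1: "general SOCKS server failure",
          2: "connection not allowed by ruleset", 3: "network unreachable",
          4: "host unreachable", 5: "connection refused", 6: "TTL expired",
          7: "command not supported", 8: "address type not supported"}


def socks5_connect_request(host, port):
    """CONNECT with ATYP 0x03 (domain name): the proxy resolves the name, not us."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise ValueError("got an IP literal; pass the hostname so the proxy resolves it")
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_socks5_reply(reply):
    """Return (ok, reason) for the server's reply to CONNECT."""
    if len(reply) < 4 or reply[0] != 5:
        return False, "malformed reply"
    code = reply[1]
    return code == 0, _REPLY.get(code, "unknown reply code %d" % code)


def open_via_proxy(host, port, proxy=("127.0.0.1", 9050), timeout=30):
    """Open a TCP stream to host:port through a SOCKS5 proxy; any local lookup is fatal."""
    with no_local_dns():
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect(proxy)                    # proxy is an IP literal, so it passes the guard
        sock.sendall(b"\x05\x01\x00")          # version 5, one method offered: no authentication
        if sock.recv(2) != b"\x05\x00":
            sock.close()
            raise OSError("proxy rejected our method selection")
        sock.sendall(socks5_connect_request(host, port))
        ok, reason = parse_socks5_reply(sock.recv(262))
        if not ok:
            sock.close()
            raise OSError("SOCKS CONNECT failed: " + reason)
        return sock


def demo_leak_detection():
    """Show the guard catching both leak paths offline; returns the error messages."""
    caught = []
    with no_local_dns():
        for attempt in (lambda: socket.gethostbyname("example.com"),
                        lambda: socket.socket(socket.AF_INET, socket.SOCK_STREAM).connect(("example.com", 80))):
            try:
                attempt()
            except DnsLeak as e:
                caught.append(str(e))
    return caught
```

Wrapping a code path in `no_local_dns()` is the "don't take the author's word for it" test from item 5: if a library resolves the name itself before talking to the proxy, the run fails instead of quietly leaking the lookup. IPv6 link-local addresses with a zone suffix are rejected by the guard as well; that is a false positive to keep in mind.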

I'd go so far as to make it impossible to easily upload or download images via Tor, even if that means killing all forms of compression, or making them readable only by a "processing node" that enforces the no-real-time rule as well as sanitizing the content, dropping everything that isn't text or isn't hypertext to be sanitized and shown as a special local view-only markup in JSON or XML.

That might not stop people from creating new versions of uuencode out of text or hypertext, but it would make easy access to sending and receiving child porn harder.
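What such a processing node could look like, as an added example that is not from the article and is not an existing Tor component: it takes a submitted JPEG, strips the metadata segments from the container (item 4), and releases the request at a time decoupled from when the user actually submitted it, inside invented active hours with invented blackout days (items 1 and 2). The JPEG skeleton, the submission time and the 9-to-18 window are constructed assumptions; the active hours are meant to be the persona's time zone, not the user's.

```python
import random
from datetime import datetime, timedelta, time

# ---- No real-time communication / fabricated downtime (items 1 and 2) ----

class DecorrelatedScheduler:
    """Pick send times that an observer cannot match to the user's own activity.

    A random delay is added, sends only happen inside the persona's active hours,
    and whole days are randomly declared blackouts: downtime with no real cause.
    """

    def __init__(self, seed, active_start=9, active_end=18,
                 min_delay=timedelta(minutes=10), max_delay=timedelta(hours=8),
                 blackout_probability=0.15):
        self.rng = random.Random(seed)          # seeded only so the demo is repeatable
        self.active_start, self.active_end = active_start, active_end
        self.min_delay, self.max_delay = min_delay, max_delay
        self.blackout_probability = blackout_probability
        self._blackouts = {}

    def is_blackout(self, day):
        # Decide each calendar day once so later calls give the same answer.
        if day not in self._blackouts:
            self._blackouts[day] = self.rng.random() < self.blackout_probability
        return self._blackouts[day]

    def _allowed(self, t):
        return self.active_start <= t.hour < self.active_end and not self.is_blackout(t.date())

    def schedule(self, submitted_at):
        """Return the time at which a request submitted at submitted_at goes out."""
        span = (self.max_delay - self.min_delay).total_seconds()
        send_at = submitted_at + self.min_delay + timedelta(seconds=self.rng.uniform(0, span))
        window = (self.active_end - self.active_start) * 3600
        while not self._allowed(send_at):
            day = send_at.date()
            if send_at.hour >= self.active_start or self.is_blackout(day):
                day += timedelta(days=1)          # past today's window, or today is dark
            # land at a random point inside the window so sends don't cluster at its start
            send_at = datetime.combine(day, time(self.active_start)) + timedelta(seconds=self.rng.uniform(0, window))
        return send_at

# ---- Sterilize the container (item 4): strip JPEG metadata segments ----

# Dropped: APP1 (EXIF/XMP), APP2 (ICC profile), APP13 (Photoshop/IPTC), COM (comment).
# APP0 (JFIF) and APP14 (Adobe) stay because decoders may need them to render correctly.
_DROP = {0xE1, 0xE2, 0xED, 0xFE}

def jpeg_segments(data):
    """Yield (marker, start, end) for every segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xDA:                      # SOS: entropy-coded data runs to EOI
            yield marker, i, len(data)
            return
        if 0xD0 <= marker <= 0xD9 or marker == 0x01:   # standalone markers carry no length
            yield marker, i, i + 2
            i += 2
            continue
        length = int.from_bytes(data[i + 2:i + 4], "big")
        yield marker, i, i + 2 + length
        i += 2 + length

def strip_jpeg_metadata(data):
    """Rebuild the file without metadata segments; the encoded image is untouched."""
    return b"\xff\xd8" + b"".join(data[s:e] for m, s, e in jpeg_segments(data) if m not in _DROP)

def marker_list(data):
    return [m for m, _, _ in jpeg_segments(data)]

# ---- The processing node ----

def process(submitted_at, image, scheduler):
    """Sanitize now, release later: returns (send_at, clean_bytes)."""
    return scheduler.schedule(submitted_at), strip_jpeg_metadata(image)

def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: a minimal JPEG skeleton with a JFIF header, an EXIF stub,
# a comment naming a camera and a location, a quantization table and a tiny scan.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x00")
    + _seg(0xFE, b"ExampleCam, 51.5N 0.1W")
    + _seg(0xDB, b"\x00" + bytes(64))
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9"
)
SUBMITTED_AT = datetime(2013, 8, 5, 23, 30)   # constructed: a late-night submission

def run_node(seed=1):
    return process(SUBMITTED_AT, SAMPLE_JPEG, DecorrelatedScheduler(seed))

if __name__ == "__main__":
    when, clean = run_node()
    print(when, len(SAMPLE_JPEG), "->", len(clean), [hex(m) for m in marker_list(clean)])
```

Stripping the EXIF, ICC and comment segments removes what the container says about its origin; it does nothing about the picture itself (lighting, faces, visible text, or anything hidden in the pixels), which is why the article also calls for filters and blocks. Copying the scan byte-for-byte also leaves the encoder's quantization tables in place, and those can still fingerprint the software that produced the file; re-encoding removes that at the cost of quality.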
