Menu
How your anonymized Tor/VPN traffic can be used to track you down

How your anonymized Tor/VPN traffic can be used to track you down

Tor and VPNs are not silver bullets. Many advanced techniques have been developed and studied to de-anonymize encrypted Tor traffic over the years. Most of those techniques are Correlation attacks that will correlate your network traffic in one way or another to logs or datasets. Here are some examples:

Correlation Fingerprinting Attack: As illustrated (simplified) below, this attack will fingerprint your encrypted Tor traffic (like the websites you visited) based on the analysis of your encrypted traffic without decrypting it. Some of those methods can do so with a 96% success rate in a closed-world setting. The efficacy of those methods in a real open-world setting has not been demonstrated yet and would probably require tremendous resources computing power making it very unlikely that such techniques would be used by a local adversary in the near future. Such techniques could however hypothetically be used by an advanced and probably global adversary with access to your source network to determine some of your activity. Examples of those attacks are described in several research papers as well as their limitations. The Tor Project itself published an article about these attacks with some mitigations: https://blog.torproject.org/new-low-cost-traffic-analysis-attacks-mitigations [Archive.org].

Correlation Timing Attacks: As illustrated (simplified) below, an adversary that has access to network connection logs (IP or DNS for instance, remember that most VPN servers and most Tor nodes are known and publicly listed) at the source and the destination could correlate the timings to de-anonymize you without requiring any access to the Tor or VPN network in between. A real use case of this technique was done by the FBI in 2013 to de-anonymize a bomb threat hoax at Harvard University.

Correlation Counting Attacks: As illustrated (simplified) below, an adversary that has no access to detailed connection logs (cannot see that you used Tor or Netflix) but has access to data counting logs could see that you have downloaded 600MB on a specific time/date that matches the 600MB upload at the destination. This correlation can then be used to de-anonymize you over time.

There are ways to mitigate these such as:

  • Do not use Tor/VPNs to access services that are on the same network (ISP) as the destination service. For example, do not connect to Tor from your University Network to access a University Service anonymously. Instead, use a different source point (such as a public Wi-Fi) that cannot be correlated easily by an adversary.
  • Do not use Tor/VPN from an obviously heavily monitored network (such as a corporate/governmental network) but instead try to find an unmonitored network such as a public Wi-Fi or a residential Wi-Fi.
  • Consider the use of multiple layers (such as what will be recommended in this guide later: VPN over Tor) so that an adversary might be able to see that someone connected to the service through Tor but will not be able to see that it was you because you were connected to a VPN and not the Tor Network.

Be aware again that this might not be enough against a motivated global adversary with wide access to global mass surveillance. Such an adversary might have access to logs no matter where you are and could use those to de-anonymize you. Usually, these attacks are part of what is called a Sybil Attack. These adversaries are out of the scope of this guide.

Be also aware that all the other methods described in this guide such as Behavioral analysis can also be used to deanonymize Tor users indirectly (see further Your Digital Fingerprint, Footprint, and Online Behavior).

I also strongly recommend reading this very good, complete, and thorough (and more detailed) guide on most known Attack Vectors on Tor: https://github.com/Attacks-on-Tor/Attacks-on-Tor [Archive.org] as well as this recent research publication https://www.researchgate.net/publication/323627387_Shedding_Light_on_the_Dark_Corners_of_the_Internet_A_Survey_of_Tor_Research [Archive.org]

As well as this great series of blog posts: https://www.hackerfactor.com/blog/index.php?/archives/906-Tor-0day-The-Management-Vulnerability.html [Archive.org]

Recently, one of these attacks was attempted on the Tor Network with more information here: https://arstechnica.com/information-technology/2014/07/active-attack-on-tor-network-tried-to-decloak-users-for-five-months/ [Archive.org]

Lastly, do remember that using Tor can already be considered suspicious activity, and its use could be considered malicious by some.

This guide will later propose some mitigations to such attacks by changing your origin from the start (using public wi-fi’s for instance). Remember that such attacks are usually carried by highly skilled, highly resourceful, and motivated adversaries and are out of scope from this guide.

Disclaimer: it should also be noted that Tor is not designed to protect against a global adversary. For more information see https://svn-archive.torproject.org/svn/projects/design-paper/tor-design.pdf [Archive.org]

Source: The Hitchhiker’s Guide to Online Anonymity, written by AnonyPla © CC BY-NC 4.0