TY - GEN
T1 - On the Challenges of Geographical Avoidance for Tor
AU - Kohls, Katharina
AU - Jansen, Kai
AU - Rupprecht, David
AU - Holz, Thorsten
AU - Pöpper, Christina
N1 - Publisher Copyright:
© NDSS 2019. All rights reserved.
PY - 2019
Y1 - 2019
N2 - Traffic-analysis attacks are a persisting threat for Tor users. When censors or law enforcement agencies try to identify users, they conduct traffic-confirmation attacks and monitor encrypted transmissions to extract metadata—in combination with routing attacks, these attacks become sufficiently powerful to de-anonymize users. While traffic-analysis attacks are hard to detect and expensive to counter in practice, geographical avoidance provides an option to reject circuits that might be routed through an untrusted area. Unfortunately, recently proposed solutions introduce severe security issues by imprudent design decisions. In this paper, we approach geographical avoidance starting from a thorough assessment of its challenges. These challenges serve as the foundation for the design of an empirical avoidance concept that considers actual transmission characteristics for justified decisions. Furthermore, we address the problems of untrusted or intransparent ground truth information that hinder a reliable assessment of circuits. Taking these features into account, we conduct an empirical simulation study and compare the performance of our novel avoidance concept with existing approaches. Our results show that we outperform existing systems by 22 % fewer rejected circuits, which reduces the collateral damage of overly restrictive avoidance decisions. In a second evaluation step, we extend our initial system concept and implement the prototype TrilateraTor. This prototype is the first to satisfy the requirements of a practical deployment, as it maintains Tor’s original level of security, provides reasonable performance, and overcomes the fundamental security flaws of existing systems.
AB - Traffic-analysis attacks are a persisting threat for Tor users. When censors or law enforcement agencies try to identify users, they conduct traffic-confirmation attacks and monitor encrypted transmissions to extract metadata—in combination with routing attacks, these attacks become sufficiently powerful to de-anonymize users. While traffic-analysis attacks are hard to detect and expensive to counter in practice, geographical avoidance provides an option to reject circuits that might be routed through an untrusted area. Unfortunately, recently proposed solutions introduce severe security issues by imprudent design decisions. In this paper, we approach geographical avoidance starting from a thorough assessment of its challenges. These challenges serve as the foundation for the design of an empirical avoidance concept that considers actual transmission characteristics for justified decisions. Furthermore, we address the problems of untrusted or intransparent ground truth information that hinder a reliable assessment of circuits. Taking these features into account, we conduct an empirical simulation study and compare the performance of our novel avoidance concept with existing approaches. Our results show that we outperform existing systems by 22 % fewer rejected circuits, which reduces the collateral damage of overly restrictive avoidance decisions. In a second evaluation step, we extend our initial system concept and implement the prototype TrilateraTor. This prototype is the first to satisfy the requirements of a practical deployment, as it maintains Tor’s original level of security, provides reasonable performance, and overcomes the fundamental security flaws of existing systems.
UR - http://www.scopus.com/inward/record.url?scp=85096172458&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85096172458&partnerID=8YFLogxK
U2 - 10.14722/ndss.2019.23402
DO - 10.14722/ndss.2019.23402
M3 - Conference contribution
AN - SCOPUS:85096172458
T3 - 26th Annual Network and Distributed System Security Symposium, NDSS 2019
BT - 26th Annual Network and Distributed System Security Symposium, NDSS 2019
PB - The Internet Society
T2 - 26th Annual Network and Distributed System Security Symposium, NDSS 2019
Y2 - 24 February 2019 through 27 February 2019
ER -