Researchers from the Massachusetts Institute of Technology (MIT) have discovered a vulnerability in Tor that, if exploited, could reveal hidden services of the application with up to 88% accuracy.
Researchers from MIT and Qatar Computing Research Institute (QCRI) managed to break the anonymity of the Tor network. Their study will be presented at the Usenix Security Symposium to be held this summer.
Researchers have shown that an attacker can sneak into the server, or obtain access to the information of a specific Tor user. According to the researchers, this is possible by analyzing the traffic patterns of the encrypted data that pass through a computer located on the Tor network.
Tor takes its name from the initials of "The Onion Router." The onion is a metaphor for how the service works: it wraps each communication in several layers of encryption, like the layers of an onion. This supposedly does not allow information to be disclosed without going through all the layers of encryption.
Hidden services, in turn, are websites that use the Tor network to protect themselves in much the same way that the network protects its users.
For the Tor network to work, computers need to exchange a large amount of data when creating a connection to a hidden service.
The researchers showed that by simply looking for patterns in the number of packets passing in each direction through a secret "guard" service, a machine learning algorithm could determine the circuit with 99% accuracy.
So the researchers were able to decipher data through the association of traffic.
In addition, they were able to connect to a number of different hidden services, proving that with a similar analysis of traffic streams they could locate these services with 88% accuracy.
David Goulet, a developer at the Tor Project, said:
"At the moment we are considering countermeasures for a possible improvement of the secret services, but I think we need more concrete evidence to determine the issue."
MIT's full press release on the MIT and QCRI study is available from the link below.