When performing an online search for sensitive topics, one may wish to remain unobserved. Millions of people use the Tor network for that purpose, even though it does not provide perfect anonymity. Computer scientists from the Saarland University have now developed a program that can measure the anonymity of a user's connection within the Tor network. The scientists used real-time data from the Tor network, and examined a wide range of possible attackers (Hall 9, Booth E13).
Anonymity on the Internet is possible only up to a certain degree. Therefore, it is possible that others may see who is visiting an online advice site on sexual abuse, or who frequently looks up information about a certain disease, for example. Seeing that this kind of private information can be linked to their identity, users will often resort to special online anonymization services. One of the most popular tools is Tor. Since the beginning of the year, alone more than two million users have used it to anonymize their Internet connection data. These services will not only conceal browsing behavior, but also the identity of the user, and that of any other recipients. These will usually be other websites, but could also be another person. Tor works in a way that allows users to establish a connection that is then upheld through its own network. The Tor network comprises up to 6,000 servers, mostly run by volunteers, which computer scientists refer to as "nodes". And since every node only receives the minimal amount of data necessary to relay the information in question, it becomes far more difficult to de-anonymize both the transmitter and the recipient of the data.
"The Tor network isn't perfect, however," says Esfandiar Mohammadi, a researcher at the Research Center for IT Security, CISPA, and a doctoral candidate at the Graduate School for Computer Science in Saarbrücken. "For one, unanticipated attacks at a network level can endanger anonymity. Also, the degree of anonymity the network achieves is highly variable, since volunteers don't necessarily operate their nodes continually or regularly," says Mohammadi.
In collaboration with CISPA researcher Sebastian Meiser, who is also a postgraduate at the Saarbrücken Graduate School for Computer Science, Mohammadi developed a program that can provide an accurate assessment of the level of anonymity an individual user achieves, even while basing the estimate on the fluctuations of the Tor network. According to the researchers, this feature is a worldwide first.
"An attacker that compromises Tor servers can derive the identity of a user with a certain probability. This is exactly what our system calculates," Sebastian Meiser explains. The two Saarbrücken researchers based their technique, which they named "MATor", on a mathematical model that they extended to include different categories of possible attacks. "In order to indicate the probability of de-anonymization, our program performs its calculations using data that is aggregated once an hour and published on the network immediately. MATor also takes the specifics of the respective Internet connection into account, as well as the individual configurations of the Tor software," Meiser says. This feature is also intended as a basis for a so-called plugin, a small extension program for the software "Tor Browser" that the researchers now want to develop. Integrated into the Tor software, this could run in the background and simply notify users as soon as their connection became too unsafe.