On Fri, 2020-02-21 at 05:41 -0500, Roger Dingledine wrote:
> On Thu, Feb 20, 2020 at 07:25:32AM +0100, Robin Lee wrote:
> > I'm wondering how hidden a hidden service actually is? Because last
> > week charges were brought against Flugsvamp, a Swedish darknet drug
> > shop. In the documents made public for the court case the police states
> > that it was able to trace the actual ip-addresses of the onion-addresses.
> > Flugsvamp had two onion-addresses and the police gave
> > different probabilities that a certain ip-address was behind each.
> >
> > Is it just a function of time and amount of traffic, i.e. the longer
> > you are online and the more traffic you generate, the more probable it
> > is to discover the true ip-address?
>
> It's complicated.
>
> I should start out with saying I'd never heard of Flugsvamp until your
> email, and I have no notion of whether they used Tor or what. That said:
>
> Services on the internet are inherently harder to make safe than clients,
> (a) because they stay at the same place for long periods of time, and
> (b) because the attacker can induce them to generate or receive traffic,
> in a way that's harder to reliably do to clients.
>
> Most identification problems with Tor users, and with onion services,
> have turned out to be opsec mistakes, or flaws in the application
> software at one end or the other. That is, nothing to do with the Tor
> protocol at all. But of course in the "layers of conspiracy" world we
> live in nowadays, you can never be quite sure, because maybe "they"
> used a complex attack on Tor and then covered it up by pointing to an
> opsec flaw. One hopefully productive way forward is to point out that
> even if we don't know how every successful attack really started, we
> know that opsec flaws are sufficient to explain most of them.
>
> When I'm doing talks about Tor these days, I list these four areas
> of concern, ordered by how useful or usable they are to attackers in
> practice: (1) Opsec mistakes, (2) Browser metadata fingerprints / proxy
> bypass bugs, (3) Browser / webserver exploits, and (4) Traffic analysis.
>
> See e.g. the original story about Farmer's Market:
> https://blog.torproject.org/trip-report-october-fbi-conference
> where at first people worried about a vulnerability in Tor, but then it
> turned out that the operators had been identified and located far before
> they even switched to using Tor.
>
> To make this thread more productive and more concrete: can you point us
> to these "documents made public for the court case"? Even if they're in
> Svenska, they would still be useful to look at. The ones talking about
> probabilities of IP address I mean.
These documents are available at https://minfil.com/bbu3q0Y4ne/FUP_B_13010-18_zip

Page 103 in the file 'Stockholms TR B 13010-18 Aktbil 202.pdf' contains a short PM about the tracing.

It is a vast set of documents, but as far as I've been able to tell, identifying the VPS-servers behind the onion-addresses was the first step.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk