How the Tor Traffic Confirmation Attack Affects SecureDrop Users
Runa A. Sandvik
July 30, 2014
On Wednesday morning, the Tor Project published a security advisory detailing an attack against the Tor network that appears to have been trying to deanonymize users. SecureDrop, our open-source whistleblower submission system, is heavily reliant on Tor and uses the anonymity network to facilitate communication between whistleblowers, journalists, and news organizations. For this reason, we wanted to clarify how the attack affects users of SecureDrop.
According to the advisory, the attackers appear to have been targeting people who operate or access Tor hidden services. SecureDrop uses hidden services to, among other things, host the website that sources access when submitting documents to journalists and the website that journalists access when downloading the information.
By running a number of relays in the Tor network and modifying the traffic that these relays send, the attackers attempted to learn who was using Tor to do what. According to the advisory, the attacking relays served both as hidden service directories and as entry guards: the directory side injected a signal into the protocol headers of the cells it sent back toward a client, and the guard side, which sees the headers of every cell it forwards to a client, could read that signal and so link a client's IP address to the hidden service it was looking up. Unfortunately, it is still unclear how much information the attackers were able to learn. Users who operated or accessed hidden services between January 30, when the attacking relays joined the network, and July 4, when they were taken out of the Tor network, should assume they were affected.
The Tor Project says the attackers were able to learn which hidden services users were looking up, but were likely not able to see what pages were loaded or what kind of information was submitted or downloaded, because the signal was carried in cell headers rather than in the encrypted content. The attackers were probably also able to learn the location of those hidden services, since the same directories see who publishes a hidden service's descriptor. The Tor Project has found no evidence to suggest the attackers attempted to learn which websites users were visiting on the open Internet. We recommend that you read the full advisory if you are interested in the technical details.
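To make the mechanism concrete, here is a small simulation of the header-tagging channel the advisory describes. It is an added example written for this post, not code from the Tor Project or from SecureDrop, and it models only the signal: the cell command values RELAY (3) and RELAY_EARLY (9) are the ones from the Tor protocol specification, but the one-bit-per-cell framing, the length prefix and the tiny "circuit" model are simplifications chosen here for illustration. The hardened client behaviour at the end mirrors the fix shipped in the Tor releases the advisory points to, which close a circuit on which an inbound RELAY_EARLY cell arrives.

```python
"""Simulation of the relay-early tagging channel from the July 2014 Tor advisory.

Added illustrative code; not from the Tor Project or SecureDrop. RELAY and
RELAY_EARLY are real cell command values from tor-spec; the framing of the
tag (one bit per cell, one-byte length prefix) is an assumption made here.
"""

RELAY = 3        # ordinary relay cell command (tor-spec)
RELAY_EARLY = 9  # relay_early cell command, meant for the outbound direction only


def encode_tag(onion: str) -> list:
    """Malicious HSDir side: encode a hidden service name into the sequence of
    cell commands sent back toward the client, RELAY for 0 and RELAY_EARLY for 1.
    A one-byte length prefix tells the decoder where the tag ends (assumed framing)."""
    data = bytes([len(onion)]) + onion.encode("ascii")
    cells = []
    for byte in data:
        for shift in range(7, -1, -1):
            cells.append(RELAY_EARLY if (byte >> shift) & 1 else RELAY)
    return cells


def decode_tag(inbound_cells: list):
    """Malicious guard side: the guard forwards every inbound cell to the client
    and can read each cell's command byte without decrypting any payload, so it
    recovers the pattern and learns which hidden service the client looked up."""
    bits = [1 if c == RELAY_EARLY else 0 for c in inbound_cells]
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):  # whole bytes only
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    if not out or out[0] == 0 or len(out) < 1 + out[0]:
        return None
    return out[1:1 + out[0]].decode("ascii")


def client_accepts_circuit(inbound_cells: list) -> bool:
    """Hardened client: RELAY_EARLY only makes sense in the outbound direction,
    so a client that receives one inbound tears the circuit down instead of
    continuing to use it. This closes this particular channel, not traffic
    confirmation in general."""
    return all(c != RELAY_EARLY for c in inbound_cells)


def run_attack(client_ip: str, onion: str, hardened_client: bool) -> dict:
    """Model one lookup: the HSDir tags the traffic, the guard (which knows the
    client's IP) reads the tag, and the client decides whether the circuit lives.
    Returns what the attacker is able to record for this circuit."""
    cells = encode_tag(onion)                     # sent by the attacker's HSDir
    guard_sees = decode_tag(cells)                # read by the attacker's guard
    survives = client_accepts_circuit(cells) if hardened_client else True
    return {"client_ip": client_ip, "onion": guard_sees, "circuit_kept": survives}


if __name__ == "__main__":
    # Constructed sample input: a placeholder client address and service name.
    print(run_attack("192.0.2.10", "example.onion", hardened_client=False))
    print(run_attack("192.0.2.10", "example.onion", hardened_client=True))
```

The point the simulation makes is that the attack needed no break of Tor's encryption: the link between a client address and a hidden service name is carried entirely in metadata visible to two relays that the attacker happened to control at both ends of the client's lookup. Rejecting inbound RELAY_EARLY removes this specific signal, but an attacker who controls a client's entry guard and observes the other end of its traffic can still attempt confirmation by timing and volume alone.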
What does this mean for journalists and SecureDrop users?
There is a possibility that the attackers could have learned the physical location of a server running SecureDrop. There are other ways attackers can learn this information, and we have always recommended that news organizations not rely solely on hidden services to conceal where in the world their servers are located. There is also a possibility the attackers could have learned the location of individual Tor users, including sources in the process of submitting documents to a news organization, if their Tor client happened to be using one of the attackers' relays as its entry guard while they looked up a SecureDrop hidden service.
It is for this very specific reason that we recommend sources use the Tails operating system, restrict their usage to SecureDrop related functions as long as Tails is running, and never visit SecureDrop sites while at home or at work. While this does not completely remove the threat of a correlation attack, it limits the information an attacker will be able to learn.
The Tor Project will soon have a new version of the Tor Browser out that takes a step towards reducing the damage from future attacks like this one by limiting the number of entry guards that are in a position to see a user's traffic. We strongly recommend you upgrade as soon as the new version becomes available.
This episode is just the latest example of why it is so important that we continue to support free software projects such as the Tor Project, so they can identify and prevent these types of attacks quickly. We are currently crowd-funding for four such free and open-source tools, including Tor and the Tails operating system that many journalists and sources rely on to communicate securely. Please consider donating to support these tools that can better protect the communications of journalists and sources.
If you have any questions, please email [email protected].