Comment by bawolff
That is why in tor it picks a specific guard node and sticks with it. To prevent this kind of attack where you change nodes until you hit a bad one.
That is why in tor it picks a specific guard node and sticks with it. To prevent this kind of attack where you change nodes until you hit a bad one.
technicly this is the only comment in this chain that is relevant to the featured article, but it's technicly so incomplete that it's almost wrong, I can tell from having read the thread and knowing next to nothing else about how TOR works.
They don't have plausible evidence to subpoena the guard node if a middle node only sees encrypted traffic. They would also need to control the exit nodes which communicate with the target's host or they simply control the host as a honeypot.
assuming the guard node connects to the host when the host communicates with the client, this makes a little more sense. If I understand correctly you are saying that they did not seize a boat load of unrelated nodes and have rather fluxcompensated it with "timing correlation" and infinite funds.
Ad hominem: your username spells out MIB, Men in Black, surely you are joking.
The server connects to the guard node and tells it to connect to the middle node and tells the middle node to connect to the final node and tells the final node to connect to the rendezvous point, which already has a connection in the other direction from the client and splices them together at this point.
All Tor hosts use a small set of "guard" nodes as their first hops, because it's considered that directly connecting to a compromised node immediately reveals your IP address, in most cases. Using a small set of first hops reduces the probability that at least one of them is compromised. In older versions of Tor, the middle node is completely random, which means sometimes it is compromised. The German government is thought to have used statistical methods to identify when their compromised node was the middle node, and log the address of the node before it - the guard node. Then, they used legal methods to sniff the traffic on the guard node to find the server's IP address.
In newer versions of Tor, this is more difficult because onion servers use two layers of guard nodes - they use a small infrequently-rotated set of entry guard nodes, and a larger more-frequently-rotated set of middle guard nodes, and the third is still random.
The attack Germany is thought to have actually used was to flood the network with middle nodes and wait until the victim connects to their middle node. Then, it knows the guard node's IP. Then, it went to an ISP and got logs for everyone who connected to that IP.