Comment by posterboy

Comment by posterboy 10 months ago

3 replies

View on Hacker News

technicly this is the only comment in this chain that is relevant to the featured article, but it's technicly so incomplete that it's almost wrong, I can tell from having read the thread and knowing next to nothing else about how TOR works.

They don't have plausible evidence to subpoena the guard node if a middle node only sees encrypted traffic. They would also need to control the exit nodes which communicate with the target's host or they simply control the host as a honeypot.

immibis 10 months ago

Because the victim was an onion server, they could make it generate new connections at will. They used timing correlation to determine their node was the middle node for their connection.

Reply View 2 replies
  • posterboy 10 months ago

    assuming the guard node connects to the host when the host communicates with the client, this makes a little more sense. If I understand correctly you are saying that they did not seize a boat load of unrelated nodes and have rather fluxcompensated it with "timing correlation" and infinite funds.

    Ad hominem: your username spells out MIB, Men in Black, surely you are joking.

    Reply View 1 reply
    • immibis 10 months ago

      The server connects to the guard node and tells it to connect to the middle node and tells the middle node to connect to the final node and tells the final node to connect to the rendezvous point, which already has a connection in the other direction from the client and splices them together at this point.

      All Tor hosts use a small set of "guard" nodes as their first hops, because it's considered that directly connecting to a compromised node immediately reveals your IP address, in most cases. Using a small set of first hops reduces the probability that at least one of them is compromised. In older versions of Tor, the middle node is completely random, which means sometimes it is compromised. The German government is thought to have used statistical methods to identify when their compromised node was the middle node, and log the address of the node before it - the guard node. Then, they used legal methods to sniff the traffic on the guard node to find the server's IP address.

      In newer versions of Tor, this is more difficult because onion servers use two layers of guard nodes - they use a small infrequently-rotated set of entry guard nodes, and a larger more-frequently-rotated set of middle guard nodes, and the third is still random.

      Reply View 0 replies