The recently published June 2016 OnionScan Report contains some pretty pictures and discusses the impact of Identity Correlation attacks on onion services.

On Wednesday I posted some thoughts about thwarting identity correlation attacks - but the recommendations there are simply a band-aid on a wound that has already bled out.

Where We Are

OnionScan costs less than $100 a month not including the time of myself and the volunteers who write code and provide input.

With this level of resources, the mission of OnionScan is to find out information about anonymous communities. To this end OnionScan can be seen as a non-funded (or relatively low-funded) adversary.

OnionScan also adheres to a strict set of ethical guidelines designed to protect the identities and data of the sites scanned.

On the other end of the scale, there are many attacks a dedicated, well-funded adversary could do - especially with little regard for ethics.

To illustrate, here are the things OnionScan does not do:

  • We don't set up malicious hidden services directories to harvest new addresses.
  • We don't exploit vulnerabilities in the services we scan.
  • We don't store the information we find - each month we start afresh and only correlate information that we scan from that month's run. We don't track changes in status of nodes over time.
  • We don't publish, reveal or follow information which may lead to deanonymization past the first hop, e.g. we may look up an SSH public key in Shodan, but we will not follow or log any resulting IP addresses or servers that we find.

Even with this limited scope and zero funding OnionScan has been able to demonstrate consistent failings in security in a large number of onion services.

This should worry you if you value privacy and anonymity. Our current technologies are not up to the bar that they need to be to protect people when they need it the most.

To put it bluntly, if an unsophisticated attacker can achieve moderate success with $100 and an internet connection, imagine what a dedicated adversary could do.

We Can Do Better

We need more investment, fresh ideas and better models if we want to live in a world where privacy is possible.

I believe this includes:

  • More privacy & anonymity systems built in a decentralized manner. For an excellent case study see Ricochet.
  • Better software, including web servers, that are built with privacy & anonymity in mind.
  • Solutions to developing and maintaining long lasting pseudonyms that are trivial for people to use without a technical background.
  • Usable authentication models to allow people to know when they are using the site that they think they are; imagine a Certificate Authority for hidden services (but hopefully much better).

I'll be writing more about these areas over the next few weeks. But, for now, I want to start a conversation about these areas so that in a few years' time we are not still stuck with people failing to disable mod_status and leaking their identity.