Browser-Based Attacks on Tor

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4776)


This paper describes a new attack on the anonymity of web browsing with Tor. The attack tricks a user’s web browser into sending a distinctive signal over the Tor network that can be detected using traffic analysis. It is delivered by a malicious exit node using a man-in-the-middle attack on HTTP. Both the attack and the traffic analysis can be performed by an adversary with limited resources. While the attack can only succeed if the attacker controls one of the victim’s entry guards, the method reduces the time required for a traffic analysis attack on Tor from O(nk) to O(n + k), where n is the number of exit nodes and k is the number of entry guards. This paper presents techniques that exploit the Tor exit policy system to greatly simplify the traffic analysis. The fundamental vulnerability exposed by this paper is not specific to Tor but rather to the problem of anonymous web browsing itself. This paper also describes a related attack on users who toggle the use of Tor with the popular Firefox extension Torbutton.


Malicious Node Rendezvous Point Exit Node Entry Node Malicious Server 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24(2) (February 1981)Google Scholar
  2. 2.
    Christensen, A., et al.: Practical Onion Hacking: Find the real address of Tor clients. FortConsult (October 2006),
  3. 3.
    Clark, D.: Design Philosophy of the DARPA Internet Protocols. In: Proceedings of the ACM Special Interest Group on Data Communications, pp. 106–114. ACM Press, New York (1988)Google Scholar
  4. 4.
    Dingledine, R.: Tor: anonymity (November 2006),
  5. 5.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: The Second-Generation Onion Router. In: Proceedings of the 13th USENIX Security Symposium (August 2004)Google Scholar
  6. 6.
    Douceur, J.: The Sybil Attack. In: Druschel, P., Kaashoek, M.F., Rowstron, A. (eds.) IPTPS 2002. LNCS, vol. 2429, Springer, Heidelberg (2002)Google Scholar
  7. 7.
    Hintz, A.: Fingerprinting Websites Using Traffic Analysis. In: Proceedings of Privacy Enhancing Technologies workshop (April 2002)Google Scholar
  8. 8.
    Levine, B.N., Reiter, M., Wang, C., Wright, M.: Timing Attacks in Low-Latency Mix Systems (extended abstract). In: Proc. Financial Cryptography, pp. 251–265 (February 2004)Google Scholar
  9. 9.
    Liberatore, M., Levine, B.N.: Inferring the source of encrypted HTTP connections. In: Proceedings of the 13th ACM conference on Computer and communications security, ACM Press, New York (2006)Google Scholar
  10. 10.
    Martin, K.: AOL search data identified individuals. SecurityFocus (August 2006),
  11. 11.
    Murdoch, S.J., Danezis, G.: Low-Cost Traffic Analysis of Tor. In: Proceedings of the 2005 IEEE Symposium on Security and Privacy (May 2005)Google Scholar
  12. 12.
    Øverlier, L., Syverson, P.: Locating Hidden Servers. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy (May 2006)Google Scholar
  13. 13.
    Raymond, J.: Traffic Analysis: Protocols, Attacks, Design Issues, and Open Problems. In: Proceedings of Designing Privacy Enhancing Technologies: Workshop on Design Issues in Anonymity and Unobservability, pp. 10–29 (July 2000)Google Scholar
  14. 14.
    Serjantov, A., Sewell, P.: Passive Attack Analysis for Connection-Based Anonymity Systems. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 116–131. Springer, Heidelberg (2003)Google Scholar
  15. 15.
    Syverson, P., Tsudik, G., Reed, M., Landwehr, C.: Towards an Analysis of Onion Routing Security. In: Workshop on Design Issues in Anonymity and Unobservability (July 2000)Google Scholar
  16. 16.
    Wright, M., Adler, M., Levine, B.N., Shields, C.: An Analysis of the Degradation of Anonymous Protocols. In: Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS), pp. 38–50 (February 2002)Google Scholar
  17. 17.
    Wright, M., Adler, M., Levine, B.N., Shields, C.: Defending Anonymous Communication Against Passive Logging Attacks. In: Proceedings of the 2003 IEEE Symposium on Security and Privacy (May 2003)Google Scholar
  18. 18.
    Wright, M., Adler, M., Levine, B.N., Shields, C.: The predecessor attack: An analysis of a threat to anonymous communications systems. In: ACM Trans. Inf. Syst. Secur., pp. 489–522 (2004)Google Scholar
  19. 19.
    Squires, S.: Firefox Add-ons: Torbutton (February 2007),
  20. 20.
    TheOnionRouter/TorFAQ (November 2006),

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  1. 1.No Affiliation 

Personalised recommendations