Researcher finds new methods of deanonymizing Tor users

Mar 10, 2016 23:00 GMT

Independent security researcher Jose Carlos Norte has discovered a set of new methods of fingerprinting Tor users, which can be used to deanonymize them later on during abusive law enforcement investigations or cyber-surveillance campaigns.

The process of "user fingerprinting" refers to ways of tracking non-standard operations and details about a user's behavior. While analytics services track a bunch of such details, the Tor Browser provides protection against some of these actions in order to keep the user's identity a secret.

Fingerprinting is especially dangerous to Tor users because data recorded while they surf the Web via Tor browsers can then be compared to data logged while the user was surfing the same website with their regular browser.

The data that is usually logged in fingerprinting schemes is not 100% reliable or accurate for that matter, but it provides a starting point for future investigations.

If a user who has legitimate reasons to keep their anonymity online is unmasked by an oppressive regime, the consequences of fingerprinting techniques can be more dangerous than just having your name and online identity attached to a database entry in an analytics service.

Mouse movements give you away

Mr. Norte has published on his blog a series of fingerprinting techniques that are effective against Tor Browser users, along with a page demonstrating his research.

The first technique that he identified refers to the speed at which users scroll through a page using their mouse wheel. Even if the scroll speed is the same for all mice, an attacker could still identify patterns in the scroll events based on each individual's idiosyncrasies.

Additionally, attackers can log the speed at which users move the mouse cursor across a page. Since each user has their own OS mouse sensitivity preferences and their set of gestures when using the device, this technique is more accurate than the previous one.

If the user is using a trackpad to navigate the page, the fingerprinting technique is even more precise, adding accurate speed metrics to the already-recorded scrolling and movement patterns.

Damn you, JavaScript! Damn you forever!

The researcher also discovered that he could fingerprint a user's machine, not just the person. By running a CPU-intensive JavaScript operation in the browser, he could record the time needed to execute the task and use this information later on to pin suspects to a certain computer from where a Tor browser has been used.

Another low-level technique uses the getClientRects JavaScript function, which returns details about a DOM element's rectangular box. The details that this function returns have a different value and accuracy level based on the user's screen resolution, font configuration, and various other settings. This technique can be used to identify users by their hardware and software settings.

The researcher says that all these methods depend on the attacker's ability to measure time in a Tor Browser at the 1-millisecond level.

The Tor Browser includes protection against such scenarios, limiting the Date.getTime() JavaScript function to measurements no smaller than 100ms.
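The effect of a 100 ms clock limit on a timing-based fingerprint can be shown with a small simulation. This is an added example, not code from Mr. Norte or the Tor Project; the function names, machine names, start time and task durations are constructed assumptions.

```javascript
// Added illustration: how coarsening the clock shrinks a timing fingerprint.
// Machine names, durations and the start time are constructed sample values.

// Round a timestamp down to the clock's resolution, as a coarsened timer would.
function clampTime(tMs, resolutionMs) {
  return Math.floor(tMs / resolutionMs) * resolutionMs;
}

// Duration a page script computes from two readings of the coarsened clock.
function observedDuration(startMs, trueDurationMs, resolutionMs) {
  return clampTime(startMs + trueDurationMs, resolutionMs) -
         clampTime(startMs, resolutionMs);
}

// Group machines by the value the script observes.
// Each group is an anonymity set: its members look identical to the page.
function anonymitySets(machines, startMs, resolutionMs) {
  const sets = new Map();
  for (const { name, taskMs } of machines) {
    const seen = observedDuration(startMs, taskMs, resolutionMs);
    if (!sets.has(seen)) sets.set(seen, []);
    sets.get(seen).push(name);
  }
  return sets;
}

// Constructed sample: time each machine needs for the same CPU-bound task.
const SAMPLE_MACHINES = [
  { name: "laptop-a", taskMs: 37 },
  { name: "laptop-b", taskMs: 41 },
  { name: "desktop-c", taskMs: 18 },
  { name: "netbook-d", taskMs: 93 },
  { name: "old-e", taskMs: 160 },
];
const START_MS = 1000005; // constructed start timestamp

for (const resolution of [1, 100]) {
  const sets = anonymitySets(SAMPLE_MACHINES, START_MS, resolution);
  console.log(`resolution ${resolution} ms -> ${sets.size} distinguishable groups`);
  for (const [seen, names] of sets) console.log(`  ${seen} ms: ${names.join(", ")}`);
}
```

At 1 ms every sample machine is distinguishable, while at 100 ms four of the five fall into the same group; only the much slower one still stands apart.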

Mr. Norte says that there are two methods of getting around this limitation, which, apparently, the Tor Project had been notified of ten months ago.

In another similar study conducted a few weeks earlier, Mr. Norte also discovered that some misconfigured Apache servers could leak the general location of a Tor user if the server is running under a certain configuration.