{"id":141,"date":"2016-08-21T11:21:05","date_gmt":"2016-08-21T06:21:05","guid":{"rendered":"http:\/\/www.chmosama.com\/blog\/?p=141"},"modified":"2017-12-24T15:08:35","modified_gmt":"2017-12-24T10:08:35","slug":"hazards-of-tor-entrance-guards","status":"publish","type":"post","link":"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/","title":{"rendered":"Hazards of TOR Entrance Guards"},"content":{"rendered":"

In recent time, Tor has made the decision to use semi-persistent entry nodes which they call this feature \u201cEntry Guards.\u201d \u201cEntry Nodes\u201d are simply the first node you connect with to join the Tor Network, but an Entry Guard<\/a> refers to the feature of pinning the entry nodes across sessions. The Tor Project asked the question \u201cIs it safer to constantly change the first node you connect to or should that remain the same.\u201d The conclusion was by choosing a static entry node, you statistically have a much lower risk of one your circuits being compromised in the case of resourceful state actors.<\/p>\n

I\u2019ll skip over the whole debate about why they did this. If you\u2019d like to read more information about why they did this, you can read the article here<\/a>. For the sake of discussion, let’s just accept this as truth and use this to highlight a situation that it creates:<\/p>\n

\n

1. Instance Leakage<\/h2>\n

In the case that you are running multiple instances of Tor because each instance uses a static guard, that means that passive adversaries are able to identify exactly the number of tor nodes you\u2019re running on your network.<\/p>\n

For example, you have a laptop, a relay, and some arm device that are all running Tor. In every instance, the tor binary is making a choice about its guard nodes to use. In every instance, it will (probably) make a different decision. This means that passive adversaries (ISP or the like) can take known guards, and watch your connections to them, and deduce how many tor instances are on your network.<\/p>\n

\"guard_static\"<\/p>\n

One of the risks I\u2019ve talked about in the past was the issues with the Harvard Bomb Threat where the campus network simply attributed the user because they built a list of all the people on campus using Tor. I think we should be sensitive to this attack because it\u2019s very low resource even for local law enforcement. In the case that your ISP is logging your actions, and an event happened in your area, the first people they are going to start tracking are the people using tor. If they can see that you\u2019re not only running Tor at a given point in time but 7 instances all the time, they might be knocking on your door first.<\/p>\n

This issue alone is not as big as the bigger threat when you talk about traffic correlation attacks.<\/p>\n

\n

2. Traffic Correlation Weaknesses<\/h2>\n

In the past, Tor Project has recommended that you run relay <\/a>alongside a client to increase your protection against traffic analysis. This recommendation is now wrong. The idea at the time was it would be hard to differentiate your traffic from relay traffic because you would be jumping around across circuits.<\/p>\n

Because of the static guard nodes, it is much easier to differentiate between the traffic of each different instance. The relay that you\u2019re running will connect to Guard A and the tor client that you\u2019re running will connect to Guard B. From a traffic correlation perspective, it\u2019s very easy to associate traffic of an individual tor instance to its traffic.<\/p>\n

Here\u2019s an attack example: You run a tor relay that uses Guard A. You have a tor client that uses guard B. Your adversary is able to watch traffic at your ISP and at the website you visit, www.nsa.gov, that you frequently visit with your client. If we did not use entry guards, the passive adversary would see lots of traffic going out over the tor network all the time including the traffic sent out by the client. It\u2019s nearly impossible to differentiate between your client traffic and your relay.<\/p>\n

\"guard_dynamic\"<\/p>\n

But now that we have entry guards, a passive adversary watches the traffic of relay connecting to Guard A and sees that it\u2019s a lot of consistent traffic. It then watches the traffic connecting to Guard B which is infrequent, the burst of traffic. It\u2019s easy to tell that this is, in fact, a tor client. When you visit www.nsa.gov with your client, the passive adversary can easily correlate the time and size of the request with the one on the website.<\/p>\n

\"guard_correlation\"<\/p>\n

\n

What can we do?<\/h2>\n

My point is, for every network you use, you should be using the same guard nodes. If you are at a home network with 10 instances of tor, they should all be configured to use the same one.<\/p>\n

\n

Option 1: EntryNode in Torrc<\/h3>\n

If you want to specifically set what your guard nodes are, you can use the EntryNodes<\/strong> configuration option in your torrc file. Simple edit \/etc\/torrc with something like this:<\/p>\n

EntryNodes FFFFINGERPRINTOFNODE1, FFFFFFFFINGERPRINTOFNODE2, FFFFFFFFFFFFINGERPRINTNODE3<\/pre>\n
This, unfortunately, has some costs. When you do it this way, you stop using tor\u2019s intelligent guard selection algorithm that will choose guards for you based on a lot of properties of the Tor Network as a whole. You might want to change this on a regular basis or just have a long list of entry nodes that you use.<\/p>\n
\n
Option 2: Whonix<\/h3>\n
Whonix<\/a> is a distro designed to be a tor gateway. It will manage a single instance of tor at the edge of your network and rather than have multiple instances of tor. Simply running a Whonix Gateway and routing your other clients connect into (ideally with the Whonix Client) will alleviate this issue. (You\u2019ll have to choose if you trust the Whonix distro as a whole, though.)<\/p>\n
\n
Option 3: Tor Proxy Server<\/h3>\n
Don\u2019t forget that tor runs as an SOCKS5 proxy. Although you\u2019ve probably configured it to only listen on localhost, you can also configure it to be accessible on your internal network. When you setup all of the other instances of tor on your network, configure them to use the proxy server instead of 127.0.0.1:9050.<\/p>\n
SOCKSPort 0.0.0.0:9050<\/pre>\n
I wouldn\u2019t really do this for a variety of reasons. If you want to actually do this and put some protection on this service, see the TORRC details about SOSKPort flags<\/a> so you don\u2019t get yourself in trouble. Don\u2019t forget, SOCKS is a cleartext protocol.<\/p>\n
\n
Option 4: Bridges<\/h3>\n
If you aren\u2019t running a Relay, and you\u2019re simply concerned about your standard traffic analysis attacks or counting tor instances you have on your network, you can configure your tor clients to use a bridge service<\/a>. This will make it more difficult to detect that you\u2019re using tor in the first place and skip around the issue completely.<\/p>\n
185.100.84.187:57092 158A7DD6EDCA9041D7FA6ED7593E7BB43F82BD84\r\n88.198.74.99:9001 3D6269A43BB28423D1127008A182EB07DBB39C00\r\n199.231.94.203:443 0872E07DE33BEE2EB5D6A9941EBF30885A5D80D7<\/pre>\n
\n
Option 5: Disable Entry Guards<\/h3>\n
The tor configuration file allows you to not use entry guards at all. If for some reason you\u2019ve come to the conclusion that using a guard makes you less secure in your environment, dump them completely. This means that whenever a circuit is built, it will likely have a completely different entry node.<\/p>\n
UseEntryGuard 0<\/pre>\n
\n
Warnings<\/h2>\n
All of this being said, let me add the warning that making these configuration changes may cause more damage than when you started. It\u2019s important to understand what the threats are and you can determine if this is important to your operation. If you are a standalone tor client user, there\u2019s probably no reason for you to make customizations.<\/p>\n
You should also note that if you somehow make your entry nodes static and you are on a mobile device, this could be a way of tracking you across sessions. If you take your laptop from your apartment to a coffee shop and there is somehow a way of collecting the traffic of both of them, they could correlate your entry guard usage across connections.<\/p>\n","protected":false},"excerpt":{"rendered":"
In recent time, Tor has made the decision to use semi-persistent entry nodes which they call this feature \u201cEntry Guards.\u201d \u201cEntry Nodes\u201d are simply the first node you connect with to join the Tor Network, but an Entry Guard refers to the feature of pinning the entry nodes across sessions. […]<\/p>\n","protected":false},"author":1,"featured_media":145,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[36,39,35],"class_list":["post-141","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-article","tag-anonimity","tag-threats","tag-tor"],"yoast_head":"\nHazards of TOR Entrance Guards - Blog - Choudhary Muhammad Osama<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Hazards of TOR Entrance Guards - Blog - Choudhary Muhammad Osama\" \/>\n<meta property=\"og:description\" content=\"In recent time, Tor has made the decision to use semi-persistent entry nodes which they call this feature \u201cEntry Guards.\u201d \u201cEntry Nodes\u201d are simply the first node you connect with to join the Tor Network, but an Entry Guard refers to the feature of pinning the entry nodes across sessions. […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog - Choudhary Muhammad Osama\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/chmosama\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/chmosama\" \/>\n<meta property=\"article:published_time\" content=\"2016-08-21T06:21:05+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-12-24T10:08:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.chmosama.com\/blog\/wp-content\/uploads\/2017\/09\/tor-p.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"908\" \/>\n\t<meta property=\"og:image:height\" content=\"641\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Choudhary Muhammad Osama\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ChMuhammadOsama\" \/>\n<meta name=\"twitter:site\" content=\"@ChMuhammad\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Choudhary Muhammad Osama\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/\",\"url\":\"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/\",\"name\":\"Hazards of TOR Entrance Guards - Blog - Choudhary Muhammad Osama\",\"isPartOf\":{\"@id\":\"https:\/\/www.chmosama.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.chmosama.com\/blog\/wp-content\/uploads\/2017\/09\/tor-p.jpg\",\"datePublished\":\"2016-08-21T06:21:05+00:00\",\"dateModified\":\"2017-12-24T10:08:35+00:00\",\"author\":{\"@id\":\"https:\/\/www.chmosama.com\/blog\/#\/schema\/person\/1e5073e7a2fb381ec0503b87b16ba4c7\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/#primaryimage\",\"url\":\"https:\/\/www.chmosama.com\/blog\/wp-content\/uploads\/2017\/09\/tor-p.jpg\",\"contentUrl\":\"https:\/\/www.chmosama.com\/blog\/wp-content\/uploads\/2017\/09\/tor-p.jpg\",\"width\":908,\"height\":641,\"caption\":\"tor-p\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.chmosama.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Hazards of TOR Entrance Guards\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.chmosama.com\/blog\/#website\",\"url\":\"https:\/\/www.chmosama.com\/blog\/\",\"name\":\"Blog - Choudhary Muhammad Osama\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.chmosama.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.chmosama.com\/blog\/#\/schema\/person\/1e5073e7a2fb381ec0503b87b16ba4c7\",\"name\":\"Choudhary Muhammad Osama\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.chmosama.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/3d3ebe72135073f739b9d6cc1c93ea0a0f40e9393eb5305a78f0d70435ad2f6c?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/3d3ebe72135073f739b9d6cc1c93ea0a0f40e9393eb5305a78f0d70435ad2f6c?s=96&d=mm&r=g\",\"caption\":\"Choudhary Muhammad Osama\"},\"description\":\"This is Choudhary Muhammad Osama, a highly accomplished Penetration Tester, Security Analyst and Linux Administration enthusiast, with extensive experience in implementing, maintaining, securing and pentesting web applications and networks.\",\"sameAs\":[\"https:\/\/www.chmosama.com\",\"https:\/\/www.facebook.com\/chmosama\",\"https:\/\/x.com\/ChMuhammadOsama\"],\"url\":\"http:\/\/www.chmosama.com\/blog\/author\/chmosama\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Hazards of TOR Entrance Guards - Blog - Choudhary Muhammad Osama","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/","og_locale":"en_US","og_type":"article","og_title":"Hazards of TOR Entrance Guards - Blog - Choudhary Muhammad Osama","og_description":"In recent time, Tor has made the decision to use semi-persistent entry nodes which they call this feature \u201cEntry Guards.\u201d \u201cEntry Nodes\u201d are simply the first node you connect with to join the Tor Network, but an Entry Guard refers to the feature of pinning the entry nodes across sessions. […]","og_url":"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/","og_site_name":"Blog - Choudhary Muhammad Osama","article_publisher":"https:\/\/www.facebook.com\/chmosama","article_author":"https:\/\/www.facebook.com\/chmosama","article_published_time":"2016-08-21T06:21:05+00:00","article_modified_time":"2017-12-24T10:08:35+00:00","og_image":[{"width":908,"height":641,"url":"https:\/\/www.chmosama.com\/blog\/wp-content\/uploads\/2017\/09\/tor-p.jpg","type":"image\/jpeg"}],"author":"Choudhary Muhammad Osama","twitter_card":"summary_large_image","twitter_creator":"@ChMuhammadOsama","twitter_site":"@ChMuhammad","twitter_misc":{"Written by":"Choudhary Muhammad Osama","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/","url":"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/","name":"Hazards of TOR Entrance Guards - Blog - Choudhary Muhammad Osama","isPartOf":{"@id":"https:\/\/www.chmosama.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/#primaryimage"},"image":{"@id":"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/#primaryimage"},"thumbnailUrl":"https:\/\/www.chmosama.com\/blog\/wp-content\/uploads\/2017\/09\/tor-p.jpg","datePublished":"2016-08-21T06:21:05+00:00","dateModified":"2017-12-24T10:08:35+00:00","author":{"@id":"https:\/\/www.chmosama.com\/blog\/#\/schema\/person\/1e5073e7a2fb381ec0503b87b16ba4c7"},"breadcrumb":{"@id":"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/#primaryimage","url":"https:\/\/www.chmosama.com\/blog\/wp-content\/uploads\/2017\/09\/tor-p.jpg","contentUrl":"https:\/\/www.chmosama.com\/blog\/wp-content\/uploads\/2017\/09\/tor-p.jpg","width":908,"height":641,"caption":"tor-p"},{"@type":"BreadcrumbList","@id":"https:\/\/www.chmosama.com\/blog\/hazards-of-tor-entrance-guards\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.chmosama.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Hazards of TOR Entrance Guards"}]},{"@type":"WebSite","@id":"https:\/\/www.chmosama.com\/blog\/#website","url":"https:\/\/www.chmosama.com\/blog\/","name":"Blog - Choudhary Muhammad Osama","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.chmosama.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.chmosama.com\/blog\/#\/schema\/person\/1e5073e7a2fb381ec0503b87b16ba4c7","name":"Choudhary Muhammad Osama","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.chmosama.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/3d3ebe72135073f739b9d6cc1c93ea0a0f40e9393eb5305a78f0d70435ad2f6c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3d3ebe72135073f739b9d6cc1c93ea0a0f40e9393eb5305a78f0d70435ad2f6c?s=96&d=mm&r=g","caption":"Choudhary Muhammad Osama"},"description":"This is Choudhary Muhammad Osama, a highly accomplished Penetration Tester, Security Analyst and Linux Administration enthusiast, with extensive experience in implementing, maintaining, securing and pentesting web applications and networks.","sameAs":["https:\/\/www.chmosama.com","https:\/\/www.facebook.com\/chmosama","https:\/\/x.com\/ChMuhammadOsama"],"url":"http:\/\/www.chmosama.com\/blog\/author\/chmosama\/"}]}},"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.chmosama.com\/blog\/wp-json\/wp\/v2\/posts\/141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.chmosama.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.chmosama.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.chmosama.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.chmosama.com\/blog\/wp-json\/wp\/v2\/comments?post=141"}],"version-history":[{"count":4,"href":"https:\/\/www.chmosama.com\/blog\/wp-json\/wp\/v2\/posts\/141\/revisions"}],"predecessor-version":[{"id":189,"href":"https:\/\/www.chmosama.com\/blog\/wp-json\/wp\/v2\/posts\/141\/revisions\/189"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.chmosama.com\/blog\/wp-json\/wp\/v2\/media\/145"}],"wp:attachment":[{"href":"https:\/\/www.chmosama.com\/blog\/wp-json\/wp\/v2\/media?parent=141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.chmosama.com\/blog\/wp-json\/wp\/v2\/categories?post=141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.chmosama.com\/blog\/wp-json\/wp\/v2\/tags?post=141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}