Abstract
Tor constitutes one of the pillars of anonymous online communication. It allows its users to communicate while concealing from observers their location as well as the Internet resources they access. Since its first release in 2002, Tor has enjoyed an increasing level of popularity, and the network now commonly has more than 2,000,000 simultaneous active clients. However, even though Tor is widely popular, there is little understanding of the large-scale behavior of its network clients. In this paper, we present a longitudinal study of the Tor network based on passive analysis of TLS traffic at the Internet uplinks of four large universities inside and outside of the US. We show how Tor traffic can be identified by properties of its autogenerated certificates, and we use this knowledge to analyze the characteristics and development of Tor’s traffic over more than three years.
Notes
- 1. For the remainder of this paper, we will refer to either SSL or TLS as “TLS.”
- 9. Not counting Tor and Grid Computing certificates.
- 11. Since we have extended our data collection script over time, information about older connections does not contain all the listed attributes.
Acknowledgments
We thank Phillip Winter and David Fifield for their feedback during the writing of this paper. This work was supported by the National Science Foundation under grant numbers CNS-1528156 and ACI-1348077. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Amann, J., Sommer, R. (2016). Exploring Tor’s Activity Through Long-Term Passive TLS Traffic Measurement. In: Karagiannis, T., Dimitropoulos, X. (eds) Passive and Active Measurement. PAM 2016. Lecture Notes in Computer Science, vol 9631. Springer, Cham. https://doi.org/10.1007/978-3-319-30505-9_1
DOI: https://doi.org/10.1007/978-3-319-30505-9_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30504-2
Online ISBN: 978-3-319-30505-9
eBook Packages: Computer Science, Computer Science (R0)