I’m en route to Palo Alto for the Metaverse Roadmap conference, using the plane flights as a chance to catch up on papers I hadn’t previously had a chance to read. One of the best in the pile I’m working through is “Internet Geolocation and Evasion” by James Muir and P.C. van Oorschot at Carleton University in Ottawa. The authors address the question of how easy or hard it is to avoid being geolocated – i.e., having a web server make a credible guess as to your physical location based on information transmitted by your web browser when you access a webpage.
This problem is closely related to a problem I’m concerned about – how do you ensure a user can access a webpage without revealing her real-world identity? (This is obviously an important problem to consider when you’re advising people on how to blog without revealing their identity.) The conclusion the authors come to: it’s quite difficult to geolocate a person determined to conceal their identity… but if you’re really committed to the proposition and can get people to visit specific URLs, it’s possible to geolocate quite well, even if the person is using Tor.
The Tor vulnerability is one I knew about in theory, but hadn’t seen documented in detail. The paper’s authors make the point that Tor’s promotional materials don’t dwell on this vulnerability, despite the fact that it’s got serious implications for Tor’s effectiveness. (I plan on reviewing the tor.eff.org site to determine whether I agree with the authors’ assessment about the marketing materials. And I should make it clear that I was aware of the vulnerability because Roger Dingledine, one of Tor’s authors, told me the vulnerability was a major concern for him given the users I’m advocating for.)
Here’s how the vulnerability works:
Tor disguises your IP address from the server you’re accessing by routing your traffic through three intermediate proxy servers. Each of these proxy servers only knows its nearest neighbors – the first proxy server in the chain knows the IP of your home computer and of the second proxy, but not of the web server you’re accessing; the second knows only the identity of the first and third proxies, and the final, exit node knows the second proxy and the server you’re accessing, but not your identity.
Surfing the web through Tor, webservers see you as the final node you’re exiting from. This leads to all sorts of clever tricks – access Google through Tor and refresh a few times, and it will change language as Tor randomly spits you out through nodes in Japan, Germany and Poland. From the user’s perspective, this is what we want – I don’t want anyone to know I’m posting from Zimbabwe.
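To make the "each proxy only knows its nearest neighbors" property concrete, here is a small Python model of a three-hop circuit. It is an added illustration, not code from the paper or from Tor itself: the layered encryption is a toy SHA-256 keystream XOR (not a real cipher), the relay names and the per-relay keys are constructed here, and real Tor negotiates keys and frames cells quite differently. What it does show faithfully is which addresses each party can observe: the entry relay sees the client but not the server, the exit relay sees the server but not the client, and the server sees only the exit.

```python
import hashlib
import json

# Constructed circuit: client -> entry -> middle -> exit -> server.
PATH = ["entry", "middle", "exit"]
# Constructed per-relay keys shared with the client (derived from the name, for determinism).
KEYS = {relay: hashlib.sha256(relay.encode()).digest() for relay in PATH}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream. Illustration only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """Encrypt one layer: inside it, only the next hop and the inner payload are readable."""
    inner = json.dumps({"next": next_hop, "payload": payload.hex()}).encode()
    return keystream_xor(key, inner)


def build_onion(keys: dict, path: list, server: str, request: bytes) -> bytes:
    """Client builds the onion inside-out: the exit's layer names the server, each
    earlier layer names only the following relay."""
    blob, next_hop = request, server
    for relay in reversed(path):
        blob = wrap_layer(keys[relay], next_hop, blob)
        next_hop = relay
    return blob


def relay_process(name: str, key: bytes, prev_hop: str, blob: bytes):
    """A relay peels exactly one layer. Its 'view' is all it can learn: who handed it
    the cell and where to forward it. Returns (view, next_hop, remaining_blob)."""
    inner = json.loads(keystream_xor(key, blob))
    view = {"name": name, "sees_from": prev_hop, "sees_to": inner["next"]}
    return view, inner["next"], bytes.fromhex(inner["payload"])


def run_circuit(keys: dict, path: list, client: str, server: str, request: bytes) -> list:
    """Push one request through the circuit and collect what each hop observed."""
    views = []
    blob = build_onion(keys, path, server, request)
    prev = client
    for relay in path:
        view, _next_hop, blob = relay_process(relay, keys[relay], prev, blob)
        views.append(view)
        prev = relay
    # The server receives the plaintext request from the exit, never from the client.
    views.append({"name": server, "sees_from": prev, "sees_to": None, "request": blob})
    return views


def no_single_hop_links_client_to_server(views: list, client: str, server: str) -> bool:
    """The property the post describes: no one party sees both endpoints."""
    return all({client, server} - {v["sees_from"], v["sees_to"]} for v in views)


if __name__ == "__main__":
    for v in run_circuit(KEYS, PATH, "client", "server", b"GET / HTTP/1.0"):
        print(v)
```

Running it prints one line per hop; the last line is the server's view, which names the exit relay as the peer, exactly why Google changes language as Tor sends you out through different exits.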
Unfortunately, a Java applet specially designed to detect your real IP, rather than your disguised IP, can discover it all too easily. A constructor on the Socket class, added in the Java 1.5 API, lets a Java programmer instruct your Java Runtime Environment to ignore any proxy settings you’ve made on your machine: Socket N = new Socket(Proxy.NO_PROXY);
What this means is this: if someone wants your IP and can lure you to a page where they’ve got this applet embedded, they can get your IP so long as Java is enabled in your browser. This doesn’t necessarily change the recipe I’ve been recommending to users trying to blog anonymously – Tor + WordPress.com + Hushmail – but it means that this recipe now relies on a certain amount of trust in those two websites not to use this technique to log your IP. If you don’t trust those two sites – or if you’re going to use Tor to surf beyond those websites – and you’re really concerned about concealing your identity, you need to disable Java when using Tor.
It’s unspeakably stupid that the new Java API supports this constructor. (In my ever-so-neutral opinion as a privacy advocate and non-Java programmer… :-) One of the fundamental design principles of Java is (or should be) that the user controls her own security on her machine – overriding the user’s proxy settings is anathema to more or less any sane user-centric security model. I’ve got an email into friends at Sun to see if they’re a) aware of the privacy concerns of the new “feature” and b) planning on removing the function in 1.51… I’ll keep you posted.
This is what’s so frustrating about Internet security – there’s nothing that even resembles an easy answer. I’ve had to give nuanced answers about the suitability of Tor for users in countries where they’re likely to be the only user. (If it’s dangerous to be caught trying to circumvent censorship in your country and you’re one of the few Tor users in your country, it’s dangerous to use Tor. If you’re one of the few people in your country using Tor, it can be dangerous to publish through Tor without taking steps to protect against timestamp attacks on your identity – i.e., changing timestamps on all your posts.) Now I need to explain why you might consider disabling Java. “It’s hard out here for a cyberdissident…”