# HW 8 SS
# 1
### Brief steps to install Tor:
- `sudo apt install tor` to install Tor
- Change some configuration
- `sudo systemctl restart tor` to apply the changes and restart the service
- Check that the installation is working as expected.
- `pip3 install pysocks requests`
### Wireshark
#### Normal


#### Torified



The torified request takes many more hops.
### Analysis
Record each request's time and compute the mean, median, max and min time in microseconds for both torified and normal requests.
```python
import os
import datetime
from subprocess import Popen, PIPE
import pandas as pd
import matplotlib.pyplot as plt

RUNS = 30  # requests per domain


def measure(sites, use_tor, result_file, csv_path):
    """Fetch every domain RUNS times with wget (wrapped in torify when use_tor is set),
    log the wall-clock time of each request and write max/min/mean/median per domain."""
    prefix = ["torify"] if use_tor else []
    dataset = {domain: [] for domain in sites}
    with open(result_file, "w") as f2:
        for domain in sites:
            for _ in range(RUNS):
                start = datetime.datetime.now()
                Popen(prefix + ["wget", "--timeout=10", "-t", "1", domain, "-P", "hw-res/"],
                      stdout=PIPE).communicate()
                elapsed = datetime.datetime.now() - start
                # Total duration in microseconds. timedelta.microseconds alone only
                # holds the sub-second fraction and would drop whole seconds.
                micros = elapsed // datetime.timedelta(microseconds=1)
                dataset[domain].append(micros)
                f2.write(f"[ Domain : {domain} ][ Time Taken : {micros} microseconds ]\n")
    df = pd.DataFrame.from_dict(dataset)
    # Rows: max (0), min (1), mean (2), median (3); columns: domains
    stats = {domain: {'max': df[domain].max(), 'min': df[domain].min(),
                      'mean': df[domain].mean(), 'median': df[domain].median()}
             for domain in sites}
    os.makedirs(os.path.dirname(csv_path), exist_ok=True)
    pd.DataFrame.from_dict(stats).to_csv(csv_path)


def get_without_tor(sites):
    measure(sites, False, "Without_TOR_RESULT.txt", "hw/normal/no-tor-statistics.csv")


def get_with_tor(sites):
    measure(sites, True, "TOR_RESULT.txt", "hw/tor/tor-statistics.csv")


def plot_stats(csv_path, title):
    """Bar chart of the four statistics per domain from a saved CSV."""
    df = pd.read_csv(csv_path)
    df.plot.bar()
    plt.xticks(color='orange', rotation=45, fontweight='bold', fontsize='17',
               horizontalalignment='right')
    plt.title(title)
    plt.xlabel('Max (0), Min (1), Mean (2), Median (3) Timings')
    plt.ylabel(f'{title} time taken in microseconds')
    plt.show()
    plt.close()


def main():
    with open("top-20.txt") as f:
        sites = [line.strip() for line in f if line.strip()]
    # get_with_tor(sites)      # uncomment to (re)collect the measurements
    # get_without_tor(sites)
    plot_stats('hw/normal/no-tor-statistics.csv', 'Normal Request')
    plot_stats('hw/tor/tor-statistics.csv', 'Torified Request')


if __name__ == "__main__":
    main()
```
#### Normal


#### Torified


From the graphs above we can see that Tor introduces a large amount of latency (and occasional time-outs) compared to direct wget, so a user who wants the anonymity and privacy of Tor has to accept worse performance, i.e. higher latency.
# 2
A misconfiguration in which applications use the **native** Internet connection to perform DNS resolution. This is called a DNS leak: the client's DNS requests are revealed to the ISP's DNS servers. It may also be the result of ISP forcing, where the ISP uses transparent DNS proxies. Either way, the client's DNS requests go to the ISP's DNS servers instead of through the Tor network.
#### Possible Causes of DNS Leak
1. A misconfigured network
2. An ineffective VPN service
3. No Internet Protocol version 6 (IPv6) support: IP addresses were originally 32-bit Internet Protocol version 4 (IPv4) addresses with four sets of three digits. But 128-bit IPv6 addresses have been created to extend the pool of IP addresses and accommodate more devices. The internet is still transitioning, and some VPNs may not support IPv6, which may push a user’s DNS request outside of the encrypted tunnel.
4. Transparent DNS proxies: ISPs may force customers to use their DNS servers even when they change their settings to a third-party VPN. If the ISP detects DNS setting changes, it uses a transparent proxy that forces a DNS leak by redirecting the user’s web activity to its own DNS servers.
5. Windows smart features: Microsoft introduced a feature known as Smart Multi-Homed Name Resolution (SMHNR) in devices using operating systems from Windows 8 onwards. The feature submits DNS requests to all available servers and accepts whichever DNS server responds first. This can cause a DNS leak and leave users open to spoofing attacks.
A misconfigured Tor setup therefore introduces the following privacy and anonymity risks:
### DNS Resolution:
As DNS resolution is still performed over the native network, it reveals which website the user is trying to contact, i.e. the requester's IP address and the destination portal's FQDN and IP.
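The DNS leak described above can be reproduced (and caught) in the `requests` + PySocks stack installed in part 1. With a `socks5://` proxy URL the client resolves the hostname through the native resolver before handing the connection to Tor; with `socks5h://` the hostname is sent to Tor and resolved inside the circuit. The following is an added example, not part of the original writeup; it assumes the default Debian `SocksPort` of 127.0.0.1:9050 and the proxy-scheme behaviour of PySocks as used by `requests`.

```python
from urllib.parse import urlparse

# Assumption: tor's default SocksPort from the Debian package, unchanged in torrc.
TOR_SOCKS = "127.0.0.1:9050"

# Where each proxy scheme resolves hostnames when used with requests + PySocks:
# socks4 / socks5  -> the client resolves the name via the native resolver (leak)
# socks4a / socks5h -> the hostname is passed to Tor and resolved in the circuit
LOCAL_DNS_SCHEMES = {"socks4", "socks5"}


def tor_proxies(leak_dns=False):
    """Build a `proxies` dict for requests. leak_dns=True reproduces the
    misconfiguration: Tor carries the TCP stream, but the ISP's resolver
    has already seen the hostname before the request enters the circuit."""
    scheme = "socks5" if leak_dns else "socks5h"
    url = f"{scheme}://{TOR_SOCKS}"
    return {"http": url, "https": url}


def dns_leaks(proxies):
    """Return the proxy entries (e.g. 'https') whose scheme makes the client
    resolve DNS locally instead of inside the SOCKS tunnel."""
    leaking = []
    for target, url in proxies.items():
        if urlparse(url).scheme.lower() in LOCAL_DNS_SCHEMES:
            leaking.append(target)
    return leaking


def fetch_via_tor(url, proxies=None, timeout=30):
    """Fetch `url` through Tor; needs the tor service plus `pip3 install pysocks requests`.
    https://check.torproject.org/ reports whether the request arrived from a Tor exit."""
    import requests  # imported lazily so the offline checks above run without it
    proxies = proxies or tor_proxies()
    if dns_leaks(proxies):
        raise ValueError(f"proxy config leaks DNS via native resolver: {dns_leaks(proxies)}")
    return requests.get(url, proxies=proxies, timeout=timeout).text
```

Run `dns_leaks` against any `proxies` dict you pass to `requests` before collecting measurements; an empty list means every hostname is resolved by Tor.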
### Tor Exit Node Eavesdropping
Exit nodes are the point where traffic leaves the Tor network, and with it Tor's encryption, on its way to the target server. Attackers who control or identify exit nodes can monitor that traffic and inject malicious content into transmissions the user presumes to be safe and encrypted.
### Circuit Fingerprinting Attacks: Passive Deanonymization
The attacker sends crafted signals to speed up discovery of entry guards (the first-hop relays on circuits), or uses congestion attacks to bias entry-guard selection towards colluding entry guards. All of these attacks additionally require a malicious client that continuously attempts to connect to the hidden service.
### "Relay Early" traffic confirmation attack
A traffic confirmation attack is possible when the attacker controls or observes the relays on both ends of a Tor circuit and compares traffic timing, volume or other characteristics to conclude that the two relays are on the same circuit. If the first relay in the circuit (the "entry guard") knows the user's IP address and the last relay knows the resource or destination being accessed, then together they can deanonymize the user.
### Mouse fingerprinting:
The way you move your mouse while lazily browsing the internet could be unique enough to be used to track you and even to identify and unmask you.
In March 2016 a security researcher based in Barcelona demonstrated laboratory techniques showing that time measurement via JavaScript at the 1-millisecond level could potentially identify and correlate a user's unique mouse movements, provided the user has visited the same "fingerprinting" website with both the Tor browser and a regular browser. This proof of concept exploits the "time measurement via JavaScript" issue, which had been an open ticket on the Tor Project for ten months.
### Traffic Analysis Attack
Although the sender information and message content propagated through the network are encrypted, "timing analysis" can be used to monitor traffic, infer how it flows through the network, and break the anonymity of the chain where it reaches an exit node.
### Bad apple attack
The "bad apple attack" exploits Tor's design and takes advantage of insecure application use to associate the simultaneous use of a secure application with the IP address of the Tor user in question. One method of attack depends on control of an exit node or hijacking tracker responses, while a secondary attack method is based in part on the statistical exploitation of distributed hash table tracking.
The results presented in the bad apple attack research paper are based on an attack launched against the Tor network by the authors of the study. The attack targeted six exit nodes, lasted for twenty-three days, and revealed a total of 10,000 IP addresses of active Tor users. This study is significant because it is the first documented attack designed to target P2P file-sharing applications on Tor.
# 3
## Opera GX
### Normal


### Incognito


## Edge
### Normal

### Incognito

## Brave
### Normal


### Incognito


## 3.1
The Brave browser appears to be the most secure (it blocks ads and trackers) based on its ad-stripping strategy. Brave strips online ads from websites; however, the browser then replaces the stripped advertisements with advertisements from its own network. These advertisements are not individually targeted but are aimed at an anonymous aggregate of the browser’s user base.
Additionally, Brave has a built-in incognito mode with Tor, which allows for a more private way to browse.
## 3.2
### Enumerate browser bookmarks
Adversaries may enumerate browser bookmarks to
(a) learn more about compromised hosts
(b) obtain personal information about users (e.g. sites visited, social media)
(c) learn details about internal network resources such as servers, tools/dashboards, or other related infrastructure
(d) identify additional targets after an adversary has obtained valid credentials, especially Credentials In Files associated with logins cached by a browser.
To protect against browser bookmark enumeration, the Brave browser uses Sync Chains to sync bookmarks, apps, extensions and browser history. User data is packed and encrypted with a 24-word seed phrase, and the browser vendor does not have access to your synced data at any point in time.
### Private Browsing Mode
Private Browsing Mode creates a temporary session. Private browsing modes are designed primarily to prevent the data and history associated with a particular browsing session from persisting on the device, or from being discovered by another user of the same device.
Brave’s Private Browsing with Tor has all the standard private browsing mode features, such as not storing cookies or browser history, but in addition it uses Tor as a web proxy so that your IP address is hidden when browsing the web.
### Browser Extensions and Plug-ins
A browser extension is a small software application that adds a capacity or functionality to a web browser. A browser extension, also called a plug-in, can take advantage of the same application program interfaces (APIs) that JavaScript can on a web page, but the extension can do more because it also has access to its own set of APIs.
Brave supports nearly all extensions that are compatible with Chromium. In addition to its compatibility with third-party extensions, the browser ships with several extensions already installed, such as:
(a) Brave wallet
(b) WebTorrent
(c) Hangouts
### Implications of these changes
Brave's business model differs from that of most rival browsers: it strips ads out of websites, replaces them with its own ads, and then lets users send money to sites they like.
Brave's presence has pushed mainstream browsers to adopt various anti-tracking defenses, improving privacy and awareness of browser behaviour.
For better anonymity, a user may also install a tracker blocker for fingerprinting protection. Privacy Badger is a browser extension developed by the Electronic Frontier Foundation (EFF) that “stops advertisers and other third-party trackers from secretly tracking” the web pages visited in the browser. Since most third-party trackers are advertisements, a likely implication is that most (but not all) advertisements are blocked when using Privacy Badger.