Actions

Tor Entry Guards

About this Tor Entry Guards Page
Support Status stable
Difficulty easy
Maintainer 0brand
Support Support

Introduction[edit]

What are Tor Entry Guards? If this is an unfamiliar term, please press on Expand on the right.

Current practical, low-latency, anonymity designs like Tor fail when the attacker can see both ends of the communication channel. For example, suppose the attacker controls or watches the Tor relay a user chooses to enter the network, and also controls or watches the website visited. In this case, the research community is unaware of any practical, low-latency design that can reliably prevent the attacker from correlating volume and timing information on both ends.

Mitigating this threat requires consideration of the Tor network topology. Suppose the attacker controls, or can observe, C relays from a pool of N total relays. If a user selects a new entry and exit relay each time the Tor network is used, the attacker can correlate all traffic sent with a probability of (c/n)2. For most users, profiling is as hazardous as being traced all the time. Simply put, users want to repeat activities without the attacker noticing, but being noticed once by the attacker is as detrimental as being noticed more frequently. [...]

The solution to this problem is "entry guards". Each Tor client selects a few relays at random to use as entry points, and only uses those relays for the first hop. If those relays are not controlled or observed, the attacker can't use end-to-end techniques and the user is secure. If those relays are observed or controlled by the attacker, then they see a larger fraction of the user's traffic — but still the user is no more profiled than before. Thus, entry guards increase the user's chance of avoiding profiling (on the order of (n-c)/n), compared to the former case.

You can read more at An Analysis of the Degradation of Anonymous Protocols, Defending Anonymous Communication Against Passive Logging Attacks, and especially Locating Hidden Servers.

Restricting entry nodes may also help to defend against attackers who want to run a few Tor nodes and easily enumerate all of the Tor user IP addresses. [1] However, this feature won't become really useful until Tor moves to a "directory guard" design as well.

Source and License, see footnote: [2]

Many well known enhanced anonymity designs such as Tor, Whonix and the Tor Browser Bundle (TBB) use persistent Tor guards. This decision is attributable to community-based research which demonstrates that persistent Tor entry guards benefit security and lower the probability of an adversary profiling a user.[3]


In general, users should not interfere with Tor guard persistence or the natural rotation of entry guards every few months. At the time of writing, the Tor client selects one guard node, but previously used a three-guard design. Guards have a primary lifetime of 120 days.[4] [5] [6]

Guard Fingerprinting[edit]

While natural guard rotation is recommended, there are some corner cases in which an adversary could fingerprint the entry guards [7] and de-anonymize a user. For instance:

  • The same entry guards are used across various physical locations and access points.
  • The same entry guards are used after permanently moving to a different physical location.

For details on how this is possible, press Expand on the right.

Consider the following scenario. A user connects to Tor via a laptop at their home address. An advanced adversary has observed the client-to-guard-node network path to discover the user's entry point to the Tor network.

Soon afterwards, the same user attends a prominent event or protest in a nearby city. At that location, the user decides to anonymously blog about what transpired using the same laptop. This is problematic for anonymity, as the Tor client is using the same entry guard normally correlated with the user’s home address.

To understand the potential threat, consider the following:

  • There are only around 2,500 Tor guards in 2018. [8]
  • By design, Tor is picking one primary guard and using it for a few months. Since the Tor user base is relatively small, it is possible that a guard might only be used by one person in an entire region.
  • As the IP address of Tor entry guards is static and Tor network traffic is easily distinguishable, this information becomes public knowledge.
  • It is feasible that if a user-guard relationship is unique in a city location, and that user moves, it is likely (but not certain) that there was a location change.
  • At the event, the user might be the only one using Tor (or among a handful).
  • If the user posts about the event and an adversary who is passively monitoring network traffic conducts the same successful observation of the client-to-guard network path, then it’s likely the "anonymous" posts will be linked with the same person who normally connects to that guard at home.

The relative uncommonness of Tor usage simply exacerbates the potential for de-anonymization.

There are several ways to mitigate the risk of guard fingerprinting across different physical locations. In most cases, the original entry guards can also be re-established after returning home:

Forum discussion:
https://forums.whonix.org/t/persistent-tor-entry-guard-relays-can-make-you-trackable-across-different-physical-locations/2090

[9]

Manual Rotation of Tor Guards[edit]

Anonymity and Performance-related Issues[edit]

Users may be tempted to create a new Whonix-Gateway (sys-whonix) in the following circumstances:

  • Bootstrapping is slow or regularly fails.
  • Tor logs show warnings suggestive of route manipulation attacks or other oddities.
  • System logs reveal attempted attacks on Whonix or Tor processes, for example in AppArmor logs.
  • Current Tor performance is very slow or unreliable due to collapsing circuits or other factors.
  • The user is concerned about the amount of Tor data that could be revealed if Whonix-Gateway is infected, particularly after a long period of use.

Creating a new Whonix-Gateway (sys-whonix) will likely lead to a new set of Tor entry guards, which is proven to degrade anonymity.

Manual Guard Rotation Threats[edit]

Forcing the rotation of guards more often than Tor’s default is dangerous for several reasons:

  • It increases the likelihood of a compromised or malicious Tor guard being selected. This raises the chance of a successful correlation attack if the adversary runs Tor exit relays in the network.
  • The user is more likely to traverse a given set of Internet infrastructure links that are under the adversary's control, such as Autonomous Systems (ASes) or Internet Exchange Points (IXPs).
  • Every Tor guard change acts like a fingerprinting mechanism, since other users are less likely to pick the same set. If the adversary is able to enumerate a user's Tor guards and later observes someone with the same set, the chance is high the two observations stem from the same person.

For these reasons the Tor design changed in 2014 to establish a solitary primary guard node, while also increasing the set period for guard rotation. Also, do not discount the possibility that an adversary might purposefully cause poor Tor throughput, in the hope Tor guards are manually changed: [10]

We should also consider whether an adversary can *induce* congestion or resource exhaustion to cause a target user to switch away from her guard. Such an attack could work very nicely coupled with the guard enumeration attacks discussed above.

In one sense, slow Tor entry guards should be welcomed - “honeypot” operators on the Tor network are unlikely to have constrained bandwidth which might chase away intended targets.

Recommendations[edit]

If users feel compelled in their circumstances to proceed despite the anonymity risks, then it may be safer to first try:

The safest decision is to persist with poor performance and wait for normal guard rotation.

Mitigate the Threat of Guard Fingerprinting[edit]

If guard fingerprinting across different locations is a legitimate concern, there are several ways to mitigate the threat. Viable options include: bridges, temporarily rotating guards or cloning Whonix-Gateway (sys-whonix) with new guards.

Clone Whonix-Gateway (sys-whonix) with New Entry Guards[edit]

It is possible to clone the current Whonix-Gateway (sys-whonix) and regenerate the Tor state file. Once the VM is cloned, it is important that the original is not unintentionally used for any anonymous activities. To negate this threat, disable networking in the original Whonix-Gateway until returning home.


Create a Whonix-Gateway (sys-whonix) clone and name it Whonix-Gateway-temp (sys-whonix-temp):

Regenerate the Tor State After Saving the Tor State Folder[edit]


Before arriving at the remote location, the Whonix-Gateway Tor state folder is moved to the $HOME directory and the Tor state file is regenerated. Perform all the following steps in Whonix-Gateway konsole.

1. Stop Tor.

sudo systemctl stop tor@default

2. Remove the temporary Tor state folder.

sudo rm -r /var/lib/tor

3. Restore the Tor state folder.

sudo mv ~/tor /var/lib

4. Restart Tor.

sudo systemctl restart tor@default

Before returning home, the Tor state folder is restored to its original settings.

1. Stop Tor.

sudo systemctl stop tor@default

2. Move the Tor state folder to the $HOME directory.

sudo mv /var/lib/tor ~/

3. Restart Tor.

sudo systemctl restart tor@default

Alternating Bridges[edit]

If Bridges are already configured, alternate bridges are recommended for different locations. If bridges are not being used, consider using entry guards in your primary location and relying on alternate bridges in different locations.

Complete the following steps in Whonix-Gateway (sys-whonix).

1. Disable Tor using whonix-setup-wizard (safest option).

Start whonix-setup-wizard.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Whonix Setup

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> System -> Whonix Setup Wizard

If you are using a terminal-only Whonix-Gateway, complete the following steps.

sudo whonixsetup

Choose the Disable Tor option. Press next.

2. Configure Tor to use bridges. Refer to the Bridges documentation.

3. Enable Tor using whonixsetup / whonix-setup-wizard at the new location.

4. Before leaving this location, disable Tor. If traveling to a different area, add a different bridge address. To revert to the usual Tor guards used at home, remove the torrc bridge settings before enabling the network or rollback to a VM snapshot created at home.

Copy Tor Configuration files and Settings to Another sys-whonix Instance[edit]


Sometimes Qubes-Whonix users will want to copy the Tor state and custom configuration options from an existing sys-whonix ProxyVM to another sys-whonix instance. For example, this is useful for testing later Whonix releases without aiding deanonymization attempts by advanced adversaries [12] or when creating an identical backup that does not share any other persistent data, except for Tor state and custom torrc options.

Copy Tor State Files to Another sys-whonix Instance[edit]

The following instructions copy the Tor state from sys-whonix-old to sys-whonix-new.

1. In sys-whonix-new, stop Tor.

sudo systemctl stop tor@default

2. In sys-whonix-new, remove the Tor state file.


sudo su

sudo rm /var/lib/tor/*

3. In sys-whonix-old, stop Tor.

sudo systemctl stop tor@default

4. In sys-whonix-old, copy the Tor state file across to sys-whonix-new.

sudo qvm-copy /var/lib/tor sys-whonix-new

If the following error appears, it can be safely ignored (hit "OK" when prompted).

qfile-agent: Fatal error: stat “VM” (error type: No such file or directory)

5. In sys-whonix-new, list the QubesIncoming directory to ensure the Tor state file was copied over successfully.

ls ~/QubesIncoming/sys-whonix-old/tor

The output should include the files below.

  cached-certs cached-microdescs lock
  cached-microdesc-consensus cached-microdescs.new state

6. In sys-whonix-new, move the newly copied Tor state file to /var/lib/tor

sudo mv ~/QubesIncoming/sys-whonix-old/tor/* /var/lib/tor

7. In sys-whonix-new, change ownership of all files in the Tor state folder to debian-tor

sudo chown -R debian-tor:debian-tor /var/lib/tor

8. In sys-whonix-new, start Tor.

sudo systemctl start tor@default

9. In sys-whonix-new, run whonixcheck to verify Tor is functioning properly. [13]

whonixcheck

Copy Tor Configuration Options (torrc) to Another sys-whonix[edit]


These instructions copy custom Tor configuration options (torrc) from sys-whonix-old to sys-whonix-new.

1. In sys-whonix-old, copy the torrc options across to sys-whonix-new.

qvm-copy /usr/local/etc/torrc.d/50_user.conf sys-whonix-new

If the following error appears, it can be safely ignored (hit "OK" when prompted).

 qfile-agent: Fatal error: stat “VM” (error type: No such file or directory)

2. In sys-whonix-new, list the QubesIncoming directory to ensure the torrc options were copied over successfully.

cat ~/QubesIncoming/sys-whonix-old/50_user.conf

3. In sys-whonix-new, move the 50_user.conf options from the QubesIncoming directory to the 50_user.conf file.

sudo mv ~/QubesIncoming/sys-whonix-old/50_user.conf /usr/local/etc/torrc.d/50_user.conf

4. In sys-whonix-new, change ownership of the Tor configuration file.

sudo chown -R root:root /etc/tor

5. In sys-whonix-new, restart Tor so the newly copied Tor config options take effect.

sudo systemctl restart tor@default

6. In sys-whonix-new, run whonixcheck to verify Tor is functioning properly. [16]

whonixcheck

Unsafe Guard Rotation Methods[edit]

Fresh Tor Entry Guards by Regenerating the Tor State File[edit]


The following instructions manually change a user's Tor entry guards. One use case for this action is before permanently relocating to a new area.

Complete the following steps in Whonix-Gateway (Qubes-Whonix: sys-whonix).

1. Disable Tor using whonix-setup-wizard (safest option).

Start whonix-setup-wizard.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Whonix Setup

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> System -> Whonix Setup Wizard

If you are using a terminal-only Whonix-Gateway, complete the following steps.

sudo whonixsetup

Choose the Disable Tor option. Press next.

2. Delete Tor's state file.

sudo rm /var/lib/tor/state

3. Enable Tor using whonixsetup / whonix-setup-wizard at the new location.

Configure Non-Persistent Entry Guards[edit]

Some users might consider configuring non-persistent entry guards so they constantly change. In almost all cases this is inadvisable, because persistent entry guards are a critical anonymity feature. A far more secure alternative is Alternating Bridges, although this requires a considerable time investment.

To proceed in spite of the warning, press on Expand on the right.

Complete these steps in Whonix-Gateway (sys-whonix).

1. Disable Tor using whonix-setup-wizard (safest option).

Start whonix-setup-wizard.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Whonix Setup

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> System -> Whonix Setup Wizard

If you are using a terminal-only Whonix-Gateway, complete the following steps.

sudo whonixsetup

Choose the Disable Tor option. Press next.

2. Modify Tor settings.


Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> Settings -> /usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Add.

DataDirectory /var/run/tor

Save.

3. Enable Tor using whonixsetup / whonix-setup-wizard at the new location.

4. Before leaving this location, disable Tor and repeat the above steps if traveling to a different area. To revert to the usual guard nodes at home, remove the torrc setting before enabling the network or rollback to a VM snapshot that was created there.

Notes[edit]

The proposed Tails solutions towards AdvGoalTracking have disadvantages [17] [18] and are not suitable options for Whonix. The reason is Whonix does not connect directly to a user's internet LAN, so trying to remember a network based on its SSID will not work. Unlike wireless access points, physical or virtual wired networks lack SSIDs and cannot be "remembered" that way.

Even if it were possible, it is best to avoid letting adversaries influence guard changes in any way. Spoofing MAC addresses or SSIDs would trigger the use of the alternative entry guard recorded for another "location profile". Global networks also have generic characteristics that cannot be differentiated from the point of view of a connecting device, resulting in the same guards being used on different networks.

Developers/Auditors-only: The development discussion related to this documentation chapter can be found here.

Footnotes[edit]

  1. Even though the attacker can't discover the user's destinations in the network, they still might target a list of known Tor users.
  2. Source:
    torproject.org What are Entry Guards? (w)
    license (w):
    Content on this site is Copyright The Tor Project, Inc.. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License (w). All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.
  3. The risk of guard fingerprinting is less severe now that upstream (The Tor Project) has changed its guard parameters to decrease the de-anonymization risk.
  4. Prop 291 indicates a 3.5 month guard rotation.
  5. The Tor Project is currently considering shifting to two guards per client for better anonymity, instead of having one primary guard in use.
  6. https://github.com/torproject/torspec/blob/master/proposals/291-two-guard-nodes.txt
  7. The entropy associated with one, two or three guards is 9, 17 and 25 bits, respectively.
  8. https://metrics.torproject.org/relayflags.html
  9. As concluded in ticket research non-persistent Tor directory guards, these are covered by the following instructions.
  10. https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters
  11. If an alternative command is used to remove the Tor state folder, this can result in broken file persistence across reboots. This relates to the Qubes-Whonix design, which uses bind-dirs file persistence for the Tor folder and other select directories. At the very least, users would need to mount and then unmount the Tor folder in the same way as bind-dirs does. This is likely a complicated and time-consuming task.
  12. As the same Tor entry guard is used.
  13. If Tor fails to start, verify the Tor folder has the proper file permissions with the following command sudo ls -l /var/lib/tor
  14. When users reach step 3 in the instructions, move the torrc options from the QubesIncoming directory to the torrc file sudo mv ~/QubesIncoming/sys-whonix-old/torrc /usr/local/etc/torrc.d/50_user.conf
  15. Users should revise instructions as follows:
    Step 1 qvm-copy /usr/local/etc/torrc.d/50_user.conf sys-whonix-new
    Step 2 cat ~/QubesIncoming/sys-whonix-old/50_user.conf
    Step 3 sudo mv ~/QubesIncoming/sys-whonix-old/50_user.conf /usr/local/etc/torrc.d/50_user.conf
    Step 4 sudo chown -R root:root /usr/local/etc/torrc.d
  16. If Tor is not running after restart, it is possible to verify the newly migrated torrc options are valid with the following command anon-verify - the output should be similar to the following.
    /===================================================================\ | Report Summary | \===================================================================/ No error detected in your Tor configuration.
  17. https://tails.boum.org/blueprint/persistent_Tor_state/
  18. https://blog.torproject.org/blog/tor-weekly-news-%E2%80%94-june-17th-2015#A_persistent_Tor_state_for_Tails

License[edit]

Whonix Tor Entry Guards wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Tor Entry Guards wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.


Random News:

We are looking for help in managing our social media accounts. Are you interested?


https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)