Tor Entry Guards
What are Tor Entry Guards? If this is an unfamiliar term, please press on Expand on the right.
Many well-known, enhanced anonymity designs like Tor, Whonix ™ and the Tor Browser Bundle (TBB) use persistent Tor guards. This decision is attributable to community-based research which demonstrates that persistent Tor entry guards benefit security and lower the probability of an adversary profiling a user. 
In general, users should not interfere with Tor guard persistence or the natural rotation of entry guards every few months. At the time of writing, the Tor client selects one guard node, but previously used a three-guard design. Guards have a primary lifetime of 120 days.   
While natural guard rotation is recommended, in some situations it is safer to not use the usual guard relay! There are some corner cases in which an adversary could fingerprint the entry guard(s)  and de-anonymize a user. For instance:
- The same entry guards are used across various physical locations and access points.
- The same entry guards are used after permanently moving to a different physical location.
For details on how this is possible, press Expand on the right.
Consider the following scenario. A user connects to Tor via a laptop at their home address. An advanced adversary has observed the client-to-guard-node network path to discover the user's entry point to the Tor network.
Soon afterwards, the same user attends a prominent event or protest in a nearby city. At that location, the user decides to anonymously blog about what transpired using the same laptop. This is problematic for anonymity, as the Tor client is using the same entry guard normally correlated with the user’s home address.
To understand the potential threat, consider the following:
- There are only around 3,000 Tor guards in 2019. 
- By design, Tor is picking one primary guard and using it for a few months. Since the Tor user base is relatively small, it is possible that a guard might only be used by one person in an entire region.
- As the IP address of Tor entry guards is static and Tor network traffic is easily distinguishable, this information becomes public knowledge.
- It is feasible that if a user-guard relationship is unique in a city location, and that user moves, it is likely (but not certain) that there was a location change.
- At the event, the user might be the only one using Tor (or among a handful).
- If the user posts about the event and an adversary who is passively monitoring network traffic conducts the same successful observation of the client-to-guard network path, then it’s likely the "anonymous" posts will be linked with the same person who normally connects to that guard at home.
The relative uncommonness of Tor usage simply exacerbates the potential for de-anonymization.
- Clone Whonix-Gateway ™ (sys-whonix) with New Entry Guards.
- Regenerate the Tor State File after Saving the Current Tor State.
- Configure Tor to use Alternating Bridges.
If moving to a new location permanently, create Fresh Tor Entry Guards by Regenerating the Tor State File.
Increase Protection from Malicious Entry Guards: One Guard per Application
Whonix ™ developer HulaHoop recently approached Tor researcher, Tariq Elahi, to discuss how exposure to malicious guards in multi-Workstation scenarios could be measured. It was discovered that 1 guard/client per internet-connected program (not identity!) is the safest possible configuration. In fact, the probability of a network adversary observing a user's activities is lower than the default scenario, whereby one Tor Entry Guard is relied upon for all applications. This advice is meant to mitigate the damage from end-to-end correlation attacks that occur when simultaneously using malicious Entry guards + Exits and should not be confused with Website Fingerprinting attacks. 
To apply this Increase Protection from Malicious Entry Guards configuration, follow these steps:
- Import a Whonix-Gateway ™ into the hypervisor that has never been started.
- Take a snapshot and name it "Original".
- Start Whonix-Gateway ™ and wait for Tor to finish bootstrapping (connecting).
- After Tor has connected, shutdown Whonix-Gateway ™ and take another snapshot - the naming convention should match the intended activity, such as "Email".
- This snapshot should be used with all Whonix-Workstation ™ snapshots related to/called "Email", whether it is identity "John Doe", "Jane Doe" and so on. Note the Workstations should also be generated separately from a clean baseline.
When a separate activity is required such as IRC, users should revert to the Whonix-Gateway ™ snapshot (labelled "Original"), then repeat the same steps. That is, allow it to boot and connect to Tor, shut it down, then take a snapshot entitled "IRC". Note that if a webpage IRC chat client is used, then this should be done from "Browsing" snapshot.
If you need to run multiple applications at the same time, then consider cloning the VMs. 
- Do not start the application on the Workstation before taking the Gateway snapshot. This is to prevent it from generating data on the Gateway -- such as Onion Service descriptors -- that can be linked across sessions or detected in the event of the Workstation being infected. 
- If you use multiple instances of the same application concurrently -- email accounts John Doe and Jane Doe in the example above -- make sure each gets its own Gateway VM (cloned from the "Email" snapshot for example) and its own isolated network. They should never share the same Gateway because a malicious Workstation can:
- Sniff data on the shared isolated network; and
- Also manipulate the common Tor client into divulging information belonging to the other application.
Manual Rotation of Tor Guards
Users may be tempted to create a new Whonix-Gateway ™ (
sys-whonix) in the following circumstances:
- Bootstrapping is slow or regularly fails.
- Tor logs show warnings suggestive of route manipulation attacks or other oddities.
- System logs reveal attempted attacks on Whonix ™ or Tor processes, for example in AppArmor logs.
- Current Tor performance is very slow or unreliable due to collapsing circuits or other factors.
- The user is concerned about the amount of Tor data that could be revealed if Whonix-Gateway ™ is infected, particularly after a long period of use.
Manual Guard Rotation Threats
Forcing the rotation of guards more often than Tor’s default is dangerous for several reasons:
- It increases the likelihood of a compromised or malicious Tor guard being selected. This raises the chance of a successful correlation attack [archive] if the adversary runs Tor exit relays in the network.
- The user is more likely to traverse a given [archive] set [archive] of Internet infrastructure links [archive] that are under the adversary's control, such as Autonomous Systems (ASes) [archive] or Internet Exchange Points (IXPs) [archive].
- Every Tor guard change acts like a fingerprinting mechanism, since other users are less likely to pick the same set. If the adversary is able to enumerate a user's Tor guards and later observes someone with the same set, the chance is high the two observations stem from the same person.
For these reasons the Tor design changed in 2014 to establish a solitary primary guard node, while also increasing the set period for guard rotation. Also, do not discount the possibility that an adversary might purposefully cause poor Tor throughput, in the hope Tor guards are manually changed: 
We should also consider whether an adversary can *induce* congestion or resource exhaustion to cause a target user to switch away from her guard. Such an attack could work very nicely coupled with the guard enumeration attacks discussed above.
In one sense, slow Tor entry guards should be welcomed -- “honeypot” operators on the Tor network are unlikely to have constrained bandwidth which might chase away intended targets.
If users feel compelled in their circumstances to proceed despite the anonymity risks, then it may be safer to first try:
- One of the fallback primary entry guards.
- A configured bridge.
- Chaining other tunnels with Tor.
- Creating a fresh Whonix-Gateway ™ (
sys-whonix) and copying across the Tor state file.
The safest decision is to persist with poor performance and wait for normal guard rotation.
Mitigate the Threat of Guard Fingerprinting
Note: Weigh the fingerprinting risks outlined earlier before proceeding. In most cases the decision to not rotate guards (even temporarily) is the correct one.
If guard fingerprinting across different locations is a legitimate concern, there are several ways to mitigate the threat. Viable options include: bridges, temporarily rotating guards or cloning Whonix-Gateway ™ (
sys-whonix) with new guards.
Clone Whonix-Gateway ™ (sys-whonix) with New Entry Guards
It is possible to clone the current Whonix-Gateway ™ (
sys-whonix) and regenerate the Tor state file. Once the VM is cloned, it is important that the original is not unintentionally used for any anonymous activities. To negate this threat, disable networking in the original Whonix-Gateway ™ until returning home.
Create a Whonix-Gateway ™ (
sys-whonix) clone and name it Whonix-Gateway ™-temp (
- Virtualbox: follow these instructions [archive] to create a VM snapshot.
Qubes-Whonix ™: In Qube Manager,
Right-click on sys-whonix→
- Regenerate the Tor State File.
Regenerate the Tor State After Saving the Tor State Folder
Before arriving at the remote location, the Whonix-Gateway ™ Tor state folder is moved to the
$HOME directory and the Tor state file is regenerated. Perform all the following steps in Whonix-Gateway ™ konsole.
Before returning home, the Tor state folder is restored to its original settings.
If Bridges are already configured, alternate bridges are recommended for different locations. If bridges are not being used, consider using entry guards in your primary location and relying on alternate bridges in different locations.
Wording clarification: There is no such thing as "Alternating-Bridges". It's not it's own word. It means "a bridge to alternate". As in "use different bridges".
Complete the following steps in Whonix-Gateway ™ (
Copy Tor Configuration files and Settings to Another sys-whonix Instance
In some circumstances Qubes-Whonix ™ users might want to copy the Tor state and custom configuration options from an existing
sys-whonix ProxyVM to another
sys-whonix instance. For example, this is useful for testing later Whonix ™ releases without aiding deanonymization attempts by advanced adversaries  or when creating an identical backup that does not share any other persistent data, except for Tor state and custom torrc options.
Copy Tor State Files to Another sys-whonix Instance
The following instructions copy the Tor state from
Copy Tor Configuration Options (torrc) to Another sys-whonix
These instructions copy custom Tor configuration options (torrc) from
Unsafe Guard Rotation Methods
Fresh Tor Entry Guards by Regenerating the Tor State File
The following instructions manually change a user's Tor entry guards. One use case for this action is before permanently relocating to a new area.
Configure Non-Persistent Entry Guards
Some users might consider configuring non-persistent entry guards so they constantly change. In almost all cases this is inadvisable, because persistent entry guards are a critical anonymity feature. A far more secure alternative is Alternating Bridges, although this requires a considerable time investment.
To proceed in spite of the warning, press on Expand on the right.
The proposed Tails solutions towards AdvGoalTracking have disadvantages   and are not suitable options for Whonix ™. The reason is Whonix ™ does not connect directly to a user's internet LAN, so trying to remember a network based on its SSID will not work. Unlike wireless access points, physical or virtual wired networks lack SSIDs and cannot be "remembered" that way.
Even if it were possible, it is best to avoid letting adversaries influence guard changes in any way. Spoofing MAC addresses or SSIDs would trigger the use of the alternative entry guard recorded for another "location profile". Global networks also have generic characteristics that cannot be differentiated from the point of view of a connecting device, resulting in the same guards being used on different networks.
- Even though the attacker can't discover the user's destinations in the network, they still might target a list of known Tor users.
torproject.org What are Entry Guards? [archive] (w [archive])
license [archive] (w [archive]):
Content on this site is Copyright The Tor Project, Inc.. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License [archive] (w [archive]). All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.
- The risk of guard fingerprinting is less severe now that upstream (The Tor Project) has changed its guard parameters to decrease the de-anonymization risk.
- Prop 291 indicates a 3.5 month guard rotation.
- The Tor Project is currently considering shifting to two guards per client for better anonymity, instead of having one primary guard in use.
- https://github.com/torproject/torspec/blob/master/proposals/291-two-guard-nodes.txt [archive]
- The entropy associated with one, two or three guards [archive] is 9, 17 and 25 bits, respectively.
- https://metrics.torproject.org/relayflags.html [archive]
- As concluded in ticket research non-persistent Tor directory guards [archive], these are covered by the following instructions.
The Tor blog post speaks about website fingerprinting, which is done without the cooperation of a malicious guard or compromising any other Tor infrastructure. Defending against a malicious guard is the attack you have considered. The two are independent and have different properties and usefulness as an adversarial tool. I describe each here to fix our descriptions of the two things. A malicious guard can compromise all circuits that go through it, _if_ the honest client also picks (or is somehow manipulated into picking) a malicious exit. Then all traffic on this circuit is compromised with certainty. The rate of success for the adversary is proportional to how much bandwidth she can afford and deploy. A website fingerprinting adversary can observe and try to identify all Tor traffic flowing out of the client's machine on the way to the guard. The rate of success for the adversary is proportional to how good the website classifier she has. The first attack is straight forward. Deploy nodes and enjoy the compromises. The second attack is not so clear. For the former, the compromised guard node can separate out the different flows since it can inspect Tor application level information. For the latter, the problem is that the adversary only has network level information and must do the work of first separating out the flows into individual website accesses. Otherwise WF does not work. The advice that the Tor blog post is giving is to make this separation job harder for the adversary and hence render the WF less effective (i.e. very low accuracy). In the case that the app is a web browser then the Tor blog post makes sense, but you could take their advice and _also_ do the 1 app per 1 guard proposal, and get the best of both worlds. There is another consideration, WF works because there is a stable fingerprint to learn (in this case the website that does not change too much _and_ the adversary can generate training data by accessing this website). Is this the case of the apps (other than web browser) you have in mind? Will there be a stable traffic pattern for the adversary to learn? Do you want to hide the fact that the app is being used versus the party that is being communicating with? I think that the blog post is talking about a very narrow problem. Furthermore, there is not yet side consensus on 1) how well WF is actually working in the real world (versus very well known effectiveness or malicious guards) and 2) what the best and practical defences are (where randomly doing lots of stuff at once sounds mostly impractical if not automated and expensive in bandwidth). Tariq
From: Tariq Elahi Subject: Re: Fwd: Re: Tor revised guard behavior & chances of malicious guard To: HulaHoop, email@example.com Hi, I have replied inline below. On 27/09/18 17:22, HulaHoop wrote: > [snip] > > Thanks for getting back to us. With your permission I'd like to quote your reply on our wiki. Sure, but I would to take a look at what the context and quote is if that is alright, please. > IIRC Tor is currently using a 2 guard per client config but will be moving to 1 because of research showing it's safer. Should we force the use of one guard even if it's not the standard configuration of most Tor users at the moment? I thought Tor was using one guard and thinking of moving to two. Is it the other way around? Forcing some users to do something different from other users partitions the user base and this is considered not a good thing to do in general. > With 1G/A being the best option it would translate to cloning the Tor VM (for as many separate Apps desired) before first run - to ensure they don't share the same guard correct? They could share the same guard if it gets picked randomly. The likelihood of this happening at random depends on the bandwidth of the guard so it might not be as rare. The trick is making sure you don't pick an already used guard without needing to divulge information about all other apps' guards. > *** > > I'm trying to think how the different Tor instances can look at each other's guard lists across different VMs. Probably through using inter-VM communication or something similar. > > Spawning multiple Tor instances on the same Gateway VM would be easier but getting each instance to use only it's own internal network that connects to its unique App VM is not as straight forward as the separate VM approach. Indeed, communication between the VMs is needed. Perhaps a mediation agent that could help facilitate the list matching process? I am quite interested in this now. Perhaps we should talk more about this over chat if that will help. Tariq
- https://lists.torproject.org/pipermail/tor-dev/2016-November/011636.html [archive]
- https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters [archive]
- If an alternative command is used to remove the Tor state folder, this can result in broken file persistence across reboots. This relates to the Qubes-Whonix ™ design, which uses
bind-dirsfile persistence for the Tor folder and other select directories. At the very least, users would need to mount and then unmount the Tor folder in the same way as
bind-dirsdoes. This is likely a complicated and time-consuming task.
- As the same Tor entry guard is used.
- If Tor fails to start, verify the Tor folder has the proper file permissions with the following command:
sudo ls -l /var/lib/tor
- Note: From Whonix ™ 14 onward, all unique Tor configurations (torrc) options must be stored in
/usr/local/etc/torrc.d/50_user.confand nowhere else.
- If Tor is not running after restart, it is possible to verify the newly migrated torrc options are valid with the following command:
anon-verify. The output should be similar to the following.
/===================================================================\ | Report Summary | \===================================================================/ No error detected in your Tor configuration.
- https://tails.boum.org/blueprint/persistent_Tor_state/ [archive]
- https://blog.torproject.org/blog/tor-weekly-news-%E2%80%94-june-17th-2015#A_persistent_Tor_state_for_Tails [archive]
Whonix ™ Tor Entry Guards wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix ™ Tor Entry Guards wiki page Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <firstname.lastname@example.org>
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)