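% Slides: Certificate Transparency (CT) support in Tor Browser.
% Fragment of a beamer deck; \mktitle, \burl and \floatright are assumed to be
% defined in the deck's preamble (not visible here).
%
% Abbreviations used on the slides, as in the PETS paper cited on the
% conclusion slide:
%   CT  = Certificate Transparency
%   SCT = signed certificate timestamp (a log's promise to include a certificate)
%   SFO = SCT feedback object (a certificate chain together with its SCTs)
%   CTR = Certificate Transparency relay (a Tor relay that audits for Tor Browser)
%   STH = signed tree head

%%% Background: Tor
\begin{frame}
  \mktitle{Tor crash course}
  \centering\includegraphics[width=.8\textwidth]{img/tor/overview}
  % \tiny is a declaration, not a one-argument command; the footnote argument
  % already limits its scope.
  \footnotetext[1]{\tiny Credit: figure created by Tobias Pulls}
  \footnotetext[2]{\tiny Design: \burl{https://murdoch.is/papers/tor14design.pdf}}
\end{frame}

%%% Background: Tor Browser
\begin{frame}
  \mktitle{Tor Browser}
  \begin{columns}
    \begin{column}{0.6\textwidth}
      \begin{itemize}
        \item Firefox derivative
        \item Route all traffic through Tor
        \item Prevent user activity on one site from being linked to activity on another
        % Highlighted from overlay 2 on. NOTE(review): presumably stressed
        % because it limits what the browser can keep between sessions and
        % therefore motivates delegating the audit; confirm with the author.
        \item \alert<2->{Do not write any state to disk}
        \item \dots
      \end{itemize}
    \end{column}
    \begin{column}{0.4\textwidth}
      \includegraphics[width=.67\columnwidth]{img/tor/tb}
    \end{column}
  \end{columns}
  \footnotetext[1]{\tiny Credit: Tom Ritter, see \burl{https://ritter.vg/p/tor-v1.6.pdf}}
  \footnotetext[2]{\tiny Design: \burl{https://2019.www.torproject.org/projects/torbrowser/design/}}
\end{frame}

%%% Screenshots of the paper and the blog post
\begin{frame}
  \centering
  \includegraphics[width=.75\textwidth]{img/ctor/paper}
  \vfill
  \includegraphics[width=.75\textwidth]{img/ctor/blog}
\end{frame}

%%% Threat model
\begin{frame}
  \mktitle{Problem statement}
  \begin{columns}
    \begin{column}{0.6\textwidth}
      \begin{itemize}
        \item Tor Browser does not enforce CT
        \item Guard against prominent threats
          \begin{itemize}
            \item DigiNotar style attacks
            \item Interception to deanonymize
          \end{itemize}
        \item Go beyond ``just CT compliance''
      \end{itemize}
    \end{column}
    \begin{column}{0.4\textwidth}
      \centering
      \includegraphics[width=.67\columnwidth]{img/tor/tb}
    \end{column}
  \end{columns}
  % The attacker is stronger than Tor's usual one: besides the capabilities in
  % Tor's threat model it controls a CA and two CT logs, so it can obtain a
  % certificate with SCTs that is never actually logged. Checking only for
  % the presence of SCTs does not detect that.
  \vfill\pause
  \alert{Attacker in Tor's threat model + controls a CA and two CT logs}
\end{frame}

%%% Roadmap: how much trust is placed in the logs at each step
\begin{frame}
  \mktitle{Incremental deployment}
  % Each step reduces what has to be trusted blindly. Step 1 alone does not
  % stop the attacker from the problem statement, who controls two logs.
  \begin{enumerate}
    \item Catch up with CT compliant browsers \floatright{\emph{pairs of logs} are trusted blindly}
    \item Steps towards decentralized verification \floatright{\emph{some log} is trusted blindly}
    \item Fully decentralized verification \floatright{\emph{no log} is trusted blindly}
  \end{enumerate}
\end{frame}

%%% Full design: overview of the four phases
\begin{frame}
  \mktitle{Full design}
  \centering\includegraphics[height=.5\textheight]{img/ctor/full}
  \vfill
  \pause
  % Security claim for the whole pipeline; the per-phase slides below state
  % the best remaining attack against each phase.
  \alert{Security? Difficult to interfere without detection in any phase}
\end{frame}

%%% The two obvious alternatives that the design avoids
\begin{frame}
  \mktitle{Why not just\dots?}
  % NOTE(review): presumably, fetching the proof directly tells the log which
  % certificate (and so which site) was seen, and a central auditor is a
  % single party that has to be trusted; confirm against the paper.
  \begin{columns}
    \begin{column}{.5\textwidth}\centering
      \includegraphics[width=.9\columnwidth]{img/ctor/tb-to-log}\\\vspace{.25cm}
      Fetch an inclusion proof
    \end{column}
    \begin{column}{.5\textwidth}\centering
      \includegraphics[width=.77\columnwidth]{img/ctor/tb-to-auditor}\\\vspace{.25cm}
      Rely on a centralized party
    \end{column}
  \end{columns}
\end{frame}

%%% Phase 1: Tor Browser hands an SFO to a CTR
\begin{frame}
  \mktitle{Phase 1: Submission}
  \centering\includegraphics[width=.75\textwidth]{img/ctor/phase-1}
  \vfill
  % The empty outer columns only centre the two captions.
  \begin{columns}
    \begin{column}{.2\textwidth}\centering
    \end{column}
    \begin{column}{.3\textwidth}\centering
      \alert{1.} Probabilistic submit
    \end{column}
    \begin{column}{.3\textwidth}\centering
      \alert{2.} Random CTR
    \end{column}
    \begin{column}{.2\textwidth}\centering
    \end{column}
  \end{columns}
  \pause
  \vfill
  % Residual risk: the submission is only prevented if the browser itself is
  % compromised before the SFO has been handed off.
  \alert{Best attack: quickly take control over Tor Browser}
\end{frame}

%%% Phase 2: the CTR holds the SFO until it can be audited
\begin{frame}
  \mktitle{Phase 2: Buffering}
  \begin{columns}
    \begin{column}{.5\textwidth}
      % The delay and the cache both reduce what the CTR's later log queries
      % reveal about when and what users browsed.
      \begin{enumerate}
        \item Buffer until logging is required
        \item Add a random delay to leak less
        \item Cache audited SFOs to leak less
      \end{enumerate}
    \end{column}
    \begin{column}{.5\textwidth}
      \centering
      \includegraphics[width=.45\columnwidth]{img/ctor/phase-2}
    \end{column}
  \end{columns}
  \pause
  \vfill\centering
  % Residual risk: the buffered SFOs are lost everywhere before they are audited.
  \alert{Best attack: network-wide flush}
\end{frame}

%%% Phase 3: the CTR audits the SFO against the log
\begin{frame}
  \mktitle{Phase 3: Auditing}
  \begin{columns}
    \begin{column}{.4\textwidth}
      % The STH comes from Tor's consensus, so the proof is checked against a
      % tree head that is shared by the whole network rather than one served
      % to this CTR alone.
      \begin{enumerate}
        \item Fetch inclusion proof
        \item STH from Tor's consensus
        \item Collaborate with a watchdog
          \begin{itemize}
            \item CTR identification
            \item ``Tagging''
          \end{itemize}
      \end{enumerate}
    \end{column}
    \begin{column}{.6\textwidth}
      \centering
      \includegraphics[width=\columnwidth]{img/ctor/phase-3}
    \end{column}
  \end{columns}
  \pause
  \vfill\centering
  % Residual risk: the auditing CTR is compromised before the watchdog can act.
  \alert{Best attack: quickly take control over CTR}
\end{frame}

%%% Phase 4: the watchdog reports what could not be audited
\begin{frame}
  \mktitle{Phase 4: Reporting}
  \centering\includegraphics[width=.4\textwidth]{img/ctor/phase-4}
  \vfill
  \alert{1.} Report SFO on timeout
  \pause
  \vfill
  \alert{Best attack: n/a}
\end{frame}

%%% Transition slide
\begin{frame}
  \vfill
  \mktitle{This is quite the leap from ``just CT compliance''}
\end{frame}

%%% Incremental design: the intermediate step of the roadmap
\begin{frame}
  \mktitle{Incremental design}
  \centering\includegraphics[height=.33\textheight]{img/ctor/incremental}
  \vfill
  \pause
  \alert{Use the log ecosystem against the attacker}\\
\end{frame}

%%% Conclusion, resources and next steps
\begin{frame}
  \vfill
  \begin{columns}
    \begin{column}{.41\textwidth}
      \mktitle{Conclusion}
      \begin{itemize}
        \item Tor's setting is quite different
        \item Delegated auditing is key here
        \item Roadmap from start to finish
      \end{itemize}
    \end{column}
    \begin{column}{.25\textwidth}
      \mktitle{Resources}
      \begin{itemize}
        \item PETS paper\footnotemark[1]
        \item PETS talk\footnotemark[2]
        \item Tor blog post\footnotemark[3]
      \end{itemize}
    \end{column}
    \begin{column}{.35\textwidth}
      \mktitle{Next steps}
      \begin{itemize}
        \item Torspec proposal(s)
        \item Browser implementation
        \item Relay implementation
      \end{itemize}
    \end{column}
  \end{columns}
  \footnotetext[1]{\burl{https://petsymposium.org/2021/files/papers/issue2/popets-2021-0024.pdf}}
  \footnotetext[2]{\burl{https://www.youtube.com/watch?v=f7yDJOd6g3U}}
  \footnotetext[3]{\burl{https://blog.torproject.org/tor-certificate-transparency/}}
\end{frame}

%%% Break
\begin{frame}
  \vfill
  \mktitle{Halftime}
\end{frame}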