Holding all the ASes: Identifying and Circumventing the Pitfalls of AS-aware Tor Client Design

Traffic correlation attacks to de-anonymize Tor users are possible when an adversary is in a position to observe traffic entering and exiting the Tor network. Recent work has brought attention to the threat of these attacks by network-level adversaries (e.g., Autonomous Systems). We perform a historical analysis to understand how the threat from AS-level traffic correlation attacks has evolved over the past five years. We find that despite a large number of new relays added to the Tor network, the threat has grown. This points to the importance of increasing AS-level diversity in addition to capacity of the Tor network. We identify and elaborate on common pitfalls of AS-aware Tor client design and construction. We find that succumbing to these pitfalls can negatively impact three major aspects of an AS-aware Tor client – (1) security against AS-level adversaries, (2) security against relay-level adversaries, and (3) performance. Finally, we propose and evaluate a Tor client – Cipollino– which avoids these pitfalls using state-ofthe-art in network-measurement. Our evaluation shows that Cipollino is able to achieve better security against networklevel adversaries while maintaining security against relaylevel adversaries and performance characteristics comparable to the current Tor client.