Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Protecting Onion Service Users Against Phishing

Benjamin Güldenring, Volker Roth

TL;DR

This paper addresses phishing threats targeting Tor onion services by proposing privacy-preserving recognizers that avoid leaving traces of visited sites. Building on hash visualization and PAKE, the authors formalize recognizers, prove security notions for collisions and disclosure, and implement a prototype browser extension for the Tor Browser that uses short, human-memorable fingerprints. They show that existing protections either leak traces or rely on centralized trust, and demonstrate how recognizers can provide phishing detection without compromising user privacy. The work suggests practical directions for usable, trace-free phishing protection with future work on dynamic sets, user studies, and more compact visual representations. The approach has potential to improve user safety in privacy-focused environments while reducing reliance on centralized infrastructure.

Abstract

Phishing websites are a common phenomenon among Tor onion services, and phishers exploit that it is tremendously difficult to distinguish phishing from authentic onion domain names. Operators of onion services devised several strategies to protect their users against phishing. But as we show in this work, none protect users against phishing without producing traces about visited services - something that particularly vulnerable users might want to avoid. In search of a solution we review prior research addressing this problem, and find that only two known approaches, hash visualization and PAKE, are capable of solving this problem. Hash visualization requires users to recognize large hash values. In order to make hash visualization more practical we design a novel mechanism called recognizer, which substantially reduces the amount of information that users must recognize. We analyze the security and privacy properties of our system formally, and report on our prototype implementation as a browser extension for the Tor web browser.

Protecting Onion Service Users Against Phishing

TL;DR

This paper addresses phishing threats targeting Tor onion services by proposing privacy-preserving recognizers that avoid leaving traces of visited sites. Building on hash visualization and PAKE, the authors formalize recognizers, prove security notions for collisions and disclosure, and implement a prototype browser extension for the Tor Browser that uses short, human-memorable fingerprints. They show that existing protections either leak traces or rely on centralized trust, and demonstrate how recognizers can provide phishing detection without compromising user privacy. The work suggests practical directions for usable, trace-free phishing protection with future work on dynamic sets, user studies, and more compact visual representations. The approach has potential to improve user safety in privacy-focused environments while reducing reliance on centralized infrastructure.

Abstract

Phishing websites are a common phenomenon among Tor onion services, and phishers exploit that it is tremendously difficult to distinguish phishing from authentic onion domain names. Operators of onion services devised several strategies to protect their users against phishing. But as we show in this work, none protect users against phishing without producing traces about visited services - something that particularly vulnerable users might want to avoid. In search of a solution we review prior research addressing this problem, and find that only two known approaches, hash visualization and PAKE, are capable of solving this problem. Hash visualization requires users to recognize large hash values. In order to make hash visualization more practical we design a novel mechanism called recognizer, which substantially reduces the amount of information that users must recognize. We analyze the security and privacy properties of our system formally, and report on our prototype implementation as a browser extension for the Tor web browser.
Paper Structure (64 sections, 2 theorems, 9 equations, 4 figures, 4 tables)

This paper contains 64 sections, 2 theorems, 9 equations, 4 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Threat Model and Requirements
  3. Established countermeasures
  4. Data Collection
  5. Results
  6. TLS Certificates
  7. Clearnet Trust Anchors
  8. Onion Mirror Guidelines
  9. Anti-Phishing Captchas
  10. Login Customization
  11. Two-Factor Authentication
  12. Address Verification Service
  13. Security Evaluation
  14. TLS Certificates
  15. Clearnet Trust Anchors
  16. ...and 49 more sections

Key Result

lemma 1

Let $x_1, \dots, x_{N} \in \mathop{\mathrm{GF}}\nolimits(2^m)$ be $N<2^m$ distinct field elements. The polynomial over $\mathop{\mathrm{GF}}\nolimits(2^m)$ has the following properties:

Figures (4)

  • Figure 1: Shows a phishing protection mechanism that combines solving a Captcha with the verification of a domain name. The Captcha serves as trusted path between the server and the user, communicating the correct domain name.
  • Figure 2: Another phishing protection mechanism based on a Captcha. Users enter the missing characters of the domain name as shown in the URL bar, thereby verifying parts of it.\ref{['fn:wangimages']}
  • Figure 3: Our browser extension prototype calculates a domains' recognizer fingerprint and shows it as visual hash.
  • Figure 4: Illustrates the recognizer from Definition \ref{['def:recogdb']}. A $(N+q)$-universal hash function $h$ shortens the input of $x$ to a value $\hat{x} = h_{\mathrm{db}}(x)$. The result is then fed into a polynomial $p$ that returns the same value for every stored item.

Theorems & Definitions (11)

  • definition 1
  • definition 2: strongly $k$-universal
  • definition 3: Recognizer
  • definition 4
  • definition 5: Security against Disclosure
  • definition 6
  • lemma 1
  • proof
  • definition 7
  • theorem 1
  • ...and 1 more