[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: General anonimity/privacy question when using TOR



On Thu, Feb 02, 2006 at 09:01:03AM -0500, force44@xxxxxxxxxxxxx wrote:
> I copy below a part of the FAQ of JAP, my question is "Does it apply
> also to TOR?". In other words, what is better to improve a TOR
> user's anonymity: Stay connected a long time (or never disconnect,
> if he uses a cable, DSL etc connection), or often disconnect (to
> change his IP, for example) ?

Actually, I think that the JAP FAQ answer is incorrect.  I'll explain.

Low-latency anonymity networks are vulnerable to end-to-end
timing attacks: an attacker who sees both ends of the circuit can
notice similarities in packet timing and volume, and thus match up the
client to the exit.

This attack is more powerful than the kind of long-term intersection
attack that is described below.  In a long-term intersection attack,
you notice that Bob, on average, receives more when Alice is sending
than when she is not.  But if you can tell when Alice is sending and
when Bob is receiving, you are presumably watching Alice and Bob, and
so you can do a correlation attack instead.

Defenses against correlation attacks are generally incompatible with
affordable low-latency anonymity networks.  If anybody has a defense
which can be demonstrated to make these attacks appreciably harder
without making the network unusable, they haven't demonstrated it to
be so.

The only circumstances I can think of where an intersection attack is
possible but a correlation attack isn't are those where the attacker
hasn't been collecting fine-grained data, but wants to track users
after the fact; or where an attacker can't watch Alice and Bob
directly, but can tell through indirect means when they are active
(such as by pinging Alice's IP and noticing when her posts show up on
Bob's blog.)

So, to answer your question: I don't think it's particularly harmful
or helpful for a client to stay online all the time.  Tor will rotate
your outgoing IP regularly either way, and the increased defense
against intersection attacks probably isn't your biggest security
concern.

> >From http://anon.inf.tu-dresden.de/fragen/konzept_en.html#K7
> 
> Why does frequent connecting and disconnecting of the internet
> connection reduce the level of anonymity?
> 
> Someone observing your computer would know when you are connected to
> the internet or to the anonymization service. If this observer also
> observes the first mix in the anonymization service, he would see
> connections and disconnections there as well. He could then draw
> conclusions as to which user is visiting which website.
> 
> Let us assume the following example:
> 
>     * It is known that a user is downloading a large file (for example, 50MB).
>     * It is also known that another user is only surfing.
> 
> The observer also sees that one of them frequently connects and
> disconnects from the internet while the other is constantly
> connected. Then it's clear that the one who is constantly connected
> is downloading the file and the other one is the one surfing. Somit
> ist klar, wer von beiden die Datei herunterl??dt und wer nur surft.
> 
> The problem remains even with many users. Statistical averages can
> be made of people who were logged in at the same time. Thus it
> becomes relatively easy to determine who did what at what time.


yrs,
-- 
Nick Mathewson

Attachment: pgp757JgSQPTB.pgp
Description: PGP signature