
Re: Potential attack by associating onymous & anonymous traffic



On Fri, Dec 24, 2004 at 03:20:52PM -0800, Nick Nolan wrote:
> An example:
> An attacker knows that I use the AIM account malglico. I am doing this 
> through Tor (to hide my location or just out of enthusiasm for tsocks). I 
> am also using Tor to transmit something else that I do not want to be 
> revealed as the sender of.
> 
> This attacker is able to observe all or some endpoints to the network. 
> They notice that some traffic from malglico is coming from a particular 
> Tor exit. At the same time they notice that the sensitive information I 
> am transmitting is also exiting from there. They can immediately narrow 
> the sender to me or one of the other users exiting from that OR. They 
> have my identity, and the 1 over the number of users exiting from that 
> OR probability that I sent it. This is considerably better than all 
> users on Tor who sent a message close to that size out.

Yes, this is a potential problem. Tor tries to find a balance between
opening a new circuit for every TCP stream (slow and CPU-intensive)
and using the same circuit for all your streams. More generally, Tor
does not yet support "pseudonyms" as the old Freedom network (from
Zero-Knowledge Systems) did.

I'm not sure of the right interface for doing this. Perhaps Tor should
have some config options for various ports or IPs that should never be
used on the same circuit? Maybe the GUI interface should have a set
of profiles that you can click on, and Tor will make sure never to use
a stream from one profile on the same circuit as a stream from another
profile?

To some extent you're screwed, because your various profiles will only
be active when Nick Nolan is online, and never otherwise. But Tor can
certainly improve a great deal from where it is currently.

Nick, would you like to help specify and/or build this stuff? We've got
our hands full for now just building the basic anonymous transport layer,
without dealing with pseudonymity yet. I'll add support for it in the
back-end if you figure out how to display it to the user and how to
phrase it in the config.

> The simplest solution would be to send all my onymous traffic unproxied, 
> but maybe I want to hide my location. I can't in the current 
> implementation. If the Tor daemon were able to group the traffic, i.e. 
> this, this and this can be sent down the same circuit, but this must be 
> separated, I would be able to hide my location in some cases and my 
> entire identity in others.
> Do I have a potential privacy concern here or did I miss something? I've 
> only RTFS'd briefly.

--Roger
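
The profile idea discussed above, as an added sketch that is not part of the original message and is not Tor's code: a toy allocator that attaches each new stream to a circuit and, when isolation is on, never lets streams from two profiles share one. The class, the port-to-profile table, the exit names and the stream sequence are all hypothetical and constructed for illustration.

```python
from itertools import count, cycle

# Constructed profile rules: destination port -> profile name (hypothetical).
PROFILE_BY_PORT = {5190: "aim-onymous", 80: "web-anonymous"}


class CircuitPool:
    """Toy allocator: streams share a circuit only within one profile."""

    def __init__(self, exits, isolate=True, max_streams=3):
        self.exits = cycle(exits)       # toy exit choice: round-robin
        self.isolate = isolate          # False = every stream may share a circuit
        self.max_streams = max_streams  # open a fresh circuit after this many
        self.circuits = {}              # id -> {"exit", "profiles", "streams"}
        self.current = {}               # isolation key -> circuit id in use
        self.ids = count(1)

    def attach(self, dest_port):
        """Assign a new stream to a circuit and return the circuit id."""
        profile = PROFILE_BY_PORT.get(dest_port, "default")
        key = profile if self.isolate else "shared"
        cid = self.current.get(key)
        if cid is None or self.circuits[cid]["streams"] >= self.max_streams:
            cid = next(self.ids)
            self.circuits[cid] = {"exit": next(self.exits),
                                  "profiles": set(), "streams": 0}
            self.current[key] = cid
        self.circuits[cid]["profiles"].add(profile)
        self.circuits[cid]["streams"] += 1
        return cid

    def mixed_circuits(self):
        """Circuit ids that carried streams from more than one profile."""
        return sorted(c for c, v in self.circuits.items()
                      if len(v["profiles"]) > 1)


def run(isolate):
    """Replay a constructed sequence of stream destination ports."""
    pool = CircuitPool(["exitA", "exitB", "exitC"], isolate=isolate)
    for port in [5190, 80, 5190, 80, 80, 80, 5190]:
        pool.attach(port)
    return pool


if __name__ == "__main__":
    for isolate in (False, True):
        print("isolate =", isolate, "mixed:", run(isolate).mixed_circuits())
```

Without isolation the first circuit carries both the AIM stream and the sensitive stream, which is the linkage described in the quoted example; with isolation no circuit mixes profiles, at the cost of building more circuits.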