[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor and HTTPS graphic



Thus spake Mike Perry (mikeperry@xxxxxxxxxxxxxx):

> > But passive correlation is adequate anyway, even at very low sampling
> > rates (cf. Murdoch and Zielinski, PETS 2007). This is long known and
> > well understood. It's why we have always said that onion routing
> > resists traffic analysis not traffic confirmation.
> 
> I have to agree with the Raccoon here. I actually don't think Murdoch's
> work demonstrated that sampling adversaries can adequately correlate
> web-sized traffic.
> 
> It seems pretty clear to me that the typical sampling rate of 1/2048 did
> not become effective until you were around O(100MB) in transfer. He
> wrote that 1/500 became effective at around O(1MB) in transfer, but that
> is still a bit above most web page sizes.
> 
> There is also the question of an extremely low concurrent flow count
> compared to reality today. He used only 500 flows/hour to correlate,
> where as at any given *second* O(10k) TCP connections are opened through
> every gbit Tor node in operation today. He also used an artificial prior
> distribution on connection sizes. Both of these properties alter the
> event rate and thus the overall accuracy in the experimental results as
> compared to reality.

You know, in hindsight, I don't want to sound like I'm hating on Steven
or his work. His work was quite clear along all of the dimensions I am
talking about, and was excellent research.

He in fact did even compare 500 flows/hour to 50 flows/hour and found
that the success rate did drastically improve, implicitly acknowledging
and measuring the relationship between event rate and accuracy.

I just think that web traffic on the Tor network today is *waaaaaay*
outside the bounds of where you can take his attack and say with any
certainty it would work, both in terms of traffic quantity (much smaller
than his success range) and flows per hour (much larger than his success
range).

And I think the same applies to general correlation, especially in the
face of things like Tor-obfuscated-as-http. Your event rate at the first
NSA guy in the graphic goes waaaay up then, too. Of course, there will
likely have to be a long arms race with the censors before that actually
happens.



-- 
Mike Perry

Attachment: signature.asc
Description: Digital signature

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk