Re: Effect of Tor window size on performance

["Steven J. Murdoch" <tor+Steven.Murdoch@xxxxxxxxxxxx>]

On Fri, Feb 13, 2009 at 05:23:41PM -0500, Roger Dingledine wrote:
> I've heard from a few people studying the "website fingerprinting"
> attack (see #1 on https://www.torproject.org/volunteer#Research) that
> Tor's directory fetches confuse their statistics. Whether it's something
> that could be easily distinguished and removed from their statistics is
> an open question.

Currently, directory fetches are trivial to remove from traffic dumps,
with high probability.

Firstly, directory fetches don't use guards. So if you watch for a
little while, the guards become obvious and the remainder can be
eliminated. 

Secondly, the directory fetches use very large TLS application
records. I assume this is because the mirror can serve the document
straight out of memory, rather than having to wait for cells to
trickle in.

Both these issues could be fixed, but then some more subtle traffic
analysis techniques could be used (e.g. using latency of round-trips
to see circuit extension and count hops). Making them hard to
distinguish would be a difficult problem.

Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/