On Mon, Jun 09, 2014 at 05:09:31PM +0200, Martin Kepplinger wrote:
> So assuming that people here
> https://www.blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget
> are serious and do a "straight-forward", yet clever passive-observer
> attack on Users; Given that they are listening *really* well and
> knowingly manage to become Guard + Exit of Users in order to deanonymize
> them:

I really don't think you need to be Guard+Exit for that. They talk about "successful real-world de-anonymization case studies, ranging from attribution of botnet command and control servers, to drug-trading sites, to users of kiddie porn places". Those are cases in which they should be able to get law enforcement assistance, even more so given that they work for CERT. And with law enforcement assistance, you can do lots of fancy attacks.

As far as I can see, you don't need to be the guard to deanonymize someone; it's enough to find out who the guard is, get a court order and sniff the guard's traffic. And finding out who the guard is doesn't sound terrifyingly hard to me: you could flood Tor relays with traffic and measure whether there is any impact on the user's connection speed, you could measure IP ID increases for all the Windows boxes that send out globally monotonic IP IDs and are still allowed on the Tor network (see these posts on tor-relays by me:
https://lists.torproject.org/pipermail/tor-relays/2014-March/004199.html
https://lists.torproject.org/pipermail/tor-relays/2014-April/004205.html
https://lists.torproject.org/pipermail/tor-relays/2014-April/004208.html
), heck, maybe you'd even be able to use the bandwidth stats that relays publish to trace stuff to the guard. So I think that being a malicious exit might well be sufficient to trace a user.

Of course, all this stuff should work even better against hidden services because it shouldn't matter if your attack takes a month to complete as long as the entry guards stay the same.

> 2. Would some kind of "web-noise" generation in Torbrowser help? like so
> https://addons.mozilla.org/en-US/firefox/addon/white-noise-generator

Heh, never. In particular not because the exit or the server at the other end might attack you with something like this open-source PoC I built for tracing connections through Tor with an active end-to-end-correlation attack:
http://git.thejh.net/?p=detour.git;a=blob;f=README
http://git.thejh.net/?p=detour.git;a=tree
To prevent that attack traffic from being measurable, you'd need so much cover traffic that the Tor network couldn't handle it anymore, I think.
Attachment: signature.asc (Digital signature)
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
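The active end-to-end-correlation attack and the cover-traffic argument above, as an added, self-contained simulation (editorial example; this is not the detour PoC linked in the message, nor any code from the thread). The attacker, sitting at the exit or at the destination server, imposes a pseudo-random on/off burst schedule on the target's stream; a passive observer at a candidate guard bins the bytes per 100 ms, slides the schedule over the observation to absorb the unknown Tor delay, and reports the best Pearson correlation. The bin width, the 4096-byte burst size, the 512-byte average packet size and the Gaussian approximation of Poisson cover traffic are all assumptions chosen for the illustration, and every input is constructed in the block. Running it shows why white-noise add-ons do not help: the correlation only drops into the noise floor once the unrelated traffic on the observed link is roughly two orders of magnitude larger than the injected bursts.

```python
import math
import random

BIN_MS = 100        # assumed width of one timing bin (ms)
PACKET_BYTES = 512  # assumed average size of an unrelated (cover) packet
BURST_BYTES = 4096  # assumed size of one injected burst


def make_signature(num_bins, seed=7):
    """Pseudo-random on/off burst schedule the attacker injects (constructed)."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(num_bins)]


def simulate_observation(signature, lag, cover_rate, seed=1):
    """Bytes per bin as seen by an observer downstream (constructed simulation).

    Injected bursts arrive `lag` bins after they were sent. `cover_rate` is the
    mean number of unrelated packets per bin sharing the observed link; their
    count is drawn from a Gaussian approximation of a Poisson distribution.
    """
    rng = random.Random(seed)
    n = len(signature)
    observation = []
    for i in range(n):
        cover_pkts = max(0.0, rng.gauss(cover_rate, math.sqrt(cover_rate)))
        sent = i - lag
        burst = BURST_BYTES if 0 <= sent < n and signature[sent] else 0
        observation.append(cover_pkts * PACKET_BYTES + burst)
    return observation


def pearson(a, b):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / math.sqrt(va * vb)


def best_match(signature, observation, max_lag=20):
    """Slide the signature over the observation to absorb the unknown path delay.

    Returns (best_lag, best_score). A score near 1 means the observed link
    carries the injected pattern; a score at the noise floor (roughly
    1/sqrt(number of bins)) means it does not.
    """
    n = len(signature)
    best_lag, best_score = 0, -1.0
    for lag in range(max_lag + 1):
        score = pearson(signature[: n - lag], observation[lag:])
        if score > best_score:
            best_lag, best_score = lag, score
    return best_lag, best_score


def cover_sweep(num_bins=600, lag=4, rates=(0, 8, 64, 512, 6400)):
    """Correlation score of the target's link for increasing amounts of cover traffic."""
    sig = make_signature(num_bins)
    return {rate: best_match(sig, simulate_observation(sig, lag, rate)) for rate in rates}


if __name__ == "__main__":
    for rate, (lag, score) in cover_sweep().items():
        mb_per_s = rate * PACKET_BYTES * (1000 / BIN_MS) / 1e6
        print(f"cover {rate:5d} pkts/bin (~{mb_per_s:6.2f} MB/s): lag={lag:2d} score={score:.3f}")
```

The sweep uses a seeded generator, so the numbers are reproducible. With no cover traffic the score is 1.0 at the true lag; at 64 cover packets per bin (about 0.3 MB/s on the observed link) the pattern is still found with a score near 0.45; only at thousands of cover packets per bin, several megabytes per second per client, does the score fall to the level of an unrelated stream. That is the volume the message says the Tor network could not carry.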