[tor-talk] Results of experiment on distinguishing tor from normal SSL traffic

Subject: [tor-talk] Results of experiment on distinguishing tor from normal SSL traffic

From: John Barker <jebarker@xxxxxxxxx>

Date: Mon, 14 Mar 2011 13:09:41 +0800

Delivery-date: Mon, 14 Mar 2011 01:10:01 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:date:message-id:subject:from:to :content-type; bh=MdITWMsbXmPKFz7HqZPwKmugnPDINaw1B3OnJYjIGQ0=; b=RBM9zTT0WdddjZ43nbfUr9KbyJkjTE0ZF64vdII0/TPlk5ptPGUXg0qCPcTY7a12iH /MbWj2mlbW00K1dBEgokdIClcv4HW8UFpaCUU1XbWHPzaYtAvuiWeOfeM8hY4w5p2Dpf RJ+meM94LN3b3Z3fRZZL+67bQBZkeBk5UYNrY=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=WXTnDXYqhXZ6EMchfbGneizeKdMJ9dfdi11Dj02YfxvweJCpBi42xmw1yqe7f3Ps5v JtYQXc3Yi+daDinIM1wkGiUkfOMP964qZBSe4zDC8YQ2oh1qVjqHY6cg/ZIdqAsZzm0Z 3CzhslUrFMMvAd6hJWJyTSvVOJ7WmwqMIn8y8=

List-archive: <http://lists.torproject.org/pipermail/tor-talk>

List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>

List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>

List-post: <mailto:tor-talk@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>

Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx

Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

Beginning of last year I took on an Honours course at uni and began a thesis, I wanted to try and attempt to answer some of the questions being asked here:

Our censorship-resistance goals include preventing an attacker who's looking at Tor traffic on the wire fromdistinguishing it from normal SSL traffic. Obviously we can't achieve perfect steganography and still remain usable, but for a first step we'd like to block any attacks that can win by observing only a few packets. One of the remaining attacks we haven't examined much is that Tor cells are 512 bytes, so the traffic on the wire may well be a multiple of 512 bytes. How much does the batching and overhead in TLS records blur this on the wire? Do different buffer flushing strategies in Tor affect this? Could a bit of padding help a lot, or is this an attack we must accept?

Being an honours project conducted part time amongst otherÂresponsibilities, the scope of my research has been quite limited but I've made some progress.

The experiment was conducted with a small physically isolated test network, 15 test relays on a single pc and about 30 different sample websites with different network characteristics. I sniffed traffic from a number of Selenium test examples connecting over HTTPS, using HTTP over Tor and using HTTPS over Tor.

My initial analysis has just been plugging the packet traces into Weka and seeing what happened. This is what the matchers come up with so far (sorry about the formatting, I've just replaced the & characters in the latex table):

ÂTrue Positive Rate False Positive Rate ROCÂ