[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #18552 [Tor Browser]: timing oracle for rendezvouz circuits

Subject: [tor-bugs] #18552 [Tor Browser]: timing oracle for rendezvouz circuits
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 15 Mar 2016 05:16:16 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 15 Mar 2016 01:16:27 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#18552: timing oracle for rendezvouz circuits
-----------------------------+--------------------------------
     Reporter:  cypherpunks  |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  Very Low     |  Milestone:
    Component:  Tor Browser  |    Version:
     Severity:  Trivial      |   Keywords:  timing performance
Actual Points:               |  Parent ID:
       Points:               |   Reviewer:
      Sponsor:               |
-----------------------------+--------------------------------
 The ''performance'' and ''XMLHTTPRequest'' javascript APIs provide a
 toolset sufficient enough to measure for the existence of previously
 established rendezvous circuits.

 Since CORS headers can only be determined after a request is performed, by
 measuring the time to failure on a series of cross-domain requests and
 observing the difference between the time-to-failure on the first and
 subsequent requests we could determine if a user has an already
 established circuit with a given rendezvous website.

 While the timing on ''performance'' is quite coarse, it is sufficient to
 detect the build time of a rendezvous circuit. If the subsequent requests
 consistently take the same time as the initial request it could be
 inferred that the user already had a circuit established to the onion
 address being tested by the ''XMLHTTPRequest''.

 The measurement capabilities are very weak given that the sample set of
 the initial connection can only be 1, as such this attack is not very
 reliable.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18552>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: [tor-bugs] #18551 [EFF-HTTPS Everywhere]: Duolingo speach recognition fails to load
Next by Author: Re: [tor-bugs] #18370 [Tor]: Apparmor prevents last tor build from starting
Previous by thread: [tor-bugs] #18551 [EFF-HTTPS Everywhere]: Duolingo speach recognition fails to load
Next by thread: Re: [tor-bugs] #18370 [Tor]: Apparmor prevents last tor build from starting
Index(es):
- Author
- Thread