Re: [tor-bugs] #10451 [Tor]: Allow me to have a short HeartBeatPeriod
#10451: Allow me to have a short HeartBeatPeriod
-------------------------+-------------------------------------------------
     Reporter: cypherpunks |      Owner:
         Type: defect      |     Status: new
     Priority: normal      |  Milestone: Tor: 0.2.???
    Component: Tor         |    Version: Tor: 0.2.4.18-rc
   Resolution:             |   Keywords: tor-relay, easy, heartbeat, needs-research
Actual Points:             |  Parent ID:
       Points:             |
-------------------------+-------------------------------------------------
Comment (by badon):

To correlate vague statistics in a de-anonymizing way requires time. In
short, the more time the logged statistics cover, the more time is
required to use them to de-anonymize someone. Off the top of my head, this
appears to be mostly limited to bulk traffic analysis, because that's what
the heartbeat statistics contain. The traffic analysis scenario is fairly
well studied, so I think we have a basis for insight into the risk
involved here.

Firstly, an attacker must have access to the heartbeat statistics over a
long period of time. I don't know how long, but let's make a wild guess
that to successfully de-anonymize someone, you would need to observe at
least 10'000 heartbeats. I suspect the true minimum number could be far
higher, and it might be a non-linear relationship where the number of
heartbeats required increases faster for longer heartbeat periods.

Here's a very simple totally made-up hypothetical example, without a
non-linear increase in observation time:

If heartbeats occur every 1 second, then the attacker would need to
observe for 10'000 seconds, or 2.78 hours. If heartbeats occur every 300
seconds (5 minutes), then I will make a wild guess that the attacker would
need to observe for 10'000 * 300 seconds, which is 833.33 hours, or 34.72
days. All of this assumes the attacker has access to the Tor logs, which
probably means log correlation via traffic analysis is less of a problem
than other things the attacker might be able to do. Oh, and another thing,
it probably also assumes that the logs are being written to disk, which
isn't normally done.

I hope this thought experiment gives you further ideas for judging the
risks that might come from implementing this idea. I think it would be
very helpful and enlightening to have more status information available.
The end result might be increased security, due to insights people have
while observing the status information. Either way, I think it should be
at least possible to configure rapid heartbeats, even if it is insecure,
if only for research purposes.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10451#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online