Thus spake Mike Perry (mikeperry@xxxxxxxxxx):

> Thus spake Robert Ransom (rransom.8774@xxxxxxxxx):
> 
> > On Thu, 23 Jun 2011 10:10:35 -0700
> > Mike Perry <mikeperry@xxxxxxxxxx> wrote:
> > 
> > > Thus spake Georg Koppen (g.koppen@xxxxxxxxx):
> > > 
> > > > > If you maintain two long sessions within the same Tor Browser Bundle
> > > > > instance, you're screwed -- not because the exit nodes might be
> > > > > watching you, but because the web sites' logs can be correlated, and
> > > > > the *sequence* of exit nodes that your Tor client chose is very likely
> > > > > to be unique.
> > > 
> > > I'm actually not sure I get what Robert meant by this statement. In
> > > the absence of linked identifiers, the sequence of exit nodes should
> > > not be visible to the adversary. It may be unique, but what allows the
> > > adversary to link it to actually track the user? Reducing the
> > > linkability that allows the adversary to track this sequence is what
> > > the blog post is about...
> > 
> > By session, I meant a sequence of browsing actions that one web site
> > can link. (For example, a session in which the user is authenticated
> > to a web application.) If the user performs two or more distinct
> > sessions within the same TBB instance, the browsing actions within
> > those sessions will use very similar sequences of exit nodes.
> > 
> > The issue is that two different sites can use the sequences of exit
> > nodes to link a session on one site with a concurrent session on
> > another.
> 
> Woah, we're in the hinterlands, tread carefully :).
> 
> I still think Tor should just do this, though. Every app should be
> made unlinkable by a simple policy there by default, and we should
> just rate limit it if it gets too intense (similar to NEWNYM rate
> limiting).

Arg. The demons in my head just told me that there exists a stupid
mashup web-app out there just waiting to ruin our day if we do this in
Tor without browser interaction.

The demons tell me at least one stupid banking or shopping-cart site
checks to make sure both the IP address and the cookies match for all
pieces of the app to work together across domains. I think the demons
are right. I think this is why we created TrackHostExits, but the
demons just laugh and tell me that the hosts are not the same in this
case.

So perhaps Torbutton-controlled per-tab proxy username+password is the
best option? Oh man am I dreading doing that... (The demons laugh
again.)

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
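Editor's note: the exchange above is easier to reason about with a toy model in hand, so the following is an added example (not Tor or Torbutton code, and not posted by anyone in the thread). It simulates Robert's attack: two sites, each with its own authenticated session per user, hand their logs to one adversary, who links the sessions purely by the sequence of exit addresses each session used. It then flips on per-site circuit isolation (one circuit per isolation key, a stand-in for the per-tab SOCKS username+password Mike mentions) and also measures the cross-domain "same IP?" check that the mashup-style site in Mike's last paragraph would perform. The exit addresses, session timings, 600-second rotation interval, user count and the exact-match linking rule are all constructed assumptions of this example.

```python
"""
Toy model of the exit-sequence linkage attack described in the thread, plus
the cross-domain "IP must match" mashup check that circuit isolation breaks.
Added illustrative code, not Tor or Torbutton code. Exit addresses, timings,
rotation interval and the isolation model are constructed assumptions.
"""
import random
from collections import defaultdict

# Constructed placeholder exit addresses (TEST-NET-2, never routed).
EXITS = [f"198.51.100.{i}" for i in range(1, 41)]
DIRTINESS = 600  # seconds a circuit is reused before a fresh exit is picked


class ToyTorClient:
    """One circuit per isolation key; a new exit is picked once it ages out."""

    def __init__(self, seed):
        self.rng = random.Random(seed)
        self.circuits = {}  # isolation key -> (exit_ip, built_at)

    def exit_for(self, key, now):
        exit_ip, built = self.circuits.get(key, (None, None))
        if built is None or now - built > DIRTINESS:
            exit_ip, built = self.rng.choice(EXITS), now
            self.circuits[key] = (exit_ip, built)
        return exit_ip


def browse(client, users, isolate_per_site, duration=3 * 3600, step=60):
    """Every user holds one authenticated session on site A and one on site B
    at the same time. Returns what each site's web log would record:
    {site: [(time, session_id, client_ip)]}. The session id is the linkable
    identifier a logged-in site has; it is never shared between sites."""
    logs = defaultdict(list)
    for t in range(0, duration, step):
        for u in users:
            for site in ("A", "B"):
                key = (u, site) if isolate_per_site else (u,)
                logs[site].append((t, f"{site}-sess-{u}", client.exit_for(key, t)))
    return logs


def exit_sequence(rows):
    """Collapse one session's log rows into its ordered run of distinct exits."""
    seq = []
    for _, _, ip in sorted(rows):
        if not seq or seq[-1] != ip:
            seq.append(ip)
    return tuple(seq)


def link_sessions(logs):
    """Adversary holding both sites' logs: pair an A session with a B session
    when their exit sequences are identical and unique on each site."""
    seqs_by_site = {}
    for site, rows in logs.items():
        per_session = defaultdict(list)
        for row in rows:
            per_session[row[1]].append(row)
        seqs = defaultdict(list)
        for sid, srows in per_session.items():
            seqs[exit_sequence(srows)].append(sid)
        seqs_by_site[site] = seqs
    links = []
    for seq, a_ids in seqs_by_site["A"].items():
        b_ids = seqs_by_site["B"].get(seq, [])
        if len(a_ids) == 1 and len(b_ids) == 1:
            links.append((a_ids[0], b_ids[0]))
    return sorted(links)


def user_of(session_id):
    return session_id.split("-sess-")[1]


def cross_site_ip_match(logs):
    """Fraction of (user, time) points at which sites A and B saw the same
    client IP. A mashup that only works when the IP matches across its
    domains needs this to be 1.0."""
    a_ip = {(t, user_of(sid)): ip for t, sid, ip in logs["A"]}
    hits = [a_ip[(t, user_of(sid))] == ip for t, sid, ip in logs["B"]]
    return sum(hits) / len(hits)


def run(isolate_per_site, n_users=50, seed=7):
    """Returns (links found, links that are correct, cross-site IP match rate)."""
    users = list(range(n_users))
    logs = browse(ToyTorClient(seed), users, isolate_per_site)
    links = link_sessions(logs)
    correct = sum(1 for a, b in links if user_of(a) == user_of(b))
    return len(links), correct, cross_site_ip_match(logs)


if __name__ == "__main__":
    print("shared circuit:", run(False))  # every pair linked, mashup IP check passes
    print("per-site keys :", run(True))   # nothing linked, mashup IP check fails
```

With one circuit per user, every A/B pair is linked and all links are right, because both sites see the same ~17-exit sequence and no two users share one. With a separate circuit per (user, site) key, the adversary links nothing, but the cross-site IP match rate collapses to roughly 1/40, which is exactly the mashup breakage Mike's demons are warning about. A real adversary would not need exact sequence equality; time-aligned approximate matching on partial logs works too, so the toy's "identical and unique" rule understates the attack rather than overstating it.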
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev