[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Traffic Obfuscation

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Traffic Obfuscation
From: Mansour Moufid <mansourmoufid@xxxxxxxxx>
Date: Wed, 4 Sep 2013 23:40:21 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 04 Sep 2013 23:40:41 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=9WK0PSqjtMDxZLWRZXGF+bjZqkqVEiHXmFqpNpmyzN4=; b=P/fBRv4sdd7mK5I6ZvZI8S7kLGPsdL5wMfsriLtZwDUqhRF08nm7nzt8cW2UutewUK +yMmOFOrKTIcCVlwFqklu3Ciouvc61Hf3+M9JcSi0Ua471UrA5hNg1WMjEfsxpBHhjBI 7P5avA+goGWHst0vhgT9MQ6GeYTx1MfKX0p4Xp236WDgTFBVfnYQdaQBZRkDKR/n/hKW YYAiIs4MkEayliCJdR2mWcLUjun9iHNUazMSLivppi2mOijr5L0YBKJPxYDbF+gcObgS HRJ/aZkFPIbztf810PrgSSwnRG9DR08slgstMXku2+cnblEquKpzU66vCqtBq94wV1ZA ucTw==
In-reply-to: <trinity-1cf7f97f-d7d1-407c-b4d1-76018991407f-1378339750477@3capp-webde-bs30>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <trinity-1cf7f97f-d7d1-407c-b4d1-76018991407f-1378339750477@3capp-webde-bs30>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On 2013-09-04, at 8:09 PM, josef.winger@xxxxxxxx wrote:

> Can a developer please explain to me why something like the 
> following obfuscation of 'torified traffic' is exploitable?
> 
> Suppose a scenario where a collective of authorities is able
> to observe large parts of the www. Then observing traffic
> correlation can unreveal a connection through the network.
> 
> But why can't we just alter the pattern inside the network,
> such that there is no correlation between 'incomming' and
> 'outgoing' data anymore?

Regardless of what goes on inside the network, the traffic must be in-
order at the points of entrance and exit to the network (a property of
TCP). Those are the points of interest to an observer doing traffic
correlation.

Compounding that problem is the low latency of the network: the relative
timing within any given stream is preserved.

The first problem might be mitigated with packet padding; the second
problem might be mitigated with random packet delays. My understanding
is that these two approaches are being studied at the moment.

Modifying the behaviour of traffic within the network does not help.

It has also been suggested that cover traffic is a solution, based on a
Bayesian argument with (IMHO) incorrect assumptions. I think it will be
proven wrong as attacks get better.

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] Traffic Obfuscation
  - From: josef . winger

Prev by Author: [tor-dev] tor-bundle:How to extend the firefox context menu?
Next by Author: [tor-dev] Quickly testing TOR using Chutney and Fluxcapacitor
Previous by thread: Re: [tor-dev] Traffic Obfuscation
Next by thread: [tor-dev] Torsocks tests
Index(es):
- Author
- Thread