Mix+TB Test: > dhanlin: >> Sebastian G. <bastik.tor>: >>> 04.01.2014 09:05, dhanlin: >>> It also depends on where and who your adversary is. >> >> The adversary I had in mind was a malicious exit node administrator. If >> all e-mail accounts are accessed using the same circuit, it seems the >> exit node would see the near simultaneous connections (assume encrypted) >> to various e-mail servers, and even with one occurrence suspicion could >> be developed that the accounts accessed are linked. >> >> Suppose I check simultaneously: >> - john....@yandex.com >> - jane....@gmail.com >> - my.actual.n...@my.server.org >> >> If the adversary wants to create a database linking many e-mail accounts >> accessed over Tor using secure connections, they could collect >> simultaneous e-mail account accesses from their exit node. When the >> combination of the servers accessed simultaneously is distinct (e.g. >> yandex.com + gmail.com + my.server.org), the accounts can be linked, >> even if their account names are unknown. (The actual account names >> could be found out retrospectively, for example by subpoena of gmail.com >> accounts accessed at a certain time.) > > The exit node admin should only be able to see which email services you > are talking to, not the address you are using (assuming end-to-end > encryption). An even then they are only going to see it when you exit > through that node, which should not be all the time. > > So worst case is that they can see three simultaneous connections to > different providers, not which addresses are in use.
Yes, but with cooperation between the e-mail provider(s) and the malicious exit node, pseudonymous accounts can be connected to accounts using a real identity. For example, if the NSA runs a malicious exit node and wants to know the identity of jane....@gmail.com, they can take from Google all the access times for that account. Then they can look at the logs of their exit node, and find possible accesses to that account, and link them to other e-mail provider accesses. If one of these providers is say a personal e-mail server at a domain with valid WHOIS, jane....@gmail.com is deanonymized. I see your point that an malicious exit node cannot itself deanonymize by connecting accounts (unless the e-mail providers themselves would deanonymize the user, which is possible). So the attack is a little harder than I initially thought. There seems to be no technological impediment to an e-mail provider and a malicious exit node cooperating, though. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
