On Sat, Mar 19, 2016 at 04:02:53AM +0100, coderman wrote:
> On 3/19/16, Oskar Wendel <o.wen...@wp.pl> wrote:
> >...
> > Let's set up a service in a way that it will modulate the traffic, so the
> > download would look like:
> > [ some distinct signaling here...]
>
> yes; it's a traffic confirmation attack, and by interrupting the flow
> you confirm that the endpoints in question are involved in that flow.
Right. This general idea of a traffic confirmation attack is an issue to consider for any low-latency system.

One of the questions to ask is how many points you need to watch in order to be in a position to launch the attack. This is where Tor fares better than centralized approaches like VPNs or single-hop proxies, and it's Tor's best line of defense here.

Another question to ask is whether there will be false positives in the statistics, i.e. how often your analysis says "yes, match" when actually it's mistaken. In your scenario, the adversary is doing an active attack on the traffic, so while I think it's legitimate to speculate about how false positive rates maybe get high when you're looking at many Tor flows across many relays (the NSA scenario -- and we even have a document from an NSA analyst being frustrated by the false positives), I think it's fair to say that if you generate the signals clearly enough, false positives will be much less of a worry.

The third question you might ask is: can I inject these signals in a way that they're still recognizable to me, but observers don't realize that anything weird is going on with the traffic? That is, can I do this active traffic modulation attack but still be undetectable? For that topic, check out these papers:

http://freehaven.net/anonbib/#ndss09-rainbow
http://freehaven.net/anonbib/#ndss11-swirl
http://freehaven.net/anonbib/#pets13-flow-fingerprints

--Roger

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
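An added illustration of the false-positive point Roger raises above (this is example code written for this page, not part of the thread or of Tor): it simulates the passive "many flows across many relays" situation by correlating one flow's per-window byte counts against a population of independent, randomly generated flows. Every match it reports is by construction a false positive, and the count grows with the size of the candidate population, which is why a correlation "hit" carries little evidentiary weight on its own without a false-positive estimate. The flow model (uniform random byte counts per window) and the thresholds are constructed assumptions, not measurements of real Tor traffic.

```python
import math
import random


def synthetic_flow(n_windows, rng):
    """Constructed stand-in for a flow: bytes observed per time window."""
    return [rng.randint(0, 20) for _ in range(n_windows)]


def pearson(xs, ys):
    """Pearson correlation of two equal-length byte-count series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0  # a constant series correlates with nothing
    return cov / math.sqrt(vx * vy)


def count_false_matches(n_candidates, n_windows, threshold, seed=1):
    """Correlate one target flow against n_candidates independent flows.

    Because every candidate is generated independently of the target,
    any correlation above `threshold` is a false positive by construction.
    Returns the number of such spurious matches.
    """
    rng = random.Random(seed)
    target = synthetic_flow(n_windows, rng)
    matches = 0
    for _ in range(n_candidates):
        candidate = synthetic_flow(n_windows, rng)
        if pearson(target, candidate) > threshold:
            matches += 1
    return matches


def false_matches_by_population(populations, n_windows, threshold):
    """Map each candidate-population size to its spurious match count,
    showing how false positives scale with the number of flows watched."""
    return {n: count_false_matches(n, n_windows, threshold) for n in populations}


if __name__ == "__main__":
    # Short observation windows (10 samples) and a loose threshold: the
    # spurious-match count rises roughly linearly with the population.
    for n, hits in false_matches_by_population([100, 1000, 10000], 10, 0.5).items():
        print(f"{n:6d} unrelated flows -> {hits:5d} spurious matches above r=0.5")
```

Lengthening the observation (more windows) or tightening the threshold drives the spurious count toward zero, which is the quantitative side of the "generate the signals clearly enough" remark.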