On 2/29/16, Georgi Guninski <guninski@guninski.com> wrote:
> Searching the web for "tor timing attacks" (without quotes) returns too many hits.
> Short summary and PoC is at [1].
> At [2] Tor (and/or DoD) confess:
These quote active attacks.
> The Tor design doesn't try to protect against an attacker who can see or measure both traffic going into the Tor network and also traffic coming out of the Tor network.
"Timing", "seeing", and "measuring" are passive attacks. There is a difference.
> NSA and the like definitely can "see" traffic almost everywhere, so Tor doesn't protect against the NSA, right? (some people learnt this the hard way).
"Where" they can see just constrains the probability of having you in that set. Can the NSA passively pair up "your" comms endpoints therein, or find "hidden services"? I'd say the chance is definitely yes, with some usage patterns and opsec being easier or more difficult than others. Enhanced by passively running certain node types: "Users Get Routed", "Trawling for Tor Hidden Services", "TorScan". Further enhanced by actively attacking traffic or protocols via nodes or fiber: "The Sniper Attack". $25mil or less to most onions and ~25% of users, who gives odds?
> IMHO the first fucking thing Tor must do is to make the user click at least three times on the above disclaimer.
Disclaimers confuse and ward off users, and aren't popular in marketing departments.
> [1] http://seclists.org/fulldisclosure/2014/Mar/414 PoC: End-to-end correlation for Tor connections using an active timing attack
> [2] https://blog.torproject.org/blog/one-cell-enough
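As an added illustration of the passive "see both ends and measure" attack the reply above distinguishes from the active PoC in [1] (this is example code written for this note, not code from either poster, from [1], or from the Tor project): a toy end-to-end timing correlation on constructed data. Three synthetic flows are generated as Poisson packet streams on the "entry" side, each is re-observed on the "exit" side after an assumed fixed network delay plus random jitter and the exit flows are presented in shuffled order; the observer bins packet timestamps, computes a lagged Pearson correlation between every entry/exit pair and picks the best match. The delay, jitter, rates and bin sizes are all assumptions chosen for the demo, and no real Tor traffic or cell format is involved.

```python
"""Toy passive end-to-end timing correlation on constructed packet timings.

Added example; all traffic below is synthetic (seeded PRNG), and the delay,
jitter, bin size and flow rates are assumptions picked for illustration.
"""
import random


def make_flow(rng, n_packets, rate):
    """Constructed entry-side timestamps: a Poisson process with the given rate."""
    t = 0.0
    times = []
    for _ in range(n_packets):
        t += rng.expovariate(rate)   # exponential inter-arrival times
        times.append(t)
    return times


def observe_exit(rng, times, base_delay, jitter):
    """Exit-side view of the same flow: assumed fixed delay plus uniform jitter."""
    return sorted(t + base_delay + rng.uniform(0.0, jitter) for t in times)


def bin_counts(times, window, bin_size):
    """Count packets per time bin over [0, window]; later packets are ignored."""
    nbins = int(window / bin_size) + 1
    counts = [0] * nbins
    for t in times:
        i = int(t / bin_size)
        if 0 <= i < nbins:
            counts[i] += 1
    return counts


def correlation(a, b):
    """Pearson correlation of two equal-length count vectors (0.0 if one is flat)."""
    n = len(a)
    ma = sum(a) / n
    mb = sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / (va * vb) ** 0.5


def best_lag_correlation(entry_counts, exit_counts, max_lag):
    """Try shifting the exit series back by 0..max_lag bins; return (max corr, lag).

    The observer does not know the network delay, so it scans a small lag range.
    """
    best = (-1.0, 0)
    for lag in range(max_lag + 1):
        a = entry_counts[:len(entry_counts) - lag]
        b = exit_counts[lag:]
        c = correlation(a, b)
        if c > best[0]:
            best = (c, lag)
    return best


def match_flows(entry_flows, exit_flows, window, bin_size, max_lag):
    """For each entry flow, return the index of the exit flow it correlates best with."""
    entry_bins = [bin_counts(f, window, bin_size) for f in entry_flows]
    exit_bins = [bin_counts(f, window, bin_size) for f in exit_flows]
    matches = {}
    for i, eb in enumerate(entry_bins):
        scores = [best_lag_correlation(eb, xb, max_lag)[0] for xb in exit_bins]
        matches[i] = max(range(len(scores)), key=lambda j: scores[j])
    return matches


def demo(seed=1):
    """Build three constructed flows, shuffle their exit views, and re-pair them.

    Returns (matches, truth): the observer's pairing and the true pairing.
    """
    rng = random.Random(seed)
    window = 60.0                                   # seconds observed at both ends
    entry = [make_flow(rng, 300, rate) for rate in (4.0, 6.0, 5.0)]
    # Assumed 0.5 s path delay with up to 0.2 s jitter, then shuffled exit order.
    exit_views = [observe_exit(rng, f, 0.5, 0.2) for f in entry]
    order = [2, 0, 1]                               # exit slot j carries entry flow order[j]
    exit_shuffled = [exit_views[k] for k in order]
    matches = match_flows(entry, exit_shuffled, window, bin_size=0.5, max_lag=4)
    truth = {i: order.index(i) for i in range(len(entry))}
    return matches, truth


if __name__ == "__main__":
    got, want = demo()
    for i in got:
        print(f"entry flow {i} -> exit slot {got[i]} (truth: {want[i]})")
```

Nothing here touches a network: the point is only that with timestamps from both sides of a path, plain bin-and-correlate recovers the pairing despite unknown delay and jitter, which is the capability the Tor disclaimer quoted above says the design does not defend against. Real-world correlation is harder (shared links, congestion, far more concurrent flows), but the "passive" part of the reply's distinction is exactly that no packets need to be injected or delayed to do this.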