On 10/16/21, Peter Fairbrother <peter@tsto.co.uk> wrote:
> except an observer can see when you are sending real traffic, somewhere within the burst. And maybe correlate that with some other network i/o
No, all a network tap can see is that you are moving encrypted packets, they can't see inside them as to chaff/wheat/content, can't time count or characterize match them with any other node's traffic or perturb you across the cloud because you've already negotiated strict perform-or-die link contracts out your NIC with all your nexthop nodes, and them out their own NIC to their peers thus breaking discoverable network ripples ("bursts"), etc.
> assuming there is some other traffic on the network, how does the attacker know that A's solitary traffic is to onion1 and not to someone else?
Doesn't matter if or where the rest of the net is saturated, only A and onion1 need matched up, and if you're not doing fulltime TA defenses then opportunities will exist to match, so they tap A, run or tap onion1... including just tapping as much net as they can from any sufficient vantage points such as Tier-N ISPs, cablecorp landings, top secret cable taps... dump all the nodes' traffic into the pattern matcher, run matches lining up all the bursts bumps waves megabytes jitters mouseclicks sessions coffee breaks etc that they can see, game over.

As NSA said, you're probably not going to deanon every stream every time upon demand, but...

- You don't have to, users will emit more chances for you.
- Matching engines software and hardware have advanced light years ahead of where they were 10++ years ago when those slides were generated, while tor has remained static [1].

The Tor Project and its people knew of the traffic analysis problem since day one 20+ years ago, and have done almost nothing since then to attempt to defeat it to any magnitude of reduction, and have refused to prominently disclaim the problem to their funders and users, instead choosing to bury it, taking down such warnings and "bricking up" and censoring all their public comms channels against such embarrassing truths and points of consideration. That's fraudulent, despicable, hypocritical, stifling development, etc. You decide. But most importantly, and eventually, if not already, some unsuspecting users who were tricked into buying the glossy sales flyers are going to get fucked by it.

[1] More or less same for most nets in current use, and nets in R&D, but subject is about big whale Tor, and its influence on the space.
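
The following is an added illustration, not part of either poster's message: a toy slot-based model of the fixed-rate, chaff-filled link discussed above, comparing what a passive tap can line up between A and onion1 with and without padding. The slot size, delay, cross-traffic range and all function names are constructed assumptions, and the model covers only per-slot volume on a single link.

```python
import random
from statistics import mean

SLOT_BYTES = 1500  # assumed link contract: bytes put on the wire in every slot

def bursty_flow(slots, seed=1):
    """Constructed user traffic (wheat) at A: idle slots with occasional bursts."""
    rng = random.Random(seed)
    flow, left = [], 0
    for _ in range(slots):
        if left == 0 and rng.random() < 0.05:
            left = rng.randint(5, 20)
        flow.append(rng.randint(800, SLOT_BYTES) if left else 0)
        left = max(0, left - 1)
    return flow

def next_hop_view(flow, delay, seed=2):
    """Unpadded tap at onion1: A's flow, delayed, plus unrelated cross traffic."""
    rng = random.Random(seed)
    shifted = [0] * delay + flow[:len(flow) - delay]
    return [b + rng.randint(0, 300) for b in shifted]

def pad(flow):
    """Fill each slot with chaff up to SLOT_BYTES; returns (on-wire sizes, chaff)."""
    chaff = [SLOT_BYTES - b for b in flow]
    return [b + c for b, c in zip(flow, chaff)], chaff

def pearson(x, y):
    """Pearson correlation; 0.0 when either series is flat (nothing to match)."""
    mx, my = mean(x), mean(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5

def best_match(tap_a, tap_b, max_lag=10):
    """Best correlation over candidate lags between two per-slot byte counts."""
    return max(pearson(tap_a[:len(tap_a) - lag], tap_b[lag:])
               for lag in range(max_lag + 1))

if __name__ == "__main__":
    flow = bursty_flow(600)
    wire, _ = pad(flow)
    print("unpadded:", round(best_match(flow, next_hop_view(flow, 3)), 3))
    print("padded:  ", best_match(wire, wire))
```
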