Once again: Tor timing attacks and a Tor confession

grarpamp grarpamp at gmail.com
Mon Feb 29 01:58:14 PST 2016


On 2/29/16, Georgi Guninski <guninski at guninski.com> wrote:
> Searching the web for "tor timing attacks" (without quotes)
> returns too many hits.
>
> Short summary and PoC is at [1].
>
> At [2] Tor (and/or DoD) confess:

These quote active attacks.

>> The Tor design doesn't try to protect against an attacker who can see
>> or measure both traffic going into the Tor network and also traffic
>> coming out of the Tor network.

"Timing", "seeing", and "measuring" are passive attacks.

There is a difference.

> NSA and the like definitely can "see" traffic almost everywhere,
> so Tor doesn't protect against the NSA, right? (some people learnt
> this the hard way).

"Where" they can see just constrains the probability of having you in that set.

Can the NSA passively pair up "your" comms endpoints therein,
or find "hidden services", I'd say the chance is definitely yes, with
some usage patterns and opsec being easier or more difficult than others.
Enhanced by passively running certain node types.

"Users Get Routed"
"Trawling for Tor Hidden Services"
"TorScan"

Further enhanced by actively attacking traffic or protocols via nodes
or fiber.

"The Sniper Attack"


$25mil or less to most onions and ~25% users, who gives odds?

> IMHO the first fucking thing Tor must do is to make the user click
> at least three times on the above disclaimer.

Disclaimers confuse and ward off users, and aren't popular
in marketing departments.

> [1] http://seclists.org/fulldisclosure/2014/Mar/414
> PoC: End-to-end correlation for Tor connections using an active timing
> attack
> [2] https://blog.torproject.org/blog/one-cell-enough
