Mon Feb 29 12:23:25 EET 2016

Once again: Tor timing attacks and a Tor confession

Email I sent to cypherpunks; so far the flamewar is low:
https://cpunks.org/pipermail/cypherpunks/2016-February/012436.html


Searching the web for "tor timing attacks" (without quotes)
returns too many hits.

A short summary and PoC are at [1].

At [2] Tor (and/or DoD) confess:

>The Tor design doesn't try to protect against 
>an attacker who can see or measure both traffic 
>going into the Tor network and also traffic coming out of the Tor network.

NSA and the like definitely can "see" traffic almost everywhere,
so Tor doesn't protect against the NSA, right? (some people learnt
this the hard way).

IMHO the first fucking thing Tor must do is to make the user click
at least three times on the above disclaimer.

Trying to make the rant on topic:

Is it theoretically possible at all to make low-latency anonymity
of sufficiently decent quality?

[1] http://seclists.org/fulldisclosure/2014/Mar/414
PoC: End-to-end correlation for Tor connections using an active timing attack
[2] https://blog.torproject.org/blog/one-cell-enough

Posted by j