[tor-bugs] #9493 [EFF-HTTPS Everywhere]: Implement an option to pad HTTPS requests against traffic analysis

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Aug 15 13:19:48 UTC 2013


#9493: Implement an option to pad HTTPS requests against traffic analysis
----------------------------------+-----------------------------------------
 Reporter:  pde                   |          Owner:  pde
     Type:  enhancement           |         Status:  new
 Priority:  normal                |      Milestone:     
Component:  EFF-HTTPS Everywhere  |        Version:     
 Keywords:                        |         Parent:     
   Points:                        |   Actualpoints:     
----------------------------------+-----------------------------------------
 One of the tools that dragnet surveillance actors have against both HTTPS
 and Tor is message length analysis.  In general message lengths can be
 used to determine which paths on a give HTTPS domain a browser might be
 requesting (summed, but probably extractably so, with the lengths of
 messages the client might be POSTing to the server), and to perform end-
 to-end traffic analysis of Tor circuits.

 HTTPS Everywhere is in a position to pad requests to servers to some round
 number of bytes (N byte blocks, powers of two, floors of powers of some
 number lower than two).  We could do this by sticking in a new X-Padding:
 HTTP header.  We could also write an RFC specifying that servers should
 pad their responses in a similar way if they see the X-Padding header.
 Perhaps we could persuade some servers to respect this.

 Would this be valuable?  What padding scheme would we want?  Powers of two
 seems too costly for long messages, maybe we could have a hybrid that used
 512 byte blocks for short messages and powers of 1.3 (15% overhead) or
 something for long messages.  Perhaps we could even collaborate with some
 academics to figure out a good padding scheme based on message length
 spectra for gmail, wikipedia, or other major sites.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9493>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list