[tor-bugs] #18552 [Tor Browser]: timing oracle for rendezvouz circuits
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Mar 15 05:16:16 UTC 2016
#18552: timing oracle for rendezvouz circuits
-----------------------------+--------------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: new
Priority: Very Low | Milestone:
Component: Tor Browser | Version:
Severity: Trivial | Keywords: timing performance
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
-----------------------------+--------------------------------
The ''performance'' and ''XMLHTTPRequest'' javascript APIs provide a
toolset sufficient enough to measure for the existence of previously
established rendezvous circuits.
Since CORS headers can only be determined after a request is performed, by
measuring the time to failure on a series of cross-domain requests and
observing the difference between the time-to-failure on the first and
subsequent requests we could determine if a user has an already
established circuit with a given rendezvous website.
While the timing on ''performance'' is quite coarse, it is sufficient to
detect the build time of a rendezvous circuit. If the subsequent requests
consistently take the same time as the initial request it could be
inferred that the user already had a circuit established to the onion
address being tested by the ''XMLHTTPRequest''.
The measurement capabilities are very weak given that the sample set of
the initial connection can only be 1, as such this attack is not very
reliable.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18552>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list