[guardian-dev] Flaws in Tor anonymity network spotlighted

Nathan Freitas nathan at freitas.net
Sun Jan 2 14:16:36 UTC 2011


On 01/01/2011 06:33 PM, Hans-Christoph Steiner wrote:
> 
> At CCC, some people presented some possible ways of defeating the Tor
> anonymity.  Its hard to do, so it's not like Tor is useless in the face
> of this, but it seems like something to be aware of:


I am curious to hear a more formal or public response on this, but I do
believe there are ways this flaw is addressed, and as you said, this
attack lives with the realm of possible, but not probable.

However, in relation to mobile, which is more app-centric than
browser-centric, I do believe one of the main vectors for this attack
was being able to start with "what are the most popular 100 websites",
and using the page/fetch size of accessing those sites as a starting
point for analysing traffic.

I am curious that with the more API-centric approach of a mobile app,
would the potential of this attack be lessened? I suppose you could
create a similar fingerprint based on JSON or XML data access patterns,
but I also feel that the relative difference in request/response size of
an API call would be harder to differentiate between sites and services.

Unfortunately, mobile apps introduce a new significant risk to user
privacy, in terms of this attack, I feel they offer a potential advantage.

+nathan





More information about the tor-dev mailing list