Tor seems to have a huge security risk--please prove me wrong!

Paul Syverson syverson at itd.nrl.navy.mil
Sun Aug 29 03:02:04 UTC 2010


On Sat, Aug 28, 2010 at 02:51:35PM -0400, Roger Dingledine wrote:
> On Sat, Aug 28, 2010 at 11:20:41AM -0400, Paul Syverson wrote:
> > What you describe is known in the literature as website fingerprinting
> > attacks,
> [snip]
> > Roughly, while Tor is not invulnerable to such an attack, it fares
> > pretty well, much better than other systems that this and earlier
> > papers examined mostly because the uniform size cells that Tor moves
> > all data with adds lots of noise.
> 
> Maybe. Or maybe not. This is an open research area that continues to
> worry me.
> 
> I keep talking to professors and grad students who have started a paper
> showing that website fingerprinting works on Tor, and after a while they
> stop working on the paper because they can't get good results either way
> (they can't show that it works well, and they also can't show that it
> doesn't work well).
> 
> The real question I want to see answered is not "does it work" -- I bet
> it can work in some narrow situations even if it doesn't work well in
> the general case. Rather, I want to know how to make it work less well.
> But we need to have a better handle on how well it works before we can
> answer that harder question.

OK I'm confused. Sorry for being terse initially but I just wanted to
get out that website fingerprinting is a known problem not a new
surprise. But it sounds like you think you are contrasting with what I
said rather than extending the same points. I said Tor is not
invulnerable to the attack, only that the published research (I wasn't
talking about the abandoned projects) shows it's a lot less vulnerable
than other deployed systems examined in that research, like JonDonym
or various VPNs.  Yes, of course that's subject to the experiments and
assumptions conducted so far. I also said that it's worthy of
continued examination and analysis even if it is not the demonstrated
problem for Tor that end-to-end correlation is.  Since it's a pretty
open research area, we cannot say some significant attack isn't around
the corner. That's always the case.  All we know yet is that the few
published results there are show a small fraction of websites seem to
be uniquely identifiable via existing techniques. What am I missing?

> 
> For those who want more background, you can read more at item #1 on
> https://www.torproject.org/research.html.en#Ideas
> (I hoped to transition
> https://www.torproject.org/volunteer.html.en#Research over to that new
> page, but haven't gotten around to finishing)

Yes. Exploring defensive techniques would be good. Unlike correlation,
fingerprinting seems more likely to be amenable to traffic shaping;
although the study of this for countering correlation (as some of us
recently published at PETS ;>) may be an OK place to build on.
Personally I still think trust is going to play a bigger role as an
effective counter than general shaping, but one place we seem to be in
sync is that it all needs more study.

aloha,
Paul
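
The effect of uniform-size cells mentioned in the thread above, as an added example that is not part of the original messages: it compares which sites in a constructed sample stay uniquely identifiable when an observer sees per-response byte lengths versus only a count of fixed-size cells. The site names, the sizes, the 498-byte payload figure and the simplification that only the total cell count per page load is observable are all assumptions.

```python
# Added illustration; all sizes below are constructed, not measured traffic.
from math import ceil

CELL_PAYLOAD = 498  # assumption: data bytes carried per fixed-size 512-byte cell

# Constructed sample: site -> byte lengths of the responses in one page load.
SITES = {
    "site-a": [14210, 3301, 880],
    "site-b": [14200, 3300, 901],
    "site-c": [14105, 3290, 860],
    "site-d": [52000, 7400, 1210],
    "site-e": [14150, 3400, 790],
    "site-f": [9000, 2100, 640],
}

def exact_view(sizes):
    """Observation when each response's exact byte length is visible."""
    return tuple(sorted(sizes))

def cell_view(sizes):
    """Simplified observation when data moves in uniform cells:
    only the number of cells for the whole page load is visible."""
    return ceil(sum(sizes) / CELL_PAYLOAD)

def anonymity_sets(sites, view):
    """Group sites that produce the same observation under `view`."""
    groups = {}
    for name, sizes in sites.items():
        groups.setdefault(view(sizes), []).append(name)
    return sorted(groups.values())

def uniquely_identifiable(sites, view):
    """Sites whose observation is shared with no other site in the sample."""
    return sorted(g[0] for g in anonymity_sets(sites, view) if len(g) == 1)

if __name__ == "__main__":
    for label, view in (("exact sizes", exact_view), ("cell counts", cell_view)):
        unique = uniquely_identifiable(SITES, view)
        print(f"{label}: {len(unique)}/{len(SITES)} unique -> {unique}")
        print("  anonymity sets:", anonymity_sets(SITES, view))
```

In this sample the similar-sized pages collapse into one anonymity set under the cell view, while the two outliers remain unique, which mirrors the point that a small fraction of sites can still stand out.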