[Cryptography] NSA and Tor was Updates on Durov charges in France
Peter Fairbrother
peter at tsto.co.uk
Sun Sep 8 14:35:29 EDT 2024
On 07/09/2024 15:51, Christian Huitema wrote:
> All the anonymity schemes are based on "hiding a needle in a haystack".
> Not just Tor, but also VPNs, TLS Encrypted Client Hello (ECH), oblivious
> DNS, oblivious HTTP, etc.
You could probably do oblivious DNS through a PIR scheme, no haystack
needed. Alone that wouldn't be enough though, as you then have to
contact the IP returned somehow.
> The small haystack problem is very much the reason why "setting up your
> own node to hide your own traffic is generally a bad idea".
Kinda. Also, some traffic is going in but not coming out? Very bad idea.
But the realest reason is that exit nodes get busted from time to time
just for being exit nodes, or just get noticed - and that just draws
attention from the Police, the very very last thing a successful
criminal needs.
> If the traffic can be easily finger printed, "the needle is too shiny".
> That's the property used for correlating traffic in and out of a mixer,
> or correlating traffic at entry and exit points of Tor.
Yep, that's a problem with Tor and any low-latency web anonymiser.
First off, TCP/IP packets mostly have a from: as well as a to: address.
So if you have a million packets coming in on 50 circuits/streams, NSA
can sort those million packets into 50 individual from: streams. Which
makes correlation by packet numbers, sizes and timings much easier.
And where the origin address is spoofed each packet of each incoming
stream or circuit still has to be identifiable as belonging to that
stream so the server can do the right thing with it; and it's pretty
much always done in some plaintext manner - servers ain't gonna do
expensive PK operations on each packet, no sir, and they don't otherwise
know which symmetric key to use.
You probably could do some more obfuscation there, but apart from
occasional source spoofing afaik nobody does.
Second, web traffic data has a low entropy. Take TCP/IP ACK packets for
instance. There are lots of them, they can't be delayed, and a single
packet on an otherwise empty stream is... noticeable. Also packets come
in bunches of a wide variety of sizes.
I don't know what measures Tor uses to obfuscate traffic from the user
to the entry node, they might do something there. Traffic from the exit
node to the web server can't really be changed though, as it is just
normal web traffic.
Peter Fairbrother
More information about the cryptography
mailing list