On 07/19/2016 02:42 AM, grarpamp wrote:
> https://cryptome.org/2016/07/cloudflare-de-anons-tor.htm
>
> 18 July 2016
>
> Cloudflare reCAPTCHA De-anonymizes Tor Users
>
> A sends:
>
> Cloudflare's insistence on solving reCAPTCHA puzzles when visitors are
> coming from Tor exit nodes to one of the 2 million web sites that
> Cloudflare 'protects' can be very instrumental for traffic analysis
> and de-anonymizing of Tor users.
>
> This is how:
>
> The only non-public prerequisite for the de-anonymizing entity is the
> ability to monitor traffic between ISPs and Tor entry nodes, and
> traffic entering Cloudflare servers (no decryption required in either
> case). There are, of course, no 2 million Cloudflare servers, probably
> there is no more than few hundred.
>
> Each click on one of the images in the puzzle generates a total of
> about 50 packets between Tor user's computer and the Cloudflare's
> server (about half are requests and half are real-time responses from
> the server.) All this happens in less than a second, so eventual
> jitter introduced in onion mixing is immaterial. The packet group has
> predictable sizes and patterns, so all the adversary has to do is note
> the easily detectable signature of the "image click" event, and
> correlate it with the same on the Cloudflare side. Again, no
> decryption required.
>
> There likely are many simultaneous users (thousands), but they do not
> solve puzzles at the same time, and they do not click on the puzzle
> image at the same time. Simple math shows that disambiguating is
> trivial. If there is some ambiguity left, Cloudflare can conveniently
> serve few more images to specific users (or even random users, as long
> as within the same few seconds different users get different amount of
> 'correct' images.)
>
> This obvious opportunity is not the proof, but NSA would have to be
> utterly incompetent not to be exploiting it. No one is that
> incompetent.
>
I pointed out this possibility regarding Hushmail in February 2015.

http://auntieimperial.tumblr.com/post/111007562804
http://66.media.tumblr.com/acc793091fadb7eabc16dbf9705b2be3/tumblr_njs0wgovEO1r9ju7do2_1280.png

It's especially treacherous if you do have something to hide, and helps
them tune their shit, if you log in on tor, and also barefoot, at
different times.