Re: [tor-talk] Danish data retention on steroids

2016-01-30 Thread James Harrison

On 30/01/2016 04:36, Niels Elgaard Larsen wrote:
> True, but making it official also makes it easier to enforce and to
> make every service provider cooperate.
> 
> For Tor, competent and systematic logging might be worse than
> draconian measures by dictatorships.

To an extent - dictatorships can also competently and systematically log.

The UK is in a very similar policy position, assuming the proposed
bill for investigatory powers goes forward (which it almost certainly
will); anyone who is an ISP can be compelled to do practically
anything. This includes tampering, interference, etc, with data or
equipment, owned by the ISP or not. Tor relay operators in the UK
could be legally compelled to provide access to government and gagged
from discussing it, for one worst-case scenario. This is much worse
than the Danish model, as far as I know.

The interesting questions, at least to me, are around how this changes
the threat model, and how capable Tor is at dealing with attacks that
take advantage of a well-equipped, legally mandated adversary
attempting to deanonymize users. While this isn't the stated goal of
such legislation, it could certainly be used in this manner.

-- 
Cheers,
James Harrison
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Danish data retention on steroids

2016-01-30 Thread aka
Niels Elgaard Larsen:
> * Session volume (number of bytes)

> 1. Tor would kill this right at the entry-node? Even if a user fired up
> TorBrowser, typed in http://example.com/foo.mp4, watched the video and
> closed the browser, there would be enough negotiation to obfuscate the
> bytecount?
> 

I assume "session volume" is the size of payload data transferred in a
single TCP session.
If a Danish Tor user visited a Danish website affected and the website
used non-multiplex http (everything before http/2 and SPDY) there would
be 30 different TCP sessions for all those pictures, scripts, 3rd party
tracker elements, etc on the website. So in the data retention database
there will be a very fine grained and timestamped traffic log of this
particular site visit, useable for traffic correlation attacks. The
situation gets even worse if the website uses some periodic push/pull
system like for example a twitter feed, creating and closing TCP
connections every few seconds.

Lots of data over one single persistent TCP connection = only one entry
in data retention database = not useful for deanonymizing Tor users.
Lots of data over many short lived TCP connections over a long period of
time = many fine grained entries in data retention database = useful for
deanonymizing Tor users.

It should also be taken into account the government could force the ISP
to terminate TCP connections every few seconds to increase the amount of
logs created.
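Added example (not part of aka's message or of the original thread): a small model of the point above, comparing what a retention log holds when every request is its own TCP session with what it holds when each host gets one persistent connection. The record layout, hostnames, sizes and timings are constructed assumptions; only the 30-connection figure and the logged fields (endpoint, timestamps, volume) come from the thread.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    """One HTTP request arriving at the site's ISP (constructed sample data)."""
    t_ms: int       # start, milliseconds after the page load began
    dur_ms: int     # how long the transfer took
    host: str       # placeholder hostname
    nbytes: int     # payload size

@dataclass(frozen=True)
class Record:
    """Hypothetical retention entry: endpoint, open/close timestamps, volume."""
    host: str
    t_open: int
    t_close: int
    volume: int

HOSTS = ("site.example", "cdn.example", "tracker.example")  # assumed names

def page_load(n=30):
    """30 resources, as in aka's estimate; sizes and timing are made up."""
    return [Request(100 * i, 50, HOSTS[i % len(HOSTS)], 2000 + 500 * i)
            for i in range(n)]

def log_per_request(reqs):
    """Non-multiplexed HTTP: each request is its own TCP session and record."""
    return [Record(r.host, r.t_ms, r.t_ms + r.dur_ms, r.nbytes) for r in reqs]

def log_persistent(reqs):
    """One long-lived connection per host: a single aggregated record each."""
    groups = defaultdict(list)
    for r in reqs:
        groups[r.host].append(r)
    return [Record(h, min(r.t_ms for r in rs),
                   max(r.t_ms + r.dur_ms for r in rs),
                   sum(r.nbytes for r in rs))
            for h, rs in groups.items()]

def exposure(records):
    """How much timing and volume detail the log holds about the visit."""
    stamps = {t for r in records for t in (r.t_open, r.t_close)}
    return {"records": len(records), "timestamps": len(stamps),
            "bytes": sum(r.volume for r in records)}

if __name__ == "__main__":
    reqs = page_load()
    print("per request:", exposure(log_per_request(reqs)))
    print("persistent :", exposure(log_persistent(reqs)))
```

The total byte count is identical in both cases; what changes is how many separately timestamped volume entries describe the same visit.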


Re: [tor-talk] Danish data retention on steroids

2016-01-30 Thread Niels Elgaard Larsen


aka:
> Niels Elgaard Larsen:
>> * Session volume (number of bytes)
> 
>> 1. Tor would kill this right at the entry-node? Even if a user fired up
>> TorBrowser, typed in http://example.com/foo.mp4, watched the video and
>> closed the browser, there would be enough negotiation to obfuscate the
>> bytecount?
>>
> 
> I assume "session volume" is the size of payload data transferred in a
> single TCP session.

Yes.

> If a Danish Tor user visited a Danish website affected and the website
> used non-multiplex http (everything before http/2 and SPDY) there would
> be 30 different TCP sessions for all those pictures, scripts, 3rd party
> tracker elements, etc on the website.


I just checked the front page of politiken.dk, one of the major Danish
newspapers. Without an adblocker it is 202 requests to 7 different
domains. So even with HTTP/2 there would be some quite detailed logging.

> So in the data retention database
> there will be a very fine grained and timestamped traffic log of this
> particular site visit, useable for traffic correlation attacks. The
> situation gets even worse if the website uses some periodic push/pull
> system like for example a twitter feed, creating and closing TCP
> connections every few seconds.

Indeed. While I was typing the above paragraph there were three more
requests to https://ping.chartbeat.net/ on the Politiken page.

> Lots of data over one single persistent TCP connection = only one entry
> in data retention database = not useful for deanonymizing Tor users.
> Lots of data over many short lived TCP connections over a long period of
> time = many fine grained entries in data retention database = useful for
> deanonymizing Tor users.


Yes. Unless it is a very popular site, used by many Tor users at the
same time.

> It should also be taken into account the government could force the ISP
> to terminate TCP connections every few seconds to increase the amount of
> logs created.

Not so likely. This is a proposed law that the ISPs are fighting. They
would not do more than required by the law. The Danish government cannot
force ISPs to do things like that. But of course what matters is not
my ISP but the ISP behind the site I am connected to. And one or two
ISPs might be willing to cooperate.


-- 
Niels Elgaard Larsen


[tor-talk] Danish data retention on steroids

2016-01-29 Thread Niels Elgaard Larsen
I come from a meeting in the Danish ministry of Justice this afternoon,

They plan to reintroduce the data retention of Internet sessions.

It was scrapped in 2014 after the European Data Retention Directive was
declared invalid by the Court of Justice of the European Union.

But now Denmark plans to require data retention much more invasive than
both the old directive and the pre-2014 Danish implementation of.

The most technically interesting points are:

* Logging of session (e.g. a TCP connection), IP addresses and ports in
both ends.
* Timestamps
* NAT mapping
* Session volume (number of bytes)
* Geo position of mobile data sessions

The volume logging is a new idea.

So for TOR:

1. Tor would kill this right at the entry-node? Even if a user fired up
TorBrowser, typed in http://example.com/foo.mp4, watched the video and
closed the browser, there would be enough negotiation to obfuscate the
bytecount?

2. If a Tor user in Denmark, even using all non-Danish Tor nodes, posts
something using HTTP POST to a public blog, even one outside Denmark:
could the TOR user be identified given that probably what he posted is
public as well as the timestamp and that the size of POST can be
trivially calculated?

3. How many Danish Tor nodes in a circuit would you be comfortable with?

-- 
Niels Elgaard Larsen


Re: [tor-talk] Danish data retention on steroids

2016-01-29 Thread Anders Andersson
On Fri, Jan 29, 2016 at 4:57 PM, Niels Elgaard Larsen  wrote:
> I come from a meeting in the Danish ministry of Justice this afternoon,

Why? :)


> 3. How many Danish Tor nodes in a circuit would you be comfortable with?

I can assure you that a lot of countries will have worse data logging
in place, the main difference being that making it official makes it
easier for a bad guy to get hold of.


Re: [tor-talk] Danish data retention on steroids

2016-01-29 Thread Niels Elgaard Larsen


Anders Andersson:
> On Fri, Jan 29, 2016 at 4:57 PM, Niels Elgaard Larsen  wrote:
>> I come from a meeting in the Danish ministry of Justice this afternoon,
> 
> Why? :)

I represented IT-POL, https://itpol.dk/

There will be a consultation in February and we are known to be against
data retention (fighting against it since 2007), so they wanted to
exchange views before preparing the law.

> 
>> 3. How many Danish Tor nodes in a circuit would you be comfortable with?
> 
> I can assure you that a lot of countries will have worse data logging
> in place, the main difference being that making it official makes it
> easier for a bad guy to get hold of.

True, but making it official also makes it easier to enforce and to make
every service provider cooperate.

For Tor, competent and systematic logging might be worse than draconian
measures by dictatorships.

And just because there is/will be a Danish law requiring data retention,
does not mean that there is not more going on.
I would not choose TDC for a Tor node.



-- 
Niels Elgaard Larsen


[tor-talk] Danish data retention on steroids

2016-01-29 Thread Niels Elgaard Larsen
I come from a meeting in the Danish ministry of Justice this afternoon,



2. If a Tor user in Denmark, even using all non-Danish Tor nodes, posts
something using HTTP POST to a public blog, even one outside Denmark:
could the TOR user be identified given that probably what he posted is
public as well as the timestamp and that the size of POST can be
trivially calculated?


Well, of course even that would not be so critical with TOR.
On the entry side the POST and whatever other requests it took to get to
the post form would be mixed together.