----- Forwarded message from Bryce Lynch <virtualad...@gmail.com> -----
From: Bryce Lynch <virtualad...@gmail.com>
Date: Tue, 21 Aug 2012 12:49:02 -0400
To: zs-...@googlegroups.com
Cc: doctrinez...@googlegroups.com
Subject: Re: [tor-talk] End-to-end correlation for fun and profit
Reply-To: zs-...@googlegroups.com

On Mon, Aug 20, 2012 at 3:43 PM, Eugen Leitl <eu...@leitl.org> wrote:

> ----- Forwarded message from Maxim Kammerer <m...@dee.su> -----

Beta testing some criticism here...

> Anyway, let's do some math. Below, you will find a table where left
> column denotes the number of Guard+Exit+Fast+Stable Tor relays one
> needs to sniff at Class-C level, and right column denotes the

"...at Class-C level..."

This sounds like a class C network, i.e. a /24 (like
192.168.1.0/255.255.255.0).

> 10 11.50%

So, in other words, you'd have to have 10 Tor routers on the same network.
That's like me having 10 Tor nodes on my home network and not setting the
NodeFamily directive in torrc. Somebody playing games aside, I can see this
happening for nodes that are spun up in VPS environments, like the EC2 or
Linode.

I've cut the rest of the percentages, not to be catty but just for the sake
of brevity.

> As you can see, sniffing just 25 Class-C networks (or 42 individual
> nodes) lets an adversary correlate ~25% of (non-.onion) circuits.

Ouch.

Poking around in the Tor sourcecode (config.c) I find the function
is_local_addr(), which takes an IP address as its argument and determines
whether or not an IP address is on the same /24 (class C network) as the
instance of Tor. Now, I will freely admit that I might be talking through my
hat on this matter because it's been ages since I last read through the Tor
codebase so my recollection may be incorrect. But, wasn't Tor designed to
not pick other nodes that were within the same /24 of a particular instance?

> All of these servers are in US/CA or EU jurisdiction, so even an
> unsophisticated LE operation can issue ~20 wiretapping orders at ISP
> level (many of these networks are operated by same hosting providers),
> and immediately deanonymize ~25% of Tor traffic. So far for anonymity!

Or they could get a blanket wiretapping order and catch them all at once.
I've often wondered if it's worth running Tor routers on the EC2 for this
reason.

> [1] http://pastebin.com/hgtXMSyx

Now to catch up on the Tor mailing list to see whether or not I'm full of
it...

-- 
The Doctor [412/724/301/703] [ZS]
https://drwho.virtadpt.net/
"I am everywhere."

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
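
The same-/24 rule asked about in the forwarded message, sketched as an added example (not part of the e-mail and not Tor's own code): a bandwidth-weighted path picker that refuses two relays from one subnet. The relay list is constructed, the names `subnet_of`, `same_subnet`, `pick_path` and `relays_per_subnet` are hypothetical, and the /24 prefix follows the message and is a parameter here.

```python
import ipaddress
import random

# Constructed sample relays (documentation address ranges):
# (nickname, IPv4 address, bandwidth weight)
RELAYS = [
    ("relayA", "192.0.2.10", 50),
    ("relayB", "192.0.2.77", 40),      # same /24 as relayA
    ("relayC", "198.51.100.5", 30),
    ("relayD", "198.51.100.200", 20),  # same /24 as relayC
    ("relayE", "203.0.113.9", 10),
]

def subnet_of(ip, prefix_len=24):
    """Return the enclosing network of `ip` at the given prefix length."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)

def same_subnet(ip_a, ip_b, prefix_len=24):
    """True when both addresses fall inside one network of that size."""
    return subnet_of(ip_a, prefix_len) == subnet_of(ip_b, prefix_len)

def pick_path(relays, hops=3, prefix_len=24, rng=random):
    """Pick `hops` relays weighted by bandwidth, never two from one subnet.

    Raises ValueError when the relay list has too few distinct subnets.
    """
    path, used = [], set()
    for _ in range(hops):
        candidates = [r for r in relays
                      if subnet_of(r[1], prefix_len) not in used]
        if not candidates:
            raise ValueError("not enough distinct subnets for a path")
        weights = [r[2] for r in candidates]
        choice = rng.choices(candidates, weights=weights, k=1)[0]
        path.append(choice)
        used.add(subnet_of(choice[1], prefix_len))
    return path

def relays_per_subnet(relays, prefix_len=24):
    """Group nicknames by subnet to show where relays are co-located."""
    groups = {}
    for name, ip, _bw in relays:
        groups.setdefault(str(subnet_of(ip, prefix_len)), []).append(name)
    return groups

if __name__ == "__main__":
    print(relays_per_subnet(RELAYS))
    print([r[0] for r in pick_path(RELAYS, rng=random.Random(1))])
```

A subnet filter of this kind only keeps one network from holding two hops of the same path; it does not address an observer who can watch the guard's network and the exit's network separately, which is the case the quoted figures describe.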