Author: anonym
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Faking htpdate user agent worth it?

14/10/12 14:28, intrigeri wrote:
> Hi,
>
> Ague Mill wrote (01 Oct 2012 09:27:09 GMT) :
>> I think the overhead of not using '--head' and doing a full GET
>> would be marginal. It would make it at least a little bit harder to
>> distinguish from other requests.
>
> Fully agreed: this would make Tails' htpdate harder to distinguish
> from the TBB at the level of a single request / access.log line,
> and only stand out in aggregate.

OTOH it becomes easier to fingerprint Tails users on their side of the
pipe, which arguably is worse. Three *full* fetches of known web sites
are *much* more distinguishable than three header fetches of known web
sites, so Tails' startup traffic flow then becomes a distinctive pattern
to look for. Think "Bayesian classifiers" which was all the rage a year
or two ago.

The fact that Tails' current htpdate should be (relatively) safe from
fingerprinting since it only fetches headers is already documented here:
contribute/design/Time_syncing/#index5h1.

Slightly off-topic: Reading the above design doc made me think about
how recent changes in Tails may have affected it. Since the introduction
of stream isolation (Tails 0.14~rc1), htpdate (and other Tails-specific
applications) uses a SocksPort with IsolateDestAddr, so no circuit
sharing occurs between fetches. Will this make htpdate fingerprinting
even easier when combined with full fetches?

* *Without* circuit sharing I imagine that the eavesdropper only has to
  measure the traffic flow of a full fetch for each individual pool
  member and store this info for future comparisons (when an IP
  address shows three of these flows, it's a Tails user with large
  probability).
* *With* circuit sharing the eavesdropper would need to measure the
  traffic flow of fetching all combinations of three pool members
  instead. Hmm. On second thought I suppose it's easy to take the
  individual measurements from the previous point and create all
  combinations of three from them...

Well, I don't feel convinced by my own argument for stream isolation
being an issue for htpdate + full fetches, but let me just throw this
thought out there for others to ponder upon to be sure.

However, I do get the impression that stream isolation => loss of
circuit sharing may make htpdate easier to fingerprint in general. Full
fetch or not, each boot resulting in three different circuits being used
simultaneously seems more distinguishable than each boot resulting in
just a single circuit being used. OTOH, I'm a bit unsure whether Tor
guarantees that simultaneous fetches must share the same circuit when
stream isolation isn't used. If there's no such guarantee, then we
obviously shouldn't base our assumptions on it.