Re: [Tails-dev] TCP Sequence Numbers leak System Clock

Delete this message

Reply to this message
Autor: Griffin Boyce
Data:  
A: The Tails public development discussion list, Patrick Schleizer
Assumpte: Re: [Tails-dev] TCP Sequence Numbers leak System Clock
Mostly off-topic, but: Tor will also fail to start if it thinks that the system time/date are dramatically wrong. I've had to set the system date before for tor to be able to create a circuit at all (though it was wrong by days, not minutes). So, do people fetch network time before bootstrapping? That's probably a much worse situation to be in than just looking at a calendar or asking some bloke what time it is.

But to your point, local system time doesn't/shouldn't impact correlation attacks at all. Every network hop between the user and destination has a set system time that is far better to determine sequence. Correlation attacks are nice on paper, but seem to fall apart quite quickly. Even in a lab environment, I can't imagine they are easily replicated.

Imagine that you are a global adversary, and someone downloads 1mb of something bad from x:443. There is basically no chance that the person using tor or i2p will be found - even less if the tor user changes routes while downloading. There's simply too much noise for a global passive adversary to make any kind of realistic correlation to find the downloader. And while the risk increases with the size of the download, so does the chance that it won't complete during that 10-minute window (assuming it doesn't fail outright or wasn't already broken into pieces).

There seems like a slightly larger risk if the downloader is already under suspicion and assuming they have a monitored connection (no longer passive surveillance) and that they aren't generating cover traffic (with normal browsing or porn or Netflix) and if the correct sequence of atypical download sizes is seen. And even then it might all fall apart if lots of people are downloading things of that size from that source. (Episode sequences, for example). Or if the sizes are extremely common. Lots of classified documents are about 50kb, but that would be virtually impossible to correlate.

Anyway, I don't think correlation attacks in onion routing are much more than an interesting research problem. With a sufficient number of hops, it's solved.

best,
Griffin


On September 27, 2014 4:04:32 AM EDT, Patrick Schleizer <patrick-mailinglists@???> wrote:
>Hi,
>
>you might be interested in this:
>https://twitter.com/ioerror/status/509159304323416064
>
>Why could it be relevant?
>
>Tor Browser (and other applications?) leak the system clock in default
>settings [1]. At the same time, the system clock leaks to ISP level
>observers through TCP sequence numbers. This opens up to "quite simple"
>end-to-end correlation attacks, I think.
>
>Cheers,
>Patrick
>
>[1] https://trac.torproject.org/projects/tor/ticket/3059
>_______________________________________________
>Tails-dev mailing list
>Tails-dev@???
>https://mailman.boum.org/listinfo/tails-dev
>To unsubscribe from this list, send an empty email to
>Tails-dev-unsubscribe@???.


--
"Hackers are not rockstars. You know who are rockstars? ROCKSTARS."
~Dan Kaminsky