Comment by cookiengineer 19 hours ago

2 replies

The issue that TOR has is that it's a layered routing concept that won't respect ASN-based spreading/scattering of traffic.

Circuits are temporary but the traffic is not scattered across the network to make MITM fingerprinting of request/payload sizes/timestamps impossible.

A typical MITM like the FBI surveillance van next door can identify you by observing the network packets and by _when_ they were requested and by _how large_ the payloads were. There was a famous court case where this was enough evidence to identify a user of an onion service, without the FBI having access to the Wi-Fi of the user. But they had access to the exit node logs that were encrypted, the pcap logs to the onion service from that exit node, and the encrypted Wi-Fi packets of the user.

(Also TLS lower than 1.3 and SNI-related problems are relevant here, because DNS TTL 0 effectively makes everyone's privacy compromised, shame on you if you set a DNS TTL to 0)

My point is that with more randomized hops across the network and across ASNs it would be less likely that a threat actor can control both guard and exit nodes.

(Assuming that they parse RIR datasets to map organizations across ASNs, which the datasets already provide)
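Added example (not from the thread or from Tor): a toy model of the two-tap scenario in the comment above. An observer who sees only encrypted packets on the client's link and on the exit-to-service link bins bytes per time window on both sides and correlates the two series, sliding one against the other to absorb the unknown path delay. All traffic here is constructed with a seeded generator; the bin width, the 400 ms path delay, the 29-byte per-packet overhead and the 514/498-byte "cell" constants are assumptions of the model, not measured values. The padded case shows that replacing real sizes with fixed-size cells on both links removes the per-packet size signal but not the volume-per-window signal.

```python
"""Flow correlation across two vantage points (constructed model, added example)."""
import math
import random
from collections import Counter

BIN_MS = 200          # observation window for volume binning (assumed)
CELL_SIZE = 514       # assumed fixed link-cell size for the padding model
CELL_PAYLOAD = 498    # assumed usable bytes per cell


def make_flow(rng, n_bins, bin_ms=BIN_MS, burst_prob=0.5):
    """Constructed client traffic: in each bin, with probability burst_prob,
    a burst of 1-5 packets of 100-1400 bytes, 5 ms apart. Bursts are kept
    away from bin edges so the jitter used below never moves a packet into
    a neighbouring bin (a simplification for the example)."""
    pkts = []
    for b in range(n_bins):
        if rng.random() < burst_prob:
            start = b * bin_ms + rng.uniform(40, 120)
            for i in range(rng.randint(1, 5)):
                pkts.append((start + 5 * i, rng.randint(100, 1400)))
    return pkts


def observe_downstream(rng, pkts, delay_ms=400.0, jitter_ms=30.0, overhead=0):
    """The same traffic seen at a second tap: shifted by path delay, with
    per-packet jitter and a constant per-packet encapsulation overhead."""
    return [(t + delay_ms + rng.uniform(-jitter_ms, jitter_ms), s + overhead)
            for t, s in pkts]


def pad_to_cells(pkts):
    """Replace real payload sizes by whole fixed-size cells."""
    return [(t, math.ceil(s / CELL_PAYLOAD) * CELL_SIZE) for t, s in pkts]


def bin_volumes(pkts, bin_ms=BIN_MS):
    """Bytes per time bin, from bin 0 to the last bin holding a packet."""
    counts = Counter()
    for t, size in pkts:
        counts[int(t // bin_ms)] += size
    if not counts:
        return []
    return [counts.get(i, 0) for i in range(max(counts) + 1)]


def pearson(xs, ys):
    """Pearson correlation over the common prefix of two series."""
    n = min(len(xs), len(ys))
    if n < 2:
        return 0.0
    xs, ys = xs[:n], ys[:n]
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)


def best_lag_correlation(upstream, downstream, bin_ms=BIN_MS, max_lag_bins=10):
    """Slide the downstream series back by 0..max_lag_bins bins to absorb
    the unknown path delay; return (best r, lag in bins)."""
    a = bin_volumes(upstream, bin_ms)
    b = bin_volumes(downstream, bin_ms)
    best_r, best_lag = -1.0, 0
    for lag in range(max_lag_bins + 1):
        r = pearson(a, b[lag:])
        if r > best_r:
            best_r, best_lag = r, lag
    return best_r, best_lag


def demo():
    rng = random.Random(2024)
    client = make_flow(rng, n_bins=80)
    # Same flow on the far side: 400 ms later (2 bins), jittered, +29 bytes/packet.
    exit_side = observe_downstream(rng, client, 400.0, 30.0, overhead=29)
    # An unrelated flow with the same statistics, as the control case.
    other = make_flow(random.Random(7), n_bins=80)
    # Fixed-size cells on both links: sizes no longer leak, volume-per-bin still does.
    cells = pad_to_cells(client)
    exit_cells = observe_downstream(random.Random(99), cells, 400.0, 30.0)
    r_m, lag_m = best_lag_correlation(client, exit_side)
    r_u, lag_u = best_lag_correlation(client, other)
    r_p, lag_p = best_lag_correlation(cells, exit_cells)
    return {"matched_r": r_m, "matched_lag": lag_m,
            "unrelated_r": r_u, "unrelated_lag": lag_u,
            "padded_r": r_p, "padded_lag": lag_p}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value:.3f}" if isinstance(value, float) else f"{key:14} {value}")
```

The matched pair correlates near 1.0 at a lag of two bins (the 400 ms path delay), the unrelated flow stays near zero at every lag, and the cell-padded pair still correlates perfectly, which is why defences against this class of observer need to reshape timing and volume (cover traffic, delays, batching), not just packet sizes.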

runamuck 16 hours ago

Would an Ethernet cable plugged into your ISP router defend against the above mentioned surveillance (i.e., no WiFi snooping)? Or did the FBI PCAP at the ISP?

  • cookiengineer 16 hours ago

    The problem is also that different network stack implementations have different MTU values and different TCP headers.

    There are a lot of tools available that can fingerprint different applications pretty well these days. For example, Firefox and TOR Browser can be fingerprinted because of their custom network library that's OS independent.

    It gets worse if you use a DSL2 connection with scaling because that will uniquely make your packets fingerprintable because they have a specific MTU size that's dependent on the length of the cable from modem to the next main hub. Same for cable internet, because the frequencies and spectrums that are used are also unique.

    (I'm clarifying this, because an FBI van not having access to your Wi-Fi still has access to the cable on the street when there's a warrant for surveillance / wire tapping issued)

    [1] https://github.com/NikolaiT/zardaxt (detects entropies of TCP headers and matches them with applications)

    [2] https://github.com/Nisitay/pyp0f (detects the OS)

    [3] https://github.com/ValdikSS/p0f-mtu (detects the VPN provider)
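Added example (not from the thread, and not code from p0f, pyp0f or zardaxt): a minimal passive SYN fingerprinter of the kind the tools linked above implement, to make concrete what "different network stack implementations have different MTU values and different TCP headers" means on the wire. It parses raw IPv4+TCP bytes, keys on the fields p0f uses (initial TTL guessed from the observed TTL, DF bit, window size, MSS, window scale and the order of TCP options) and derives the path MTU as MSS + 40. The two sample SYNs are constructed here; the signature table and the MTU-to-link-type hints are illustrative entries modelled on commonly cited p0f and p0f-mtu associations and should be checked against the real p0f.fp before being relied on.

```python
"""Passive TCP SYN fingerprinting, p0f style (constructed example)."""
import struct

# Illustrative (initial TTL, option layout) -> stack table; verify against p0f.fp.
SIGNATURES = {
    (64, "mss,sok,ts,nop,ws"): "Linux-style TCP stack",
    (128, "mss,nop,ws,nop,nop,sok"): "Windows-style TCP stack",
}
# MTU = MSS + 40 for IPv4/TCP without options; common associations, assumed here.
MTU_HINTS = {
    1500: "Ethernet / cable, no encapsulation",
    1492: "PPPoE, typical of DSL",
    1420: "WireGuard-style tunnel",
}
OPTION_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}


def encode_tcp_options(layout, mss=1460, wscale=7):
    """Encode a p0f-style layout list as TCP option bytes (constructed input)."""
    enc = {"mss": struct.pack("!BBH", 2, 4, mss), "nop": b"\x01",
           "ws": struct.pack("!BBB", 3, 3, wscale), "sok": b"\x04\x02",
           "ts": struct.pack("!BBII", 8, 10, 0x01020304, 0), "eol": b"\x00"}
    out = b"".join(enc[name] for name in layout)
    return out + b"\x00" * (-len(out) % 4)      # pad to a 32-bit boundary


def build_ipv4_syn(ttl, df, window, options, src="10.0.0.2", dst="203.0.113.10"):
    """Constructed IPv4+TCP SYN; checksums are left zero (not needed to fingerprint)."""
    tcp_len = 20 + len(options)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                         0x4000 if df else 0, ttl, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    offset_flags = ((tcp_len // 4) << 12) | 0x002   # data offset in words, SYN set
    tcp_hdr = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, offset_flags, window, 0, 0)
    return ip_hdr + tcp_hdr + options


def parse_syn(pkt):
    """Pull the fields a passive fingerprinter keys on out of raw IPv4+TCP bytes."""
    if len(pkt) < 40 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    if pkt[9] != 6:
        raise ValueError("not TCP")
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    if (tcp[13] & 0x12) != 0x02:                    # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    data_offset = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:data_offset]
    layout, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                               # EOL: record it and stop
            layout.append("eol")
            break
        if kind == 1:                               # NOP has no length byte
            layout.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        body = opts[i + 2:i + length]
        if kind == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3:
            wscale = body[0]
        layout.append(OPTION_NAMES.get(kind, f"?{kind}"))
        i += length
    return {"ttl": ttl, "df": df, "window": window, "mss": mss,
            "wscale": wscale, "layout": layout}


def guess_initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    return next(c for c in (32, 64, 128, 255) if ttl <= c)


def fingerprint(pkt):
    """Signature string plus stack and link hints for one SYN."""
    f = parse_syn(pkt)
    ittl = guess_initial_ttl(f["ttl"])
    layout = ",".join(f["layout"])
    f["initial_ttl"], f["hops"] = ittl, ittl - f["ttl"]
    f["signature"] = f"{ittl}:{'df' if f['df'] else '-'}:{f['window']}:{f['mss']}:{layout}"
    f["stack"] = SIGNATURES.get((ittl, layout), "unknown")
    f["mtu"] = f["mss"] + 40 if f["mss"] is not None else None
    f["link_hint"] = MTU_HINTS.get(f["mtu"], "unknown")
    return f


# Constructed sample SYNs: seven hops from a 64-TTL stack on a 1500-byte link,
# and seven hops from a 128-TTL stack behind PPPoE (MSS 1452).
LINUX_LIKE = build_ipv4_syn(57, True, 29200,
                            encode_tcp_options(["mss", "sok", "ts", "nop", "ws"], 1460, 7))
WINDOWS_LIKE = build_ipv4_syn(121, True, 64240,
                              encode_tcp_options(["mss", "nop", "ws", "nop", "nop", "sok"], 1452, 8))

if __name__ == "__main__":
    for pkt in (LINUX_LIKE, WINDOWS_LIKE):
        print(fingerprint(pkt))
```

Nothing in this is defeated by encryption: TTL, DF, window, MSS and option order sit in the clear in every SYN, which is what lets a tap on the cable tell a Tor Browser host on Ethernet from one behind DSL even when it cannot read a single payload byte.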