
Let's talk about Traffic correlation attacks

by /u/zuzuzuzu · 0 votes · 26th June, 2023 19:00

What is a correlation attack?

Let's say you are a Tor user and you visit a drug market often using your Tor connection.

Let's suppose that LE have compromised this drug market. So they can see all the times you accessed this drug market and they also assumed you are in England because you only supply drugs to England.

Next, LE would subpoena popular ISPs in England to obtain information about which users were using Tor during the time windows when you accessed the website. The more access times LE have for you on this website, the better this method of identifying you will be. Note this evidence alone wouldn't be enough to convict you, but it would give LE reason to put your entire life under a microscope.

You might then ask, won't using bridges prevent this type of attack? No, it won't. ISPs have ways of identifying when Tor bridges are in use. I don't know how they do this, maybe someone more technical could explain it. But I have heard of people getting blocked from using the Tor network even when they use bridges.

The only way around this problem seems to be by using a VPN before accessing Tor. It doesn't have to be owned by someone else, you can set up your own. But you need some way of hiding your Tor usage to prevent becoming a victim of this correlation attack.

Note, this type of attack wouldn't be deployed for any Tom, Dick or Harry. You'd have to be a major player that LE really wants.

Final point before I end this thread, Tor users seem to overestimate how many people use the Tor network. According to the Tor Project website, the USA has a mean of 600k daily users, and the UK has a mean of 70k daily users. There are 50 states, so if we assume Tor use by state is distributed equally, then that's just 12k visitors per state daily. Furthermore, if you use Tor at unusual times, when everyone in your country is sleeping, this also increases the risk of falling victim to this type of attack.
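A constructed simulation of the intersection step the post describes, added here as an illustration; it is not code from the poster or from the Tor Project. It assumes a synthetic ISP customer base in which a handful of customers keep a long-lived Tor connection and the rest connect occasionally with some fixed probability, and it intersects the "who was on Tor in this window" set once per observed visit. The population of 12,000 echoes the per-state figure in the post; the number of always-on customers, the activity probability, and the seed are assumptions, and the closed-form `expected_candidates` is a textbook expectation, not a figure from the page.

```python
"""
Simulation of an intersection-style correlation attack (constructed data).

Model: an adversary knows the time windows in which a target account visited a
site, and for each window learns from the ISP which customers were on Tor.
Intersecting those sets shrinks the candidate pool with every observation,
which is the post's point that more access times make identification easier.
"""
import random
from typing import List, Set, Tuple


def build_population(n_users: int, n_always_on: int, p_occasional: float) -> List[float]:
    """Per-customer probability of being on Tor in any given time window.

    Customers 0 .. n_always_on-1 keep a long-lived Tor connection (probability 1.0);
    everyone else connects occasionally with probability p_occasional.
    These are assumed, synthetic values for the simulation.
    """
    if not 0 <= n_always_on <= n_users:
        raise ValueError("n_always_on must be between 0 and n_users")
    if not 0.0 <= p_occasional <= 1.0:
        raise ValueError("p_occasional must be a probability")
    return [1.0] * n_always_on + [p_occasional] * (n_users - n_always_on)


def tor_users_in_window(activity: List[float], rng: random.Random) -> Set[int]:
    """Synthetic answer to one ISP request: customer ids connected to Tor in one window."""
    return {i for i, p in enumerate(activity) if rng.random() < p}


def intersection_attack(activity: List[float], target: int, n_windows: int,
                        rng: random.Random) -> Tuple[List[int], Set[int]]:
    """Intersect the Tor-user set of each observed window with the running candidate pool.

    The target is known (from the compromised site's logs) to have been online in
    every observed window, so it is always present. Returns the candidate-set size
    after each observation and the final candidate set.
    """
    candidates = set(range(len(activity)))
    sizes: List[int] = []
    for _ in range(n_windows):
        online = tor_users_in_window(activity, rng)
        online.add(target)          # target was on Tor in every window by construction
        candidates &= online
        sizes.append(len(candidates))
    return sizes, candidates


def expected_candidates(n_users: int, n_always_on: int, p_occasional: float,
                        n_windows: int) -> float:
    """Expected candidate-set size after n_windows observations (target is an occasional user).

    Always-on customers and the target are never eliminated; each other occasional
    customer survives all windows with probability p_occasional ** n_windows.
    """
    occasional_others = n_users - n_always_on - 1
    return n_always_on + 1 + occasional_others * p_occasional ** n_windows


def run_demo(n_users: int = 12_000, n_always_on: int = 50, p_occasional: float = 0.3,
             n_windows: int = 8, seed: int = 2023) -> Tuple[List[int], Set[int], int]:
    """Run one seeded simulation with the target as the last (occasional) customer."""
    rng = random.Random(seed)
    activity = build_population(n_users, n_always_on, p_occasional)
    target = n_users - 1
    sizes, remaining = intersection_attack(activity, target, n_windows, rng)
    return sizes, remaining, target


if __name__ == "__main__":
    sizes, remaining, target = run_demo()
    for k, size in enumerate(sizes, start=1):
        exp = expected_candidates(12_000, 50, 0.3, k)
        print(f"after {k} observed visit(s): {size} candidates (expected about {exp:.1f})")
    print("target still among candidates:", target in remaining)
    print("always-on customers never eliminated:", all(i in remaining for i in range(50)))
    # Lower background activity (e.g. off-hours windows) shrinks the pool faster.
    print("3 daytime windows:", round(expected_candidates(12_000, 50, 0.3, 3), 1),
          "| 3 night windows:", round(expected_candidates(12_000, 50, 0.05, 3), 1))
```

Two things the run shows that the prose only states: the pool collapses geometrically with each observed visit, and it stalls at the group of customers whose behaviour is indistinguishable from the target's (the always-on customers are never removed), which is what a long-lived, unremarkable Tor connection buys in this model. Lowering the background activity probability, as happens in off-hours windows, makes each observation far more discriminating, matching the post's remark about unusual times.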

User: /u/Twins7295

There are just some things not right about this post. Traffic correlation generally happens not from massive blanket search requests to ISPs about which users were using Tor at a certain time. That would be ridiculous. Do you know how many fucking ISPs there are around the world? In most parts of the world using Tor isn't illegal either. So such a request makes no fucking sense. How they do it is by running Tor relays and timing the traffic between multiple relays. If they control all three of your relays it's easy to identify the specific user because you just follow the packets. If they control two of your relays (the guard and exit node) it's possible to correlate the traffic a user sends. A bridge acts as a dedicated guard. You basically swap out a random guard from the Tor network with a "hidden" relay which acts as an entry point into the Tor network. It is possible to identify some "hidden" relay traffic with deep packet inspection (mainly the handshake process and traffic usage afterwards, because it doesn't really act like a regular website). The problem people don't understand with VPNs is you are basically making a dedicated guard node FOR ALL YOUR TRAFFIC. Including your identifiable kind. All it takes is for you to sign in to a personal account with the VPN on and now you have made yourself stand out far more than others. VPN companies are also not perfect. Some "no log" VPNs do in fact log. Adding more hops doesn't mean you are safer. In fact it makes you less safe because there are more points of contact with your traffic to be correlated and have yourself compromised against. VPN connections are also not as stable and there have been many times that people got fucked because their VPN connection dropped and their real IP leaked. With a Tor bridge that doesn't happen because if you lose your connection with your bridge your connection to the Tor network just drops. That's it. It's isolated from your computer's regular traffic.
There are trade-offs, but if your worry is that some LEA will find you via traffic correlation, know it's not really a thing happening. The Tor network pushes a lot of traffic from a lot of users and that makes correlation really difficult. It's not perfect but it's good enough for the vast majority of people. The defaults are private enough for like 99% of users. Don't go doing things you don't fully understand which will then harm your privacy. Try your best to look like others.