[tor-talk] Identify requests made by the same user

NoWhereMan nowhereman at autistici.org
Fri Jun 21 05:52:10 UTC 2013 

Il 20.06.2013 23:19 krishna e bera ha scritto:
> 
> Some of your question is answered here:
> https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#SoImtotallyanonymousifIuseTor
> 

I've read the entire FAQ page! :)


> 1) By design, you cannot know whether aaa.onion and bbb.onion are
> running on the same machine or are run by the same operator.

Yes, I know that. What i'd like to know, is if it's the same from the 
client point of view.


> 2) If either .onion site requires registration, you must be careful to
> use different email userid and password on each, and those must also be
> different from anything you use in non-Tor contexts.
> 
> 3) If you check the tests at
>     http://ip-check.info/?lang=en
>     you will see how much browser fingerprinting is possible.  So you
> must be careful not to change any settings that will make your browsing
> session look different from any other person using TBB.

Yes yes yes. That's clear. Tor encrypts my connections, but I have to be 
careful on what I (and my browser) send over the internet. This is 
application and physical transport level. What makes me think is the tor 
transport level (the payload of tcp/udp packets tor sends over the 
internet).

My question wasn't actually related to a specific application. This is 
my reasoning: in order to get the server response back to me, the 
encrypted packet Tor sends over the network, should contain and 
identifier of my Tor client. This way the .onion service can read the 
request, prepare a response and send it back to me. Just like a TCP 
packet that contains the sender's IP address (Tor's TCP packet will 
contain the IP of the last node on the tunnel, but at an higher level 
there should be my client ID).

I'm speaking about a kind of "internal ip", some internal identifier in 
the Tor network. Let's put aaa.onion is an IRC chat and ccc.onion is a 
bulletin board. And that from the same client come 2 different requests 
for aaa.onion and ccc.onion. From the application layer, knowing that 
they come from the same client, is impossible. But, Tor should someway 
know that both responses will be forwarded to the same client, thus 
making possible to "group" them and know that behind them there is the 
same user.

I've read much technical documentation, but looks like this point is not 
properly described. I should read Tor's code, but I can't manage to do 
that.

Thankyou all

-- 
NoWhereMan
nowhereman at autistici.org

More information about the tor-talk mailing list