<div dir="ltr"><div>ok understood, so in actuality he would have to be observing 3 things: </div>
<div> </div>
<div>1) The user' s computer (timing and size)<br></div>
<div>2) the first hop ((timing and size)</div>
<div> </div>
<div>3) the last hop ((timing, size and anythign else)</div>
<div> </div>
<div>He would have to be observing the user computer, as there would be no other way to correlate the first hop with the user, since the IP is hidden at the first hop, correct?<br></div>
<div class="gmail_quote">On Thu, Oct 9, 2008 at 6:41 AM, Gregory Maxwell <span dir="ltr"><<a href="mailto:gmaxwell@gmail.com">gmaxwell@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="Ih2E3d">On Wed, Oct 8, 2008 at 11:34 PM, M <<a href="mailto:moeedsalam@gmail.com">moeedsalam@gmail.com</a>> wrote:<br>> On Thu, Oct 9, 2008 at 6:31 AM, Gregory Maxwell <<a href="mailto:gmaxwell@gmail.com">gmaxwell@gmail.com</a>> wrote:<br>
>><br>>> On Wed, Oct 8, 2008 at 11:23 PM, M <<a href="mailto:moeedsalam@gmail.com">moeedsalam@gmail.com</a>> wrote:<br>>> > Thanx Gregory and F.Fox...understood the concept. Just one note though:<br>
>> ><br>>> > "Tor (like all current practical low-latency anonymity designs) fails<br>>> > when<br>>> > the attacker can see both ends of the communications channel. For<br>>> > example,<br>
>> > suppose the attacker is watching the Tor relay you choose to enter the<br>>> > network, and is also watching the website you visit."<br>>> ><br>>> > When it says "watching" does it mean? I thought the info was encrypted<br>
>> > (except the last hop) and the IP invisible? Does it mean timing attacks?<br>>><br>>> Yes. A Timing/Sizing attack. He sees the last hop exit.<br>> but it says "first hop"<br><br></div>
Sorry, I accidentally hit send.<br><br>Consider: Nothing prevents you from running multiple tor nodes. A well<br>funded party might run dozens or hundreds. If the attacker controls<br>both the entry and the exit that you are using he can look at the<br>
unencrypted traffic leaving the exit and correlate it with the timing<br>and sizes of the data on the the entrances he controls. He could also<br>do things like intercept your TCP connections leaving the exit and<br>stuff them with megabytes of junk data and then watch for the traffic<br>
spike on any of the entrances he controls.<br><br>If you think about it for a bit you'll realize why changing entrances<br>all the time would maximize your exposure to this attack. Eventually<br>you would land on the bad guy's entrance and he could track you down.<br>
</blockquote></div><br></div>