Thus spake Mike Perry (mikeperry@fscked.org):
Thus spake Robert Ransom (rransom.8774@gmail.com):
On Thu, 23 Jun 2011 10:10:35 -0700 Mike Perry mikeperry@fscked.org wrote:
Thus spake Georg Koppen (g.koppen@jondos.de):
If you maintain two long sessions within the same Tor Browser Bundle instance, you're screwed -- not because the exit nodes might be watching you, but because the web sites' logs can be correlated, and the *sequence* of exit nodes that your Tor client chose is very likely to be unique.
I'm actually not sure I get what Robert meant by this statement. In the absence of linked identifiers, the sequence of exit nodes should not be visible to the adversary. It may be unique, but what allows the adversary to link it to actually track the user? Reducing the linkability that allows the adversary to track this sequence is what the blog post is about...
By session, I meant a sequence of browsing actions that one web site can link. (For example, a session in which the user is authenticated to a web application.) If the user performs two or more distinct sessions within the same TBB instance, the browsing actions within those sessions will use very similar sequences of exit nodes.
The issue is that two different sites can use the sequences of exit nodes to link a session on one site with a concurrent session on another.
Woah, we're in the hinterlands, tread carefully :).
I still think Tor should just do this, though. Every app should be made unlinkable by a simple policy there by default, and we should just rate limit it if it gets to intense (similar to NEWNYM rate limiting).
Arg. The demons in my head just told me that there exists a stupid mashup web-app out there just waiting to ruin our day if we do this in Tor without browser interaction. The demons tell me at least one stupid banking or shopping-cart site checks to make sure both the IP address and the cookies match for all pieces of the app to work together across domains. I think the demons are right. I think this is why we created TrackHostExits, but the demons just laugh and tell me that the hosts are not the same in this case.
So perhaps Torbutton controlled per-tab proxy username+password is the best option? Oh man am I dreading doing that... (The demons laugh again.)