[tbb-bugs] #18552 [Tor Browser]: timing oracle for rendezvouz circuits

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 15 05:16:16 UTC 2016

#18552: timing oracle for rendezvouz circuits
     Reporter:  cypherpunks  |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  Very Low     |  Milestone:
    Component:  Tor Browser  |    Version:
     Severity:  Trivial      |   Keywords:  timing performance
Actual Points:               |  Parent ID:
       Points:               |   Reviewer:
      Sponsor:               |
 The ''performance'' and ''XMLHTTPRequest'' javascript APIs provide a
 toolset sufficient enough to measure for the existence of previously
 established rendezvous circuits.

 Since CORS headers can only be determined after a request is performed, by
 measuring the time to failure on a series of cross-domain requests and
 observing the difference between the time-to-failure on the first and
 subsequent requests we could determine if a user has an already
 established circuit with a given rendezvous website.

 While the timing on ''performance'' is quite coarse, it is sufficient to
 detect the build time of a rendezvous circuit. If the subsequent requests
 consistently take the same time as the initial request it could be
 inferred that the user already had a circuit established to the onion
 address being tested by the ''XMLHTTPRequest''.

 The measurement capabilities are very weak given that the sample set of
 the initial connection can only be 1, as such this attack is not very

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18552>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list