[tor-bugs] #10451 [Tor]: Allow me to have a short HeartBeatPeriod

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Nov 28 10:11:31 UTC 2014


#10451: Allow me to have a short HeartBeatPeriod
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:
  cypherpunks            |     Status:  new
         Type:  defect   |  Milestone:  Tor: 0.2.???
     Priority:  normal   |    Version:  Tor: 0.2.4.18-rc
    Component:  Tor      |   Keywords:  tor-relay, easy, heartbeat, needs-
   Resolution:           |  research
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by badon):

 To correlate vague statistics in a de-anonymizing way requires time. In
 short, the more time the logged statistics cover, the more time is
 required to use them to de-anonymize someone. Off the top of my head, this
 appears to be mostly limited to bulk traffic analysis, because that's what
 the heartbeat statistics contain. The traffic analysis scenario is fairly
 well studied, so I think we have a basis for insight into the risk
 involved here.

 Firstly, an attacker must have access to the heartbeat statistics over a
 long period of time. I don't know how long, but let's make a wild guess
 that to successfully de-anonymize someone, you would need to observe at
 least 10'000 heartbeats. I suspect the true minimum number could be far
 higher, and it might be a non-linear relationship where the number of
 heartbeats required increases faster for longer heartbeat periods.

 Here's a very simple totally made-up hypothetical example, without a non-
 linear increase in observation time:

 If heartbeats occur every 1 second, then the attacker would need to
 observe for 10'000 seconds, or 2.78 hours. If heartbeats occur every 300
 seconds (5 minutes), then I will make a wild guess that the attacker would
 need to observe for 10'000 * 300 seconds, which is 833.33 hours, or 34.72
 days. All of this assumes the attacker has access to the Tor logs, which
 probably means log correlation via traffic analysis is less of a problem
 than other things the attacker might be able to do. Oh, and another thing,
 it probably also assumes that the logs are being written to disk, which
 isn't normally done.

 I hope this thought experiment gives you further ideas for judging the
 risks that might come from implementing this idea. I think it would be
 very helpful and enlightening to have more status information available.
 The end result might be increased security, due to insights people have
 while observing the status information. Either way, I think it should be
 at least possible to configure rapid heartbeats, even if it is insecure,
 if only for research purposes.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10451#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

