[tor-bugs] #10969 [Core Tor/Tor]: Set of guard nodes can act as a linkability fingerprint

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Sep 16 15:38:04 UTC 2017 

#10969: Set of guard nodes can act as a linkability fingerprint
-------------------------------------------------+-------------------------
 Reporter:  asn                                  |          Owner:
                                                 |  mikeperry
     Type:  defect                               |         Status:
                                                 |  reopened
 Priority:  High                                 |      Milestone:  Tor:
                                                 |  unspecified
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-client, tor-guard, XKEYSCORE,    |  Actual Points:
  prop259, SponsorU-deferred, QUICKANT           |
Parent ID:                                       |         Points:  large
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by cypherpunks):

 * status:  closed => reopened
 * resolution:  fixed =>


Comment:

 Directory guards make this problem worse, don't they? (Each user is even
 more unique.)

 Having just re-read prop271, which I must say is a pretty vague and
 confusing text, I don't see how it fixes this problem.

 In ideal network conditions, prop271 might cause only one guard (plus a
 directory guard?) to be used, but as is well explained in this ticket's
 original description that is not a sufficient solution because the size of
 the set of tor users in a given city who have selected a given guard is
 likely to be small if not one. The set of users with the same guard(s) in
 the same city is effectively the anonymity set for the very real user-
 story/threat-model of "I want location anonymity against a passive
 observer at the local ISP while I travel around my city".

 I'm not even talking about FVEY here, I'm talking about adversaries like a
 stalker with a friend at the local phone company. But, of course, more
 powerful adversaries can locate people this way too.

 Does prop271 prevent connecting to several guards after being offline a
 little while? I actually doubt it even does that well. It defines
 "probably offline" as 10 minutes, and doesn't say anything about detecting
 "no route to host" (an obvious indicator of offlineness in my tor log file
 today). In any case, it certainly doesn't say anything about maintaining
 separate guards for different physical locations (gateway MAC addresses).
 I admit I haven't tried 0.3.0 yet, but if its supposed mitigations to
 these problems is what is described in prop271, I believe this problem
 must still exist.

 So, I am once again re-opening this ticket.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10969#comment:44>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list