[tor-dev] Traffic Obfuscation

Mansour Moufid mansourmoufid at gmail.com
Thu Sep 5 03:40:21 UTC 2013


On 2013-09-04, at 8:09 PM, josef.winger at email.de wrote:

> Can a developer please explain to me why something like the
> following obfuscation of 'torified traffic' is exploitable?
> 
> Suppose a scenario where a collective of authorities is able
> to observe large parts of the www. Then observing traffic
> correlation can reveal a connection through the network.
> 
> But why can't we just alter the pattern inside the network,
> such that there is no correlation between 'incoming' and
> 'outgoing' data anymore?

Regardless of what goes on inside the network, the traffic must be
in-order at the points of entrance and exit to the network (a property of
TCP). Those are the points of interest to an observer doing traffic
correlation.

Compounding that problem is the low latency of the network: the relative
timing within any given stream is preserved.

The first problem might be mitigated with packet padding; the second
problem might be mitigated with random packet delays. My understanding
is that these two approaches are being studied at the moment.

Modifying the behaviour of traffic within the network does not help.

It has also been suggested that cover traffic is a solution, based on a
Bayesian argument with (IMHO) incorrect assumptions. I think it will be
proven wrong as attacks get better.
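As an added illustration (not part of this thread, and not Tor code), the following Python model reproduces the two properties described above on constructed data: an observer comparing the entry and exit points of an order-preserving, low-latency relay sees packet sizes and inter-packet timing carried through almost unchanged, and the two mitigations named, fixed-size padding and order-preserving random delays, each remove one of those signals. The packet timestamps, the 1500-byte cell size and the relay parameters are assumptions chosen for the example, not measurements of any real network.

```python
"""Toy model of traffic correlation at the edges of a low-latency network.

Constructed example: timestamps and sizes are synthetic, not captured
traffic. It measures how strongly ingress and egress streams correlate
in (a) inter-packet timing and (b) packet size, with and without the
two mitigations discussed on the list: random delays and padding.
"""
import math
import random

CELL_SIZE = 1500  # assumed fixed cell size every padded packet is grown to


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length series.

    Returns 0.0 when either series is constant: a fully padded size
    series has no variance left for an observer to correlate against.
    """
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("series must have equal length >= 2")
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / math.sqrt(sxx * syy)


def inter_arrivals(times):
    """Gaps between consecutive timestamps; this is what timing attacks compare."""
    return [b - a for a, b in zip(times, times[1:])]


def make_ingress(n, seed=1):
    """Synthetic client stream: bursty gaps (mean 50 ms) and variable sizes."""
    rng = random.Random(seed)
    t = 0.0
    times, sizes = [], []
    for _ in range(n):
        t += rng.expovariate(1 / 0.05)
        times.append(t)
        sizes.append(rng.randint(40, 1400))  # always fits in one CELL_SIZE cell
    return times, sizes


def relay(times, sizes, latency=0.1, max_delay=0.0, pad=False, seed=2):
    """Egress stream as seen at the network's exit.

    Order is preserved, as TCP requires: a packet never departs before
    the one ahead of it, so a random delay on packet i also holds back
    every later packet that would otherwise overtake it. With pad=True
    every packet leaves as one full cell (splitting oversized packets
    into several cells is left out of this toy model).
    """
    rng = random.Random(seed)
    out_t, out_s = [], []
    last = -math.inf
    for t, s in zip(times, sizes):
        depart = max(t + latency + rng.uniform(0, max_delay), last)
        last = depart
        out_t.append(depart)
        out_s.append(CELL_SIZE if pad else s)
    return out_t, out_s


def correlations(n=500, max_delay=0.0, pad=False):
    """Correlate ingress against egress; values near 1.0 mean a trivially
    linkable flow, values near 0.0 mean that signal has been removed."""
    t_in, s_in = make_ingress(n)
    t_out, s_out = relay(t_in, s_in, max_delay=max_delay, pad=pad)
    return {
        "timing": pearson(inter_arrivals(t_in), inter_arrivals(t_out)),
        "size": pearson(s_in, s_out),
    }


if __name__ == "__main__":
    for label, kwargs in [
        ("no mitigation", {}),
        ("random delay up to 500 ms", {"max_delay": 0.5}),
        ("fixed-size padding", {"pad": True}),
        ("both", {"max_delay": 0.5, "pad": True}),
    ]:
        c = correlations(**kwargs)
        print(f"{label:28s} timing={c['timing']:.3f} size={c['size']:.3f}")
```

Two things the numbers make concrete. Constant latency alone does nothing: subtracting the same offset from every timestamp leaves the gap sequence, and hence the correlation, intact, which is why the argument above locates the problem at the entry and exit points rather than inside the network. And the mitigations are independent: padding zeroes the size correlation but leaves timing untouched, while random delay lowers timing correlation and leaves sizes untouched, so a deployment needs both, and the delay budget trades directly against the low latency that makes the network usable.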


