[tor-talk] de-anonymization by correlating circuit changes

Curious Kid letsshareinformation at yahoo.com
Mon Aug 22 19:36:35 UTC 2011


> From: "bemoo129 at hushmail.com" <bemoo129 at hushmail.com>

> Sent: Saturday, August 20, 2011 5:18 PM
> Subject: Re: [tor-talk] de-anonymization by correlating circuit changes
> 
> Okay, but my question was, how traffic could be correlated if the 
> attacker has traffic-logs from all servers a possible user could 
> use (e.g. all servers operated by one provider/in one country) - but 
> he does not know the user himself.

What I think you are assuming is that your attacker can monitor and log all Internet traffic in one nation and the user lives in that nation and uses Tor exclusively from that nation. That sounds reasonable.

> So, he could follow the tcp-stream, I think: At first, he examines 
> the log of the exit-node, and he detects that there is some 

Are you also assuming that the exit node is in that nation? Tor avoids making circuits in which the entry and exit nodes are in the same country, and one can prevent Tor from choosing exit nodes in a particular country. If the attacker can monitor many Tor exit nodes throughout the world, then it is a global adversary -- Tor won't be enough. The user would be vulnerable to a traffic confirmation attack based on timing the network traffic.

> specific traffic ingoing and outgoing at the same time. And then, 
> he follows this stream through the other relays...

If the attacker can monitor every relay in a user's circuit, then they could trace the stream. Otherwise, the encryption layers between the user and each relay prevent relays (or eavesdroppers) from being able to link users to their destinations.


