[tor-talk] Risk of checking multiple accounts with TorBirdy

dhanlin MlgAcRBC at yandex.com
Sat Jan 4 11:37:50 UTC 2014


Sebastian G. <bastik.tor>:
> 04.01.2014 09:05, dhanlin:
> It also depends on where and who your adversary is.

The adversary I had in mind was a malicious exit node administrator.  If
all e-mail accounts are accessed using the same circuit, it seems the
exit node would see the near simultaneous connections (assume encrypted)
to various e-mail servers, and even with one occurrence suspicion could
be developed that the accounts accessed are linked.

Suppose I check simultaneously:
- john.doe at yandex.com
- jane.doe at gmail.com
- my.actual.name at my.server.org

If the adversary wants to create a database linking many e-mail accounts
accessed over Tor using secure connections, they could collect
simultaneous e-mail account accesses from their exit node.  When the
combination of the servers accessed simultaneously is distinct (e.g.
yandex.com + gmail.com + my.server.org), the accounts can be linked,
even if their account names are unknown.  (The actual account names
could be found out retrospectively, for example by subpoena of gmail.com
accounts accessed at a certain time.)

Unless this threat is flawed, it seems like it therefore would be safest
if TorBirdy used a separate circuit for each account, or enforced delays
between checks of multiple accounts.  (Maybe it already does?)

dhanlin
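
A small model of the linkage described above, added here as an example and not part of the original post: it groups the streams one exit would see by circuit, first with all accounts on a shared circuit and then with one circuit per account. The host names come from the post; circuit ids, timestamps and function names are constructed for illustration.

```python
from collections import defaultdict

# Hosts taken from the post; circuit ids and timestamps are constructed.
ACCOUNTS = ["yandex.com", "gmail.com", "my.server.org"]

def mail_check(start, first_circ, isolate):
    """Streams (circuit_id, unix_time, host) for one check of all accounts.

    isolate=False: every account shares one circuit (the case in the post).
    isolate=True:  each account gets its own circuit (the proposed fix).
    """
    return [(first_circ + (i if isolate else 0), start + i, host)
            for i, host in enumerate(ACCOUNTS)]

def other_users(start, first_circ):
    """Constructed background: unrelated users checking a single provider."""
    return [(first_circ, start, "gmail.com"),
            (first_circ + 1, start + 2, "yandex.com")]

def multi_host_circuits(streams, window=10):
    """Per circuit, the set of hosts contacted within `window` seconds of the
    first stream. Only circuits reaching more than one host are returned:
    those are the ones whose accounts can be tied together."""
    by_circ = defaultdict(list)
    for circ, t, host in streams:
        by_circ[circ].append((t, host))
    linked = {}
    for circ, items in by_circ.items():
        t0 = min(t for t, _ in items)
        hosts = frozenset(h for t, h in items if t - t0 <= window)
        if len(hosts) > 1:
            linked[circ] = hosts
    return linked

if __name__ == "__main__":
    for isolate in (False, True):
        seen = mail_check(1000, 1, isolate) + other_users(1000, 50)
        print("isolated" if isolate else "shared  ", multi_host_circuits(seen))
```

The model covers only what is visible per circuit; it assumes the exit cannot otherwise tell that separate circuits belong to the same client, and it does not model timing correlation between circuits, which is what the delays suggested in the post would address.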

