[tor-talk] Risk of checking multiple accounts with TorBirdy

dhanlin MlgAcRBC at yandex.com
Sat Jan 4 15:12:36 UTC 2014



Mix+TB Test:
> dhanlin:
>> Sebastian G. <bastik.tor>:
>>> 04.01.2014 09:05, dhanlin:
>>> It also depends on where and who your adversary is.
>>
>> The adversary I had in mind was a malicious exit node administrator.  If
>> all e-mail accounts are accessed using the same circuit, it seems the
>> exit node would see the near simultaneous connections (assume encrypted)
>> to various e-mail servers, and even with one occurrence suspicion could
>> be developed that the accounts accessed are linked.
>>
>> Suppose I check simultaneously:
>> - john.doe at yandex.com
>> - jane.doe at gmail.com
>> - my.actual.name at my.server.org
>>
>> If the adversary wants to create a database linking many e-mail accounts
>> accessed over Tor using secure connections, they could collect
>> simultaneous e-mail account accesses from their exit node.  When the
>> combination of the servers accessed simultaneously is distinct (e.g.
>> yandex.com + gmail.com + my.server.org), the accounts can be linked,
>> even if their account names are unknown.  (The actual account names
>> could be found out retrospectively, for example by subpoena of gmail.com
>> accounts accessed at a certain time.)
> 
> The exit node admin should only be able to see which email services you
> are talking to, not the address you are using (assuming end-to-end
> encryption). And even then they are only going to see it when you exit
> through that node, which should not be all the time.
> 
> So worst case is that they can see three simultaneous connections to
> different providers, not which addresses are in use.

Yes, but with cooperation between the e-mail provider(s) and the
malicious exit node, pseudonymous accounts can be connected to accounts
using a real identity.  For example, if the NSA runs a malicious exit
node and wants to know the identity of jane.doe at gmail.com, they can take
from Google all the access times for that account.  Then they can look
at the logs of their exit node, and find possible accesses to that
account, and link them to other e-mail provider accesses.  If one of
these providers is say a personal e-mail server at a domain with valid
WHOIS, jane.doe at gmail.com is deanonymized.

I see your point that a malicious exit node cannot itself deanonymize
by connecting accounts (unless the e-mail providers themselves would
deanonymize the user, which is possible).  So the attack is a little
harder than I initially thought.  There seems to be no technological
impediment to an e-mail provider and a malicious exit node cooperating,
though.
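An added illustration, not part of the thread: a client-side check a TorBirdy user could run over Tor control-port STREAM events (650 STREAM <StreamID> <Status> <CircuitID> <Target>) to see whether several mail accounts are being carried over one circuit, which is exactly the situation the exit for that circuit observes. The event lines, the circuit numbers and the host mail.my.server.org are constructed samples; the function names are assumptions of this example.

```python
"""Flag Tor circuits that carry streams to more than one mail host."""
import re
from collections import defaultdict

# Common IMAP/POP/SMTP submission ports; anything else is ignored.
MAIL_PORTS = {993, 995, 465, 587, 143, 110}

# Shape of a control-port STREAM event; trailing fields are ignored.
STREAM_RE = re.compile(
    r"^650 STREAM (?P<sid>\d+) (?P<status>\w+) (?P<circ>\d+) "
    r"(?P<host>[^:\s]+):(?P<port>\d+)"
)


def parse_mail_streams(lines):
    """Return {circuit_id: set(mail hosts)} for streams that SUCCEEDED."""
    by_circuit = defaultdict(set)
    for line in lines:
        m = STREAM_RE.match(line.strip())
        if not m or m.group("status") != "SUCCEEDED":
            continue  # NEW/SENTCONNECT events carry circuit 0 or no exit yet
        if int(m.group("port")) not in MAIL_PORTS:
            continue
        by_circuit[int(m.group("circ"))].add(m.group("host").lower())
    return dict(by_circuit)


def shared_circuits(lines):
    """Circuits whose streams reach more than one mail host (linkable)."""
    grouped = parse_mail_streams(lines)
    return {c: sorted(h) for c, h in grouped.items() if len(h) > 1}


# Constructed sample: three accounts checked over one circuit, then the
# same three accounts with each stream on its own circuit.
SHARED = [
    "650 STREAM 10 NEW 0 imap.yandex.com:993 SOURCE_ADDR=127.0.0.1:50001",
    "650 STREAM 10 SUCCEEDED 7 imap.yandex.com:993",
    "650 STREAM 11 SUCCEEDED 7 imap.gmail.com:993",
    "650 STREAM 12 SUCCEEDED 7 mail.my.server.org:993",
    "650 STREAM 13 SUCCEEDED 7 check.torproject.org:443",
]
ISOLATED = [
    "650 STREAM 20 SUCCEEDED 21 imap.yandex.com:993",
    "650 STREAM 21 SUCCEEDED 22 imap.gmail.com:993",
    "650 STREAM 22 SUCCEEDED 23 mail.my.server.org:993",
]

if __name__ == "__main__":
    print("shared:  ", shared_circuits(SHARED))    # circuit 7 carries all three
    print("isolated:", shared_circuits(ISOLATED))  # {}
```

An empty result for the isolated case is what per-account stream isolation should produce; a non-empty one means the exit of that circuit sees the accounts together.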
