[tor-talk] Risk of checking multiple accounts with TorBirdy

Mix+TB Test mix.tb at yandex.com
Sat Jan 4 22:03:48 UTC 2014


dhanlin:
> Mix+TB Test:
>> dhanlin:
>>> The adversary I had in mind was a malicious exit node administrator.
>>
>> The exit node admin should only be able to see which email services you
>> are talking to, not the address you are using (assuming end-to-end
>> encryption). An even then they are only going to see it when you exit
>> through that node, which should not be all the time.
>>
>> So worst case is that they can see three simultaneous connections to
>> different providers, not which addresses are in use.
> 
> Yes, but with cooperation between the e-mail provider(s) and the
> malicious exit node, pseudonymous accounts can be connected to accounts
> using a real identity.  For example, if the NSA runs a malicious exit
> node and wants to know the identity of jane.doe at gmail.com, they can take
> from Google all the access times for that account.  Then they can look
> at the logs of their exit node, and find possible accesses to that
> account, and link them to other e-mail provider accesses.  If one of
> these providers is say a personal e-mail server at a domain with valid
> WHOIS, jane.doe at gmail.com is deanonymized.
> 
> I see your point that an malicious exit node cannot itself deanonymize
> by connecting accounts (unless the e-mail providers themselves would
> deanonymize the user, which is possible).  So the attack is a little
> harder than I initially thought.  There seems to be no technological
> impediment to an e-mail provider and a malicious exit node cooperating,
> though.

Yes, I was considering your threat model of a malicious exit node
administrator. Collusion or a global passive adversary is far more
difficult.

You could try separate Thunderbird profiles with only one account per
profile, or you could turn off checking at startup and checking every x
minutes and then just check manually. You could also use 'fetchmail' and
a small script with 'cron' or 'at' to randomise which accounts are
checked and how long the break is in between. Using separate profiles
would mean that an adversary may be able to see patterns of when you are
actively checking email, while a fetchmail setup running on an always on
machine would make this far more difficult.


More information about the tor-talk mailing list