[tor-talk] Danish data retention on steroids

aka akademiker1 at googlemail.com
Sun Jan 31 00:10:12 UTC 2016


Niels Elgaard Larsen:
> * Session volume (number of bytes)

> 1. Tor would kill this right at the entry-node? Even a user fired up
> TorBrowser, typed in http://example.com/foo.mp4, watched the video and
> closed the browser, there would be enough negotiation to obfuscate the
> bytecount?
> 

I assume "session volume" is the size of payload data transferred in a
single TCP session.
If a Danish Tor user visited a Danish website affected and the website
used non-multiplex http (everything before http/2 and SPDY) there would
be 30 different TCP sessions for all those pictures, scripts, 3rd party
tracker elements, etc. on the website. So in the data retention database
there will be a very fine grained and timestamped traffic log of this
particular site visit, useable for traffic correlation attacks. The
situation gets even worse if the website uses some periodic push/pull
system like for example a twitter feed, creating and closing TCP
connections every few seconds.

Lots of data over one single persistent TCP connection = only one entry
in data retention database = not useful for deanonymizing Tor users.
Lots of data over many short lived TCP connections over a long period of
time = many fine grained entries in data retention database = useful for
deanonymizing Tor users.

It should also be taken into account that the government could force the ISP
to terminate TCP connections every few seconds to increase the amount of
logs created.
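
An added illustration, not part of the original message: a toy model of a per-TCP-session retention logger, showing how the same byte volume yields one record, many records, or artificially many records when connections are reset. The record fields, the `forced_reset` parameter and the traffic are constructed assumptions.

```python
from collections import namedtuple

# One retained record per TCP session (assumed fields: start, end, byte count).
Record = namedtuple("Record", "start end volume")

def retention_log(packets, forced_reset=None):
    """Turn (timestamp, conn_id, nbytes) packet events into session records.

    forced_reset is a hypothetical interval (seconds) after which the ISP
    tears a connection down, so later traffic is logged as a new session.
    """
    open_sessions = {}  # conn_id -> [start, last_seen, volume]
    records = []
    for ts, conn, nbytes in sorted(packets):
        sess = open_sessions.get(conn)
        if sess and forced_reset is not None and ts - sess[0] >= forced_reset:
            records.append(Record(*sess))  # close the old session
            sess = None
        if sess is None:
            sess = open_sessions[conn] = [ts, ts, 0]
        sess[1] = ts
        sess[2] += nbytes
    records.extend(Record(*s) for s in open_sessions.values())
    return sorted(records)

# Constructed traffic: 60 kB either way, spread over 60 seconds.
def persistent():
    return [(t, "c0", 1000) for t in range(60)]

def short_lived():
    return [(2 * i + k, f"c{i}", 1000) for i in range(30) for k in range(2)]

if __name__ == "__main__":
    for name, log in [
        ("one persistent connection", retention_log(persistent())),
        ("30 short connections", retention_log(short_lived())),
        ("persistent, reset every 5 s", retention_log(persistent(), 5)),
    ]:
        print(f"{name}: {len(log)} records, {sum(r.volume for r in log)} bytes")
```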

