
It sounds like to be truly safe you need to know safe entry guard node(s) and/or operate your own group of entry relays. Otherwise, you risk X% of your traffic potentially being deanonymized by someone controlling both ends.

Of course, if you do that, you probably need to remain constantly connected and moving data through Tor 24/7 to prevent any kind of analysis since you can't hide the fact you:

A) Control the relay you connect to.

B) Are connected to Tor.



> you probably need to remain constantly connected and moving data through Tor 24/7

You almost have it. The problem is that just moving data through isn't enough. Given enough sample data, you can eventually figure out enough information about the traffic to correlate with another host moving the same traffic.

The most effective way to mask the effects of passive statistical analysis is to employ either a masking effect or a countermeasure. Either make all the traffic look identical (and have its rate be identical and constant), or make all the traffic look random, insofar as garbage is injected or frames are truncated at every hop.

Also, you don't have to control both ends. You just have to observe a given percentage of the traffic along its path(s), and you can determine a probability of which hosts lead to/from what traffic. If you're just trying to trace an unknown adversary, it may be able to [at the very least] identify the network they're on.


> Also, you don't have to control both ends. You just have to observe a given percentage of the traffic along its path(s), and you can determine a probability of which hosts lead to/from what traffic. If you're just trying to trace an unknown adversary, it may be able to [at the very least] identify the network they're on.

Really? I figured the number of hops involved meant as long as they couldn't control both Entry Guard & Exit Node you were relatively safe.

> The most effective way to mask the effects of passive statistical analysis is to employ either a masking effect or a countermeasure. Either make all the traffic look identical (and have its rate be identical and constant), or make all the traffic look random, insofar as garbage is injected or frames are truncated at every hop.

So, set up a webcrawler whenever you aren't using it that randomly crawls pages, I suppose. Random garbage would make you easier to find, I suspect, since it doesn't fit with a "normal" pattern of any kind.

I mostly look at Tor out of curiosity. :)


I don't like the idea of 'relative' safety. I trust Tor about as much as the extradition treaty of the country I'm using it from. And no, there have been many attacks on the Tor network that have been successful without controlling the ingress & egress nodes.

Webcrawlers have a pattern too. The point is to generate garbage in such a way as to make the traffic indistinguishable and as random as possible, while still embedding a real payload. It would not be easy. The timing is often more telling than the data, though.


> Webcrawlers have a pattern too.

Nope. The ones that have a pattern are the ones that play by the rules. It's extremely easy to write a web-crawler that performs random actions (download torrents, seed data, make bing/yahoo/google/duckduckgo random searches and click on 25 random indexed results, etc.).

In order for a sniffing party to understand what is going on, it will (probably) take a Bayesian approach which will require more data than one can generate in 100 years.

Writing such a crawler for an experienced developer is extremely trivial (e.g. ruby + mechanize + nokogiri).


https://blog.torproject.org/blog/bittorrent-over-tor-isnt-go...

> download torrents, seed data,

I'm not sure that part of your idea is good.

The random crawler is what I had in mind but I doubt I'd implement it simply because I don't have a need to use Tor beyond curiosity.


Yeah okay, torrents aside, the idea is to generate random bursts of data transmission and you can do that easily.


What is that even supposed to solve? You're just making random network connections... it really does nothing to obscure origin or destination. It's not the target traffic so it'll get filtered out, and timing attacks still work on the target data.


Fair enough. :)


> you probably need to remain constantly connected and moving data through Tor 24/7

I guess this is why they recommend running a (non-exit) relay – at the very least it increases the cost of figuring out when you're using Tor yourself.


It's still vulnerable to passive analysis as the other guy noted since if you control the ISP for the end-user you have some idea how much data is being pumped through an encrypted connection. [e.g. Is it just staying alive or pulling 50mb/s?]
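
Added example, not part of any comment in this thread: a small simulation of the cover-traffic argument above, scoring three countermeasures (no cover, independent random bursts, constant-rate padding) by how strongly the volume on the client's link still correlates with the target flow. All traffic is constructed, time bins are assumed to be aligned, and the function names are hypothetical.

```python
import random
from math import sqrt

BINS = 600      # one-second observation windows (constructed)
PEAK = 80_000   # largest burst in bytes per bin (constructed)

def bursty_flow(rng, bins=BINS, p=0.2):
    """Constructed on/off traffic: a burst in about 20% of bins, idle otherwise."""
    return [rng.randint(20_000, PEAK) if rng.random() < p else 0 for _ in range(bins)]

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series carries no variation."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / sqrt(vx * vy)

def client_link(target, mode, rng):
    """Bytes per bin visible on the client's access link under each countermeasure."""
    if mode == "none":
        return list(target)
    if mode == "random_cover":      # independent bursts added on top of the real flow
        cover = bursty_flow(rng, len(target))
        return [t + c for t, c in zip(target, cover)]
    if mode == "constant_rate":     # padding fills every bin to the same size
        return [PEAK] * len(target)
    raise ValueError(mode)

def evaluate(seed=1):
    """Correlate the target flow with what the link shows in each mode."""
    rng = random.Random(seed)
    target = bursty_flow(rng)
    unrelated = bursty_flow(rng)    # baseline: another user's independent traffic
    modes = ("none", "random_cover", "constant_rate")
    scores = {m: pearson(target, client_link(target, m, rng)) for m in modes}
    scores["unrelated_user"] = pearson(target, unrelated)
    return scores

if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:15s} r = {r:+.3f}")
```

Independent bursts only add noise on top of the real signal, so the correlation stays far above the unrelated-user baseline; only the constant-rate link leaves nothing to correlate against.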



