I’ve written about customizing PhantomJS to defend against fingerprinting but I never really looked at what affect Selenium (the driver that control lots of different Browsers) has on the fingerprintability of say something like the Tor Browser Bundle. Some people at the Tor Project are looking into using tor-browser-selenium or the like to automate control of a Tor Browser instance. For tasks like trying to detect whether an exit is manipulating content to the user it would be useful to emulate exactly what a user’s experience would be with TBB.
Continuation from previous posts: 1 and 2 Website Fingerprinting Defenses at the Application Layer I like research projects on subjects that I feel have no hope. So here’s hoping for hope! This research is attempting to specifically defend onion services from being fingerprinted. The most common attack scenario is when an adversary is able to inspect the traffic between the tor client and the network and correlate the amount of traffic sent, to the size of known onion services.
Continuation from previous post: 1 Waterfilling: Balancing The Tor Network With Maximum Diversity This paper is proposing a new tor circuit path selection algorithm that makes bigger nodes run middle/relay traffic more often and smaller nodes more become exits exits. Apparently the talk included an abridged history of tor’s path selection: 2003: Uniform at random 2004: Introduce bandwidth weighting for performance 2005: add Guards based on Helper nodes 2010: add bandwidth weights to map node capacity into probability of use in different positions (guard, middle, exit) The main goal of this new algorithm is to make very large tor servers (which are a higher risk of being used in a traffic correlation attack because they serve a higher percentage of tor clients) serve more relay traffic, and less guard or exit traffic.
The annual Privacy Enhancing Technologies Symposium (PETS) 2017 is a privacy nerd’s dream and has always been on my list to attend. Unfortunately, I did not make it out to Minnesota to attend but all the papers are readily available online so yay, open access! These are my notes about some interesting research presented this year based on the papers that were released and the live tweets that Nick Mathewson was doing during the event.