Opened 5 years ago

Last modified 2 years ago

#18552 new defect

timing oracle for rendezvous circuits

Reported by: cypherpunks
Owned by: tbb-team
Priority: Very Low
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Trivial
Keywords: tbb-linkability
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


The performance and XMLHttpRequest JavaScript APIs provide a toolset sufficient to measure for the existence of previously established rendezvous circuits.

Since CORS headers can only be determined after a request is performed, by measuring the time to failure on a series of cross-domain requests and observing the difference between the time-to-failure on the first and subsequent requests, we could determine if a user has an already established circuit with a given rendezvous website.

While the timing on performance is quite coarse, it is sufficient to detect the build time of a rendezvous circuit. If the subsequent requests consistently take the same time as the initial request, it could be inferred that the user already had a circuit established to the onion address being tested by the XMLHttpRequest.

The measurement capabilities are very weak given that the sample set of the initial connection can only be 1; as such, this attack is not very reliable.
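
Added illustration, not part of the ticket: an offline simulation of the decision rule described above, using constructed timings (the build time, base latency, timer granularity and jitter values are assumptions, not measurements). It shows that a coarse timer alone leaves the inference intact, while the single first-request sample makes the inference degrade once latency jitter exceeds the circuit build time.

```javascript
// Constructed model, not measurements: every timing below is an assumed value in ms.
const BUILD_MS = 2000;     // assumed rendezvous circuit build time
const BASE_MS = 800;       // assumed time-to-failure over an existing circuit
const TIMER_RES_MS = 100;  // assumed granularity of the page-visible timer

// Small seeded PRNG (mulberry32) so every run gives the same result.
function mulberry32(a) {
  return function () {
    a |= 0; a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// What a page would observe through a timer with resolution `res`.
const coarse = (ms, res) => Math.floor(ms / res) * res;
const median = (xs) => [...xs].sort((a, b) => a - b)[Math.floor(xs.length / 2)];

// Decision rule from the ticket: if the first request is about as fast as
// the later ones, infer that a circuit already existed.
function inferExistingCircuit(firstMs, laterMs, thresholdMs = BUILD_MS / 2) {
  return firstMs - median(laterMs) < thresholdMs;
}

// Fraction of wrong inferences over `trials` simulated visits, with latency
// jitter drawn uniformly from [0, jitterMs).
function errorRate(jitterMs, trials = 2000, seed = 18552) {
  const rnd = mulberry32(seed);
  const sample = (extra) => coarse(BASE_MS + extra + rnd() * jitterMs, TIMER_RES_MS);
  let wrong = 0;
  for (let i = 0; i < trials; i++) {
    const hadCircuit = rnd() < 0.5;
    const first = sample(hadCircuit ? 0 : BUILD_MS); // only one first sample exists
    const later = Array.from({ length: 5 }, () => sample(0));
    if (inferExistingCircuit(first, later) !== hadCircuit) wrong++;
  }
  return wrong / trials;
}

for (const jitter of [0, 500, 8000]) {
  console.log(`jitter ${jitter} ms -> error rate ${errorRate(jitter)}`);
}
```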

Change History (1)

comment:1 Changed 2 years ago by cypherpunks

Keywords: tbb-linkability added; timing performance removed