CAT (the Swedish Internet Foundation)

Tor, an anonymity network with around 8 million daily users, is used to browse the Internet anonymously, circumvent censorship, and disseminate information anonymously. Tor is designed to minimize latency as much as possible, but this also entails weaker anonymity protection against stronger attackers. If an attacker is able to see both incoming and outgoing traffic on the Tor network, the traffic can be correlated to de-anonymize users.

Although such strong attackers typically are not considered within the threat model of Tor, medium-strong attackers can observe Internet traffic in many places simultaneously. Potential medium-strong attackers include larger Internet service providers like Telia, content delivery networks (CDNs) like CloudFlare, and Internet giants like Google. It is important to understand how these medium-strong attackers could attack Tor by exploiting their privileged positions on the Internet.

The aim of this project is to further investigate correlation attacks on the Tor network. Karlstad University’s previous research on correlation attacks has shown that attackers can combine web-fingerprinting attacks with DNS traffic to increase their accuracy considerably. Google has for example long had access to an average of 30% of all DNS traffic from Tor’s exit relays.

In the CAT project, researchers will generalize attacks to investigate other sources of correlation attacks, such as Online Certificate Status Protocol (OCSP), as well as web-based techniques like CDNs and HTML5. For each attack, a replicable experiment will be designed, documented and made available to the public after the end of the project. Karlstad University researchers will work with the Tor developers to gain the best possible protection against all attacks and to ensure that the results of the project benefit all Tor users.