New low cost traffic analysis attacks and mitigations

I think 1:1 App/Guard > multiple traffic types in one client. I want to edit the page to reflect that unless you are still unsure.

1 Like

You mean A) Increase Protection from Malicious Entry Guards: One Guard per Application is more important than B) New low cost traffic analysis attacks and mitigations? I guess that could be true.

  • Attack A) means zero connection privacy maybe for everything all the time.
  • Attack B) means the ISP can see which websites are visited all the time.

Yes, please edit.


A): What about users who only use 1 app, the Tor Browser and nothing else?

Yep. I even asked an expert to confirm.

They would be screwed, but only for browsing traffic at that point. Other stuff would be “safe”. Combining traffic may or may not provide a marginal protection, but if it doesn’t then all of your activities’ privacy is blown.

1 Like

I don’t know at all but I speculate it could be ~50-80% of Whonix users who only use the Tor Browser.

Also I don’t understand the distinction between application and activity here.

Common ground: Tor Browser is an application, OK. HexChat is another application OK. So far we agree. Now Increase Protection from Malicious Entry Guards: One Guard per Application claims “Tor Browser and HexChat” should use different Tor circuits. Alright.

But why does it matter? From the perspective of Tor, it’s all just TCP traffic. Tor doesn’t check whether it is coming from Tor Browser or HexChat. That difference doesn’t exist anymore at that level. (Except when these applications are configured to use different Tor SocksPorts.)

Now reductio ad absurdum.

  • User A): uses Tor Browser, HexChat, Thunderbird, OnionShare, Electrum, Monero → 6 applications → “you should use 6 different Tor entry guards”.
  • User B): uses Tor Browser for browsing, uses Tor Browser IRC Chat add-on or IRC webchat, uses cloud file send services, uses web wallet → 1 application → “you should use only 1 Tor entry guard”.

As more and more functionality moves from previously standalone applications (HexChat, Thunderbird, …) into the browser the less the distinction between applications makes sense to me.

It would sound a lot more convincing to me to tell user B “use a different Tor entry guard per activity”. Why should users not use a different Tor entry guard by activity?

  • [1] Considered true (?): use a different Tor entry guard per application
  • [2] Considered true (?): do not use a different Tor entry guard per activity

How can [1] and [2] be considered true at the same time?
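For reference, the “different Tor SocksPorts” configuration mentioned above looks like this in a torrc. This is an added illustration, not a snippet from the thread or from the Whonix project, and the port numbers are made up. The point worth taking from it: each SocksPort listener gives its application its own circuits (streams on different listeners are not mixed, and the Isolate* flags split them further), but every one of those circuits is still built by the same Tor process and therefore leaves through that process’s entry guard(s). A second guard requires a second Tor instance, which is why per-application guards are not something a SocksPort line alone can deliver.

```text
# torrc (constructed example): one SocksPort per application.
# Streams arriving on different listeners never share a circuit, but all
# circuits are built by this single Tor client and so share its entry guard(s).

# Tor Browser
SocksPort 9150 IsolateClientAddr IsolateSOCKSAuth

# HexChat
SocksPort 9151 IsolateClientAddr IsolateSOCKSAuth

# Thunderbird: additionally separate circuits per destination host and port
SocksPort 9152 IsolateDestAddr IsolateDestPort
```

IsolateClientAddr and IsolateSOCKSAuth are Tor’s defaults and are written out here only to make the isolation explicit; the flags control circuit sharing, never guard selection.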

1App:1G just assumes the worst and doesn’t attempt to create cover traffic, but argues for putting your apps/eggs in different guard baskets.

He never argues against segregating website visits to different guards so we can assume this is just as valid. Worth asking once a dialog starts, but logically this advice is equivalent. The idea is to fragment a user’s anonymous traffic so no guard can construct a full picture if it decides to be evil.

1 Like
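The “fragment the traffic so no single guard sees the full picture” argument, and the counterpoint a few posts up that splitting may only be a marginal gain, can be made concrete with a small exact model. The following is an added example, not code from the thread or from Whonix: it takes a constructed activity list modelled on user B above (several activities inside Tor Browser plus one standalone application), assigns guards under the three strategies discussed (everything over one guard, one guard per application, one guard per activity), and, assuming each guard is independently malicious with probability p, computes how likely a full picture, any exposure, and the expected number of exposed activities are. The activity names, the strategy labels and the value of p are assumptions made for the illustration.

```python
"""Exact exposure model for the guard-fragmentation argument (added example)."""
from itertools import product

# Constructed sample user, modelled on "user B" in the thread:
# (activity, application) pairs. Names are made up for the illustration.
ACTIVITIES = [
    ("web browsing", "Tor Browser"),
    ("IRC webchat", "Tor Browser"),
    ("cloud file send", "Tor Browser"),
    ("web wallet", "Tor Browser"),
    ("email", "Thunderbird"),
]

STRATEGIES = ("single", "per_app", "per_activity")


def assign_guards(activities, strategy):
    """Map each activity to a guard id (0, 1, ...) under one strategy.

    single:       all activities share one guard
    per_app:      one guard per application (the 1App:1G advice)
    per_activity: one guard per activity
    """
    guard_ids = {}
    mapping = {}
    for activity, app in activities:
        key = {"single": "all", "per_app": app, "per_activity": activity}[strategy]
        mapping[activity] = guard_ids.setdefault(key, len(guard_ids))
    return mapping


def exposure_distribution(mapping, p):
    """Exact distribution of how many activities a malicious guard set observes.

    Each guard is assumed to be malicious independently with probability p.
    Enumerates every subset of guards, so it is meant for small guard counts.
    Returns {number_of_exposed_activities: probability}.
    """
    n_guards = max(mapping.values()) + 1
    dist = {}
    for evil in product((False, True), repeat=n_guards):
        prob = 1.0
        for flag in evil:
            prob *= p if flag else (1.0 - p)
        exposed = sum(1 for guard in mapping.values() if evil[guard])
        dist[exposed] = dist.get(exposed, 0.0) + prob
    return dist


def summarize(activities, p):
    """Compare the three strategies for one user at malicious-guard rate p."""
    n = len(activities)
    result = {}
    for strategy in STRATEGIES:
        mapping = assign_guards(activities, strategy)
        dist = exposure_distribution(mapping, p)
        result[strategy] = {
            "guards": max(mapping.values()) + 1,
            # probability that one adversary sees every activity
            "p_full_picture": dist.get(n, 0.0),
            # probability that at least one activity is observed at all
            "p_any_exposure": 1.0 - dist.get(0, 0.0),
            # expected number of observed activities (always n * p)
            "expected_exposed": sum(k * v for k, v in dist.items()),
        }
    return result


if __name__ == "__main__":
    for strategy, stats in summarize(ACTIVITIES, 0.1).items():
        print(f"{strategy:13s} guards={stats['guards']} "
              f"full={stats['p_full_picture']:.5f} "
              f"any={stats['p_any_exposure']:.5f} "
              f"expected={stats['expected_exposed']:.3f}")
```

Running it with p = 0.1 shows the trade-off in numbers: the expected number of exposed activities is 0.5 under all three strategies, so fragmentation does not reduce how much is observed on average. What changes is the shape: one guard for everything means a 10% chance of losing everything at once, while five guards drive the full-picture probability down to 0.001% but raise the chance that at least one activity is watched to about 41%. Whether that is the better deal is exactly the question the thread is arguing about.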

Turns out everything I thought I knew about snowflake and bridges was wrong:

https://lists.torproject.org/pipermail/tor-dev/2020-January/014127.html

The stuff running in the browser is proxy for the actual bridge that someone hosts. All bridge types need port forwarding.

You need custom code to mix client traffic and bridge traffic. The benefits are only for Onion services not clients.

In short we can safely scratch that off.

1 Like