A recently conducted analysis sheds new light on website fingerprinting (WF) attacks on Tor.
Website Fingerprinting Attacks on Tor
According to a team of academics (Giovanni Cherubin of Alan Turing Institute, Rob Jansen of U.S. Naval Research Laboratory, and Carmela Troncoso of EPFL SPRING Lab), these attacks could allow threat actors to observe the traffic patterns between the user and the Tor network to predict the website the user visits.
“Existing WF attacks yield extremely high accuracy. However, the conditions under which these attacks are evaluated raises questions about their effectiveness in the real world,” the researchers said. This is accomplished by “adapting the state-of-the-art Triplet Fingerprinting attack to an online setting and training the WF models on data safely collected on a Tor exit relay.” This setup can be easily deployed by a threat actor.
The purpose of the research is to demonstrate how threat actors can accomplish a WF classification accuracy of more than 95% when observing a small set of 5 popular sites. However, the accuracy level drops to 80% when 25 websites are monitored. Thus, the researchers concluded that despite the possibility of WF attacks, it is inefficient to perform them in the real world when monitoring a larger number of websites.
More details are available in the original report titled “Online Website Fingerprinting: Evaluating Website Fingerprinting Attacks on Tor in the Real World.”
It is also curious to mention that in 2016, independent security researcher Jose Carlos Norte, revealed that Tor users could be fingerprinted. This means that Tor users can be de-anonymized whenever law enforcement entities decide.
User fingerprinting illustrates the ways of tracking various operations and details about the user’s online behavior. The Tor browser should provide protection against tracking to keep the user’s identity from being exposed.
As pointed out by Norte, fingerprinting is specifically threatening to the Tor user since data stored while he surfs the Web (through Tor) can be later compared to data taken from the user’s regular browser.