Online Website Fingerprinting: Evaluating Website Fingerprinting Attacks on Tor in the Real World

Lounge
1

Abstract:

Website fingerprinting (WF) attacks on Tor allow an adversary who can observe the traffic patterns between a victim and the Tor network to predict the website visited by the victim. Existing WF attacks yield extremely high accuracy. However, the conditions under which these attacks are evaluated raises questions about their effectiveness in the real world. We conduct the first evaluation of website fingerprinting using genuine Tor traffic as ground truth and evaluated under a true open world. We achieve this by adapting the state-of-the-art Triplet Fingerprinting attack to an online setting and training the WF models on data safely collected on a Tor exit relay—a setup an adversary can easily deploy in practice. By studying WF under realistic conditions, we demonstrate that an adversary can achieve a WF classification accuracy of above 95% when monitoring a small set of 5 popular websites, but that accuracy quickly degrades to less than 80% when monitoring as few as 25 websites. We conclude that, although WF attacks may be possible, it is likely infeasible to carry them out in the real world while monitoring more than a small set of websites.

https://www.usenix.org/conference/usenixsecurity22/presentation/cherubin

TL;DR;

:onion:

5 Likes
2

this is why I have been trying to learn about tor alternatives lately like i2p, zeronet, freenet, loki, ygdrasil, etc

1 Like
3

Fingerprinting techniques are not bound to the protocol - all of those will have the same issues.

4 Likes
4

In my mind, it would be much harder to focus on a small subset of websites like the article states if one browses across several networks all designed to be private, or am I wrong?

5

Then they can fingerprint your traffic pattern as you switch between those networks. :wink:

For example, if you have Tor Browser set with a homepage (or worse, a set of tabs with different home pages) then every time you start the browser the traffic will be the same. If someone monitoring your connection sees the same pattern of traffic hitting the same servers then they can tie that pattern (fingerprint) to a single user and so track your activity.

The best option is to browse a large number of sites via the same network (whether Tor or whatever) - the article points out that the more traffic across a variety of sites the harder it is to identify a particular pattern of usage.

Therefore, I’d suggest you just use Tor Browser for general anonymous searching and browsing and add to the swarm of Tor traffic (and therefore an amount of Tor traffic is normal for your connection so it’s less “suspicious”). Stick to your normal browser for anything where you need to be tracked (i.e. signed in: banking, shopping, fora, …).

3 Likes