Re: [Taler] denomination manipulation


From: Christian Grothoff
Subject: Re: [Taler] denomination manipulation
Date: Sat, 28 Nov 2015 12:37:59 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.3.0

On 11/28/2015 05:22 AM, Jeff Burdges wrote:
> 
>> > by the wallet, in the background without some strange cookies
> I'm not sure that eliminating super-cookies or whatever is as easy as
> you think, but we can ask the Tor Browser people for help with that, so
> I'm not too worried. 
> 
>> > or god knows what self-identifying information you assume may be
>> > provided. 
> Timing correlation has been the identifying information all along. 

No, because there is no *correlation*. You get a request to /keys at
5pm. What do you correlate that with? Well, you also got a request to
say 'index.html' at 4:59:59. Great. So those two likely came from the
same user. Well, you also got '/favicon.ico' from that user at 5pm, and
the latter equivalent (!) correlation happens for pretty much every page
you visit with Tor. That doesn't deanonymize users: just being able to
say that two requests are related doesn't tell you whom they came from.
So think of '/keys' as equivalent to an image or CSS or JS resource
fetched with a page. The additional data leakage (+1 request) is almost
nothing (I could equally add another image into the page), especially as
you know nothing about the user visiting the mint page in the first
place (as he's, as you acknowledged, browsing via Tor).

Correlation only helps you if you can correlate the visit to something
where you know more about the user. Here, you do not have that.


