[guardian-dev] Blackphone

Michael Rogers michael at briarproject.org
Fri Jan 17 06:21:52 EST 2014


On 17/01/14 11:10, Matej Kovacic wrote:
> Yes, but an adversary can see when you connect to the OSTN server to
> place a call and see who responded to a call. Actually they can
> only see who is transferring the data and in what amount, but it is
> enough for correlation. So they can see who is communicating with
> who.

Yup, an adversary wiretapping both parties can see that they're
communicating. But the parties' OSTN servers can see that _without_
wiretapping them.

> A solution would be to use OSTN with Tor network (OK, it would not
> work, but you can use ChatSecure's voice messages), while both
> parties should also generate some additional fake traffic to Tor
> network to prevent correlation.
> 
> In that case you would have encrypted conversation, server
> administrator cannot see who is communicating with who (actually,
> can only see some identity number like number 1000 is calling
> number 2000, but without real IP addresses), and adversary can only
> see that you have connected to Tor network and that you are
> transferring some data.
> 
> In that case you do not need to trust anyone. Except endpoint
> devices. :-)

Sounds like a good solution, as long as the OSTN accounts are
registered and used always through Tor.

IIRC, the Tor protocol allows clients to send padding frames to relays
- but it doesn't allow clients to ask relays to generate padding. So
the Tor->Alice direction of the Alice->Tor connection, and the
Tor->Bob direction of the Tor->Bob connection, could still be
correlated. And of course, circuit setup and teardown times are quite
revealing even if the circuits are fully padded.

Cheers,
Michael

