Flaws in Tor anonymity network spotlighted.

At the Chaos Computer Club Congress in Berlin, Germany on Monday, researchers from the University of Regensburg delivered a new warning about the Tor anonymizer network, a system aimed at hiding details of a computer user’s online activity from spying eyes.
The attack doesn’t quite make a surfer’s activity an open book, but offers the ability for someone on the same local network—a Wi-Fi network provider, or an ISP working at law enforcement (or a régime’s) request, for example—to gain a potentially good idea of sites an anonymous surfer is viewing. [Ars Technica]
There are things users can do to protect themselves. From the article:
Users themselves can guard against this type of fingerprint-based eavesdropping relatively easily, Herrmann noted. Downloading or requesting more than one site at a time through the network will muddy the pattern enough that certainty will be very difficult for the eavesdropper to establish.
And from one of the comments:
This attack should be significantly less effective as well if the target in question is a fully functional and quality relaying node. In that case other people accessing through the node would randomize things significantly, and their access would be impossible to differentiate from a local user without the kind of physical access that makes the entire thing moot.