According to new research on website fingerprinting (WF) attacks against the Tor Browser, an adversary may identify which websites a victim visits, but only when the adversary is interested in a specific subset of the websites that users visit.
Researchers Giovanni Cherubin, Rob Jansen, and Carmela Troncoso said in a recently published paper that while attacks can surpass 95 percent accuracy when tracking a small set of five popular sites, indiscriminate (non-targeted) attacks against sets of 25 and 100 websites fail to exceed an accuracy of 80 percent and 60 percent, respectively.
Website fingerprinting attacks on Tor try to defeat its anonymity protections by letting an adversary predict the website a victim visits from patterns in the encrypted traffic between the victim and the Tor network. The academics’ threat model assumes that an attacker sets up an exit node to capture the variety of traffic generated by genuine users. That traffic is then used as a source of Tor traffic traces, and a machine-learning classification model is built on top of the data to infer users’ site visits.
The adversary model includes an “online training phase that employs observations of real Tor traffic obtained from an exit relay (or relays) to continually update the classification model over time.” To address the ethical and privacy concerns raised by the study, the paper’s authors emphasized the safeguards they adopted to avoid leaking sensitive websites that users may access through the Tor Browser.
According to the researchers, “the findings of our real-world evaluation suggest that WF cyberattacks can only succeed in the wild if the adversary seeks to identify websites within a narrow collection.” In other words, untargeted adversaries attempting to track users’ website visits would fail, but specialized attackers focusing on a specific client configuration and website may succeed.
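The effect of the monitored-set size can be seen in a small simulation. This is an added illustration, not code or data from the paper: the "traces" are constructed synthetic feature vectors, the nearest-centroid classifier is a stand-in for the paper's model, and the resulting accuracies are not the paper's figures.

```python
import random

def simulate_accuracy(num_sites, seed, train=20, test=20, dims=3, noise=0.08):
    """Accuracy of a nearest-centroid classifier that must pick one of
    num_sites candidate sites. All data is constructed, not real traffic."""
    rng = random.Random(seed)
    # Each site gets a hypothetical "true" fingerprint: a point in the unit cube.
    sites = [[rng.random() for _ in range(dims)] for _ in range(num_sites)]

    def observe(site):
        # One noisy visit: network jitter modelled as Gaussian noise per feature.
        return [x + rng.gauss(0, noise) for x in site]

    # Training phase: average several noisy observations per site.
    centroids = []
    for site in sites:
        samples = [observe(site) for _ in range(train)]
        centroids.append([sum(col) / train for col in zip(*samples)])

    def classify(trace):
        # Pick the site whose learned centroid is closest to the trace.
        return min(range(num_sites),
                   key=lambda i: sum((a - b) ** 2
                                     for a, b in zip(trace, centroids[i])))

    # Test phase: fresh noisy visits, scored against the known label.
    correct = 0
    for label, site in enumerate(sites):
        for _ in range(test):
            correct += classify(observe(site)) == label
    return correct / (num_sites * test)

def accuracy_by_set_size(sizes=(5, 25, 100), trials=5):
    """Mean accuracy per monitored-set size, averaged over several seeds."""
    return {n: sum(simulate_accuracy(n, seed) for seed in range(trials)) / trials
            for n in sizes}

if __name__ == "__main__":
    for n, acc in accuracy_by_set_size().items():
        print(f"{n:>3} candidate sites: accuracy {acc:.2f}")
```

With the noise level held constant, adding candidate sites crowds the feature space, so more visits fall closer to a wrong site's centroid than to the right one.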