Opened 4 months ago

Closed 3 months ago

#2361 closed enhancement (wontfix)

Add Full Stream Isolation per every new connection

Reported by: anonymous maybe
Owned by:
Priority: minor
Milestone: undecided
Component: apps/i2ptunnel
Version: 0.9.37
Keywords:
Cc:
Parent Tickets:

Description (last modified by anonymous maybe)

When browsing eepsites/clearnet in the browser, each new website should have its own connection, different from the others, whether it's an inbound or outbound connection, to prevent co-identity attacks.

Well, thanks to eyedeekay for testing that with a modified Tor Browser with I2P, and concluding it's not fully isolated:


Strictly speaking, I don’t think it has the same path, just the same return address. I was curious and technically the fingerprinter is partly broken (by browser improvements mostly) for the moment, but the destination that the server sees (to reply to the HTTP proxy tunnel) is still the same across the sites you visit. I linked to some pics at the bottom. It’s arguably not that much of an issue. The destination expires automatically and is arguably of fairly limited utility. It doesn’t de-obfuscate your location and it can’t really lead to cross-site identification in and of itself; it needs to be combined with another identifiable characteristic that lives longer, like a user account or possibly a browser fingerprint. I just think that it could be less useful if each site got a different tunnel to reply to.

Check the uploaded images.

Subtickets

Attachments (2)

proof.png (78.8 KB) - added by anonymous maybe 4 months ago.
proof2.png (78.7 KB) - added by anonymous maybe 4 months ago.


Change History (6)

Changed 4 months ago by anonymous maybe

Changed 4 months ago by anonymous maybe

comment:1 Changed 4 months ago by anonymous maybe

  • Description modified

comment:2 Changed 3 months ago by zzz

  • Priority changed from major to minor
  • Status changed from new to infoneeded_new
  • Type changed from defect to enhancement

You've titled this ticket "Full Stream Isolation".
I believe this is a Tor term and corresponds to their proposal 171:
https://gitweb.torproject.org/torspec.git/plain/proposals/171-separate-streams.txt
basically putting different streams on different circuits.

Please confirm.

I2P doesn't have streams or circuits. But perhaps what you think it means for i2p is routing traffic for different far-end destinations through different tunnels.

In any case, that's different from having a different local destination, which is what shows up at the far-end in the X-I2P-* headers. That doesn't say anything about how it was routed, just where it came from.

So it's not clear if you're asking for different routing through a particular tunnel, or a full new local destination (set of tunnels) for each end-to-end connection to a new far-end destination.

Neither will be likely to happen as it's not the way i2p works.

But please specify what you are asking for, and why.

comment:3 Changed 3 months ago by anonymous maybe

  • Status changed from infoneeded_new to new

This one:

full new local destination (set of tunnels) for each end-to-end connection to a new far-end destination.

but since

Neither will be likely to happen as it's not the way i2p works.

That's sad, because it will give more difficulty to co-identification attacks, which Tor has overcome.

Last edited 3 months ago by anonymous maybe

comment:4 Changed 3 months ago by zzz

  • Resolution set to wontfix
  • Status changed from new to closed

Thanks for the clarification.
While the client could build a full destination for each far-end target, it's extremely expensive and thus impractical. We have some ideas on how to speed up tunnel builds but that's on the margins and won't change the overall picture.
The Tor issue is not directly applicable to I2P but there are some similarities. Unfortunately it's not something we can address anytime soon.
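
The check behind the test in the description, using the X-I2P-* header point from comment 2, as an added Python example that is not part of the ticket or of I2P's code: given raw requests logged by test sites you operate yourself, it groups the sites by the `X-I2P-DestHash` value each one saw. The site names, hash values and helper names are constructed for illustration.

```python
from collections import defaultdict

HEADER = "x-i2p-desthash"  # added by the far-end I2P HTTP server tunnel

def request(host, *dest_hashes):
    """Build a constructed raw request as a test site would log it."""
    lines = ["GET / HTTP/1.1", f"Host: {host}"]
    lines += [f"X-I2P-DestHash: {h}" for h in dest_hashes]
    return "\r\n".join(lines) + "\r\n\r\n"

def parse_headers(raw):
    """Return lower-cased header name -> list of values for one raw request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = defaultdict(list)
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers

def audit(captures):
    """Group sites by the local (return) destination each one observed."""
    by_dest, unknown = defaultdict(set), set()
    for site, raw in captures.items():
        values = set(parse_headers(raw).get(HEADER, []))
        if len(values) != 1:                   # absent or contradictory: cannot judge
            unknown.add(site)
        else:
            by_dest[values.pop()].add(site)
    linked = sorted(sorted(s) for s in by_dest.values() if len(s) > 1)
    return {"linked": linked, "unknown": sorted(unknown),
            "isolated": not linked and not unknown}

SITES = ["site-a.i2p", "site-b.i2p", "site-c.i2p"]   # constructed names
# One HTTP proxy tunnel for everything: every site sees the same destination.
SHARED = {s: request(s, "CONSTRUCTED-HASH-0") for s in SITES}
# What the ticket asks for: a separate local destination per far-end site.
PER_SITE = {s: request(s, f"CONSTRUCTED-HASH-{i}") for i, s in enumerate(SITES)}

if __name__ == "__main__":
    for label, captures in (("shared", SHARED), ("per-site", PER_SITE)):
        print(label, audit(captures))
```

A site listed under `unknown` logged no header, or conflicting ones, so the run says nothing about isolation for that site.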
