by semiquaver 752 days ago
Of course a backbone provider can directly inspect the source and destination IP addresses of any traffic transiting its network. How could it be otherwise? That’s not fingerprinting, it’s just pulling fields out of a struct.

Tor does defeat this though. Rather than seeing the true destination of your traffic they see that of a Tor exit node.

1 comments

But... That Tor exit node then sends the traffic onwards... Again via the internet, and the backbone provider can inspect it again.

Seeing a packet heading to a Tor exit node and then a similarly sized packet heading onwards a fraction of a millisecond later is a pretty surefire way to spy on individual Tor users.

I think Tor tries to resize/split/join packets a bit. And each Tor node will in theory be carrying traffic for many different users simultaneously. And Tor uses 3 nodes, each in a different country. So it's not quite as trivial as you make it sound.

If 1, 2, or possibly all 3 nodes are run by a malicious actor, deanonymization becomes easier. At one point 10% of nodes were run by a single malicious actor: https://therecord.media/a-mysterious-threat-actor-is-running...

Yes, being able to see all the traffic on a given network is a legitimate threat to Tor's anonymity.

IIRC there is an alternate method of connecting to an endpoint which uses a 3rd node as a rendezvous point which is meant to be better, but I forget the name of the process...