by JZL003 739 days ago
My favorite recent one I read was encoding it in the HTTP packet delays. So the content of the server is innocuous but you measure the timings.

I wonder how many packet sniffers record exact extremely-accurate timestamps, maybe you could even use synchronized GPS clocks so even if they saved a millisecond (or better?) timestamp, you send enough packets with enough exact timings that you need to have saved higher resolution

4 comments

> I wonder how many packet sniffers record exact extremely-accurate timestamps

Accuracy is hard to judge, but tcpdump/wireshark usually show 6 digits after the decimal. It's gotta be close enough within the bounds of usual jitter on a packet switched network.

Could even go a lower level and use something like the TCP packets metadata as the encoding. Send data in the form of TTL variations across packets.
> Could even go a lower level and use something like the TCP packets metadata as the encoding. Send data in the form of TTL variations across packets.

Even better: put it in the ICMP echo request; then you can also spoof the sending address if you wish.

Or encode it in a DNS request/response.

Sounds really interesting, any resources on that?

Sounds like the other side of timing leaks that cryptographers are so worried about

But it's so easy to defeat with a device that would add random delays to packets, maybe even shuffling their order a bit. It does not need to unpack and process the packet, only record and check boundaries, even simpler than a switch.

Would introduce a configurable amount of delay variance,

Would attach directly to the Ethernet port, before the patch cord going to the rack's router.

Wouldn't you need a very low ping for that to work?
I don't think it needs to be low, but rather consistent, so that the delay between packets is preserved.
As long as it's very consistent, you can use differences
Yes, inter-packet timings are unfortunately pretty good at holding information. (e.g. https://www.freehaven.net/anonbib/cache/stepping-stones.pdf )

Note that Tor doesn't have "global passive adversary" in the threat-model (i.e. an actor that can monitor traffic entering and leaving the Tor overlay).

You could implement error correction code on top.
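
An added simulation, not part of the thread, of the mitigation proposed in the comment about a device that adds random delays to packets: it measures how much per-packet delay variance is needed before a threshold decoder on inter-packet gaps stops recovering bits. The gap values, the path jitter, the uniform delay distribution and the midpoint decoder are all assumptions made for this example.

```python
import random

SHORT, LONG = 0.020, 0.040   # constructed symbol gaps in seconds (bit 0 / bit 1)
NET_JITTER = 0.001           # assumed natural path jitter, std dev in seconds

def send_times(bits):
    """Packet departure times: each bit sets the gap before the next packet."""
    times, t = [0.0], 0.0
    for b in bits:
        t += LONG if b else SHORT
        times.append(t)
    return times

def through_shaper(times, max_delay, rng):
    """Hold each packet for an independent uniform delay in [0, max_delay].

    The device never inspects payloads; packets leave in order of release
    time, so large delays also reorder them.
    """
    arrivals = [t + rng.gauss(0.0, NET_JITTER) + rng.uniform(0.0, max_delay)
                for t in times]
    return sorted(arrivals)

def decode(arrivals):
    """Receiver thresholds each observed inter-packet gap at the midpoint."""
    mid = (SHORT + LONG) / 2
    return [1 if b - a > mid else 0 for a, b in zip(arrivals, arrivals[1:])]

def bit_error_rate(max_delay, n_bits=4000, seed=1):
    """Fraction of bits the receiver gets wrong for a given shaper setting."""
    rng = random.Random(seed)
    bits = [rng.getrandbits(1) for _ in range(n_bits)]
    got = decode(through_shaper(send_times(bits), max_delay, rng))
    return sum(x != y for x, y in zip(bits, got)) / n_bits

if __name__ == "__main__":
    for d in (0.0, 0.005, 0.020, 0.100):
        print(f"max added delay {d*1000:5.0f} ms -> "
              f"bit error rate {bit_error_rate(d):.3f}")
```

Delay variance well below the spacing between the two gap values leaves the channel intact; the error rate only approaches chance once the added delay is several times that spacing, at the cost of an average added latency of half the maximum delay.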