Does my trick, fighting time correlation, have a reason?

I invented a special trick to prevent a “Global Adversary” from knowing the exact moment when I disconnected from Tor network but I don’t know if it really makes any real sense. So I want to check it out here. My method is very simple - I just disable Internet connection before disconnecting from Tor itself. I’ll try to explain what the idea is: let’s not specify the country, but there are such countries that have special equipment that records all users connections for possible future analysis. When they need to find some special user from some special site (who they know is using Tor and maybe living in their country) they, among other things, could try to perform time correlation. For this they need to check Tor connection and dosconnection time of all users (made over a special period of time), living in country under their control. But for this there should be some default, ordinary, usual record that Tor users leave (of course in cases when someone records) when they disconnect from Tor usual way. Then some operator, sitting behind remote control, will enter a request to display to him all records of connections and disconnections of Tor network users. But in my case there will be no such disconnection records because for network it looked like I just disappeared before actually to perform standard disconnection procedure from Tor. So this way I hope not to get in that log that he will receive, created for him automatically by the system. And even if he will have my connections records, he will not have those disconnection records that he needs but only those that I made specially (and that are innocent) to “cover my tracks”. Of course if they wanted to examine me more closely they would make request to my ISP (or just examine exact that special node [I mean not Tor node but one of their own nodes that each ISP has installed and that keeps those records] working in my region) and find out that my connection was always interrupted before disconnection from Tor, BUT to do this they need first to see me in that log (where I’m planning not to be thanks to my method that I invented) and find me interesting.

Share your opinion. Could this really be a working method? Or is it still pointless? Then argue.

1 Like

I will start by saying I am not a Tor expert and I do not think you are either. So two non-experts discussing technical issues.

Let me see it I understand your trick. Before closing the Tor browser you “cut” the line so the disconnect from Tor does not log. Am I correct?

ISPs can see your traffic, let’s say to the guard of the Tor circuit, and see the closing sequence of IP packets… but the line is “cut”. Those closing sequences from the guard will come in anyway after a time-out even if you turn off the modem (or whatever). As you say this creates a pattern.

I will assume you and the target site are in the same country XX for this time correlation to be of value. Now you start Tor Browser XX and it connects to NL then DE then FR then to the target XX. We now have the five nodes.

You surf to site then disconnect after some time: logged but from where? Can they check the pattern your trick creates to correlate time? You say they can.

My guess is to not create the pattern but keep on surfing like nothing happened. You still have the connection to NL which is not closed. So was that you connected to

This is my opinion from a non-expert.

There is a good article on Wikipedia about counter measures adversaries use against Tor.


Not an expert, but here’s my take.

I think, with bridges such as Obfs4, that this MIGHT be useful. Obfs4 looks like a random stream of data to an adversary, so seeing a completely random stream of data disappear MIGHT throw things off. On the other hand, I think Snowflake proxies would benefit from proper disconnects, that way it looks like a valid video call.

According to TorProject’s staying anonymous page, “Tor tries to prevent attackers from learning what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you’re using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a bridge rather than connecting directly to the Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!”


After what period of time does this time out come?

Didn’t understand the question. What do you mean?

I don’t think you quite understand the way I see how their logging works. Yes, all traffic is recorded and stored but it matters how it is analyzed then. Human can’t process this data. It takes a machine. It takes an algorithm. But the algorithm will operate on a previously created pattern. If it’s assigned to highlight a specific type of connection and disconnection, that’s what it’s going to do. And if there’s no disconnection that matches the pattern it was given, it won’t register it. The “operator” (human) will have a log made for him in advance by the machine. Since machine didn’t log my real disconnections, it could not decide if I should be in that final log made for human operator. So it will not add me there, because this is machine logic - if something doesn’t match - it doesn’t match.

There’s one more thing to note. If the number of online sessions on the site was sufficient, they also can compare all users that were using Tor and see if there is those who were always online when those online sessions happened. If someone did not use Tor when some of those online sessions happened then he probably will be excluded from list of suspects. My method will not help in such case but this is the reason not to use your own Internet for dangerous activities.

1 Like


It depends on what the observer records. If it records traffic, no traffic is detectable.

If you pull out the Ethernet cable, the entry still has an open socket. The entry has no reason to close it until keep alives, padding etc generate action (close the port) or it comes under receive pressure and needs to close over old ports. As long as the socket is not closed, the entry server will not (re)use it. An observer might think the connection is still there.

Routers along the path are mostly stateless. They don’t close ports on their behalf.

Under circumstances your trick could give an advantage, I guess

1 Like

After what period of time does this time out come?

I don’t have that answer but there must be “keep alive” traffic happening and yours is not doing it.

logged but from where?

Ah yes, ambiguous.
As in logged from which location. In our context from location XX which is what counts. In our context I am excluding the possibility that a “Global Adversary” owns, controls, or is able to monitor an entry node outside of XX.

I don’t think you quite understand the way I see how their logging works.


I assume they log everything and analyse later and presume it is not for one specific pattern.

“Now why would someone ‘cut’ the line? Maybe to prevent time correlation. Hmmmm… let’s correlate that with all our sites and see” thinks agent 000.

But if you keep on by surfing to then there is no pattern. That person who was on and disconnected from it could be from BR or US or anywhere.

…but this is the reason not to use your own Internet for dangerous activities.


I did not mention the option Not_Ambrose proposes since it did not fit the question “Does my trick, fighting time correlation, have a reason?” plus I am not too familiar with it. (read that as knowing nothing about it except that it exists)


I imagine without the “keep alive” traffic it should be quick for a close port action. Remember our context of the 5 nodes: XX → NL → DE → FR → XX
and our “Global Adversary” is in XX.

1 Like

Let’s take a concrete example: Russia has special equipment developed for this, called “SORM-3” It’s installed on the side of all providers. As I understand a group of these devices forms nodes in a specific region. Every single region has its own control panel with attached alive operator. Among all control panels is one master control panel, controlled by master operator. This is what I’ve read in articles on the subject. All traffic is stored. Videos, streams (in other words “files”) stored for about year. Metadata (don’t know if I use right word in this case, but I mean any hystory of activities) stored for three years. They can’t decrypt encrypted traffic but store it anyway.
So, in this concrete example when they know when target was online on the site and that it used Tor, the operator would make a request that would have to be processed by the machine / algorithm. The essence of this request would be that he would set a specific time frame within which the algorithm would show him who was connected to Tor and disconnected from Tor in those time periods. Of course, it wouldn’t be a coincidence in all cases, but by normal logic, they would be if the target was in their control zone (Russia). But how algorithm would find the matches? This is exactly why it would have used predefined patterns on how connections and disconnections from the Tor network look like. And these would be the usual, patterned connections. Or do you think they would prescribe a pattern in advance where the user evey time breaks the connection before disconnecting from Tor? I doubt it. So the log that the operator gets, I won’t be in it, and he won’t even know about my existance. The only thing that would help them is if they next requsted which people were connected to Tor at all during those times, regardless of when they were connected or disconnected. But if combine my trick with your trick it might even strengthen both of them. But if the number of online sessions were large enough, it wouldn’t help anyway, so that’s why I suggest better not to use your own Internet.

1 Like

So use a VPN with a secondary device connected through the same VPN to generate noise, SORM-3 will see nothing other than a VPN tunnel with encrypted data moving up and down while you are using tor along with encrypted data from outside of tor mixed in. When you exit tor the VPN will look the same and the secondary device will still be creating traffic.

1 Like

Ah, I see we have converged on dot XX.

Agreed, the best way to be faceless or under the radar is to NOT appear in any log and this applies to everything.

From the site point of view it is not 100% that the target is using Tor. In our scenario the site sees FR but for all intensive purposes the user-agent Firefox/115 kinda gives it away. I have tested Tor on a Linux machine with some “What’s my IP/UA” sites and most say Windows (Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0) and some see Linux but always Firefox/115.0.

Some smart Tor guy should explain this.

OK, I’ll agree that there would be standard patterns to look for and it would also make sense if operators could define patterns of their own.
This is what agent Double Naught Zero is thinking when a line is “cut”. I don’t know many people who “cut” the line. So by continuing your surfing to (here’s another one) kiss-my-butt-and-do-not-fall-from-your-tenth-story-window.XX would help or just read the news or learn how to grow potato.

Yeah both “tricks” combined may help to be faceless.

doktor suggests creating noise. Guess I’m saying the same sort of thing.

But don’t underestimate that global adversary. They probable know more tricks and counter-measures than we can think of.


Correct. The VPN would become like a stream and tor would be a boat within the stream, the VPN encryption would also stop them knowing when it entered the stream and when it left which makes measuring time more difficult since there is no marker for where it starts and ends.

Also legally I believe its allowed it manipulate and record tor network activity by just becoming part of the open network whereas VPNs and data centers are owned by private companies which probably provides a more difficult legal task.

This is true but I doubt the vast majority of tor users are a “worthy target” for a GPA and to selectively single somebody out for targeted attack would mean they probably need more than just tor to stay safe anyway, I usually see articles about terrorists using whatsapp and telegram so there is also a question of how heavily prioritised they feel it is to monitor tor considering there are other easier avenues.

From memory I believe the majority of tor breaches came from personal mistake rather than monitoring or targeting people at network level. Client side errors have been the biggest cause.

1 Like

I was thinking about such set-up too but have read article on the topic with pros and cons of this method and there was said that ISP most likely still can destinguish ordinary VPN connection from VPN connection masking Tor if it really wants it. And there were obfs4 bridges suggested instead. It was specifically an article on Whonix official site. Can’t find it now but it’s definitely there. So you may find it

In our scenario adversary is already interested in the account that is used on that site. So he checked all information about sessions and surely knows that user uses Tor, so there is nothing to talk about on this topic.

How he always can know about me and my “cut scheme” in your scenario version? If he will have log where I am absent then he will not know about any “cut scheme”. He may continue searching. What could he have done in the event? If I would be him I would continue with changing search patterns and added pattern “all users who used Tor connection in those periods of time”. Then looked if there are those who was always connected in that time. If number of online sessions was large enough then at that point, some specific suspects could be identified (and only in such a development, if they decided to look at me closer, only then they would find out my “cut scheme”). But if number of sessions was not big enough then he just could make conclusion that real target (I mean the user behind that account) is living somewhere outside of country. Or he could just write in the report that the suspect was not identified. All this because on that phase there will be no “cut scheme” in the log because operator not added yet into algorithm the goal to find such pattern.
In other words I agree that method of making noise is appropriate but my method is about not getting into the first log. It can’t mask your using Tor but it might make it harder for algorithms to spot you.

And then you just have to rely on the integrity of the VPN owners.

1 Like

:slight_smile: I’m quite certain that our agent Triple Zero is not much concerned about what is legal or not. :laughing:

I was also wondering about VPN vs Tor to create noise. I saw it as a few open tabs in the browser to different sites to create that noise.

I agree about not being in any log and was also wondering about what is the purpose of that snooping by this agency. To catch people or ID them or to block them. It seems blocking does not work. I see a section in this forum about how to bypass censorship. In any case, in such a regime as XX, they could just break down the door and do what they want or can they?

You know that if I were any covert agency, I would build the best VPN service around and cheapest too.
And our course I would not record anything because the law does not permit that. nudge, nudge, wink, wink.

You can choose one that has been audited multiple times by different companies meaning the chances of them lying is practically zero or you can choose one which has been proven legitimate in court which also means chances of them lying is practically zero.

Do exit node owners pay for their whole setup to be audited? Do you get to know who they are? Have they historically been proven as good willed?


1 Like

A good point. Look at the Wikipedia article about eavesdropping especially the part of costs

Again, if I were any covert agency, I would own a few (make that more than a few) of these nodes and, of course, not record anything. heh, heh (fingers crossed).

Historically doing so hasn’t worked out the best for them as all their secret illegal plans end up getting leaked eventually.

Probably a mix of all three dependant upon where it is and what it is. Censorship heavy countries will want to block tor, some will want to know who is using tor and some will want to know who certain usernames are.

I don’t want to shoot myself in the foot with this comment but it feels like LEA have less ability to break tor safety than what they had before, several very big hidden services have been created and ran for years until shutdown by operators rather than shutdown through compromise, I also imagine the one’s which have been compromised were only vulnerable due to personal operator error or payment trails which they wrongly thought were anonymous.

What happens when you submit gathered evidence to a public court and everybody finds out the company is a shill front? Not submitting gathered evidence to protect your secrets will just benefit whoever you’re after.

I remember some people getting away with breaking laws over tor years ago because the FBI didn’t want to disclose their method in court for that exact reason, although I believe it was later accepted among security communities that it was most likely a simple javascript based drive by download which auto installs malware in the background.

Also, how will you fool auditers? What if somebody connects to your VPN via another VPN? What if they use pre paid roaming data?

Setting up a fake VPN company for spying does sound very James Bond but in actual practice it would have more chance of exposing covert spying rather than provide useful data. People say the same about criminals setting up a VPN to harm people but that has never been done thus far to my knowledge.

There was a dark web based VPN provider that got shutdown by LEA for advertising to criminals so they technically could have done a silent take over and enabled logging, but they didn’t.

Didn’t the Tor developers come up with some way to weed out unreliable owners of the entry and exit nodes? I think they did something. It was written somewhere in Tor documentation.

Ok. Maybe. Then think of how much it will cost for you, how big resources it will take and about the ultimate benefit you get in the end, given that you just need to de-anonymize some users in your country, and the Tor nodes are spread all over the world. It can turn out that maybe there aren’t so many people in your country that you’re so interested in trying so hard for them. Just a thought.

All states have intelligence services except maybe for Andorra and other such small countries. For whatever reasons this monitoring is still happening so they must be getting something useful [for them] out of it or they would not persist. I have no idea what. I would like to say “I don’t care” but not really.

I did not say fake VPN company. I said a real one and the best and cheapest maybe three or four hands away for the sake of deniability and operating in places like Panama.

I do remember that incident about not disclosing their methods in a child porn case. They took out the owners of the ring and their “clients” but one or two defendants got away.

I learnt that when you mention national security or protecting the children you can almost pass any law or do almost anything and costs are no object.

I think we have solved most of the world’s surveillance problems and have done a good job. :grinning:

I forgot one thing: You got me on LEA
law enforcement agencies???