Research TCP connection patterns produced by web browsing
We suspect that Tor connections (and other TCP-based encrypted tunnel connections) can easily be distinguished from connections produced by a web browser by an attacker who has only logs of TCP SYN, FIN, and RST packets and the times at which they were sent. We should research this further.
The first step is to collect example recordings of the SYN, FIN, and RST packets produced by:
- a normal Tor client,
- a Tor client configured to use one bridge,
- a Tor client configured to use ten bridges,
- Firefox loading a simple (one HTML page without CSS or JS) web page over HTTPS,
- Chromium loading the same simple web page,
- Firefox viewing a JS-intensive web page (over HTTPS if possible), and
- Chromium viewing the same JS-intensive web page.
A simple visualization tool for the recordings will also be needed.
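As a starting point for the recordings described above, here is an added example (not code from this ticket or from Tor) that reduces a capture to the SYN, FIN, and RST packets and their timestamps. It assumes a classic microsecond-resolution pcap file with Ethernet framing and IPv4; the sample capture and its addresses are constructed.

```python
import struct

FLAGS = {0x02: "SYN", 0x01: "FIN", 0x04: "RST"}

def tcp_events(pcap):
    """Return [(time, src, dst, flags)] for SYN/FIN/RST packets in a classic pcap."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"                         # file written little-endian
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"                         # file written big-endian
    else:
        raise ValueError("not a microsecond-resolution classic pcap")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    events, off = [], 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                      # not IPv4/TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]   # skip the IP header (IHL words)
        if len(tcp) < 14:
            continue                      # truncated TCP header
        names = [n for bit, n in FLAGS.items() if tcp[13] & bit]
        if names:                         # plain data/ACK packets are dropped
            sport, dport = struct.unpack("!HH", tcp[:4])
            src = "%d.%d.%d.%d:%d" % (*frame[26:30], sport)
            dst = "%d.%d.%d.%d:%d" % (*frame[30:34], dport)
            events.append((sec + usec / 1e6, src, dst, "|".join(names)))
    return events

def sample_pcap():
    """Constructed capture: SYN, SYN/ACK, data (PSH/ACK), FIN/ACK, RST."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    c, s = (bytes([192, 0, 2, 10]), 40000), (bytes([198, 51, 100, 7]), 443)
    pkts = [(0, c, s, 0x02), (50000, s, c, 0x12), (120000, c, s, 0x18),
            (900000, c, s, 0x11), (950000, s, c, 0x04)]
    for usec, (sip, sp), (dip, dp), fl in pkts:
        ip = struct.pack("!BBHHHBBH", 0x45, 0, 40, 0, 0, 64, 6, 0) + sip + dip
        tcp = struct.pack("!HHIIBBHHH", sp, dp, 0, 0, 0x50, fl, 1024, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 1700000000, usec, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for t, src, dst, fl in tcp_events(sample_pcap()):
        print("%.6f %s > %s %s" % (t, src, dst, fl))
```

The resulting event list is the only input the suspected attacker has, so it is also the natural input for the visualization tool.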