I agree that Tor most likely provides adequate protection against traffic correlation, but still, I’m curious about solutions for those of us lacking in such healthy control over our paranoia (or, jokes aside, for people working against oppressive governments or in other situations requiring extreme care about anonymity).
After a bit more reading, I see that Tor does offer some minimal protection against traffic correlation, described here:
However, I would not consider this adequate protection against de-anonymization in today’s world, where de-anonymization is becoming increasingly valuable, both for governments and for the profit of companies that sell people’s data. The document at the link above clarifies that this feature isn’t meant to protect against attacks by the ISP:
This defense does not assume fully adversarial behavior on the part of the upstream network administrator, as that administrator typically has no specific interest in trying to deanonymize Tor . . .
I think that as people’s data becomes more valuable, there is more and more reason to question this optimism.
Tor describes in their FAQ why they cannot use padding to provide comprehensive protection against traffic correlation:
Even if you could send full end-to-end padding between all users and all destinations all the time, you’re still vulnerable to active attacks that block the padding for a short time at one end and look for patterns later in the path.
The distinction between these active attacks and passive attacks is described on the Tor Wikipedia page:
There are two methods of traffic-analysis attack, passive and active. In the passive traffic-analysis method, the attacker extracts features from the traffic of a specific flow on one side of the network and looks for those features on the other side of the network. In the active traffic-analysis method, the attacker alters the timings of the packets of a flow according to a specific pattern and looks for that pattern on the other side of the network; therefore, the attacker can link the flows in one side to the other side of the network and break the anonymity of it.
I think protecting against active attacks would not be trivial at all, but such attacks becoming widespread does not seem so far-fetched to me. Companies already do all sorts of creepy things to defeat anonymity, including: all kinds of fingerprinting in the browser, completely blocking access from Tor, and intentionally breaking functionality or access when any sort of “adblock” is detected. I do not feel that a traffic correlation de-anonymization deal between ISPs and governments or data companies is so far-fetched.
One potential solution I am imagining is for a VPN to batch all traffic to and fro, between the VPN client and the VPN server, but I have never seen such a service advertised. It would certainly decimate performance, but for situations requiring extreme care for anonymity, this might be an acceptable trade-off?