(See reply below.)
(Note: My replies take into account the revelation that TorVM does, in
fact, use persistent entry guards. They also take into account the
subsequent thread on this topic.[4])
I suspect that this is a moot point since Qubes doesn't support the
anonymized downloading and updating of packages (including the qubes-tor
package itself). I will clarify what I mean, but first, please allow me
to recap your basic argument, Patrick. (Please correct me if I get it
wrong.)
Axon's recap of Patrick's argument:
> All else being equal, it is better (i.e., safer with respect to
> anonymity) to look like a regular TBB user than to look like
> something different (e.g., a TorVM user). Using just one TorVM allows
> you to look the same as regular TBB users, which is good. However,
> using multiple TorVMs makes you look different from regular TBB users
> to ISP-level adversaries, since they can see that you use multiple
> different sets of entry guards (one per TorVM), whereas a regular TBB
> user uses only one set of entry guards. Therefore, Qubes users should
> use just one TorVM rather than multiple TorVMs.
This is a very reasonable argument, but it doesn't apply to Qubes due to
the simple fact that ISP-level adversaries *already* know you're a TorVM
user (and therefore different from regular TBB users) because they can
see your downloads/updates of the qubes-tor package! The exception to
this is, of course, if you mask your download of the qubes-tor package
in some way, e.g., by downloading it over Tor. However, since doing
Qubes updates over Tor is very difficult and not supported,[5] we can
safely assume that almost every Qubes user does not currently do this.
(Depending on how serious this is (see below), this may be a place where
Whonix has a noteworthy advantage over Qubes+TorVM.)
>> Another way to look at it is this: Suppose you have X number of distinct
>> pseudonyms. How is anyone going to know that they're all controlled by
>> you, rather than being different people who happen to share an internet
>> connection with you?
>
> When TorVM with set of entry guards a is online, this fact is logged.
> When pseudonym b is active (in a public forum or so), this fact is
> logged. Same goes for set of entry guards c and pseudonym d. Adversaries
> can attempt to correlate such logs. They don't need a proof, only to
> make the circle of suspects smaller and investigate further with
> ordinary means from there. I think, if you are using the same set of
> entry guards for all your pseudonyms you're better off.
>
OK, let's flesh out your example. Suppose I have three TorVMs connected
to three pseudonyms:
TorVM[a]---Pseudonym[A]
TorVM[b]---Pseudonym[B]
TorVM[c]---Pseudonym[C]
The following facts are then logged whenever they occur:
- [a] is online.
- [A] is active (e.g., in a public forum).
- [b] is online.
- [B] is active (e.g., browsing a website).
- [c] is online.
- [C] is active (e.g., sending an email).
Adversaries can then attempt to correlate these logs. They can correlate
[a] with [A], [b] with [B], and [c] with [C]. (Let's assume I don't
consistently start/stop usage of any pair at the same time as any other
pair.)
But how is this any different from the risk that *every* Tor user faces?
Even if I decided to use plain vanilla TBB with one pseudonym, I would
face the same risk, namely that my entry traffic log gets correlated
with my exit traffic log. The only difference in the case of multiple
TorVMs is that my real identity is associated with multiple sets of
entry traffic logs (i.e., multiple sets of entry guards). But that, by
itself, does not make it any easier for my adversary to succeed in
correlating my entry traffic with my exit traffic. In pictorial terms:
                      /---[TorVM]---Pseudonym1 (TorBrowser user)
Real Identity--------|----[TorVM]---Pseudonym2 (TorBrowser user)
(multi-TorVM user)    \---[TorVM]---Pseudonym3 (TorBrowser user)
My ISP (and everyone else who can see my traffic as it enters the Tor
network) can see that I'm a multi-TorVM user. However, in my AnonVMs, I
use TorBrowser (with Transparent Torification), so my exit node (and
everyone else who can see my traffic as it leaves the Tor network) just
sees another TorBrowser user.
Once again, an adversary can unmask me if he can successfully correlate
my entry traffic with my exit traffic, but the same goes for every other
plain vanilla TBB user. So nothing is lost by using multiple TorVMs.
What do you think, Patrick? Have I correctly understood your argument?
Do you (or anyone reading this) see any flaws in my reasoning?
[4] https://groups.google.com/d/topic/qubes-users/xWAO3WpXn9k/discussion
[5] https://groups.google.com/d/topic/qubes-users/9gf2rhkJfPc/discussion