I find it a bit telling that neither the paper, the arstechnica nor this article mentions the most common argument against fingerprint attacks are describe in the base rate fallacy.<p>With 12% false positive rate that the paper mention, you still only need to visit a small number of websites to generate a false positive. I also doubt that the 12% is actually correct in real life circumstances, since the research only tested single traffic flows from clients and many website has JS that trigger simultaneous traffic flows while users browse the web in other tabs.
The the discussion of the paper at the tor project or ars technica is much more informative for the HN crowd; if for no other reason than the simple fact that they include a link to the paper:<p>Paper: <a href="http://people.csail.mit.edu/devadas/pubs/circuit_finger.pdf" rel="nofollow">http://people.csail.mit.edu/devadas/pubs/circuit_finger.pdf</a><p>TorProject: <a href="https://blog.torproject.org/blog/technical-summary-usenix-fingerprinting-paper" rel="nofollow">https://blog.torproject.org/blog/technical-summary-usenix-fi...</a><p>Ars Technica: <a href="http://arstechnica.com/security/2015/07/new-attack-on-tor-can-deanonymize-hidden-services-with-surprising-accuracy/" rel="nofollow">http://arstechnica.com/security/2015/07/new-attack-on-tor-ca...</a>