I was just reading about security risks associated with the referrer field and the ticket generated on Tor to probably disable it for anonymity. But I don't really understand the security risks. I have two questions, both concerning the unlinkability property in anonymization.

Scenario 1:

Let's say I'm using Tor and I go to site A and we are both using HTTPS. The communication from my computer to the Exit Node is encrypted by Tor, and from the Exit Node to the website it is encrypted using HTTPS. No one can know I'm visiting website A and website A doesn't know my identity.

Now I go from website A to B; website B will know I came from A due to the referrer field. But it wouldn't know my identity. So no linkability. How would this jeopardize my anonymity?

Scenario 2:

Consider Scenario 1 using HTTP. Now data sent should be considered compromised as anyone can see it between Exit Node and Website A. But what about my identity? If I don't reveal my identity in the data, they don't know whom to associate it with. So still no linkability. Am I right?

user3834119

1 Answer

It's an old talk, and - actually - it's not related to Tor itself or even to Darknets in general: clearnet/Internet surfing has exactly the same concerns. So - step-by-step to your scenarios.

Scenario 2 is insecure by itself: cleartext data is very easy to track, tag and mess up. No further questions are even possible: it is horrible in terms of security.

Scenario 1 is hypothetically vulnerable to "behavioral fingerprinting" in case of MitM SSL or if something like PRISM (according to Ed Snowden) has access to logs of the endpoint servers. It can be a potential guess-mapping like "Person #1 visits Gmail then surfs Facebook for 2-5 minutes and then goes to GitHub". The guess is very vague, but it's possible to make a set of "behavioral uses" for a person and have an 80%+ precision in traffic mapping. The oddity of this method disappears if we take a look at basic psychology: all people do have some little uses, the exact things done in an exact manner and usually in an exact order. These fingerprints are closely related to the personality of the subject and in 90% of cases are totally invisible to the subject's consciousness. You can take an experiment on yourself by using a local proxy+DNS to do your internet things and taking a look at the logs in search for patterns. They will show up - I've checked it myself.

Alexey Vesnin
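The self-experiment suggested in the answer above, sketched as an added example that is not part of the original answer: it splits your own local proxy log into sessions and reports ordered site sequences that recur across them. The log format (`ISO-timestamp host`), the hostnames, the 30-minute idle gap and the function names are all assumptions, and the sample log is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of a local proxy log: "ISO-timestamp host" (format is an assumption).
SAMPLE_LOG = """\
2024-03-01T08:00:05 mail.example
2024-03-01T08:00:40 mail.example
2024-03-01T08:03:10 social.example
2024-03-01T08:06:30 code.example
2024-03-01T13:15:00 news.example
2024-03-01T13:16:20 code.example
2024-03-02T08:10:00 mail.example
2024-03-02T08:12:45 social.example
2024-03-02T08:17:00 code.example
2024-03-02T08:20:00 news.example
2024-03-03T09:01:00 mail.example
2024-03-03T09:04:30 social.example
2024-03-03T09:08:00 code.example
"""

def parse(log):
    """Yield (datetime, host) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, host = line.split()
            yield datetime.fromisoformat(ts), host

def sessions(events, idle=timedelta(minutes=30)):
    """Split events into sessions at idle gaps; collapse consecutive repeats of a host."""
    out, prev = [], None
    for ts, host in sorted(events):
        if prev is None or ts - prev > idle:
            out.append([])
        if not out[-1] or out[-1][-1] != host:
            out[-1].append(host)
        prev = ts
    return out

def recurring_sequences(log, n=3, min_share=0.5):
    """Return {ordered host n-gram: share of sessions containing it} for shares >= min_share."""
    sess = sessions(parse(log))
    counts = Counter()
    for s in sess:
        # A set per session, so a sequence counts once per session at most.
        counts.update({tuple(s[i:i + n]) for i in range(len(s) - n + 1)})
    return {seq: c / len(sess) for seq, c in counts.items() if c / len(sess) >= min_share}

if __name__ == "__main__":
    for seq, share in recurring_sequences(SAMPLE_LOG).items():
        print(" -> ".join(seq), f"{share:.0%}")
```

On the constructed log, the same three-site order appears in three of four sessions even though no line carries any identity field.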