Date: Thu, 30 Apr 2015 11:53:46 -0700
From: Seth David Schoen <schoen@eff.org>
To: tor-talk@lists.torproject.org
Message-ID: <20150430185346.GM10036@mail2.eff.org>
References: <55427070.5050907@georgetown.edu> <55427148.2010000@georgetown.edu>
 <5542734B.6050403@riseup.net> <554273E4.9000204@georgetown.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <554273E4.9000204@georgetown.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [tor-talk] What is being detected to alert upon?

Frederick Zierold writes:

> Unfortunately, I cannot see their signature set.  They have it locked
> down.  They claim they are not detecting it by IP address.

It's hard to know what methods they might be using without more data
about their accuracy and which bridges (and transports) they do or don't
detect.

Without a pluggable transport to obfuscate the traffic, a connection to
a Tor bridge looks kind of like regular TLS traffic.  However, there are
(or have been) particular anomalies that a network operator might look
for to try to detect Tor use.

Roger and Jacob had a presentation a few years ago about techniques that
were known to have been used to detect Tor traffic up to that point:

https://svn.torproject.org/svn/projects/presentations/slides-28c3.pdf

A notable example was the use of a particular Diffie-Hellman parameter
in the TLS session negotiation, which at least one government network
operator managed to use to detect Tor.  There may still be other things
in the TLS behavior (or other aspects of the protocol traffic, like
the size and timing of what goes over the connection after TLS session
establishment?) that are distinctive, or distinctive enough if you don't
require perfect accuracy.

Another possibility that's alluded to there is active probing -- with
traditional Tor nodes speaking the plain Tor protocol, you can connect
to a service that your network users connect to, and try speaking the
Tor protocol to it.  If it responds, it's a Tor node. :-)

-- 
Seth Schoen  <schoen@eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
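The message above points at a static Diffie-Hellman group in the TLS handshake as one thing an operator was able to key on. As an added illustration of why that works (this is not code from Seth's message, from Tor, or from the 28C3 slides, and it does not claim which parameter Tor actually used), the following assumed-layout Python parser pulls the DH parameters out of a TLS 1.2 DHE ServerKeyExchange record (RFC 5246 section 7.4.3) and reduces them to a fingerprint. The sample prime, generator and public value are constructed just so the example runs; the `audit_record` helper and the "known groups" baseline are this example's own names. The defender-side use is auditing your own endpoints: if the group one server presents never changes and does not match anything else on your network, that server is distinguishable by that field alone.

```python
import hashlib
import struct

HANDSHAKE = 0x16            # TLS record content type: handshake
SERVER_KEY_EXCHANGE = 0x0C  # handshake message type

# Constructed sample values (a 64-bit prime, far too small for real use; chosen
# only so the example runs offline). Not a group any real implementation uses.
P_SAMPLE = (1 << 64) - 59
G_SAMPLE = 2
YS_SAMPLE = 0x1234


def _vec16(data: bytes) -> bytes:
    """Encode a TLS opaque<1..2^16-1> vector: 2-byte big-endian length + body."""
    return struct.pack("!H", len(data)) + data


def _to_bytes(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def build_server_key_exchange(p: int, g: int, ys: int, sig: bytes = b"\x00" * 8) -> bytes:
    """Build a minimal TLS 1.2 record carrying a DHE ServerKeyExchange.

    Constructed test helper: the SignatureAndHashAlgorithm bytes and the
    signature body are dummies; only the ServerDHParams layout matters here.
    """
    body = _vec16(_to_bytes(p)) + _vec16(_to_bytes(g)) + _vec16(_to_bytes(ys))
    body += b"\x04\x01" + _vec16(sig)  # sha256/rsa algorithm id + placeholder signature
    handshake = bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def _read_vec16(buf: bytes, off: int):
    """Read one opaque<..2^16-1> vector at offset; reject truncated input."""
    if off + 2 > len(buf):
        raise ValueError("truncated vector length")
    n = struct.unpack_from("!H", buf, off)[0]
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[off:off + n], off + n


def group_fingerprint(p: int, g: int) -> str:
    """Stable identifier for a DH group: hash of the encoded prime and generator."""
    return hashlib.sha256(_to_bytes(p) + b"|" + _to_bytes(g)).hexdigest()


def parse_dh_params(record: bytes) -> dict:
    """Extract p, g and a group fingerprint from a DHE ServerKeyExchange record.

    Bytes after dh_Ys (the signature) are ignored; they vary per handshake and
    carry no group information.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake body")
    p_b, off = _read_vec16(body, 0)
    g_b, off = _read_vec16(body, off)
    _ys_b, _off = _read_vec16(body, off)
    p, g = int.from_bytes(p_b, "big"), int.from_bytes(g_b, "big")
    return {"p": p, "g": g, "p_bits": p.bit_length(),
            "group_fingerprint": group_fingerprint(p, g)}


def audit_record(record: bytes, known_groups: set) -> dict:
    """Flag a handshake whose DH group is outside the operator's own baseline.

    `known_groups` is a set of fingerprints already seen on endpoints you run;
    an unseen group is worth a look because it is a per-server constant that
    survives across every connection.
    """
    info = parse_dh_params(record)
    info["known"] = info["group_fingerprint"] in known_groups
    info["weak"] = info["p_bits"] < 2048  # separate hygiene check, not a fingerprint
    return info


if __name__ == "__main__":
    baseline = {group_fingerprint(P_SAMPLE, G_SAMPLE)}
    rec = build_server_key_exchange(P_SAMPLE, G_SAMPLE, YS_SAMPLE)
    print(audit_record(rec, baseline))
    print(audit_record(build_server_key_exchange(P_SAMPLE, 5, YS_SAMPLE), baseline))
```

Run against captures of your own servers' handshakes (after stripping the record off the wire), every endpoint's fingerprint should collapse into a handful of well-known groups; a singleton that belongs to exactly one host is the kind of stable artifact the message describes. The same idea applies to any other constant handshake field, which is the general point: whatever does not vary between connections is a candidate fingerprint whether or not a pluggable transport is in use.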
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

