From: "Allen" <allenpmd@gmail.com>
To: <tor-talk@lists.torproject.org>
Date: Fri, 1 May 2015 10:41:03 -0400
Message-ID: <084001d0841c$d98b4c40$8ca1e4c0$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0841_01D083FB.527A4880"
Subject: Re: [tor-talk] What is being detected to alert upon?

This is a multipart message in MIME format.

------=_NextPart_000_0841_01D083FB.527A4880
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

I didn't see an answer to this question, but I did compare the TLS Hellos
from Firefox and the Tor binary distributed by torproject.org and there are
lots of differences (see the two files attached), so I'm not sure this is
worth worrying about...


-----Original Message-----
From: Allen [mailto:allenpmd@gmail.com] 
Sent: Thursday, April 30, 2015 5:49 PM
To: tor-talk@lists.torproject.org
Subject: RE: [tor-talk] What is being detected to alert upon?

> a connection to a Tor bridge looks kind of like regular TLS traffic.

Question: I recompiled OpenSSL to remove a bunch of features that look
unnecessary and might present a security risk, such as SSL2, SSL3 and DTLS.
(In case it matters, it is OpenSSL v1.0.2a and the specific configure
options are no-ssl2 no-ssl3 no-idea no-dtls no-psk no-srp no-dso no-npn
no-hw no-engines -DOPENSSL_NO_HEARTBEATS -DOPENSSL_USE_IPV6=0).

I'm using this rebuilt DLL with Tor.  Does this compromise Tor's TLS
handshake so that it no longer looks like Firefox?  If so, what do I need to
do to allow Tor to mimic Firefox's TLS handshake?


------=_NextPart_000_0841_01D083FB.527A4880
Content-Type: text/plain;
	name="Firefox TLS Hello.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="Firefox TLS Hello.txt"

FireFox 37.0.2

- TLS: TLS Rec Layer-1 HandShake: Client Hello.
  - TlsRecordLayer: TLS Rec Layer-1 HandShake:
     ContentType: HandShake:
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 206 (0xCE)
   - SSLHandshake: SSL HandShake ClientHello(0x01)
      HandShakeType: ClientHello(0x01)
      Length: 202 (0xCA)
    - ClientHello: TLS 1.2
     - Version: TLS 1.2
        Major: 3 (0x3)
        Minor: 3 (0x3)
     - RandomBytes:
        TimeStamp: 09/20/2025, 21:03:20 .0000 UTC
        RandomBytes: Binary Large Object (28 Bytes)
       SessionIDLength: 0 (0x0)
       CipherSuitesLength: 24
     - TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 { 0xC0,0x2B }
        Cipher: 49195 (0xC02B)
     - TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   { 0xC0,0x2F }
        Cipher: 49199 (0xC02F)
     - TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    { 0xC0,0x0A }
        Cipher: 49162 (0xC00A)
     - TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    { 0xC0,0x09 }
        Cipher: 49161 (0xC009)
     - TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      { 0xC0,0x13 }
        Cipher: 49171 (0xC013)
     - TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      { 0xC0,0x14 }
        Cipher: 49172 (0xC014)
     - TLSCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA        { 0x00, 0x33 }
        Cipher: 51 (0x33)
     - TLSCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA        { 0x00, 0x39 }
        Cipher: 57 (0x39)
     - TLSCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA            { 0x00, 0x2F }
        Cipher: 47 (0x2F)
     - TLSCipherSuites: TLS_RSA_WITH_AES_256_CBC_SHA            { 0x00, 0x35 }
        Cipher: 53 (0x35)
     - TLSCipherSuites: TLS_RSA_WITH_3DES_EDE_CBC_SHA           { 0x00,0x0A }
        Cipher: 10 (0xA)
     - TLSCipherSuites: Unknown Cipher
        Cipher: 255 (0xFF)
       CompressionMethodsLength: 1 (0x1)
       CompressionMethods: 0 (0x0)
       ExtensionsLength: 137 (0x89)
     - ClientHelloExtension: Server Name(0x0000)
        ExtensionType: Server Name(0x0000)
        ExtensionLength: 19 (0x13)
        NameListLength: 17 (0x11)
        NameType: Host Name (0)
        NameLength: 14 (0xE)
        ServerName: www.kernel.org
     - ClientHelloExtension: EC Point Formats(0x000B)
        ExtensionType: EC Point Formats(0x000B)
        ExtensionLength: 4 (0x4)
        ECPointLength: 3 (0x3)
        ECPointFormat: uncompressed(0x00)
        ECPointFormat: ansiX962_compressed_prime(0x01)
        ECPointFormat: ansiX962_compressed_char2(0x02)
     - ClientHelloExtension: Elliptic Curves(0x000A)
        ExtensionType: Elliptic Curves(0x000A)
        ExtensionLength: 8 (0x8)
        CurvesLength: 6 (0x6)
        NamedCurve: secp256r1(0x0017)
        NamedCurve: secp384r1(0x0018)
        NamedCurve: secp521r1(0x0019)
     - ClientHelloExtension: SessionTicket TLS(0x0023)
        ExtensionType: SessionTicket TLS(0x0023)
        ExtensionLength: 0 (0x0)
     - ClientHelloExtension: Signature Algorithms(0x000D)
        ExtensionType: Signature Algorithms(0x000D)
        ExtensionLength: 32 (0x20)
        Data: Binary Large Object (32 Bytes)
     - ClientHelloExtension: Unknown Extension Type
        ExtensionType: Unknown Extension Type
        ExtensionLength: 1 (0x1)
        Data: Binary Large Object (1 Bytes)
     - ClientHelloExtension: Unknown Extension Type
        ExtensionType: Unknown Extension Type
        ExtensionLength: 0 (0x0)
     - ClientHelloExtension: Unknown Extension Type
        ExtensionType: Unknown Extension Type
        ExtensionLength: 41 (0x29)
        Data: Binary Large Object (41 Bytes)

------=_NextPart_000_0841_01D083FB.527A4880
Content-Type: text/plain;
	name="Tor TLS Hello.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="Tor TLS Hello.txt"

Tor win32 0.2.6.7

- TLS: TLS Rec Layer-1 HandShake: Client Hello.
  - TlsRecordLayer: TLS Rec Layer-1 HandShake:
     ContentType: HandShake:
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 232 (0xE8)
   - SSLHandshake: SSL HandShake ClientHello(0x01)
      HandShakeType: ClientHello(0x01)
      Length: 228 (0xE4)
    - ClientHello: TLS 1.2
     - Version: TLS 1.2
        Major: 3 (0x3)
        Minor: 3 (0x3)
     - RandomBytes:
        TimeStamp: 01/26/1978, 07:04:34 .0000 UTC
        RandomBytes: Binary Large Object (28 Bytes)
       SessionIDLength: 0 (0x0)
       CipherSuitesLength: 48
     - TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 { 0xC0,0x2B }
        Cipher: 49195 (0xC02B)
     - TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   { 0xC0,0x2F }
        Cipher: 49199 (0xC02F)
     - TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    { 0xC0,0x0A }
        Cipher: 49162 (0xC00A)
     - TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    { 0xC0,0x09 }
        Cipher: 49161 (0xC009)
     - TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      { 0xC0,0x13 }
        Cipher: 49171 (0xC013)
     - TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      { 0xC0,0x14 }
        Cipher: 49172 (0xC014)
     - TLSCipherSuites: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     { 0xC0,0x12 }
        Cipher: 49170 (0xC012)
     - TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        { 0xC0,0x07 }
        Cipher: 49159 (0xC007)
     - TLSCipherSuites: TLS_ECDHE_RSA_WITH_RC4_128_SHA          { 0xC0,0x11 }
        Cipher: 49169 (0xC011)
     - TLSCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA        { 0x00, 0x33 }
        Cipher: 51 (0x33)
     - TLSCipherSuites: TLS_DHE_DSS_WITH_AES_128_CBC_SHA        { 0x00, 0x32 }
        Cipher: 50 (0x32)
     - TLSCipherSuites: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA   { 0x00, 0x45 }
        Cipher: 69 (0x45)
     - TLSCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA        { 0x00, 0x39 }
        Cipher: 57 (0x39)
     - TLSCipherSuites: TLS_DHE_DSS_WITH_AES_256_CBC_SHA        { 0x00, 0x38 }
        Cipher: 56 (0x38)
     - TLSCipherSuites: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA   { 0x00, 0x88 }
        Cipher: 136 (0x88)
     - TLSCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        { 0x00,0x16}
        Cipher: 22 (0x16)
     - TLSCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA            { 0x00, 0x2F }
        Cipher: 47 (0x2F)
     - TLSCipherSuites: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA       { 0x00, 0x41 }
        Cipher: 65 (0x41)
     - TLSCipherSuites: TLS_RSA_WITH_AES_256_CBC_SHA            { 0x00, 0x35 }
        Cipher: 53 (0x35)
     - TLSCipherSuites: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA       { 0x00, 0x84 }
        Cipher: 132 (0x84)
     - TLSCipherSuites: TLS_RSA_WITH_3DES_EDE_CBC_SHA           { 0x00,0x0A }
        Cipher: 10 (0xA)
     - TLSCipherSuites: TLS_RSA_WITH_RC4_128_SHA                { 0x00,0x05 }
        Cipher: 5 (0x5)
     - TLSCipherSuites: TLS_RSA_WITH_RC4_128_MD5                { 0x00,0x04 }
        Cipher: 4 (0x4)
     - TLSCipherSuites: Unknown Cipher
        Cipher: 255 (0xFF)
       CompressionMethodsLength: 1 (0x1)
       CompressionMethods: 0 (0x0)
       ExtensionsLength: 139 (0x8B)
     - ClientHelloExtension: Server Name(0x0000)
        ExtensionType: Server Name(0x0000)
        ExtensionLength: 26 (0x1A)
        NameListLength: 24 (0x18)
        NameType: Host Name (0)
        NameLength: 21 (0x15)
        ServerName: www.mqmaoa6ufwefd.com
     - ClientHelloExtension: EC Point Formats(0x000B)
        ExtensionType: EC Point Formats(0x000B)
        ExtensionLength: 4 (0x4)
        ECPointLength: 3 (0x3)
        ECPointFormat: uncompressed(0x00)
        ECPointFormat: ansiX962_compressed_prime(0x01)
        ECPointFormat: ansiX962_compressed_char2(0x02)
     - ClientHelloExtension: Elliptic Curves(0x000A)
        ExtensionType: Elliptic Curves(0x000A)
        ExtensionLength: 52 (0x34)
        CurvesLength: 50 (0x32)
        NamedCurve: sect571r1(0x000E)
        NamedCurve: sect571k1(0x000D)
        NamedCurve: secp521r1(0x0019)
        NamedCurve: sect409k1(0x000B)
        NamedCurve: sect409r1(0x000C)
        NamedCurve: secp384r1(0x0018)
        NamedCurve: sect283k1(0x0009)
        NamedCurve: sect283r1(0x000A)
        NamedCurve: secp256k1(0x0016)
        NamedCurve: secp256r1(0x0017)
        NamedCurve: sect239k1(0x0008)
        NamedCurve: sect233k1(0x0006)
        NamedCurve: sect233r1(0x0007)
        NamedCurve: secp224k1(0x0014)
        NamedCurve: secp224r1(0x0015)
        NamedCurve: sect193r1(0x0004)
        NamedCurve: sect193r2(0x0005)
        NamedCurve: secp192k1(0x0012)
        NamedCurve: secp192r1(0x0013)
        NamedCurve: sect163k1(0x0001)
        NamedCurve: sect163r1(0x0002)
        NamedCurve: sect163r2(0x0003)
        NamedCurve: secp160k1(0x000F)
        NamedCurve: secp160r1(0x0010)
        NamedCurve: secp160r2(0x0011)
     - ClientHelloExtension: SessionTicket TLS(0x0023)
        ExtensionType: SessionTicket TLS(0x0023)
        ExtensionLength: 0 (0x0)
     - ClientHelloExtension: Signature Algorithms(0x000D)
        ExtensionType: Signature Algorithms(0x000D)
        ExtensionLength: 32 (0x20)
        Data: Binary Large Object (32 Bytes)
     - ClientHelloExtension: Unknown Extension Type
        ExtensionType: Unknown Extension Type
        ExtensionLength: 1 (0x1)
        Data: Binary Large Object (1 Bytes)

------=_NextPart_000_0841_01D083FB.527A4880--
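
A field-by-field comparison of the two attached ClientHello dumps, as an added example that is not part of the original message. It parses the dump format shown in the attachments and reports which cipher suites and curves are offered by only one client, and whether the shared ones appear in the same order; the excerpts are abridged from the attachments and the function names are this example's own.

```python
import re

# Line patterns for the dump format used in the two attachments.
CIPHER = re.compile(r"^\s*Cipher: \d+ \(0x([0-9A-Fa-f]+)\)", re.M)
CURVE = re.compile(r"^\s*NamedCurve: (\w+)\(0x[0-9A-Fa-f]{4}\)", re.M)

# Abridged excerpts of the attachments (a few lines each, original order kept).
FIREFOX = """\
        Cipher: 49199 (0xC02F)
        Cipher: 51 (0x33)
        Cipher: 10 (0xA)
        NamedCurve: secp256r1(0x0017)
        NamedCurve: secp384r1(0x0018)
        NamedCurve: secp521r1(0x0019)
"""
TOR = """\
        Cipher: 49199 (0xC02F)
        Cipher: 49169 (0xC011)
        Cipher: 51 (0x33)
        Cipher: 69 (0x45)
        Cipher: 10 (0xA)
        Cipher: 4 (0x4)
        NamedCurve: sect571r1(0x000E)
        NamedCurve: secp521r1(0x0019)
        NamedCurve: secp384r1(0x0018)
        NamedCurve: secp256r1(0x0017)
"""

def parse_hello(dump):
    """Return the ordered cipher-suite codes and curve names found in one dump."""
    return {
        "ciphers": [f"0x{int(h, 16):04X}" for h in CIPHER.findall(dump)],
        "curves": CURVE.findall(dump),
    }

def diff_hello(a, b):
    """Per field: values unique to each side, and whether shared values keep their order."""
    out = {}
    for field in a:
        shared_a = [v for v in a[field] if v in b[field]]
        shared_b = [v for v in b[field] if v in a[field]]
        out[field] = {
            "only_a": [v for v in a[field] if v not in b[field]],
            "only_b": [v for v in b[field] if v not in a[field]],
            "same_order": shared_a == shared_b,
        }
    return out
```

Passing the full decoded text of both attachments to `parse_hello` gives the complete lists; the abridged excerpts already show that order matters as well as membership, since the shared curves are offered in opposite order.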

