Date: Sat, 3 Oct 2015 23:01:57 +0100
Message-ID: <CABMkiz4prBsatyCz=WZx-6jucUiq3n2_Ox5upDOeH4KCxs1MMw@mail.gmail.com>
From: Ben Tasker <ben@bentasker.co.uk>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Making TBB undetectable!
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>

> but if an attacker detects that someone is trying to hide
> its identity when entering a powerful villain's email account or when
> trying to contact a high-risk journalist, that might cost lives.

But if you're doing something (in the adversary's eyes) that serious, it
probably doesn't matter whether they can tell you're using TBB or not.
Either way, they're going to look at ways to identify you. Being one of a
crowd of Tor users likely offers more protection against that than trying
to make it difficult to identify that you're using Tor.


> undetectablizer Add-on is useful for private exit nodes.

The issue I have with the idea of private exits is that not everyone can
use them. In other words, if you're using one, then you can be (however
loosely) associated with other users of that node. You all got
access/permission somehow, so you are now incredibly reliant on other users
not slipping up, and on the owner/operator not being traced.

If you've simply paid BTC for access, you then have to be very sure you've
not slipped up (simple examples: re-used a wallet, or funded one from fiat
currency).

Personally, I'd prefer a public exit; it's harder to associate users and
there's less room for making costly mistakes.

> There are limited numbers of data requests possible (check out
> browserleaks.com or browserspy.dk). We need to list all of them and
> compare with other browsers to spoof what is different.

Those are the requests we know are differentiators; it doesn't
mean that others won't be discovered, and you'd need to gamble that anything
found is publicly disclosed when it's found, rather than kept quiet by an
adversary. What you're essentially asking for is a browser that behaves
like TBB (i.e. the various privacy protections) whilst pretending it
behaves like a Google Nexus (for example). It's not that it'd be impossible
to do, but one tiny mistake or oversight takes you straight back to being
finger-printable, and almost uniquely so if very few are using
Unidentifiable Mode.

> As far as I know you can't fetch installed Add-ons by JavaScript; it
> only works for plugins, so it is not detectable either. Detecting
> Add-ons is done by side-channel attacks: for instance, Adblock prevents
> certain scripts or NoScript prevents certain objects, so an attacker can
> simply call such elements and find out whether those Add-ons are
> installed or not.

Yes and no. You can't just run a list of add-ons off using JavaScript;
however, a fairly simple side-channel attack is to try and load images from
add-ons you care about detecting. If the add-on is installed and has
contentaccessible set (and your path is valid) then it'll load; if not,
it'll fail.

So, you can fairly easily poll for various add-ons. Not sure it'd affect
your add-on, but seemed worth mentioning.

> We just change the details a browser returns to calls in a way that the caller
> can't recognize whether it is telling the truth or not.

How do you do this without breaking certain sites? For example, if my JS
configures absolute positioning based on screen size (yes, it's a bad way
of doing things, and yes I've seen sites do it) then your reporting back a
600px screen is going to look terrible on a 1280.

> In a public wifi hotspot there is only one IP address and several
> clients simultaneously visit different websites. It would be very
> difficult for an attacker to find out that a private Tor exit node is
> actually a Tor exit node

You'd need to be very careful about where your private exit is located. If
it's in a datacentre, then no one's going to mistake it for a cafe (for
example). An adversary with sufficient resources would also soon be able to
look at data-rates to and from your box, as well as sources; it shouldn't
take them long to realise it's communicating with Tor relays.


> Don't forget that it is not
> impossible to locate a user if a global adversary observes a big
> portion of the globe and deanonymizes Tor itself, but we still trust Tor for
> anonymity; thus we can trust undetectablizer Add-on in most cases to
> remain unidentifiable as well.

True, the difference here being that you're talking about something that
would be happening on a much smaller scale, and attempting to closely
replicate 'normal' fingerprints. A tiny mistake would be enough to
differentiate you from the 'normal' traffic, as well as from the 'standard'
TBB profile.

>> As others have said though, the aim isn't to hide that you're using Tor
>> from your destination, and successfully doing so would (IMO) be a pretty
>> non-trivial task
>
> What? Undetectabilizer Add-on's aim is exactly hiding that we're using
> Tor from the destination site.

To be clear, I meant it wasn't Tor's aim.

> Pluggable Transports aim to hide that
> we're using Tor from network observers located between user and
> entry-guards.

But not to hide that we're using Tor from the destination.

> Making undetectablizer Add-on is a trivial task.

Making it correctly is not trivial, you have no room for mistakes,
otherwise you risk becoming more fingerprintable than vanilla TBB.


> If you give us only one practical example that let destination sites
> automatically separate TBB from vanilla Firefox or Safari

Assuming we're talking about an unmodified TBB? I'd start by trying to
ascertain whether NoScript is enabled. Working out whether HTTPS
Everywhere is enabled should be fairly trivial too. There are, of course,
plenty of people who run those in combination outside of TBB, but it's a
reasonable starting point for narrowing things down.

Someone who's suitably motivated will spend far more time and resources
looking at the minute differences in order to build a fingerprint.
-- 
Ben Tasker
https://www.bentasker.co.uk
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
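An added illustration of the 600px-versus-1280 point above, not part of Ben's message or of any add-on discussed in the thread: a self-consistency check over the values a browser reports. The profiles are constructed, and the field names (screenWidth, innerWidth, ...) simply mirror the DOM properties they stand for; spoofing one value without adjusting the rest produces contradictions that are themselves a fingerprint.

```javascript
// Added example (not from the original thread). Runs offline in Node: inputs are
// plain objects rather than the live window/screen objects they model.
function checkConsistency(p) {
  const issues = [];
  // The screen cannot be smaller than its own usable area.
  if (p.availWidth > p.screenWidth || p.availHeight > p.screenHeight) {
    issues.push("avail* larger than screen");
  }
  // A viewport wider than the claimed screen is the "600px screen" mistake.
  if (p.innerWidth > p.screenWidth || p.innerHeight > p.screenHeight) {
    issues.push("viewport larger than screen");
  }
  // The window including its chrome cannot be smaller than the viewport.
  if (p.outerWidth < p.innerWidth || p.outerHeight < p.innerHeight) {
    issues.push("outer window smaller than viewport");
  }
  if (!Number.isFinite(p.devicePixelRatio) || p.devicePixelRatio <= 0) {
    issues.push("implausible devicePixelRatio");
  }
  // A phone UA paired with a wide, DPR-1 screen is another cross-field clash.
  const mobileUA = /Android|iPhone|Mobile/.test(p.userAgent);
  if (mobileUA && p.screenWidth >= 1280 && p.devicePixelRatio === 1) {
    issues.push("mobile UA with desktop-like screen and DPR 1");
  }
  return issues;
}

// Constructed profiles, not captured from any real browser.
const desktopProfile = {
  screenWidth: 1280, screenHeight: 720, availWidth: 1280, availHeight: 680,
  innerWidth: 1000, innerHeight: 600, outerWidth: 1016, outerHeight: 700,
  devicePixelRatio: 1,
  userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0",
};
// Only screen size and UA changed: the other values still describe a 1280 desktop.
const naiveSpoof = {
  ...desktopProfile, screenWidth: 600, screenHeight: 960,
  userAgent: "Mozilla/5.0 (Linux; Android 5.1; Nexus 5) Mobile Safari/537.36",
};
// Every field adjusted together, so no single check contradicts another.
const consistentSpoof = {
  screenWidth: 360, screenHeight: 640, availWidth: 360, availHeight: 640,
  innerWidth: 360, innerHeight: 560, outerWidth: 360, outerHeight: 640,
  devicePixelRatio: 3,
  userAgent: "Mozilla/5.0 (Linux; Android 5.1; Nexus 5) Mobile Safari/537.36",
};

console.log(checkConsistency(naiveSpoof)); // the naive spoof stands out; the others report nothing
```

The consistent spoof passes this particular check, which is the thread's point in miniature: it is possible, but every reported value has to be kept in agreement, and the naive version is more distinctive than the unmodified profile it started from.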

