[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] What is being detected to alert upon?

Frederick Zierold writes:

> Unfortunately, I cannot see their signature set.  They have it locked
> down.  They claim they are not detecting it by IP address.

It's hard to know what methods they might be using without more data
about their accuracy and which bridges (and transports) they do or don't

Without a pluggable transport to obfuscate the traffic, a connection to
a Tor bridge looks kind of like regular TLS traffic.  However, there are
(or have been) particular anomalies that a network operator might look
for to try to detect Tor use.

Roger and Jacob had a presentation a few years ago about techniques that
were known to have been used to detect Tor traffic up to that point:


A notable example was the use of a particular Diffie-Hellman parameter
in the TLS session negotiation, which at least one government network
operator managed to use to detect Tor.  There may still be other things
in the TLS behavior (or other aspects of the protocol traffic, like
the size and timing of what goes over the connection after TLS session
establishment?) that are distinctive, or distinctive enough if you don't
require perfect accuracy.

Another possibility that's alluded to there is active probing -- with
traditional Tor nodes speaking the plain Tor protocol, you can connect
to a service that your network users connect to, and try speaking the
Tor protocol to it.  If it responds, it's a Tor node. :-)

Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to