Re: SANS Paper: Detecting Tor

On Sun, Nov 09, 2008 at 09:58:22PM -0500, Roc Admin wrote:
> I just read this article in the SANS reading room called "Detecting and
> Preventing Anonymous Proxy Usage"
> http://www.sans.org/reading_room/whitepapers/detection/32943.php
> From the article:
> Wireshark's ability to reconstitute a TCP stream was used to observe the
> content being sent and received. I noticed a string that the client sends
> out each time it establishes a connection with Tor.  The string is as
> follows: Tor1.0 U Client <identity>0
> Can anyone speak to this?

I suspect it refers to the old 0.1.2.x versions of Tor, back when we
wrote deterministic strings in our TLS certificates.

Tor 0.2.0.x and later don't do that.