[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: SANS Paper: Detecting Tor

To: or-talk@xxxxxxxxxxxxx
Subject: Re: SANS Paper: Detecting Tor
From: Roger Dingledine <arma@xxxxxxx>
Date: Sun, 9 Nov 2008 22:06:34 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Sun, 09 Nov 2008 22:06:39 -0500
In-reply-to: <50e60b790811091858j7e95e8ffr4a32144c81c2120f@xxxxxxxxxxxxxx>
References: <50e60b790811091854x4abbb87ance4743d27580876d@xxxxxxxxxxxxxx> <50e60b790811091858j7e95e8ffr4a32144c81c2120f@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.5.13 (2006-08-11)

On Sun, Nov 09, 2008 at 09:58:22PM -0500, Roc Admin wrote:
> I just read this article in the SANS reading room called "Detecting and
> Preventing Anonymous Proxy Usage"
> 
> http://www.sans.org/reading_room/whitepapers/detection/32943.php
> 
> From the article:
> Wireshark's ability to reconstitute a TCP stream was used to observe the
> content being sent and received. I noticed a string that the client sends
> out each time it establishes a connection with Tor.  The string is as
> follows: Tor1.0 U Client <identity>0
> 
> Can anyone speak to this?

I suspect it refers to the old 0.1.2.x versions of Tor, back when we
wrote deterministic strings in our TLS certificates.

Tor 0.2.0.x and later don't do that.

--Roger

References:
- SANS Paper: Detecting Tor
  - From: Roc Admin
- Re: SANS Paper: Detecting Tor
  - From: Roc Admin

Prev by Author: Re: Kudos on memory usage in 0.2.X
Next by Author: Re: Dir servers on private networks
Previous by thread: Re: SANS Paper: Detecting Tor
Next by thread: Re: SANS Paper: Detecting Tor
Index(es):
- Author
- Thread