[network-health] JARM fingerprinting of Tor nodes

Georg Koppen gk at torproject.org
Fri Mar 5 09:00:27 UTC 2021 

Corl3ss:
> Hi,
> 
> 
> On an original idea of jvoisin, we have been working on fingerprinting Tor nodes with JARM.
> Here is a short description of this experimental work : https://hackmd.io/TWiUy4knQ06SYk9RBxnXPQ?view
> 
> We share it here after a short talk with GeKo.
> The aim is to : 
> * share technical opinions on these results
> * evaluate the interest to go further, e.g. using JARM fingerprinting for network health issues
> 
> If you have now read what is on the link, you could have questions as GeKo did so here some complementary thoughts:
> 
> * how would you detect bad configuration/behavior?
> As the fingerprint only tell us what configuration is shared between Tor nodes, we made then a packet analysis to explain the differences and detect potential misconfiguration/misbehaviour.
> We haven't detected anything suspicious yet just:
>    .some rare / odd configurations (see link)
>    .the fact that some rare fingerprints have gone offline fast, so they were perhaps misconfigured/suspicious. It was too late to make a packet analysis on those.
>  
> * should we have uniform fingerprints?
> The first 30 digits of the fingerprints depend on TLS version answer and used ciphers. We have only 13 such fingerprints on more than 7.000 tested relays.
> It seems finally pretty uniform. I think it could be used to watch if nodes have an odd fingerprint and give an alert in such case. If useful.
> 
> * do we know what actually causes fingerprints to change?
> Yes, as said above (TLS version and ciphers). For a detailled comparison, full results of the packet analysis are available on the link above. Fingerprints are not OS-specific, nor Tor version-specific. I would assume specific of (open|libre)ssl mainly.
> 
> 
> Open questions:
> * fingerprint diversity seems normal to you in regard of the Tor TLS implementation ?
> * do you see any problem / dangerous behaviour in packet analysis ?

I am not sure. Right now nothing comes to mind if it's just looking at
the TLS fingerprint.

> * usefulness for a network health monitoring ?

I guess it would be useful to see what a packet anaylsis of "odd"
fingerprints would look like/reveal. If fingerprints are specific to
OpenSSL/LibreSSL and other libs, maybe they are able to reveal specific
versions, too? Then we could scan for outdated/obsolete versions of
those and warn the operators.

Georg

> * ...
> 
> 
> Would read your feedback with interest !
> 
> 
> Corl3ss
> 
> 
> _______________________________________________
> network-health mailing list
> network-health at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/network-health
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/network-health/attachments/20210305/a5d0625c/attachment.sig>

More information about the network-health mailing list