SANS Paper: Detecting Tor
Nick Mathewson
nickm at freehaven.net
Mon Nov 10 03:12:19 UTC 2008
On Sun, Nov 09, 2008 at 09:54:53PM -0500, Roc Admin wrote:
> I just read this article in the SANS reading room called "Detecting and
> Preventing Anonymous Proxy Usage"
>
> http://www.sans.org/reading_room/whitepapers/detection/32943.php
>
Cosmetic issues:
1) It's "Tor", not TOR.
2) The paper cites the website rather than any of the actual
published academic papers on Tor: lame.
3) The paper doen't say when the research was done or what version
of Tor was used, so it may not be _inaccurate_ so much as
outdated.
Actual issues:
The Tor-detection method described in this paper involves looking
for a string in the outgoing connections. You wouldn't know it
from reading the paper, but the string in question is part of the
CNAME field of a certificate sent from a client to a server. We
don't follow that protocol any more; in particular see proposal 124
and proposal 130.
Where Tor stands today:
We're a lot better at avoiding dumb regex-matching attacks in the
Tor protocol than we were before. When an 0.2.0.x client is
talking to an 0.2.0.x server, there should not be any regular
expressions that can be used to distinguish the data stream from a
regular HTTPS session.
(Some may remain; we may have missed some details. Nonetheless,
the approach described in this paper doesn't work on any recent
version of the Tor protocol.)
--
Nick
More information about the tor-talk
mailing list