[tor-talk] Making TBB undetectable!
Ben Tasker
ben at bentasker.co.uk
Thu Oct 1 18:18:48 UTC 2015
> Randomization, or some one click equivalent, is the only real option here
when usability is considered; the manual effort each session is undesirable
at the very least :)
The problem you have there is what to randomize, and how to do it in such
a way that it does not itself become identifiable.
To use an example, think about when you run cover traffic (whether over Tor
or a VPN): the initial temptation is to have random levels of data
travelling over the link. The problem there is that it's not a 'natural'
looking flow of data when you analyse it, so when you use the link, your
natural usage is identifiable in the analysis.
So you go for something more 'natural', but natural's hard to fake, so your
cover traffic has an identifiable set of patterns, meaning on analysis you
can discount it and still tell when the tunnel is being used for real
traffic.
When we're talking about making the browser unidentifiable as TBB, the very
act of having something in the fingerprint that changes to prevent
correlation between sessions provides an avenue by which it can be
identified as TBB:
Let's say you override reported screen width so it lies, and then use TBB
to sign in to (sake of example) Facebook. Every time you start a new
session and sign in to Facebook, your screen size is going to be different.
That's *very* unusual. Users' screen sizes will change from time to time
(because they're in a window rather than full-screen, or on a laptop
instead of a PC) but to be different every time?
What about if you're signed in to FB in one tab, and browsing news in
another. The news page has a Like button on it, and Facebook get a
completely different screen size reported. You might just have the news on
fullscreen, and FB windowed, but again, for it to happen every time is an
unusual pattern.
A bit of research would soon tell them you're using TBB even if they hadn't
thought to see if the traffic was coming from an exit node.
> Making people blend into the crowd of regular internet users is best but
only if we resolve the traffic source; i.e., Tor exits.
That's quite an issue to solve though. Even if we assume that the IPs of
tor nodes weren't being published anymore, analysis of traffic patterns on
a busy site would likely soon let you work out the IPs of some exits.
Granted, you wouldn't immediately know whether those sources were Tor exits
or simply proxies being used by multiple users, but finding out wouldn't be
impossible. A determined adversary wanting to map out Tor exits could
simply initiate a lot of connections via Tor and keep a record of where the
other end (under their control) sees connections come from.
Not as accurate as downloading the relay list, but depending on your aims
you wouldn't need 100% coverage, so in the absence of the list it'd
probably do. It raises the cost of identifying Tor exits, but only so long
as the resulting list isn't then published (and kept up to date).
As others have said though, the aim isn't to hide that you're using Tor
from your destination, and successfully doing so would (IMO) be a pretty
non-trivial task.
On Thu, Oct 1, 2015 at 6:07 PM, Spencer <spencerone at openmailbox.org> wrote:
> Hi,
>
>
>>> behnaz Shirazi:
>>> a Tor user who temporarily uses a natural
>>> fingerprint to become undetectable for a while won't deanonymize
>>> itself nor the rest of other Tor users who use a detectable version of
>>> TBB because when a natural fingerprint is used once then there will be
>>> not enough information available for data miners to link pseudonyms for
>>> deanonymization,
>>>
>>>
> Is a 'Natural Fingerprint' like a clearnet fingerprint, in that it
> identifies you as a regular, non-tor, internet user, making you part of the
> larger herd?
>
>
>>> and for sure Tor users who need undetectability won't
>>> use the undetectablizer Add-on all the time hence detectable TBB users
>>> won't become unique.
>>>
>>>
> I see this as a blocker, as this add-on is most likely detectable, yeah?
> If not, how, in the same, less, or maybe a bit more, amount of resources do
> you feel this could be accomplished? Manually, this becomes quite the task
> as time progresses. Is this something that would be added to a mail
> [something], like OpenPGP or TorBirdy are, because I feel like this would
> be detectable somehow, too.
>
>
>> Ben Tasker:
>> Used once, sure. But over time, it's likely going to get used more than
>> once,
>>
>>
> This seems to be part of the design, as one-of-a-kind fingerprints,
> through Tor exits or not, are detectable, though probably not identifiable.
>
>
>> unless you're planning on inserting some sort of randomisation to try
>> and prevent that (by making some aspect different each session),
>>
>>
> Randomization, or some one click equivalent, is the only real option here
> when usability is considered; the manual effort each session is undesirable
> at the very least :)
>
>
>> using "UnidentifiableMode"
>>
>>
> 'UnidentifiableMode' sounds like a good working name for such a feature.
>
>
>> Making something "Undetectable"
>> is very, very hard as your margin for error is 0 (because 0.01 gives
>> something that someone could use to make it identifiable). Making
>> something
>> common so you can blend into the crowd makes it easier to avoid
>> (potentially) costly mistakes.
>>
>>
> Making people blend into the crowd of regular internet users is best but
> only if we resolve the traffic source; i.e., Tor exits.
>
>
>> Blending into the crowd is not without its value.
>>
>>
> But surely some of these fingerprints will be shared by real users. So,
> it seems like a reasonable request, should we resolve the usability and
> *traffic issues.
>
> Wordlife,
> Spencer
>
>
--
Ben Tasker
https://www.bentasker.co.uk
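As an added illustration of the screen-size argument in the post above (this is example code, not anything from the post or from Tor Browser), here is a defender-side check over constructed session records that flags accounts whose reported screen size is new in every session, or differs between two pages loaded in the same session. The log format, account names and the session threshold are assumptions.

```python
"""Flag the 'different screen size every session' pattern described in the post."""
from collections import defaultdict

# Constructed sample records (assumed format): account session page reported_size
SAMPLE_LOG = [
    "alice 1 site.example 1920x1080",
    "alice 2 site.example 1920x1080",
    "alice 3 site.example 1366x768",   # laptop instead of PC: a normal, occasional change
    "alice 3 news.example 1366x768",   # Like button on a news page, same session, same size
    "bob 1 site.example 1440x900",
    "bob 1 news.example 1440x900",
    "bob 2 site.example 1440x900",
    "carol 1 site.example 1234x777",   # randomised width: a fresh value each session
    "carol 1 news.example 1555x777",   # and a different value between tabs in one session
    "carol 2 site.example 1789x777",
    "carol 3 site.example 1023x777",
]


def parse(lines):
    """account -> session id -> set of screen sizes reported in that session."""
    sessions = defaultdict(lambda: defaultdict(set))
    for line in lines:
        account, session, _page, size = line.split()
        sessions[account][session].add(size)
    return sessions


def flag_accounts(lines, min_sessions=3):
    """Return stats for accounts that look like a per-session randomiser.

    An account is flagged when it has at least min_sessions sessions and the
    number of distinct sizes is at least the number of sessions (i.e. a new
    size every time). min_sessions keeps a single laptop/PC switch from
    being flagged, as the post notes that occasional changes are normal.
    """
    flagged = {}
    for account, per_session in parse(lines).items():
        size_sets = list(per_session.values())
        distinct = set().union(*size_sets)
        stats = {
            "sessions": len(size_sets),
            "distinct_sizes": len(distinct),
            # two reports in one session disagreeing (windowed vs fullscreen, or randomised)
            "intra_session_conflicts": sum(1 for s in size_sets if len(s) > 1),
        }
        if stats["sessions"] >= min_sessions and stats["distinct_sizes"] >= stats["sessions"]:
            flagged[account] = stats
    return flagged
```

Running `flag_accounts(SAMPLE_LOG)` singles out only `carol`; alice's one-off laptop change and bob's consistent sizes stay below the threshold.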