I don't think you can reliably tell without information from the network; indeed, to the extent that you can tell *at all* without information from the network, I would expect that to be considered a bug.
The tactic that occurs to me is, have the investigative media website's server stick a marker of some sort into its webpages whenever it is being accessed from a Tor exit. That would avoid needing to load an additional network resource. However, I don't think I understand your threat model. Who observes the whistleblower, from where, and why wouldn't they just red-flag *all* use of Tor?
On Sat, Feb 7, 2015 at 7:59 AM, Fabio Pietrosanti (naif) - lists lists@infosecurity.ch wrote:
Hi all,
we're introducing client-side checking if a user it's on Tor or not on the GlobaLeaks Javascript client.
As far as i understood since some time ago, the right way to do it was to detect a TBB user with some fingerprinting technique, however those are going to disappear/being avoided/fixed right?
So, the TorButton approach is to load https://check.torproject.org/?TorButton=true .
However we're looking for a way that enable to check if we are on Tor without having to load a network resource.
That's very important because there are use-case of GlobaLeaks where the application is being "integrated" into investigative media website (that are under HTTPS) and the Whistleblower is given "some plausible deniability" regarding the fact he's leaking something or visiting a news.
For that reason, we cannot check if a user it's on Tor by loading an external network resource such as https://check.torproject.org/?TorButton=true because it would destroy the plausible deniability things.
There's a right way to detect if a user it's on Tor, from a Browser, without loading an external network resource?
-- Fabio Pietrosanti (naif) HERMES - Center for Transparency and Digital Human Rights http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev