[network-health] JARM fingerprinting of Tor nodes

Corl3ss corl3ss at corl3ss.com
Sun Feb 14 19:37:10 UTC 2021


Hi,


Based on an original idea from jvoisin, we have been working on fingerprinting Tor nodes with JARM.
Here is a short description of this experimental work: https://hackmd.io/TWiUy4knQ06SYk9RBxnXPQ?view

We share it here after a short talk with GeKo.
The aim is to:
* share technical opinions on these results
* evaluate the interest in going further, e.g. using JARM fingerprinting for network health issues

If you have now read what is at the link, you may have questions, as GeKo did, so here are some complementary thoughts:

* how would you detect bad configuration/behavior?
As the fingerprint only tells us what configuration is shared between Tor nodes, we then did a packet analysis to explain the differences and detect potential misconfiguration/misbehaviour.
We haven't detected anything suspicious yet, just:
   * some rare / odd configurations (see link)
   * the fact that some rare fingerprints have gone offline fast, so they were perhaps misconfigured/suspicious. It was too late to make a packet analysis on those.
 
* should we have uniform fingerprints?
The first 30 digits of the fingerprints depend on the TLS version answered and the ciphers used. We have only 13 such fingerprints across more than 7,000 tested relays.
In the end it seems pretty uniform. I think it could be used to watch whether nodes have an odd fingerprint and raise an alert in such a case. If useful.

* do we know what actually causes fingerprints to change?
Yes, as said above (TLS version and ciphers). For a detailed comparison, full results of the packet analysis are available at the link above. Fingerprints are not OS-specific, nor Tor version-specific. I would assume they are mainly specific to (open|libre)ssl.


Open questions:
* does the fingerprint diversity seem normal to you with regard to the Tor TLS implementation?
* do you see any problem / dangerous behaviour in the packet analysis?
* usefulness for network health monitoring?
* ...


Would read your feedback with interest!


Corl3ss
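
The monitoring idea in the message (group relays by the first 30 characters of their JARM value and alert on odd ones), sketched as an added example that is not part of the original message or the authors' tooling. The relay names, JARM values and the `max_share` threshold are constructed assumptions; the triplet layout and version letters follow the reference JARM tool's encoding.

```python
from collections import Counter

PREFIX_LEN = 30  # 10 probes x 3 chars: 2 cipher hex digits + 1 TLS version char
VERSIONS = {"0": "no answer", "a": "SSL 3.0", "b": "TLS 1.0",
            "c": "TLS 1.1", "d": "TLS 1.2", "e": "TLS 1.3"}

# Constructed sample data: relay names and JARM values are made up for this example.
TAIL = "ab" * 16  # stands in for the 32-char extension hash
COMMON = "2ad" * 2 + "000" + "2ad" * 2 + "000" + "2ad" * 4 + TAIL
ODD = "2ad" * 2 + "000" + "2ad" * 2 + "000" + "2ad" * 2 + "000" + "2ad" + TAIL
SAMPLE = [("relay%d" % i, COMMON) for i in range(9)] + [("relay9", ODD)]


def split_prefix(jarm):
    """Return the 10 (cipher_code, tls_version) pairs from the first 30 chars."""
    if len(jarm) != 62:
        raise ValueError("a JARM fingerprint is 62 characters long")
    p = jarm[:PREFIX_LEN]
    return [(p[i:i + 2], VERSIONS.get(p[i + 2], "unknown"))
            for i in range(0, PREFIX_LEN, 3)]


def rare_prefixes(scans, max_share=0.01):
    """Map each prefix used by at most max_share of relays to those relays."""
    counts = Counter(jarm[:PREFIX_LEN] for _, jarm in scans)
    rare = {}
    for name, jarm in scans:
        prefix = jarm[:PREFIX_LEN]
        if counts[prefix] / len(scans) <= max_share:
            rare.setdefault(prefix, []).append(name)
    return rare


def diff_probes(jarm_a, jarm_b):
    """List (probe_number, answer_a, answer_b) for probes answered differently."""
    pairs = zip(split_prefix(jarm_a), split_prefix(jarm_b))
    return [(n, a, b) for n, (a, b) in enumerate(pairs, start=1) if a != b]


if __name__ == "__main__":
    for prefix, relays in rare_prefixes(SAMPLE, max_share=0.2).items():
        print("rare prefix", prefix, "seen on", relays)
        for n, common, odd in diff_probes(COMMON, prefix + TAIL):
            print("  probe %d: common=%s odd=%s" % (n, common, odd))
```

A flagged prefix only says that a relay answered some probe differently from the majority; explaining why still takes the kind of packet analysis described in the message.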