[network-health] JARM fingerprinting of Tor nodes
gk at torproject.org
Fri Mar 5 09:00:27 UTC 2021
> On an original idea of jvoisin, we have been working on fingerprinting Tor nodes with JARM.
> Here is a short description of this experimental work: https://hackmd.io/TWiUy4knQ06SYk9RBxnXPQ?view
> We share it here after a short talk with GeKo.
> The aim is to:
> * share technical opinions on these results
> * evaluate the interest to go further, e.g. using JARM fingerprinting for network health issues
> If you have now read what is on the link, you may have questions, as GeKo did, so here are some complementary thoughts:
> * how would you detect bad configuration/behavior?
> As the fingerprint only tells us what configuration is shared between Tor nodes, we then made a packet analysis to explain the differences and detect potential misconfiguration/misbehaviour.
> We haven't detected anything suspicious yet, just:
> * some rare / odd configurations (see link)
> * the fact that some rare fingerprints have gone offline fast, so they were perhaps misconfigured/suspicious. It was too late to make a packet analysis on those.
> * should we have uniform fingerprints?
> The first 30 digits of the fingerprints depend on the TLS version answer and the ciphers used. We have only 13 such fingerprints on more than 7,000 tested relays.
> So in the end it seems pretty uniform. I think it could be used to watch whether nodes have an odd fingerprint and give an alert in such a case. If useful.
> * do we know what actually causes fingerprints to change?
> Yes, as said above (TLS version and ciphers). For a detailed comparison, full results of the packet analysis are available on the link above. Fingerprints are not OS-specific, nor Tor version-specific. I would assume they are mainly specific to (open|libre)ssl.
> Open questions:
> * does the fingerprint diversity seem normal to you with regard to the Tor TLS implementation?
> * do you see any problem / dangerous behaviour in the packet analysis?
I am not sure. Right now nothing comes to mind if it's just looking at
the TLS fingerprint.
> * usefulness for network health monitoring?
I guess it would be useful to see what a packet analysis of "odd"
fingerprints would look like/reveal. If fingerprints are specific to
OpenSSL/LibreSSL and other libs, maybe they are able to reveal specific
versions, too? Then we could scan for outdated/obsolete versions of
those and warn the operators.
> * ...
> Would read your feedback with interest!
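The thread proposes watching for relays whose JARM fingerprint is "odd" relative to the rest of the network and raising an alert on them. The following is an added example, not code from the thread or from the JARM or Tor projects: it baselines the first 30 characters of each fingerprint (the part the thread found to vary with TLS version and ciphers) across a set of relay scans and flags relays whose prefix is shared by only a small fraction of the network, as a lead for the packet analysis the thread describes rather than as proof of misconfiguration. The `RelayScan` records, the prefix constants, the `max_share` threshold and the sample scan set are all constructed for the example; a real deployment would feed it scan results for the current consensus.

```python
"""Flag Tor relays whose JARM fingerprint prefix is rare across the network.

Added example, not from the thread. A JARM fingerprint is a 62-character
lowercase hex string: the first 30 characters encode the TLS version and
cipher the server chose for each of the 10 probes, the last 32 are a
truncated SHA-256 of the server's extensions. The thread reports that the
30-character prefix is what varied (13 values on 7,000+ relays), so that
prefix is what we baseline here.
"""
from collections import Counter
from dataclasses import dataclass

JARM_LEN = 62
PREFIX_LEN = 30

# Constructed prefixes for the example; they are not real relay fingerprints.
PREFIX_A = "2ad2ad0002ad2ad00042d42d000000"    # the common configuration
PREFIX_B = "2ad2ad0002ad2ad00042d42d00042d"    # a second, less common one
PREFIX_ODD = "07d" * 10                        # a lone outlier


@dataclass(frozen=True)
class RelayScan:
    """One scan result: relay nickname (constructed) and its JARM string."""
    nickname: str
    jarm: str


def is_valid_jarm(jarm: str) -> bool:
    """True if the string has the shape JARM emits (62 lowercase hex chars).

    A failed scan (empty or malformed string) must not count toward the
    baseline, so callers filter with this first.
    """
    if len(jarm) != JARM_LEN:
        return False
    return all(c in "0123456789abcdef" for c in jarm)


def prefix_counts(scans):
    """Count relays per 30-character JARM prefix (TLS version + ciphers)."""
    return Counter(s.jarm[:PREFIX_LEN] for s in scans if is_valid_jarm(s.jarm))


def rare_fingerprints(scans, max_share=0.05):
    """Return nicknames of relays whose prefix covers at most max_share of
    the valid scans. These are the 'odd' fingerprints worth a closer look;
    max_share is a constructed threshold to tune against the real network."""
    counts = prefix_counts(scans)
    total = sum(counts.values())
    if total == 0:
        return []
    return sorted(
        s.nickname
        for s in scans
        if is_valid_jarm(s.jarm)
        and counts[s.jarm[:PREFIX_LEN]] / total <= max_share
    )


def constructed_scans():
    """Constructed sample data (not a real Tor consensus): 40 relays with
    PREFIX_A, 10 with PREFIX_B, one outlier, and one scan that failed."""
    scans = [RelayScan(f"relayA{i}", PREFIX_A + format(i, "032x")) for i in range(40)]
    scans += [RelayScan(f"relayB{i}", PREFIX_B + format(i, "032x")) for i in range(10)]
    scans.append(RelayScan("oddrelay", PREFIX_ODD + format(7, "032x")))
    scans.append(RelayScan("unreachable", ""))  # scan failed; excluded from baseline
    return scans


if __name__ == "__main__":
    sample = constructed_scans()
    for prefix, n in prefix_counts(sample).most_common():
        print(f"{prefix}  {n} relays")
    print("rare:", rare_fingerprints(sample))
```

The share-based threshold, rather than an absolute count, keeps the rule meaningful whether it runs over a few hundred relays or the whole consensus; the failed-scan record shows why validation has to happen before counting, since an empty string would otherwise become a prefix of its own and look like the rarest fingerprint in the set.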