[tor-dev] Best way to client-side detect Tor user without using check.tpo ?

Fabio Pietrosanti (naif) - lists lists at infosecurity.ch
Sat Feb 7 12:59:05 UTC 2015

Hi all,

we're introducing client-side checking if a user it's on Tor or not on
the GlobaLeaks Javascript client.

As far as i understood since some time ago, the right way to do it was
to detect a TBB user with some fingerprinting technique, however those
are going to disappear/being avoided/fixed right?

So, the TorButton approach is to load
https://check.torproject.org/?TorButton=true .

However we're looking for a way that enable to check if we are on Tor
without having to load a network resource.

That's very important because there are use-case of GlobaLeaks where the
application is being "integrated" into investigative media website (that
are under HTTPS) and the Whistleblower is given "some plausible
deniability" regarding the fact he's leaking something or visiting a news.

For that reason, we cannot check if a user it's on Tor by loading an
external network resource such as
https://check.torproject.org/?TorButton=true because it would destroy
the plausible deniability things.

There's a right way to detect if a user it's on Tor, from a Browser,
without loading an external network resource?

Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi

More information about the tor-dev mailing list