SANS Paper: Detecting Tor

[Nick Mathewson]

On Sun, Nov 09, 2008 at 09:54:53PM -0500, Roc Admin wrote:
> I just read this article in the SANS reading room called "Detecting and
> Preventing Anonymous Proxy Usage"
> 
> http://www.sans.org/reading_room/whitepapers/detection/32943.php
> 

Cosmetic issues:
   1) It's "Tor", not TOR.
 
   2) The paper cites the website rather than any of the actual
      published academic papers on Tor: lame.

   3) The paper doen't say when the research was done or what version
      of Tor was used, so it may not be _inaccurate_ so much as
      outdated.

Actual issues:

   The Tor-detection method described in this paper involves looking
   for a string in the outgoing connections.  You wouldn't know it
   from reading the paper, but the string in question is part of the
   CNAME field of a certificate sent from a client to a server.  We
   don't follow that protocol any more; in particular see proposal 124
   and proposal 130.

Where Tor stands today:

   We're a lot better at avoiding dumb regex-matching attacks in the
   Tor protocol than we were before.  When an 0.2.0.x client is
   talking to an 0.2.0.x server, there should not be any regular
   expressions that can be used to distinguish the data stream from a
   regular HTTPS session.

   (Some may remain; we may have missed some details.  Nonetheless,
   the approach described in this paper doesn't work on any recent
   version of the Tor protocol.)

-- 
Nick