[tor-talk] Making TBB undetectable!

sh-expires-12-2015 at quantentunnel.de sh-expires-12-2015 at quantentunnel.de
Sat Oct 3 20:51:34 UTC 2015


On Sat, Oct 03, 2015 at 09:16:50AM +0000, behnaz Shirazi wrote:
> If we use a socks proxy server to talk with destination instead of a
> private Tor exit node then such an attack becomes as dangerous as when
> you are using a detectable TBB over a public Tor exit node because the
> number of socks proxies available out there won't be less than public
> Tor exit nodes today.

Actually, you are much easier for an adversary to differentiate:
since you use Tor in combination with SOCKS proxies, you stand out
and no longer belong in the group of the merry Tor users. You have
actually done an adversary a favor. Plus you induce more latency into your
connections, which makes it easier to induce or deduce additional signal
from your connections and makes you even more distinguishable.

An exit or site operator or a CDN can observe that latency and
clearly differentiate that behavior from Tor and regular users.
They'll tag you "slowpoke on an open proxy". If they hire me, I'd
explain to them how they can ban or tarpit you if you annoy
them too much, so they provide better services to their honest
visitors.

Tor protects you from all that by using different circuits with
different latencies, which results in different exits; that needs
much more effort to observe and tag individual behavior.

You completely subvert that protection, since you always use a
proxy, or maybe a series of proxies, or an exclusive exit, no matter
which destination: you have constant endpoints. If you prefer a
bridge and obfuscation, you may also attach attributes to your
connection that may be observable (I haven't worked with bridges
yet; I leave them for the people who need them). Maybe next
summer holiday.

Your overreliance and misplaced trust in open proxies sticks
properties to your Tor connections you don't want. A clever adversary
will attack you from the open proxy due to previously accumulated
usage patterns. If you try to circumvent exit policies, a
smart proxy operator will downgrade or MITM you.

He may deny you updates for TBB when you need them; using his proxies
he may drop an exploit kit and ransomware on you.

To make it short, instead of ~999 possible exits you rely on one, or
a few. If you additionally try to obfuscate TBB, congratulations, you are
pretty unique, and you won't notice it in any fingerprint tools, since they
don't correlate and accumulate all that stuff that the open proxy can
learn from you.

On the list of historically stupid things to do with Tor, I rank you
in second place, behind the dude who tried to give out his "pre-warmed keys"
and beating the folks who try to torrent with Tor to it.

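The "slowpoke on an open proxy" tagging the post describes, as an added example that is not part of the original message or of any Tor Project code. It assumes a hypothetical server log format in which each request line carries the TCP round-trip time the server measured for that connection (rtt_ms), and all addresses and timings are constructed. The heuristic groups requests by source address and tags sources that are persistent, slow relative to the population median, and stable, i.e. the same fixed path every time, which is exactly what a constant proxy endpoint looks like while ordinary Tor traffic spreads over exits with differing latencies:

```python
"""Toy per-source latency tagger, run over a constructed web-server log.

A Tor user who always exits through the same open proxy arrives from one
constant source IP with consistently high round-trip latency, while
ordinary Tor traffic is spread over many exits with differing latencies.
A site operator or CDN can therefore group requests by source address and
tag sources that are persistent, slow relative to the population, and
stable (low spread, i.e. the same fixed path every time).
"""
import re
import statistics
from collections import defaultdict

# Constructed sample log (hypothetical format, RFC 5737 documentation
# addresses). rtt_ms is taken to be the TCP handshake round-trip time the
# server measured for the connection that carried the request.
# 203.0.113.x: regular visitors; 198.51.100.x: assumed Tor exits carrying
# mixed users; 192.0.2.77: the fixed open proxy in front of Tor.
SAMPLE_LOG = """\
2015-10-03T20:00:01Z 203.0.113.10 GET /index.html rtt_ms=40
2015-10-03T20:00:03Z 203.0.113.10 GET /style.css rtt_ms=45
2015-10-03T20:00:04Z 203.0.113.10 GET /app.js rtt_ms=42
2015-10-03T20:00:09Z 203.0.113.10 GET /about.html rtt_ms=38
2015-10-03T20:01:10Z 203.0.113.11 GET /index.html rtt_ms=110
2015-10-03T20:01:12Z 203.0.113.11 GET /style.css rtt_ms=130
2015-10-03T20:01:15Z 203.0.113.11 GET /app.js rtt_ms=95
2015-10-03T20:02:00Z 198.51.100.21 GET /index.html rtt_ms=420
2015-10-03T20:02:31Z 198.51.100.21 GET /login rtt_ms=610
2015-10-03T20:03:00Z 198.51.100.22 GET /index.html rtt_ms=260
2015-10-03T20:03:40Z 198.51.100.23 GET /index.html rtt_ms=700
2015-10-03T20:03:42Z 198.51.100.23 GET /style.css rtt_ms=330
2015-10-03T20:03:50Z 198.51.100.23 GET /app.js rtt_ms=480
2015-10-03T20:04:00Z 198.51.100.24 GET /index.html rtt_ms=350
2015-10-03T20:04:05Z 198.51.100.24 GET /style.css rtt_ms=520
2015-10-03T20:04:09Z 198.51.100.24 GET /app.js rtt_ms=410
2015-10-03T20:05:00Z 198.51.100.24 GET /about.html rtt_ms=690
2015-10-03T20:05:30Z 198.51.100.24 GET /login rtt_ms=980
2015-10-03T20:06:00Z 198.51.100.24 GET /index.html rtt_ms=300
2015-10-03T20:07:00Z 192.0.2.77 GET /index.html rtt_ms=950
2015-10-03T20:07:03Z 192.0.2.77 GET /style.css rtt_ms=930
2015-10-03T20:07:04Z 192.0.2.77 GET /app.js rtt_ms=970
2015-10-03T20:08:10Z 192.0.2.77 GET /about.html rtt_ms=940
2015-10-03T20:09:00Z 192.0.2.77 GET /login rtt_ms=960
2015-10-03T20:11:00Z 192.0.2.77 GET /index.html rtt_ms=955
2015-10-03T20:12:20Z 192.0.2.77 GET /faq.html rtt_ms=945
2015-10-03T20:13:00Z 192.0.2.77 GET /contact rtt_ms=965
this line is malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) rtt_ms=(?P<rtt>\d+)$"
)


def parse_log(text):
    """Return {source IP: [rtt_ms, ...]}; lines that do not match are skipped."""
    rtts = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rtts[m.group("src")].append(int(m.group("rtt")))
    return dict(rtts)


def profile_sources(rtts):
    """Per-source request count, median RTT and relative spread (pstdev/median)."""
    profiles = {}
    for src, samples in rtts.items():
        med = statistics.median(samples)
        spread = statistics.pstdev(samples) / med if med else 0.0
        profiles[src] = {"n": len(samples), "median_ms": med, "rel_spread": spread}
    return profiles


def tag_slowpokes(profiles, min_requests=5, slow_factor=2.0, max_rel_spread=0.25):
    """Tag sources that are persistent (>= min_requests), at least slow_factor
    times slower than the population median of per-source medians, and stable
    (relative spread <= max_rel_spread). Thresholds are illustrative."""
    baseline = statistics.median(p["median_ms"] for p in profiles.values())
    tagged = {}
    for src, p in profiles.items():
        if (p["n"] >= min_requests
                and p["median_ms"] >= slow_factor * baseline
                and p["rel_spread"] <= max_rel_spread):
            tagged[src] = "slowpoke on an open proxy"
    return baseline, tagged


def analyze(text):
    """Parse, profile and tag; returns (baseline_ms, tagged, profiles)."""
    profiles = profile_sources(parse_log(text))
    baseline, tagged = tag_slowpokes(profiles)
    return baseline, tagged, profiles


if __name__ == "__main__":
    baseline, tagged, profiles = analyze(SAMPLE_LOG)
    print(f"population baseline median RTT: {baseline} ms")
    for src, p in sorted(profiles.items()):
        print(f"{src:15} n={p['n']:2} median={p['median_ms']:7.1f} "
              f"spread={p['rel_spread']:.3f} {tagged.get(src, '')}")
```

In the constructed data the exit 198.51.100.24 is seen as often as the proxy but is never tagged: its per-request latency swings with the circuits behind it and its median sits at the population baseline, which is the diluting effect the post attributes to Tor's changing circuits and exits. The constant proxy address is what makes the signal accumulate; a real operator would additionally join it with whatever else the same address reveals (TLS and browser fingerprints, known-exit lists), and the thresholds here are illustrative, not measured.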
