[tor-talk] Making TBB undetectable!

[behnaz Shirazi]

On 10/3/15, sh-expires-12-2015 at quantentunnel.de
<sh-expires-12-2015 at quantentunnel.de> wrote:
> On Sat, Oct 03, 2015 at 09:16:50AM +0000, behnaz Shirazi wrote:
>> If we use a socks proxy server to talk with destination instead of a
>> private Tor exit node then such an attack becomes as dangerous as when
>> you are using a detectable TBB over a public Tor exit node because the
>> number of socks proxies available out there won't be less than public
>> Tor exit nodes today.
>
> Actually, you are much easier to differentiate for an adversary
> since you use tor in combination with socks proxies, you stand out
> and now no longer belong in the group of the merry tor users. You have
> done an advesary actually a favor. Plus you induce more latency into your
> connections, which makes it easier to induce or deduce addional signal
> from your connections and makes you even more distinguishable.
>
> A exit-, site operator or a cdn can observe that latency and
> clearly  differentiate that behavior from tor and regular users.
> They'll tag you "slowpoke on an open proxy". If they hire me, I'd
> explain to them, how they can ban or tarpit you, if you annoy
> them too much so they provide better services to their honest
> visitors.

high latency doesn't mean proxy, a lots of gamers have high latency
problem just because of their poor ISP and many others complain about
slow ping because of their heavy Firewalls. even if destination
presume that a proxy or VPN is used, still in many different cases it
is much better than detecting that user is behind Tor. I remember some
NSA documents about targeting anyone who simply surfed Linux journals
but they didn't the same thing with Apple/Microsoft gossip sites. A
little bit change can make a lot of difference...

> To make it short, instead of ~999 possible exits you rely on one, or
> few. If you addionally try to obfuscate TBB, congratulations, you are
> pretty unique, and you won't notice in any fingerprint tools, since they
> don't correlate and accmulate all that stuff that the open proxy can
> learn from you.

why you think we are limited to less than ~999 possible proxy?

> On the list of historically stupid things to do with Tor, I rank you
> second place, behind the dude who tried to give out his "pre-warmed keys"
> and beating the folks that try to torrent with tor, to it.

We have nothing to lose. you are saying that if we fail they detect
that we used Tor but with current TBB setup they instantly detect that
we are using Tor.

Today all TBBs return same fingerprint, we just replace that value
with what iphones generally have. You might say socks proxy part for
exiting a Tor exit opens a new door for attackers.

When you normally use Tor your route is
>EntryGuard>MiddleRelay>ExitNode>DestinationSite and DestinationSite
is an IP address that doesn't change but ExitNode randomly changes
based on what is available. When we use a proxy/VPN before
DestinationSite we talk to DestinationSite with same IP address until
session fully ends, as any normal user always do. We want make sure
that this property can't deanonymize user itself or other Tor users.

1-as I said UnidentifiableMode is not made for everyday life, we only
use it for custom plans so we shouldn't open other tabs when doing
that, that means we won't open a real facebook profile in a different
session while in another session try contact with Guardian. This
manner foils associating anonymous sessions to unanonymous sessions.
note that if UnidentifiableMode fails to work as we expect, it only
makes user detectable and distinguishable from other users, it doesn't
leak the real location. nothing to lose here. If you are worry that
attacker look at entry-exit points of connection for correlating
traffic and deanonymizing the location then it can happen even if you
don't use any proxy to talk with destination, when your exit changes
frequently there is even more chance for attacker to finally get you
at one of his compromised exit points to deanonymize your circuit by
timing attacks.

in future versions we can let user import several proxies and use each
one for every different DestinationSite. So we can search google or
see cat videos while in a different tab write a blog post.

2-Whether undetectable TBB fails or win, it doesn't hurt detectable
TBB users if population of detectable TBB users remain almost as large
as it is today. According to what UnidentifiableMode is created for,
invisible users will be the minority in the Tor community hence
detectable TBB users won't be effected by undetectable TBB users.


On 10/3/15, Ben Tasker <ben at bentasker.co.uk> wrote:
>> If you give us only one practical example that let destination sites
>> automatically separate TBB from vanilla Firefox or safari
>
> Assuming we're talking about an unmodified TBB? I'd start by trying to
> ascertain whether no-script is enabled. Working out whether HTTPS
> Everywhere is enabled should be fairly trivial too. There are, of course,
> plenty of people who run those in combination outside of TBB, but it's a
> reasonable starting point for narrowing things down.

How difficult is disabling Noscript or HTTPSEverywhere? Before
activating UnidentifiableMode we can tell user watch out the address
bar for https sign as they always do in regular browsers and instead
of blocking WebGL or canvas we can intercept calls to canvas read
function and return a normal response (if we are going to impersonate
iphones then that value would be same for everyone as all iphones are
same device)


On 10/5/15, Spencer <spencerone at openmailbox.org> wrote:
> Interesting.
>
> You should draft this into a proposal, with some visuals of the
> interface and experience flows, and submit it to the list in search for
> a developer, unless you can bust this out yourself?  I can help anyway
> that I can.  If you are interested, hit me up off-list.
>
> Otherwise, unless there is something more tangible, I feel like people
> will keep arguing that Tor is fine as-is :)
>

if you write it for me i appreciate that :)

Therefore all undetectable users will have same fingerprint. In
ordinary TBB today all users have same fingerprint too but in
undetectable TBB instead of a suspicious Firefox fingerprint that is
black listed everywhere they will look like a natural iphone browser
that is used by many others elsewhere. For the time zone we should use
something more natural, I recommend EST as default for everyone and
allowing users to replace that value with a different common zone if
they needed.

And Tor devs don't need to do anything else. Finding a bridge for
entering the onion network or a socks proxy server to exit the pool is
on users who want hide their Tor from local authorities or destination
websites. They only need fix TBB, I guess by creating an Add-on. And
there is no need to make this Add-on built-in, we can ship it only to
those who want it as an experimental tool like OONI

in torproject's front page in side bar it says “Who Uses Tor?” and
half of those groups need undetectability :))



>> using tor to connect
>> to another semi-public entity (like an open proxy)
>>
>> The only case, were that makes sense to me is for trolling sites
>>
>Or using the internet.  What if the OP is tired of being rejected from
>visiting sites due to IP badlists and uses said proxy to appear like a
>clearnet user so as not to be restricted.  Google products (except for
>Google Images) require this.  Ix Quick and Startpage feature this.

Invisible mode have much more importance than bypassing verification
after opening accounts although the most common use case seems to be
bypassing flags. If you wear a mask and try go to shopping it clearly
cause problem but when you try talk to people about state oppression,
a mask put you in serious trouble and hiding your mask from a
government is much more difficult than hiding it from a drug store.


On 10/6/15, aka <akademiker1 at googlemail.com> wrote:
> Wasn't Mozilla working on a Firefox which uses Tor for "Private Browsing"?
> https://wiki.mozilla.org/Privacy/Roadmap/Tor
> If millions of people would use the same Firefox on the same version
> with mostly the same browser/javascript behaviour, it would make TBB
> obsolete. Wouldn't it make more sense to include those anonymity patches
> into the mainline Firefox and make them opt-in if the user uses Private
> Browsing?

If 1 billion person use TBB it doesn't mean TBB becomes undetectable.
That Mozilla project have nothing to do with undetectability (I'm
afraid they even don't know what is detectability problem in TBB).
they just want add Tor in private browsing mode for extra security
because current Firefox private mode is snake-oil. In the wiki page
they mention we should fix fingerprinting problem. Their solutions
finally makes their private mode detectable as TBB became.


On 10/6/15, sh-expires-12-2015 at quantentunnel.de
<sh-expires-12-2015 at quantentunnel.de> wrote:
>> Or using the internet.  What if the OP is tired of being rejected from
>> visiting sites due to IP badlists and uses said proxy to appear like a
>> clearnet user so as not to be restricted.  Google products (except for
>> Google Images) require this.  Ix Quick and Startpage feature this.
>
> Tor isn't responsible for that, it's a problem between your endpoint
> and you, not between you and Tor. I can't say much about specific
> services, but ixquick and startpage work flawlessly for me, maybe OP
> should stop using open proxies and re-evaluate his situation with TBB
> only? May use the "News Identity Button" more often?
>
> For services, that really limit you, you basically limit yourself
> to that service, so you are barking up the wrong tree imho.
> Tor doesn't entitle you to use a specific service, it provides
> an anonymized connection - thats another basic misconception from you
> both.
>
> So nothing to really discuss here.

You say that if NSA detect my Tor and automatically hack me then it's
only between me and NSA. Yes you are right but Tor can save me if they
hide me from them at first place.


> On another note, you are imposing youself onto a service, that may have
> choosen not to work with Tor, maybe you should iterate about that too and
> which implications your actions would have to other participants or the
> network? I really feel, you both are falling short on that angle.

Google don't care about you. If you disappear they are more happy with
that. However detectability is not only about bypassing flags. I want
solve this problem for security reasons because detection in some
cases is really dangerous. I discussed about it already