[Tails-dev] Potential OpSec issue - Identifying Tails Tor vs…

Author: Lee Brotherston
Date:  
To: tails-dev
Subject: [Tails-dev] Potential OpSec issue - Identifying Tails Tor vs "other" Tor
Hi,

I'm not sure if this is within your threat model or not, but I have noticed
that I can reliably differentiate between the Tails-distributed Tor and the Tor
Browser Bundle distributed to both OS X & Windows (I presume the same applies
to others; I have not yet tested, though).


In short, I have been working on TLS Fingerprinting and have noticed that the
Tails version of Tor does not support MD5withRSA as a signature algorithm in
the client_hello packet, while Tor Browser Bundle does when connecting from the
desktop to the Tor network.


Of course the end web servers will not see this, as this is part of the Tor
connection itself, not the encapsulated HTTPS traffic.  However, someone
positioned on the local LAN, within the ISP, or any other position between the
desktop and the Tor network (e.g. government surveillance) could differentiate
a Tails user from other Tor users.


If you would like more information, I would be more than happy to provide it.     


Thanks                                                                            


  Lee
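
Added example, not part of the original message and not Tails or Tor code: one way to check a captured ClientHello for the difference described above, by listing the signature_algorithms extension and testing for MD5withRSA (hash 1, signature 1 in RFC 5246), so that a build's own handshake can be compared against another's. The function names and both sample hellos are constructed for illustration; they are not captures from Tails or Tor Browser Bundle.

```python
import struct

SIG_ALGS_EXT = 0x000D   # signature_algorithms extension (RFC 5246, 7.4.1.4.1)
MD5_WITH_RSA = (1, 1)   # HashAlgorithm md5(1), SignatureAlgorithm rsa(1)

def signature_algorithms(hello):
    """Return the (hash, signature) pairs offered in a ClientHello body.

    `hello` starts at client_version (the 4-byte handshake header is already
    stripped). Returns [] if the extension is absent, ValueError if malformed.
    """
    try:
        pos = 2 + 32                                        # version + random
        pos += 1 + hello[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]  # cipher_suites
        pos += 1 + hello[pos]                               # compression_methods
        if pos == len(hello):
            return []                                       # no extensions block
        end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        if end > len(hello):
            raise ValueError("extensions block overruns message")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            pos += 4
            if ext_type == SIG_ALGS_EXT:
                n = struct.unpack_from("!H", hello, pos)[0]
                body = hello[pos + 2:pos + 2 + n]
                if len(body) != n or n % 2 or n + 2 != ext_len:
                    raise ValueError("malformed signature_algorithms")
                return list(zip(body[0::2], body[1::2]))
            pos += ext_len
        return []
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

def offers_md5_with_rsa(hello):
    return MD5_WITH_RSA in signature_algorithms(hello)

def sample_hello(pairs):
    """Constructed ClientHello body: one cipher suite, empty session_ticket."""
    algs = bytes(b for pair in pairs for b in pair)
    exts = struct.pack("!HH", 0x0023, 0)                    # empty session_ticket
    exts += struct.pack("!HHH", SIG_ALGS_EXT, len(algs) + 2, len(algs)) + algs
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)

# Constructed lists, not captures from Tails or Tor Browser Bundle.
WITH_MD5 = sample_hello([(4, 1), (2, 1), (1, 1)])
WITHOUT_MD5 = sample_hello([(4, 1), (2, 1)])
```

Because this field is sent in cleartext before any Tor encryption is negotiated, two builds whose lists differ remain distinguishable to anyone on the path until the lists are aligned.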