Hi,
Based on an original idea of jvoisin, we have been working on fingerprinting Tor nodes with JARM. Here is a short description of this experimental work: https://hackmd.io/TWiUy4knQ06SYk9RBxnXPQ?view
We share it here after a short talk with GeKo. The aim is to:
- share technical opinions on these results
- evaluate the interest to go further, e.g. using JARM fingerprinting for network health issues
If you have now read what is on the link, you may have questions, as GeKo did, so here are some complementary thoughts:
- how would you detect bad configuration/behavior?
As the fingerprint only tells us what configuration is shared between Tor nodes, we then made a packet analysis to explain the differences and detect potential misconfiguration/misbehaviour. We haven't detected anything suspicious yet, just:
  . some rare / odd configurations (see link)
  . the fact that some rare fingerprints have gone offline fast, so they were perhaps misconfigured/suspicious. It was too late to make a packet analysis on those.
- should we have uniform fingerprints?
The first 30 digits of the fingerprints depend on the TLS version answered and the ciphers used. We have only 13 such fingerprints on more than 7,000 tested relays. In the end it seems pretty uniform. I think it could be used to watch whether nodes have an odd fingerprint and give an alert in such a case. If useful.
- do we know what actually causes fingerprints to change?
Yes, as said above (TLS version and ciphers). For a detailed comparison, full results of the packet analysis are available on the link above. Fingerprints are not OS-specific, nor Tor version-specific. I would assume they are mainly specific to (open|libre)ssl.
Open questions:
- does the fingerprint diversity seem normal to you with regard to the Tor TLS implementation?
- do you see any problem / dangerous behaviour in the packet analysis?
- usefulness for network health monitoring?
- ...
I would read your feedback with interest!
Corl3ss
Corl3ss:
> Hi,
> Based on an original idea of jvoisin, we have been working on fingerprinting Tor nodes with JARM. Here is a short description of this experimental work: https://hackmd.io/TWiUy4knQ06SYk9RBxnXPQ?view
> We share it here after a short talk with GeKo. The aim is to:
> - share technical opinions on these results
> - evaluate the interest to go further, e.g. using JARM fingerprinting for network health issues
> If you have now read what is on the link, you may have questions, as GeKo did, so here are some complementary thoughts:
> - how would you detect bad configuration/behavior?
> As the fingerprint only tells us what configuration is shared between Tor nodes, we then made a packet analysis to explain the differences and detect potential misconfiguration/misbehaviour. We haven't detected anything suspicious yet, just:
>   . some rare / odd configurations (see link)
>   . the fact that some rare fingerprints have gone offline fast, so they were perhaps misconfigured/suspicious. It was too late to make a packet analysis on those.
> - should we have uniform fingerprints?
> The first 30 digits of the fingerprints depend on the TLS version answered and the ciphers used. We have only 13 such fingerprints on more than 7,000 tested relays. In the end it seems pretty uniform. I think it could be used to watch whether nodes have an odd fingerprint and give an alert in such a case. If useful.
> - do we know what actually causes fingerprints to change?
> Yes, as said above (TLS version and ciphers). For a detailed comparison, full results of the packet analysis are available on the link above. Fingerprints are not OS-specific, nor Tor version-specific. I would assume they are mainly specific to (open|libre)ssl.
> Open questions:
> - does the fingerprint diversity seem normal to you with regard to the Tor TLS implementation?
> - do you see any problem / dangerous behaviour in the packet analysis?

I am not sure. Right now nothing comes to mind if it's just looking at the TLS fingerprint.

> - usefulness for network health monitoring?

I guess it would be useful to see what a packet analysis of "odd" fingerprints would look like/reveal. If fingerprints are specific to OpenSSL/LibreSSL and other libs, maybe they are able to reveal specific versions, too? Then we could scan for outdated/obsolete versions of those and warn the operators.

Georg

> - ...
> I would read your feedback with interest!
> Corl3ss
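As an added example for this thread (not code from the original posts, nor from the JARM project or from Tor), here is a small Python script that decodes the cipher/TLS-version prefix Corl3ss describes above and flags relays whose prefix is rare within a set of relays, in the spirit of the "odd fingerprint, give an alert" idea and of Georg's question about what odd fingerprints reveal. It assumes the published JARM layout (62 hex characters: ten 3-character probe results, each a 2-character cipher index plus a 1-character version code, followed by a 32-character truncated extension hash) and the "abcdef" version-code mapping used by the JARM tool. The relay names, fingerprints and the rarity threshold are constructed for the example and are not measurements of real relays.

```python
"""Decode JARM prefixes and flag rare ones across a set of relays.

Added example, not code from the original posts or from the JARM project.
Assumed JARM layout (as published with Salesforce's JARM tool):
  - 62 hex characters in total;
  - the first 30 characters are ten 3-character probe results: a 2-char
    cipher index ("00" when the probe got no usable answer) followed by
    a 1-char version code;
  - the version code is the low nibble of the negotiated TLS version
    mapped through "abcdef": "a" = SSL 3.0 (0x0300), "b" = TLS 1.0,
    "c" = TLS 1.1, "d" = TLS 1.2, "e" = TLS 1.3; "0" = no response;
  - the last 32 characters are a truncated SHA-256 of the server
    extensions.
All relay names and fingerprints below are constructed sample data.
"""
from collections import Counter

VERSION_CODES = {
    "0": "no response",
    "a": "SSL 3.0",
    "b": "TLS 1.0",
    "c": "TLS 1.1",
    "d": "TLS 1.2",
    "e": "TLS 1.3",
    "f": "reserved (0x0305)",
}
HEX = set("0123456789abcdef")


def is_jarm(value):
    """True when value has the shape of a JARM fingerprint."""
    return len(value) == 62 and set(value) <= HEX


def decode_prefix(prefix):
    """Decode the 30-character cipher/version prefix into ten probe results."""
    if len(prefix) != 30 or not set(prefix) <= HEX:
        raise ValueError("not a JARM prefix: %r" % (prefix,))
    probes = []
    for i in range(0, 30, 3):
        cipher, version = prefix[i:i + 2], prefix[i + 2]
        if version not in VERSION_CODES:
            raise ValueError("bad version code %r at probe %d" % (version, i // 3))
        probes.append({
            # index into JARM's cipher table; None when the probe got no answer
            "cipher_index": None if cipher == "00" else int(cipher, 16),
            "tls_version": VERSION_CODES[version],
        })
    return probes


def parse_jarm(jarm):
    """Split a JARM string into its prefix, probe results and extension hash."""
    if not is_jarm(jarm):
        raise ValueError("not a JARM fingerprint: %r" % (jarm,))
    return {
        "prefix": jarm[:30],
        "probes": decode_prefix(jarm[:30]),
        "extension_hash": jarm[30:],
    }


def prefix_counts(relays):
    """Count relays per cipher/version prefix (first 30 characters)."""
    return Counter(parse_jarm(jarm)["prefix"] for _, jarm in relays)


def diff_probes(prefix_a, prefix_b):
    """Probe positions (0-9) at which two prefixes negotiated differently."""
    a, b = decode_prefix(prefix_a), decode_prefix(prefix_b)
    return [i for i in range(10) if a[i] != b[i]]


def alerts(relays, max_count=1):
    """Relays whose prefix is shared by at most max_count relays.

    Returns (relay name, number of relays with that prefix, probe positions
    that differ from the most common prefix). The threshold is an assumption
    of this example, not a value taken from the thread.
    """
    counts = prefix_counts(relays)
    baseline = counts.most_common(1)[0][0]
    out = []
    for name, jarm in relays:
        prefix = parse_jarm(jarm)["prefix"]
        if prefix != baseline and counts[prefix] <= max_count:
            out.append((name, counts[prefix], diff_probes(prefix, baseline)))
    return out


# Constructed sample data: four relays share one prefix, two deviate.
COMMON_PREFIX = "2ad2ad0002ad2ad00042d42d000000"
EXT = "00112233445566778899aabbccddeeff"  # constructed extension hash
SAMPLE_RELAYS = [
    ("relay-a", COMMON_PREFIX + EXT),
    ("relay-b", COMMON_PREFIX + EXT),
    ("relay-c", COMMON_PREFIX + EXT),
    ("relay-d", COMMON_PREFIX + EXT),
    # probe 6 negotiated TLS 1.3 ("e") instead of TLS 1.2 ("d")
    ("relay-e", "2ad2ad0002ad2ad00042e42d000000" + EXT),
    # probe 0 got no answer at all ("000")
    ("relay-f", "0002ad0002ad2ad00042d42d000000" + EXT),
]

if __name__ == "__main__":
    for name, count, diffs in alerts(SAMPLE_RELAYS):
        print("%s: prefix seen on %d relay(s), differs at probes %s" % (name, count, diffs))
```

Run against a real relay list, the prefix counts give the "13 fingerprints over 7,000 relays" style histogram, and the differing probe positions say which TLS version or cipher answer makes a relay odd, which is the starting point for the packet analysis the thread describes.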
network-health mailing list network-health@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/network-health