PAS-26 implemented a list of unresolvable FQDNs extracted from SSL communications.
A natural extension to that would be to look for likely connections to a Tor entry node (or a bridge).
Assuming obfsproxy etc. aren't in use, the following should be true for any entry connection:
- SNI name will be present, start with www. but be unresolvable (and random looking, but not sure we can test for that)
- Node will return a certificate with a Common Name following the same rules as above but will not match the name used in SNI
- Certificate issuer, again, will follow the rules above but won't match either the SNI or CN
Meeting all those requirements means it's probably a connection to Tor, so the dest IP should be checked against a list of known Tor nodes for confirmation (haven't decided yet whether to have the script do that itself).
For all unresolvable domains, we'll need to walk ssltraffic on a per-connection basis (because if the IPs change, that's interesting to note too) and match against the ruleset above.
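
One way the ruleset above could be applied per connection, as an added example that is not code from PAS-26 or this ticket. The record field names (sni, cert_cn, issuer_cn, dst_ip), the sample records and the stub resolver are assumptions constructed for illustration.

```python
import socket
from collections import defaultdict

def resolves(name):
    """Default resolver check: True if the system resolver returns an address."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except (socket.gaierror, UnicodeError):
        return False

def follows_rules(name, resolver):
    # Present, starts with "www." and unresolvable. Randomness is not tested.
    return bool(name) and name.lower().startswith("www.") and not resolver(name)

def looks_like_tor_entry(conn, resolver=resolves):
    """Apply the three rules to one connection record (field names assumed)."""
    names = [conn.get("sni"), conn.get("cert_cn"), conn.get("issuer_cn")]
    if not all(follows_rules(n, resolver) for n in names):
        return False
    # SNI, CN and issuer must all differ from one another.
    return len({n.lower() for n in names}) == 3

def candidates(connections, resolver=resolves):
    """Walk per connection; map each matching SNI to every dest IP seen for it."""
    hits = defaultdict(set)
    for conn in connections:
        if looks_like_tor_entry(conn, resolver):
            hits[conn["sni"]].add(conn["dst_ip"])
    return dict(hits)

# Constructed sample records and a stub resolver, so the example runs offline.
SAMPLE = [
    {"sni": "www.x7k2qpl4vd.com", "cert_cn": "www.m3ztr9wq.net",
     "issuer_cn": "www.hq2lf8sy.com", "dst_ip": "192.0.2.10"},
    {"sni": "www.example.com", "cert_cn": "www.example.com",
     "issuer_cn": "Example CA", "dst_ip": "203.0.113.5"},
    {"sni": "www.intranet.invalid", "cert_cn": "www.intranet.invalid",
     "issuer_cn": "www.ca.invalid", "dst_ip": "198.51.100.20"},
    {"sni": "www.x7k2qpl4vd.com", "cert_cn": "www.m3ztr9wq.net",
     "issuer_cn": "www.hq2lf8sy.com", "dst_ip": "198.51.100.7"},
]

def sample_resolver(name):
    return name == "www.example.com"

if __name__ == "__main__":
    for sni, ips in candidates(SAMPLE, sample_resolver).items():
        print(sni, sorted(ips))
```

Each returned IP is only a candidate and still needs the check against a list of known Tor nodes.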