[guardian-dev] Possible Orbot/orweb deanonymization - verizon supercookie
Nathan of Guardian
nathan at guardianproject.info
Fri Feb 13 10:21:29 EST 2015
On Mon, Jan 26, 2015, at 01:51 PM, PaulD wrote:
> I have reason to believe that it is possible to deanonymize an Orbot
> user using the Verizon supercookie. Possibly other "supercookies" as
> well.
Can you confirm that Orweb is working properly on your device, by
visiting https://check.torproject.org ?
Also, can you tell me more about the device/OS version?
> Provided that:
> (a) the phone is communicating on mobile data, not Wi-Fi
> (b) user visits an http page (not https)
> (c) no other anonymity tools such as VPNs stand in the way.
>
> Unclear whether root permissions matter. My phone is NOT rooted.
>
> My sample size is really small. Just my phone. With that said, it seems
> that it is possible to deanonymize a pretty big chunk of Tor users,
> without serious effort.
>
> The bottom line is that I visited the "do you have the Verizon
> Supercookie" website with Orweb, and it appears that I do.
>
> http://lessonslearned.org/sniff
--
Nathan of Guardian
nathan at guardianproject.info