[guardian-dev] Possible Orbot/orweb deanonymization - verizon supercookie

Nathan of Guardian nathan at guardianproject.info
Fri Feb 13 10:21:29 EST 2015


On Mon, Jan 26, 2015, at 01:51 PM, PaulD wrote:
> I have reason to believe that it is possible to deanonymize an Orbot
> user using the Verizon supercookie. Possibly other "supercookies" as
> well.

Can you confirm that Orweb is working properly on your device, by
visiting https://check.torproject.org ?

Also, can you tell me more about the device/OS version?

> Provided that:
>  (a) the phone is communicating on mobile data, not Wi-Fi
>  (b) user visits an http page (not https)
>  (c) no other anonymity tools such as VPNs stand in the way.
> 
> Unclear whether root permissions matter. My phone is NOT rooted.
> 
> My sample size is really small, just my phone. With that said, it seems
> that it is possible to deanonymize a pretty big chunk of Tor users,
> without serious effort.
> 
> The bottom line is that I visited the "do you have the Verizon
> Supercookie" website with Orweb, and it appears that I do.
> 
> http://lessonslearned.org/sniff


-- 
  Nathan of Guardian
  nathan at guardianproject.info

