[guardian-dev] Possible Orbot/orweb deanonymization - verizon supercookie

PaulD dietricp at efn.org
Mon Jan 26 13:58:32 EST 2015


I have reason to believe that it is possible to deanonymize an orbot
user using the verizon supercookie. Possibly other "supercookies" as well.

Provided that:
 (a) the phone is communicating on mobile data, not wifi
 (b) user visits an http page (not https)
 (c) no other anonymity tools such as vpns stand in the way.

Unclear whether root permissions matter. My phone is NOT rooted.

My sample size is really small. just my phone. With that said, it seems
that it is possible to deanonymize a pretty big chunk of tor users,
without serious effort.

The bottom line is that I visited the "do you have the verizon
Supercookie" website with orweb, and it appears that I do.

http://lessonslearned.org/sniff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Clipboard01.png
Type: image/png
Size: 406003 bytes
Desc: not available
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20150126/990714b2/attachment-0001.png>


More information about the guardian-dev mailing list