Hi,
I'm not sure if this is within your threat model or not, but I have noticed
that I can reliably differentiate between the tails distributed Tor and the Tor
Browser bundle distributed to both OS X & Windows (I presume the same applies
to others, I have not yet tested though).
In short, I have been working on TLS Fingerprinting and have noticed that the
tails version of Tor does not support MD5withRSA as a signature algorithm in
the client_hello packet, while Tor Browser Bundle does when connecting from the
desktop to the Tor network.
Of course the end webservers will not see this, as this is part of the Tor
connection itself, not the encapsulated HTTPS traffic. However.... Someone
positioned on Local LAN, within the ISP, or any other position between the
desktop and the Tor network (e.g. government surveillance) could differentiate
a tails user from other Tor users.
If you would like more information, I would be more than happy to provide it.
Thanks
Lee
