
What specifically about TOR's TLS stream allows it to be identified as TOR traffic? The article simply says to load pcap files into the tool ...

Makes me feel like reading the article was a waste of time. I want technical details.



Dead comment from h72a (brand new account; possibly double-posted and deleted the wrong one?):

h72a 14 minutes ago | link [dead]

Tor's TLS handshake exhibits a number of peculiarities which distinguish it from HTTPS. The cipher list inside the TLS client hello used to be (almost?) unique (see http://www.cs.kau.se/philwint/static/gfc/ ) and the SNI contains a random bogus domain.
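The handshake fields that comment points at (cipher list, extensions, SNI) are exactly what a ClientHello fingerprint is built from. The following is an added example, not code from the thread or from the tool under discussion: it parses a raw ClientHello record, builds a JA3-style fingerprint string (client version, cipher suites, extension types, groups, point formats, with GREASE values dropped), compares it against a fingerprint table, and scores how random the SNI's second-level label looks. The sample ClientHello, the cipher list, the SNI and the entry in `KNOWN_FINGERPRINTS` are all constructed for the demo; they are not a recorded Tor handshake.

```python
import hashlib
import math
import struct

# GREASE values (RFC 8701) are random filler and are dropped from fingerprints.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def build_client_hello(version, ciphers, sni, groups, point_formats):
    """Serialise a minimal TLS record carrying a ClientHello (used only to make sample input)."""
    name = sni.encode()
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name      # host_name entry
    groups_body = b"".join(struct.pack("!H", g) for g in groups)
    groups_body = struct.pack("!H", len(groups_body)) + groups_body
    formats_body = bytes([len(point_formats)]) + bytes(point_formats)
    ext = b""
    for etype, body in ((0, sni_body), (10, groups_body), (11, formats_body)):
        ext += struct.pack("!HH", etype, len(body)) + body
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"             # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"          # cipher suites, null compression
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract version, cipher suites, extension types, groups, point formats and SNI."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                        # skip handshake type and 3-byte length
    version = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32                                  # client_version, then 32-byte random
    p += 1 + hs[p]                               # session id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                               # compression methods
    fields = {"version": version, "ciphers": ciphers, "extensions": [],
              "groups": [], "formats": [], "sni": None}
    if p + 2 <= len(hs):                         # extensions block is optional
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            fields["extensions"].append(etype)
            if etype == 0 and len(data) >= 5:            # server_name
                nlen = struct.unpack("!H", data[3:5])[0]
                fields["sni"] = data[5:5 + nlen].decode("ascii", "replace")
            elif etype == 10:                            # supported_groups
                glen = struct.unpack("!H", data[:2])[0]
                fields["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + glen, 2)]
            elif etype == 11:                            # ec_point_formats
                fields["formats"] = list(data[1:1 + data[0]])
    return fields


def ja3(fields):
    """JA3-style string 'version,ciphers,extensions,groups,formats' plus its MD5, GREASE removed."""
    dash = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(fields["version"]), dash(fields["ciphers"]), dash(fields["extensions"]),
                  dash(fields["groups"]), dash(fields["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def sni_label_entropy(sni):
    """Shannon entropy (bits/char) of the second-level label; random-looking names score higher."""
    parts = (sni or "").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if not label:
        return 0.0
    return -sum(label.count(c) / len(label) * math.log2(label.count(c) / len(label)) for c in set(label))


# Constructed sample (hypothetical values, not a captured Tor ClientHello).
SAMPLE = build_client_hello(0x0303, [0x0A0A, 0xC02F, 0xC030, 0x009C, 0x002F],
                            "www.ftvcuqmp5kjhwaxz.com", [23, 24], [0])
KNOWN_FINGERPRINTS = {"771,49199-49200-156-47,0-10-11,23-24,0": "demo-client"}   # hypothetical table


def classify(record):
    """Fingerprint one ClientHello and look it up; SNI entropy is reported as a feature, not a verdict."""
    f = parse_client_hello(record)
    s, digest = ja3(f)
    return {"ja3": s, "ja3_md5": digest, "sni": f["sni"],
            "match": KNOWN_FINGERPRINTS.get(s), "sni_entropy": round(sni_label_entropy(f["sni"]), 2)}


if __name__ == "__main__":
    print(classify(SAMPLE))
```

In a real deployment the fingerprint table is populated from handshakes you have captured from the client you want to spot, and the entropy value is only useful relative to a baseline of ordinary SNI names seen on the same network.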


packet sizes and inter-packet timings. This paper might pique your interest: http://cacr.uwaterloo.ca/techreports/2012/cacr2012-08.pdf . It tries to obfuscate the network traffic by morphing it so that it statistically looks like Skype traffic.

They even open-sourced their code at http://crysp.uwaterloo.ca/software/CodeTalkerTunnel.html


My guess is that the timing, relative sizes, and/or destinations of packets sent distinguish one from the other.


Exactly, there's nothing really useful in this article.

For 900 EUR, however, you can buy yourself a copy of their tool.


100% agree about the uselessness of the article.

If I were to take a stab in the dark about how the tool is doing it, though - based on their "statistical" analysis comment, my guess is they're measuring sustained traffic levels / TCP connection duration. Your average encrypted web session won't look anything similar to a command-and-control bot calling home over Tor to some irc server (which is their example usage for the tool). Possibly including "known" Tor node IP addresses, as well.

In addition, there was that Ethiopian DPI filtering project against Tor that happened last summer (https://blog.torproject.org/blog/update-censorship-ethiopia), with the Tor Project thinking they'd somehow fingerprinted some aspect of their TLS handshake. Maybe this knowledge is spreading.
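Several comments above guess at the statistical side: packet sizes and inter-packet timings, sustained traffic levels and TCP connection duration, and matching destinations against known relay addresses. The following is an added example, not code from the thread or from the commercial tool being discussed, showing how those features are computed per flow from a packet list and combined into a simple heuristic. The packets, the relay IP set and the thresholds are all constructed for the demo; the "regular inter-packet timing" test is the usual beaconing check (low coefficient of variation of inter-arrival times), not anything the thread attributes to the tool.

```python
import statistics
from collections import defaultdict


def sample_packets():
    """Constructed packets: (timestamp_s, src_ip, src_port, dst_ip, dst_port, payload_bytes)."""
    pkts = []
    # Flow A: a short, bursty HTTPS page load with mixed packet sizes, a few seconds long.
    sizes_a = [517, 1460, 1460, 300, 1460, 1460, 1460, 80, 1460, 1460, 900, 60]
    t = 0.0
    for i, size in enumerate(sizes_a):
        t += 0.05 if i % 4 else 1.2
        pkts.append((t, "10.0.0.5", 51000, "203.0.113.10", 443, size))
    # Flow B: a long-lived connection sending small, evenly spaced messages for about an hour.
    for i in range(60):
        pkts.append((100.0 + 60.0 * i + (i % 3) * 0.01, "10.0.0.5", 51001, "198.51.100.7", 9001, 540))
    return pkts


def flows_from_packets(pkts):
    """Group packets into flows keyed by (src_ip, src_port, dst_ip, dst_port)."""
    flows = defaultdict(list)
    for ts, sip, sp, dip, dp, n in pkts:
        flows[(sip, sp, dip, dp)].append((ts, n))
    return flows


def flow_features(records):
    """Duration, volume, mean size and inter-arrival statistics for one flow."""
    records = sorted(records)
    ts = [r[0] for r in records]
    sizes = [r[1] for r in records]
    iats = [b - a for a, b in zip(ts, ts[1:])]
    mean_iat = statistics.mean(iats) if iats else 0.0
    # Coefficient of variation of inter-arrival times: near 0 means clock-like spacing.
    cv_iat = statistics.pstdev(iats) / mean_iat if len(iats) > 1 and mean_iat > 0 else 0.0
    return {
        "duration": ts[-1] - ts[0],
        "packets": len(records),
        "bytes": sum(sizes),
        "mean_size": statistics.mean(sizes),
        "mean_iat": mean_iat,
        "cv_iat": cv_iat,
    }


def score_flow(key, feats, relay_ips, min_duration=600.0, max_cv=0.2, small=600):
    """Return the list of heuristic reasons a flow looks like a long-lived, regular, low-volume session.

    Thresholds are illustrative; tune them against a baseline of the network's normal traffic."""
    reasons = []
    if key[2] in relay_ips:
        reasons.append("dst is a known relay IP")
    if feats["duration"] >= min_duration:
        reasons.append("long-lived")
    if feats["packets"] >= 10 and feats["cv_iat"] <= max_cv:
        reasons.append("regular inter-packet timing")
    if feats["mean_size"] < small:
        reasons.append("small packets")
    return reasons


def analyse(pkts, relay_ips):
    """Map every flow key to its list of reasons (empty list = nothing suspicious)."""
    return {key: score_flow(key, flow_features(recs), relay_ips)
            for key, recs in flows_from_packets(pkts).items()}


if __name__ == "__main__":
    # Constructed relay set; in practice this would come from a published relay list.
    for key, reasons in analyse(sample_packets(), {"198.51.100.7"}).items():
        print(key, reasons or "-")
```

Flow A trips none of the checks; flow B trips all four. The point of the example is that the features, not any single packet, carry the signal, which is also why the traffic-morphing paper linked above works on sizes and timings rather than on handshake contents.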



