[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Flashproxys' impact on Tors' fingerprint

To: David Fifield <david@xxxxxxxxxxxxxxx>
Subject: Re: [tor-talk] Flashproxys' impact on Tors' fingerprint
From: "Sebastian G. <bastik.tor>" <bastik.tor@xxxxxxxxxxxxxx>
Date: Sat, 13 Oct 2012 15:04:11 +0200
Cc: tor-talk@xxxxxxxxxxxxxxxxxxxx
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 13 Oct 2012 09:04:22 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; bh=EQZM//URsTqSX1zN2hGIDoVB+5omOLwC53M6d6JlmcY=; b=c7mFuyPjHvkv2cfjd2dr4KnIhrjR7AHW75jl1I7h3h0bQ4TtqiGVTE3z8Xxv9C2k5G zjj15LO+YZiwbN88nv6L74DB6kHQ1fMk0QklbGOMWKVM2rTy7nmP/3ttzR68FR999uWN c4XNLLfaNcQAZ+QAylTtm0gTILGotHUy5A/OOsEMdpyvYo5iZOuMs+KiYzXMnKTOLFHe LxBwbcDM0myFIR2QB0OA1ChbU7trPt7q0RMI3sZu8Cwf65WssfjBixHahXNo/aUiXous C9Te78XwBnI9krwtQSLXkPRSzw3GJV73d7wgVna0b2Atvz+0X+cvsxZsOdhxTtVbiANc VJig==
In-reply-to: <20121013091803.GH2160@xxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <50784379.7030109@xxxxxxxxxxxxxx> <20121013091803.GH2160@xxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20121010 Thunderbird/16.0.1

David Fifield:
> On Fri, Oct 12, 2012 at 06:21:13PM +0200, Sebastian G. <bastik.tor> wrote:
>> beside the case that the connection itself looks different due to the
>> use of (web)sockets (like explained in the paper) is there any impact on
>> how one could fingerprint on Tors' traffic?
> 
> No, using a flash proxy doesn't in principle make protocol detection any
> harder. We just encode the TLS byte stream and package it within a
> WebSocket stream. A filter could unpack the WebSocket stuff, reassemble
> the inside stream, and reuse whatever traffic inspection it is already
> using to block Tor.

"Good" I understood it correctly beforehand. It's more stuff the
adversary has to do either manually or the DPI box has to do more work.

> A few things work in our favor in terms of making it more cumbersome to
> fingerprint traffic within a WebSocket stream:
> 	* One side of each stream has each WebSocket frame XORed with a
> 	  pseudorandom key. (This isn't something we do specially, this
> 	  is just a part of the WebSocket protocol:
> 	  https://tools.ietf.org/html/rfc6455#section-5.3)
> 	* On some browsers that do not support binary WebSocket frames
> 	  (https://tools.ietf.org/html/rfc6455#section-5.6), the payload
> 	  is base64-encoded and sent in text frames, so a censor has to
> 	  decode the base64 too (or, perhaps, just block WebSocket
> 	  connections that appear to contain only base64).

That sounds good.

>> (If it doesn't make fingerprinting more difficult...) how complicated
>> would it to have another layer in flashproxy that helps in this regard?
> 
> As I see it, there are two axes to censorship circumvention, which are
> IP/port blocking, and protocol inspection. obfsproxy, for example, aims
> to defeat protocol inspection, but still uses a relatively small,
> relatively static set of obfsproxy bridges. Flash proxies have the
> opposite problem: flash proxy addresses are hard to block because they
> change all the time, but they don't do anything to disguise the traffic
> within.

Given a wide distribution of the badge it's impossible to block all of
them before new ones pop-up.

> A combined solution to both problems would be very nice. For example, we
> could use obfsproxy-style obfuscation inside of the WebSocket stream. We
> can't, ultimately, disguise the fact that the outermost layer is
> WebSocket, but we can disguise the payloads. To do such a thing is not
> conceptually difficult, it just requires a proposal, and someone willing
> to do it, and deployment of code to the necessary places.
> 
> Unfortunately, though TLS-wrapped WebSocket is standard, we can't easily
> use it because the clients that the flash proxy connects to do not have
> CA-issued certs.

My question was related to disguising the traffic and it was answered
very well.

>> (I want to avoid another thread an it's close enough.) What else could
>> be implemented in WebSockets to have a wide range of "legitimate" use?
>> (In order to make it painful for an adversary to block WebSockets)
> 
> I don't really know the range of things WebSocket is used for. One cool
> application I've seen is this: https://github.com/kanaka/noVNC which is
> a VNC client that uses WebSocket and HTML canvas.

Cool.

Thank you.

Regards,
Sebastian (bastik_tor)

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Flashproxys' impact on Tors' fingerprint
  - From: Sebastian G. <bastik.tor>
- Re: [tor-talk] Flashproxys' impact on Tors' fingerprint
  - From: David Fifield

Prev by Author: [tor-talk] Flashproxys' impact on Tors' fingerprint
Next by Author: Re: [tor-talk] Porn make the world more free: Tor Porn Bundle?
Previous by thread: Re: [tor-talk] Flashproxys' impact on Tors' fingerprint
Next by thread: Re: [tor-talk] Flashproxys' impact on Tors' fingerprint
Index(es):
- Author
- Thread