Re: [tor-bugs] #32026 [Circumvention/Censorship analysis]: Using An Alternative To TCP To Avoid Packet Injection?
#32026: Using An Alternative To TCP To Avoid Packet Injection?
-----------------------------------------------+------------------------
Reporter: Aphrodites1995 | Owner: (none)
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Circumvention/Censorship analysis | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------------------------+------------------------
Comment (by dcf):
Replying to [comment:5 Aphrodites1995]:
> If obfs4 is resistant, why doesn't it work in China? Is it because of
> the middle node problem?
obfs4 ''does'' work in China, as far as I know, but only if you use a
private bridge. You can't use the "obfs4" dropdown in Tor Browser, because
that uses a hardcoded list of default bridges, and all of them are already
blocked. Users who set up their own obfs4 bridge or have a friend do it
are able to use obfs4, but that is only a tiny fraction of users. See
https://censorbib.nymity.ch/#Matic2017a. The hard problem here is address
distribution--you need to distribute proxy addresses to your potential
users, but somehow also prevent a censor from learning all of them and
blocking them. Tor's answer to address distribution is
[https://bridgedb.torproject.org/ BridgeDB], but it's not good enough
against China. (And there aren't enough running obfs4 servers listed in
BridgeDB to make enumeration really challenging.)
> So then why can't we just have one proxy as a node, and not do the onion
> thing, or at least make that an option? (I know TOR stands for The Onion
> Router, but it would be okay to betray the name for the sake of anti
> censorship, right?) Also, is it possible for the GFW to read messages
> encrypted in TLS? If it couldn't, there is a whole lot of unreadable
> traffic out there, and obfs4 should be resistant, right?
Of course you can separate circumvention from onion routing. There are
plenty of circumvention systems that don't try to provide anonymity, like
[https://psiphon.ca/ Psiphon], [https://getlantern.org/ Lantern], and
[https://shadowsocks.org/ Shadowsocks]. And in fact they and Tor use the
same or similar circumvention techniques. Just run one of those, if you
don't need the additional features of Tor.
Middlebox firewalls cannot passively decrypt TLS traffic. There ''is'' a
lot of unreadable traffic, and that is probably why obfs4 and similar
protocols are effective, as long as the IP address is not known to be an
obfs4 server. But if you're a censor, once you have determined (by
whatever means), that an IP address hosts an obfs4 server, you don't
''care'' about any passive protocol identification. You just block the IP
address entirely. See
https://www.bamsoftware.com/papers/fronting/#sec:related-work and the
framing around "blocking by content" and "blocking
by address." Blocking by address is the harder part; you need more than
just protocol obfuscation to deal with that.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32026#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online