
[tor-talk] Research paper "The Parrot is Dead: Observing Unobservable Network Communications"

I found this paper a very interesting read that discusses various pluggable
transports and other methods of obscuring Tor traffic, and even contends
that all the existing "parrot" systems that try to mimic Skype, VOIP, and HTML
traffic are more easily detected than unmasked Tor traffic itself.  It
further argues that the approach of those projects is fundamentally flawed.
One especially challenging reason in common with all of them is that the
task of mimicking the behavior of a specific client/server implementation and
interaction exactly, under all conditions, is a practically insurmountable
task.  The main recommendation the paper makes is to do research into
layering Tor/obscured traffic over a real implementation (e.g. in the audio
or video payload of a real Skype connection) -- and acknowledges that
although that may simplify the task, it will introduce new problems and not
eliminate the possibility that traffic can be identified and fingerprinted
anyway -- although those are more general thoughts than thorough research.


The abstract/direct links:

The Parrot is Dead:
Observing Unobservable Network Communications

Amir Houmansadr, Chad Brubaker, and Vitaly Shmatikov 
The University of Texas at Austin 

Winner of Best Practical Paper Award 

IEEE Symposium on Security and Privacy
May 19-22, 2013, San Francisco, CA 


In response to the growing popularity of Tor and other censorship
circumvention systems, censors in non-democratic countries have increased
their technical capabilities and can now recognize and block network traffic
generated by these systems on a nationwide scale. New censorship-resistant
communication systems such as SkypeMorph, StegoTorus, and CensorSpoofer aim
to evade censors' observations by imitating common protocols like Skype and

We demonstrate that these systems completely fail to achieve
unobservability. Even a very weak, local censor can easily distinguish their
traffic from the imitated protocols. We show dozens of passive and active
methods that recognize even a single imitated session, without any need to
correlate multiple network flows or perform sophisticated traffic analysis. 

We enumerate the requirements that a censorship-resistant system must
satisfy to successfully mimic another protocol and conclude that
"unobservability by imitation" is a fundamentally flawed approach. We then
present our recommendations for the design of unobservable communication

Paper: PDF <http://dedis.cs.yale.edu/2010/anon/papers/parrot.pdf>   (or

Slides: PowerPoint
<http://dedis.cs.yale.edu/2010/anon/papers/parrot-slides.pptx> , PDF


This work was supported by the Defense Advanced Research Agency (DARPA) and
SPAWAR Systems Center Pacific, Contract No. N66001-11-C-4018, and the MURI
program under AFOSR Grant No. FA9550-08-1-0352. 

