[tor-relays] Dear OBFS4 bridge operators, please enable timing and packet-size obfuscations to help clients facing timing analysis attacks.

To: "tor-relays@xxxxxxxxxxxxxxxxxxxx" <tor-relays@xxxxxxxxxxxxxxxxxxxx>

Subject: [tor-relays] Dear OBFS4 bridge operators, please enable timing and packet-size obfuscations to help clients facing timing analysis attacks.

From: George Hartley via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>

Date: Mon, 23 Sep 2024 10:15:34 +0000

Cc: George Hartley <hartley_george@xxxxxxxxx>

Delivered-to: archiver@xxxxxxxx

Delivery-date: Mon, 23 Sep 2024 14:50:29 -0400

Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lists.torproject.org; s=2022-eugeni; t=1727117422; bh=8VDv5d3i4xlRnYPy6B7yUi31u+SpTqB29mBfTdb1GmI=; h=Date:To:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:Cc:From; b=hwV6DCH3xEiiKSLtMi6ZvHVBJxJEGMkGmt6Ft7p0blyLvwNExgOnLL30DCiGORL7K 3b/2rXNoRcvU9f2PbHc95VlNWFTljT8tf0rwuZwS7iz1wW2Xjm+8MRW2ixOaV/EDx3 RqKySXR5ryaGy07Nby9mY2t88D7R3JDNE3rhwxiAbWtCOQbsc/bQA6fi2aHdb5ZVDq srtbcyh0E6Es/VNOvzIj14oRX9mn1WDQwSVoBzNGzzAVqTuB0JuHZ6eU63O7Ag/I/k IZuGTTaXQO+xtUaMLpd+cawVuBdtBNoRThhkaM6krJJnP2xw8TDJEhBj8YMr+C9PUB nq9EoqBgdYqCQ==

Feedback-id: 68993610:user:proton

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Hello Tor community,

this e-mail applies to you if you are running an obfs4 (now known under the name lyrebird) bridge or want to do so in the future.

Some recent posts on this list has shown that traffic timing analysis can be used to locate a users or onion services guard nodes or bridges. This is not really something new.

For bridge users, there is a way to try to protect themselves against this, but your bridge configuration must support it.

By enabling iat-mode on your obfs4 /lyrebird bridge, then maybe DPI (Deep Packet Inspection) hardware can sometimes be defeated either entirely, or at least the process of tracking users can be slowed down.

OBFS4/Lyrebird support two times of traffic obfuscation:

ServerTransportOptions obfs4 iat-mode=1

This will make your bridge send MTU sized packets, in order to make
true packet size analysis harder.

There is also what the author of obfs4/Lyrebird called "paranoid mode":
ServerTransportOptions obfs4 iat-mode=2
For each write, a variable length packet will be sent, which will result
in both making true packet size and round trip time analysis harder.

If your bridge is distributed by BridgeDB, the next time someone receives
a batch of bridges with your bridge in it, the bridge-line will have the iat-mode variable set to the one
you set on your bridge server.

Your bridge will still work even if you enable these defenses and a user chooses
to set iat-mode to 0 in his bridge line.

There is a small performance penalty for both mode 1 and 2, but nothing very severe.

I believe this, along with Vanguards, and so on, is needed to keep users and services somewhat secure.

Let me know what you think.

George

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays