[tor-bugs] #30500 [Circumvention/Censorship analysis]: Can the GFW still do DPI for "new" vanilla Tor?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jun 25 16:28:39 UTC 2019
#30500: Can the GFW still do DPI for "new" vanilla Tor?
-----------------------------------------------+--------------------------
Reporter: phw | Owner: (none)
Type: task | Status: assigned
Priority: Low | Milestone:
Component: Circumvention/Censorship analysis | Version:
Severity: Normal | Resolution:
Keywords: gfw, china | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------------------------+--------------------------
Comment (by phw):
Replying to [comment:3 arma]:
> Are you saying Tor bridges / relays can look for those 65 ciphers, and
> refuse to continue in that case? :)
I don't think that would work well. I just caught two more probes and
attached the resulting pcap file. It contains three TLS client hello
packets: the first is a tcis decoy connection from a system in China (I
rewrote the IP address to 1.1.1.1) to my Tor bridge (rewritten to
2.2.2.2). The next two packets are active probes, with their original IP
addresses. Interestingly, their cipher list differs: one has 65 suites
while the other one has 68 suites.
The site tlsfingerprint.io has seen the cipher list of
[https://tlsfingerprint.io/id/f47f08ae690b4756 the first probe 138,000
times] and [https://tlsfingerprint.io/id/4e542eaea37cdd51 the second probe
<100 times]. FWIW, tlsfingerprint.io works as follows:
> We collect anonymized TLS Client Hello messages from the University of
> Colorado Boulder campus network, in order to measure the popularity of
> various implementations actually used in practice.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30500#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
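
Added example (not part of the comment above and not Tor Project code): one way to extract the cipher suite list from a captured TLS Client Hello record and compare two offers, as the comment does for the 65-suite and 68-suite probes. All function names are hypothetical, and the two sample records are constructed with placeholder suite IDs, not the probes' actual lists.

```python
import struct

def cipher_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in one raw TLS Client Hello record."""
    if len(record) < 5 or record[0] != 0x16:      # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # 0x01 = client_hello
        raise ValueError("not a Client Hello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("Client Hello truncated or split across records")
    try:
        pos = 2 + 32                              # skip client_version, random
        pos += 1 + hello[pos]                     # skip session_id
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    except (IndexError, struct.error):
        raise ValueError("Client Hello too short") from None
    raw = hello[pos + 2:pos + 2 + cs_len]
    if cs_len % 2 or len(raw) != cs_len:
        raise ValueError("malformed cipher suite list")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]

def is_grease(suite: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ...) are reserved placeholders."""
    return (suite & 0x0F0F) == 0x0A0A and (suite >> 8) == (suite & 0xFF)

def compare_offers(a: list, b: list) -> tuple:
    """Suites offered only in a and only in b, ignoring GREASE."""
    sa = {s for s in a if not is_grease(s)}
    sb = {s for s in b if not is_grease(s)}
    return sorted(sa - sb), sorted(sb - sa)

def build_hello(suites) -> bytes:
    """Constructed sample input: minimal Client Hello, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed placeholder suite IDs, NOT the probes' real lists.
PROBE_A = build_hello(range(0x0030, 0x0071))      # 65 suites
PROBE_B = build_hello(range(0x0030, 0x0074))      # 68 suites

if __name__ == "__main__":
    a, b = cipher_suites(PROBE_A), cipher_suites(PROBE_B)
    print(len(a), len(b), compare_offers(a, b))
```

The parser handles a Client Hello that fits in a single TLS record; a hello split across records raises `ValueError` rather than returning a partial list.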