[tor-bugs] #32047 [Circumvention/Obfs4]: Sharing Keys Through HTML?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Oct 12 05:00:51 UTC 2019
#32047: Sharing Keys Through HTML?
----------------------------+-------------------------------------
Reporter: Aphrodites1995 | Owner: (none)
Type: enhancement | Status: new
Priority: Medium | Component: Circumvention/Obfs4
Version: | Severity: Normal
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------+-------------------------------------
If you read how RSA works, it is obvious that decrypting something that is
not meant to be decrypted still works to get random digits that are
of similar length. Here, an idea would be to hide some random digits in HTML,
for example into the first hundred colors in <style> or counting the
number of letters inside the first fifty <p>s. These are numerical fields
inside HTML that could have a string, encrypted by a preshared RSA key
(people know both the private and public key), put into it to be hidden.
People will then decrypt that to get a public key to do the key sharing.
The censor cannot distinguish a regular HTML and a keysharing HTML
because decrypting any regular HTML also gets you a salted public key,
because both look like nothing. This is weak on its own because the censor
could easily try to decrypt anything with the gotten key that originates
from the requesting address, and if it works it is a tor connection, but
at the same time, with two different connections originating from
different addresses (could be two connections to WiFi to get different
port forwarding), it is difficult for the censor to check every single
connection against each HTML file for the key across the same public IP. I
believe that obfs4 has this problem with the keysharing which reveals that
it is an obfs4 connection.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32047>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
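
The scheme sketched in the ticket, as an added example that is not part of the original report or of obfs4: a textbook-RSA ciphertext is written into the first four hex colours of a <style> block and recovered with the preshared key. The toy key, FIELDS, the sample pages and all function names are assumptions made for illustration; the example also reports whether the extracted value is below the modulus, since a textbook RSA ciphertext always is, while the colours of an arbitrary page need not be.

```python
import re

# Constructed toy key, NOT secure: two Mersenne primes, so N is only 92 bits.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (needs Python 3.8+)
FIELDS = 4                            # 4 colours x 24 bits = 96-bit carrier

COLOR_RE = re.compile(r"#([0-9a-fA-F]{6})\b")

def colors_to_int(html, fields=FIELDS):
    """Concatenate the first `fields` 6-digit hex colours into one integer."""
    found = COLOR_RE.findall(html)[:fields]
    if len(found) < fields:
        raise ValueError("not enough colour fields in page")
    return int("".join(found), 16)

def int_to_style(value, fields=FIELDS):
    """Render an integer as a <style> block holding `fields` colours."""
    digits = format(value, "0%dx" % (6 * fields))
    rules = [".c%d{color:#%s}" % (i, digits[6 * i:6 * i + 6])
             for i in range(fields)]
    return "<style>" + "".join(rules) + "</style>"

def embed(message):
    """Textbook RSA-encrypt `message` (an int < N) and hide it in colours."""
    if not 0 <= message < N:
        raise ValueError("message out of range")
    return int_to_style(pow(message, E, N))

def extract(html):
    """Return (value_below_modulus, decrypted_int) for the colour fields."""
    value = colors_to_int(html)
    return value < N, pow(value, D, N)

# Constructed sample pages: neither carries a hidden message.
ORDINARY_LOW = ("<style>a{color:#0a0b0c}b{color:#112233}"
                "p{color:#445566}h1{color:#778899}</style>")
ORDINARY_HIGH = ("<style>a{color:#ffffff}b{color:#000000}"
                 "p{color:#336699}h1{color:#cc0000}</style>")

if __name__ == "__main__":
    page = embed(0x1234567890ABCDEF)  # constructed stand-in for key material
    for name, html in (("carrier", page), ("low", ORDINARY_LOW),
                       ("high", ORDINARY_HIGH)):
        print(name, extract(html))
```

Any value below N decrypts to some integer, so the carrier page and ORDINARY_LOW both yield a result; ORDINARY_HIGH yields one too, but its colour value exceeds N, which no ciphertext produced by `embed` can do.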