[tor-dev] Internet-wide scanning for bridges

Philipp Winter phw at nymity.ch
Sun Dec 14 18:43:03 UTC 2014


On Sat, Dec 13, 2014 at 08:54:29AM -0500, A. Johnson wrote:
> There are even better solutions than this:
>   1. Port knocking: <https://wiki.archlinux.org/index.php/Port_Knocking>
>   2. Single-packet authorization: <http://www.cypherpunks.ca/~iang/pubs/bridgespa-wpes.pdf>
> 
> ScrambleSuit has implemented something like #2, and its paper
> (http://www.cs.kau.se/philwint/pdf/wpes2013.pdf) describes its
> authentication mechanisms as preventing detection via network-wide
> scanning. However, I can’t say how it actually got implemented.

You could describe ScrambleSuit as single-packet authorisation on the
application layer.  In the implementation, a client proves knowledge of
a shared secret in the first stream of bytes (maybe in one packet, maybe
in more) it sends to a bridge.  If the client cannot prove knowledge of
the secret, the bridge won't respond.

obfs4 [0] continues this idea.

[0] https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/doc/obfs4-spec.txt

Cheers,
Philipp
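
The mechanism described in the message above, as an added sketch that is not part of the original message: a bridge that stays silent unless the first bytes of a connection, however they are split across packets, prove knowledge of a shared secret. This is not the ScrambleSuit or obfs4 wire format; the message layout, the names and every constant are assumptions made for illustration.

```python
import hashlib
import hmac
import os

TAG_LEN = 16          # truncated HMAC-SHA256 (assumed)
NONCE_LEN = 16        # assumed
MAX_HELLO = 1024      # assumed cap on bytes buffered before giving up
EPOCH_SECONDS = 3600  # assumed timestamp granularity

def _tag(secret, data):
    return hmac.new(secret, data, hashlib.sha256).digest()[:TAG_LEN]

def _epoch(now, offset=0):
    return str(int(now // EPOCH_SECONDS) + offset).encode()

def client_hello(secret, now):
    """nonce | random padding | mark | MAC; looks like random bytes on the wire."""
    nonce = os.urandom(NONCE_LEN)
    padding = os.urandom(os.urandom(1)[0])   # 0..255 bytes, variable length
    mark = _tag(secret, nonce)               # lets the bridge locate the MAC
    body = nonce + padding + mark
    return body + _tag(secret, body + _epoch(now))

class BridgeConn:
    """Per-connection state. feed() returns True (respond), False (never
    respond) or None (keep reading; the bridge is still silent)."""
    def __init__(self, secret, replay_cache):
        self.secret, self.seen, self.buf = secret, replay_cache, b""

    def feed(self, data, now):
        self.buf += data
        if len(self.buf) > MAX_HELLO:
            return False                     # no valid hello within the cap
        if len(self.buf) < NONCE_LEN + 2 * TAG_LEN:
            return None
        mark = _tag(self.secret, self.buf[:NONCE_LEN])
        pos = self.buf.find(mark, NONCE_LEN)
        if pos < 0 or len(self.buf) < pos + 2 * TAG_LEN:
            return None                      # mark or MAC not received yet
        body = self.buf[:pos + TAG_LEN]
        mac = self.buf[pos + TAG_LEN:pos + 2 * TAG_LEN]
        for off in (-1, 0, 1):               # tolerate one epoch of clock skew
            if hmac.compare_digest(mac, _tag(self.secret, body + _epoch(now, off))):
                if mac in self.seen:
                    return False             # replayed hello: stay silent
                self.seen.add(mac)
                return True
        return False
```

A scanner that does not know the secret only ever sees `None` or `False`, so the port behaves like a service that accepts the connection and never answers.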

