[tor-talk] Flashproxys' impact on Tors' fingerprint
Sebastian G. <bastik.tor>
bastik.tor at googlemail.com
Sat Oct 13 13:04:11 UTC 2012
David Fifield:
> On Fri, Oct 12, 2012 at 06:21:13PM +0200, Sebastian G. <bastik.tor> wrote:
>> beside the case that the connection itself looks different due to the
>> use of (web)sockets (like explained in the paper) is there any impact on
>> how one could fingerprint on Tors' traffic?
>
> No, using a flash proxy doesn't in principle make protocol detection any
> harder. We just encode the TLS byte stream and package it within a
> WebSocket stream. A filter could unpack the WebSocket stuff, reassemble
> the inside stream, and reuse whatever traffic inspection it is already
> using to block Tor.
"Good" I understood it correctly beforehand. It's more stuff the
adversary has to do either manually or the DPI box has to do more work.
> A few things work in our favor in terms of making it more cumbersome to
> fingerprint traffic within a WebSocket stream:
> * One side of each stream has each WebSocket frame XORed with a
> pseudorandom key. (This isn't something we do specially, this
> is just a part of the WebSocket protocol:
> https://tools.ietf.org/html/rfc6455#section-5.3)
> * On some browsers that do not support binary WebSocket frames
> (https://tools.ietf.org/html/rfc6455#section-5.6), the payload
> is base64-encoded and sent in text frames, so a censor has to
> decode the base64 too (or, perhaps, just block WebSocket
> connections that appear to contain only base64).
That sounds good.
>> (If it doesn't make fingerprinting more difficult...) how complicated
>> would it to have another layer in flashproxy that helps in this regard?
>
> As I see it, there are two axes to censorship circumvention, which are
> IP/port blocking, and protocol inspection. obfsproxy, for example, aims
> to defeat protocol inspection, but still uses a relatively small,
> relatively static set of obfsproxy bridges. Flash proxies have the
> opposite problem: flash proxy addresses are hard to block because they
> change all the time, but they don't do anything to disguise the traffic
> within.
Given a wide distribution of the badge it's impossible to block all of
them before new ones pop-up.
> A combined solution to both problems would be very nice. For example, we
> could use obfsproxy-style obfuscation inside of the WebSocket stream. We
> can't, ultimately, disguise the fact that the outermost layer is
> WebSocket, but we can disguise the payloads. To do such a thing is not
> conceptually difficult, it just requires a proposal, and someone willing
> to do it, and deployment of code to the necessary places.
>
> Unfortunately, though TLS-wrapped WebSocket is standard, we can't easily
> use it because the clients that the flash proxy connects to do not have
> CA-issued certs.
My question was related to disguising the traffic and it was answered
very well.
>> (I want to avoid another thread an it's close enough.) What else could
>> be implemented in WebSockets to have a wide range of "legitimate" use?
>> (In order to make it painful for an adversary to block WebSockets)
>
> I don't really know the range of things WebSocket is used for. One cool
> application I've seen is this: https://github.com/kanaka/noVNC which is
> a VNC client that uses WebSocket and HTML canvas.
Cool.
Thank you.
Regards,
Sebastian (bastik_tor)
More information about the tor-talk
mailing list