commit d3afe7490775312101ede5879a8ebb75f995f59b
Author: George Kadianakis desnacked@gmail.com
Date: Tue Dec 13 14:39:22 2011 +0100

Replace old threat model doc. with a new one.
---
 doc/THREAT_MODEL | 19 ----------------
 doc/obfs2_threat_model.txt | 50 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 19 deletions(-)
diff --git a/doc/THREAT_MODEL b/doc/THREAT_MODEL deleted file mode 100644 index d973317..0000000 --- a/doc/THREAT_MODEL +++ /dev/null @@ -1,19 +0,0 @@ -obfs2 was created to work on top of the Tor protocol (and specifically -it's TLS handshake phase). Do not use obfs2 to obfuscate other -protocols, unless you are super-sure of what you are doing. - -A list follows, of known attacks that obfs2 protects or does not -protect against. obfs2 does not protect you against unknown attacks. - -Attacks obfs2 protects against: -* Non-intelligent DPI boxes censoring based on TLS content patterns. -* In the case of a shared secret, it also protects against intelligent DPI boxes. - -Attacks obfs2 does not protect against: -* Any distinguisher based on the Tor protocol. This includes timing, packet - size and replay attacks. -* Any distinguisher based on packet entropy. -* In the case of obfs2 without a shared secret, obfs2 does not protect - against an intelligent DPI box; a DPI box that simply deobfuscates - the obfs2 protocol (for those not familiar with the protocol: this - is quite easy.). diff --git a/doc/obfs2_threat_model.txt b/doc/obfs2_threat_model.txt new file mode 100644 index 0000000..08385ae --- /dev/null +++ b/doc/obfs2_threat_model.txt 
@@ -0,0 +1,50 @@ +threat model: + + Adversary capabilities: + +The adversary controls the infrastructure of the network within her +jurisdiction, and she can potentially monitor, block, alter, and +inject traffic anywhere within this region. + +The censor also holds a blacklist of network protocols, which she is +interested in blocking. + + Adversary attacks: + +The censor passively monitors traffic and looks for content +signatures, in an attempt to distinguish network protocols. Upon +detecting a blacklisted protocol, the censor blocks the connection. + + Goals of obfs2: + +obfs2 attempts to counter the above attack by removing content +signatures from network traffic. obfs2 encrypts the traffic stream +with a stream cipher, which results in the traffic looking uniformly +random. + + Discussion: + +obfs2 shortcomings: + +obfs2 was designed as a pluggable transports proof-of-concept: it is +simple, useable and easily implementable. It does _not_ try to protect +against sophisticated adversaries: + +obfs2 does not try to protect against Tor protocol fingerprints, like +the packet size or packet timing. + +obfs2 does not try to protect against attackers capable of measuring +traffic entropy. + +obfs2 does not try to protect against Deep Packet Inspection machines +that expect the obfs2 protocol. Such machines can trivially retrieve +the decryption key off the traffic stream and use it to decrypt obfs2 +and detect the Tor protocol. + +In other words, obfs2 does not try to protect against anything other +than fingerprintable TLS content patterns. + +That said, obfs2 is not useless. It protects against many real-life +Tor traffic detection methods currentl deployed, since most of them +use static SSL handshake strings as signatures. +
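Review bot: The deletion of doc/THREAT_MODEL drops two statements that the replacement file does not carry over: the warning "Do not use obfs2 to obfuscate other protocols, unless you are super-sure of what you are doing" and the shared-secret case ("In the case of a shared secret, it also protects against intelligent DPI boxes"). The new text says that DPI machines expecting obfs2 "can trivially retrieve the decryption key off the traffic stream", without saying whether that still holds when a shared secret is configured. Suggest keeping both points in doc/obfs2_threat_model.txt, or explaining in the commit message why they were dropped.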
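Review bot: In doc/obfs2_threat_model.txt the "Adversary capabilities" paragraph lets the censor "monitor, block, alter, and inject traffic", but "Adversary attacks" covers only passive monitoring for content signatures, and the shortcomings list never states that active attacks are out of scope. One explicit sentence to that effect would make the model consistent; the deleted file named replay attacks among the unprotected cases, and that could be carried over. Two spelling fixes in the same hunk: "currentl deployed" in the final paragraph should read "currently deployed", and "useable" is more commonly spelled "usable". The last added line is an empty "+" line, so the new file ends with a blank line that can be dropped.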