On Fri, 25 Jul 2014 10:00:01 +0200 Lunar lunar@torproject.org wrote:
isis:
We can't just make Tor Browser stop accepting obfs2 because some people are using obfs2 bridges right now. But we shouldn't add more people to the set of users of a broken protocol.
Obfs3 is also "broken", it's just that we haven't yet seen a DPI box do it IRL.
That's news to me. Any pointers?
Well, the protocol is ok, but it is vulnerable to active probing (eg: See something they don't recognize, flag the destination IP/Port, call back later). Doing so on a mass scale is *quite* expensive since the obfs3 handshake isn't exactly cheap, but probably is in the reach of a nation-state adversary (China springs to mind).
There also are a few interesting statistical attacks that are possible vs the obfs3 protocol if you make guesses about the inner payload, but such things are unnecessary for obfs3 (and ScrambleSuit/obfs4 both have some defenses against those, although not all are enabled as a performance tradeoff).
Regards,