On 10/13/2018 12:07 AM, Nathaniel Suchy wrote:
> Currently Tor traffic uses a TLS handshake hostname like the following:
>
> $ sudo tcpdump -An "tcp" | grep "www"
> listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
> .............". ...www.odezz26nvv7jeqz1xghzs.com......... .............#.!...www.bxbko3qi7vacgwyk4ggulh.com......... .6....m.....>...:.........|../* Z....W....X=..6...C../....................................0...0..0.......'....F./0.. *.H........0%1#0!..U....www.b6zazzahl3h3faf4x2.com0...160402000000Z..170317000000Z0'1%0#..U....www.tm3ddrghe22wgqna5u8g.net0..0..
>
> A network observer could run a DNS lookup on the hostnames and see if they are real or not. So my idea would be to register a set of random hostnames which are legitimate and point the IPs somewhere, to avoid looking for an NXDOMAIN response and dropping the stream. You could even give each relay a unique subdomain and rotate these every few weeks. This may be expensive to implement but could make blocking Tor traffic with this method harder. Thoughts?
Why wouldn't it be just as easy for censors to identify the small set of registered domains that Tor relays use and block TLS connections that involve them?
I don't see how changing the domain a relay uses from aaaaaa.foo.com to bbbbbb.foo.com helps. The censor would just notice 'foo.com' and block it.
In fact, I think this would make censorship easier.
Matt