On Mon, Jan 20, 2014 at 05:21:26PM +0100, Philipp Winter wrote:
> On Mon, Jan 20, 2014 at 08:30:12AM -0500, Ian Goldberg wrote:
> > On Sat, Jan 18, 2014 at 01:40:43AM +0000, Matthew Finkel wrote:
> > > obfs3 is supposed to be fairly difficult to detect because entropy estimation is seemingly more difficult than typically assumed, and thus far from what has been seen in practice this seems to be true.
> > Wouldn't the way to detect obfs3 be to look at packet sizes, not contents? obfs3 doesn't hide those at all, right?
> Yes, obfs3 doesn't hide packet sizes. As a result, Tor over obfs3 results in packets which are multiples of Tor's 512-byte cells (excluding TLS headers).
True. I also assume that the complete absence of a plaintext header is a potential fingerprint, as well. In no way did I intend to suggest that obfs3 is completely undetectable by DPI, but based on what I know, it is the most successful PT that Tor provides. There is always room for improvement, such as what ScrambleSuit accomplishes, but the main point I wanted to make was that look-like-nothing transports seem to work.