[tor-bugs] #32026 [Circumvention/Censorship analysis]: Using An Alternative To TCP To Avoid Packet Injection?

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 14 06:22:59 UTC 2019


#32026: Using An Alternative To TCP To Avoid Packet Injection?
-----------------------------------------------+------------------------
 Reporter:  Aphrodites1995                     |          Owner:  (none)
     Type:  enhancement                        |         Status:  new
 Priority:  Medium                             |      Milestone:
Component:  Circumvention/Censorship analysis  |        Version:
 Severity:  Normal                             |     Resolution:
 Keywords:                                     |  Actual Points:
Parent ID:                                     |         Points:
 Reviewer:                                     |        Sponsor:
-----------------------------------------------+------------------------

Comment (by dcf):

 Replying to [comment:5 Aphrodites1995]:
 > If obfs4 is resistant, why doesn't it work in China? Is it because of
 > the middle node problem?

 obfs4 ''does'' work in China, as far as I know, but only if you use a
 private bridge. You can't use the "obfs4" dropdown in Tor Browser, because
 that uses a hardcoded list of default bridges, and all of them are already
 blocked. Users who set up their own obfs4 bridge or have a friend do it
 are able to use obfs4, but that is only a tiny fraction of users. See
 https://censorbib.nymity.ch/#Matic2017a. The hard problem here is address
 distribution--you need to distribute proxy addresses to your potential
 users, but somehow also prevent a censor from learning all of them and
 blocking them. Tor's answer to address distribution is
 [https://bridgedb.torproject.org/ BridgeDB], but it's not good enough
 against China. (And there aren't enough running obfs4 servers listed in
 BridgeDB to make enumeration really challenging.)

 > So then why can't we just have one proxy as a node, and not do the onion
 > thing, or at least make that an option? (I know TOR stands for The Onion
 > Router, but it would be okay to betray the name for the sake of
 > anti-censorship, right?) Also, is it possible for the GFW to read messages
 > encrypted in TLS? If it couldn't, there is a whole lot of unreadable
 > traffic out there, and obfs4 should be resistant, right?

 Of course you can separate circumvention from onion routing. There are
 plenty of circumvention systems that don't try to provide anonymity, like
 [https://psiphon.ca/ Psiphon], [https://getlantern.org/ Lantern], and
 [https://shadowsocks.org/ Shadowsocks]. And in fact they and Tor use the
 same or similar circumvention techniques. Just run one of those, if you
 don't need the additional features of Tor.

 Middlebox firewalls cannot passively decrypt TLS traffic. There ''is'' a
 lot of unreadable traffic, and that is probably why obfs4 and similar
 protocols are effective, as long as the IP address is not known to be an
 obfs4 server. But if you're a censor, once you have determined (by
 whatever means) that an IP address hosts an obfs4 server, you don't
 ''care'' about any passive protocol identification. You just block the IP
 address entirely. See
 https://www.bamsoftware.com/papers/fronting/#sec:related-work
 and the framing around "blocking by content" and "blocking
 by address." Blocking by address is the harder part; you need more than
 just protocol obfuscation to deal with that.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32026#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

