[tor-commits] [obfsproxy/master] Replace old threat model doc. with a new one.

nickm at torproject.org nickm at torproject.org
Sat Dec 17 17:49:28 UTC 2011


commit d3afe7490775312101ede5879a8ebb75f995f59b
Author: George Kadianakis <desnacked at gmail.com>
Date:   Tue Dec 13 14:39:22 2011 +0100

    Replace old threat model doc. with a new one.
---
 doc/THREAT_MODEL           |   19 ----------------
 doc/obfs2_threat_model.txt |   50 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 19 deletions(-)

diff --git a/doc/THREAT_MODEL b/doc/THREAT_MODEL
deleted file mode 100644
index d973317..0000000
--- a/doc/THREAT_MODEL
+++ /dev/null
@@ -1,19 +0,0 @@
-obfs2 was created to work on top of the Tor protocol (and specifically
-it's TLS handshake phase). Do not use obfs2 to obfuscate other
-protocols, unless you are super-sure of what you are doing.
-
-A list follows, of known attacks that obfs2 protects or does not
-protect against. obfs2 does not protect you against unknown attacks.
-
-Attacks obfs2 protects against:
-* Non-intelligent DPI boxes censoring based on TLS content patterns.
-* In the case of a shared secret, it also protects against intelligent DPI boxes.
-
-Attacks obfs2 does not protect against:
-* Any distinguisher based on the Tor protocol. This includes timing, packet
-  size and replay attacks.
-* Any distinguisher based on packet entropy.
-* In the case of obfs2 without a shared secret, obfs2 does not protect
-  against an intelligent DPI box; a DPI box that simply deobfuscates
-  the obfs2 protocol (for those not familiar with the protocol: this
-  is quite easy.).
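Review bot: The removed text carried three points that the replacement doc/obfs2_threat_model.txt does not restate: the warning in the first paragraph not to use obfs2 to obfuscate protocols other than Tor, the shared-secret case in the "protects against" list, and replay attacks in the "does not protect against" list. If they still hold, carry them into the new file's shortcomings section. If the shared-secret case is being left out on purpose, say so in the commit message, which currently only says the document is replaced.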
diff --git a/doc/obfs2_threat_model.txt b/doc/obfs2_threat_model.txt
new file mode 100644
index 0000000..08385ae
--- /dev/null
+++ b/doc/obfs2_threat_model.txt
@@ -0,0 +1,50 @@
+threat model:
+
+       Adversary capabilities:
+
+The adversary controls the infrastructure of the network within her
+jurisdiction, and she can potentially monitor, block, alter, and
+inject traffic anywhere within this region.
+
+The censor also holds a blacklist of network protocols, which she is
+interested in blocking.
+
+      Adversary attacks:
+
+The censor passively monitors traffic and looks for content
+signatures, in an attempt to distinguish network protocols. Upon
+detecting a blacklisted protocol, the censor blocks the connection.
+
+     Goals of obfs2:
+
+obfs2 attempts to counter the above attack by removing content
+signatures from network traffic. obfs2 encrypts the traffic stream
+with a stream cipher, which results in the traffic looking uniformly
+random.
+
+     Discussion:
+
+obfs2 shortcomings:
+
+obfs2 was designed as a pluggable transports proof-of-concept: it is
+simple, useable and easily implementable. It does _not_ try to protect
+against sophisticated adversaries:
+
+obfs2 does not try to protect against Tor protocol fingerprints, like
+the packet size or packet timing.
+
+obfs2 does not try to protect against attackers capable of measuring
+traffic entropy.
+
+obfs2 does not try to protect against Deep Packet Inspection machines
+that expect the obfs2 protocol. Such machines can trivially retrieve
+the decryption key off the traffic stream and use it to decrypt obfs2
+and detect the Tor protocol.
+
+In other words, obfs2 does not try to protect against anything other
+than fingerprintable TLS content patterns.
+
+That said, obfs2 is not useless. It protects against many real-life
+Tor traffic detection methods currentl deployed, since most of them
+use static SSL handshake strings as signatures.
+
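Review bot: The "Adversary capabilities" section gives the censor the ability to block, alter, and inject traffic, but "Adversary attacks" describes only passive monitoring, and the shortcomings list never names active attacks explicitly. Add an entry under "obfs2 shortcomings" stating that obfs2 does not try to protect against an adversary who alters or injects traffic, in the same form as the other entries, so the stated capabilities and the stated scope line up. Smaller points: "currentl" in the last paragraph should be "currently", "useable" is more commonly spelled "usable", and the section headings are indented by 7, 6 and 5 spaces where a single width would read better.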


