[tor-dev] Internet-wide scanning for bridges
phw at nymity.ch
Sun Dec 14 18:43:03 UTC 2014
On Sat, Dec 13, 2014 at 08:54:29AM -0500, A. Johnson wrote:
> There are even better solutions than this:
> 1. Port knocking: <https://wiki.archlinux.org/index.php/Port_Knocking>
> 2. Single-packet authorization: <http://www.cypherpunks.ca/~iang/pubs/bridgespa-wpes.pdf>
> ScrambleSuit has implemented something like #2, and its paper
> (http://www.cs.kau.se/philwint/pdf/wpes2013.pdf) describes its
> authentication mechanisms as preventing detecting via network-wide
> scanning. However, I can’t say how it actually got implemented.
You could describe ScrambleSuit as single-packet authorisation on the
application layer. In the implementation, a client proves knowledge of
a shared secret in the first stream of bytes (maybe in one packet, maybe
in more), it sends to a bridge. If the client cannot prove knowledge of
the secret, the bridge won't respond.
obfs4  continues this idea.
More information about the tor-dev