[tor-dev] Projects to combat/defeat data correlation

Matthew Finkel matthew.finkel at gmail.com
Wed Jan 22 02:17:34 UTC 2014


On Mon, Jan 20, 2014 at 05:21:26PM +0100, Philipp Winter wrote:
> On Mon, Jan 20, 2014 at 08:30:12AM -0500, Ian Goldberg wrote:
> > On Sat, Jan 18, 2014 at 01:40:43AM +0000, Matthew Finkel wrote:
> > > obfs3 is supposed to be fairly difficult to detect because entropy
> > > estimation is seemingly more difficult than typically assumed,
> > > and thus far from what has been seen in practice this seems to be true.
> >
> > Wouldn't the way to detect obfs3 be to look at packet sizes, not
> > contents?  obfs3 doesn't hide those at all, right?
> 
> Yes, obfs3 doesn't hide packet sizes.  As a result, Tor over obfs3
> results in packets which are multiples of Tor's 512-byte cells
> (excluding TLS headers).

True. I also assume that the complete absence of a plaintext header is
a potential fingerprint, as well. In no way did I intend to suggest that
obfs3 is completely undetectable by DPI, but based on what I know, it is
the most successful PT that Tor provides. There is always room for
improvement, such as what scramblesuit accomplishes, but the main
point I wanted to make was that look-like-nothing transports seem to
work.

