[tor-dev] Idea which may or may not of been discussed

David Fifield david at bamsoftware.com
Sat Oct 13 17:09:33 UTC 2018


On Sat, Oct 13, 2018 at 12:21:49PM -0400, Matt Traudt wrote:
> Why wouldn't it be just as easy for censors to identify the small set of
> registered domains that Tor relays use and block TLS connections that
> involve them?

And in general, IMO pluggable transports are the right layer to address
this, not the Tor TLS layer. The way Tor uses TLS is already way more
complicated than it needs to be, partly because of past attempts to
build obfuscation into the core protocol rather than handling it as a
separate layer.
https://trac.torproject.org/projects/tor/wiki/org/projects/Tor/TLSHistory

The certificate server name is a pretty easy distinguishing feature--but
it's not the only one. But there are other ways in which the Tor TLS
handshake stands out, even if you use real server names with legit
certs. It's not easy to hack OpenSSL into perfectly imitating e.g., a
Firefox TLS fingerprint. That's why meek uses an instance of Firefox to
do its TLS, and why https://github.com/refraction-networking/utls
exists.
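An added example (not part of the original message, and not code from Tor, meek or utls) of why a real server name alone does not hide a client: it parses two ClientHello messages that carry the same server name and derives a simplified fingerprint from the version, cipher suite list and extension order. The helper names `build_client_hello` and `fingerprint`, the fingerprint format, and the sample cipher and extension lists are assumptions constructed for illustration and do not reproduce any real client's handshake.

```python
import hashlib
import struct

def build_client_hello(sni, ciphers, extra_exts):
    """Constructed sample input: a minimal TLS 1.2 ClientHello handshake message."""
    name = sni.encode()
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni_data)) + sni_data      # server_name (type 0)
    for ext_type, data in extra_exts:
        exts += struct.pack("!HH", ext_type, len(data)) + data
    body = b"\x03\x03" + bytes(32) + b"\x00"    # version, random, empty session id
    body += struct.pack("!%dH" % (len(ciphers) + 1), 2 * len(ciphers), *ciphers)
    body += b"\x01\x00"                         # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body

def fingerprint(hello):
    """Return (sni, fingerprint) for one ClientHello handshake message."""
    if len(hello) < 4 or hello[0] != 1:
        raise ValueError("not a ClientHello")
    if int.from_bytes(hello[1:4], "big") != len(hello) - 4:
        raise ValueError("length field does not match message size")
    pos = 4
    version = struct.unpack_from("!H", hello, pos)[0]
    pos += 2 + 32                               # skip version and random
    pos += 1 + hello[pos]                       # skip session id
    n = struct.unpack_from("!H", hello, pos)[0]
    ciphers = struct.unpack_from("!%dH" % (n // 2), hello, pos + 2)
    pos += 2 + n
    pos += 1 + hello[pos]                       # skip compression methods
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    sni, ext_types = None, []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        pos += 4
        ext_types.append(ext_type)
        if ext_type == 0:                       # list len(2), name type(1), name len(2)
            name_len = struct.unpack_from("!H", hello, pos + 3)[0]
            sni = hello[pos + 5:pos + 5 + name_len].decode()
        pos += ext_len
    # Order is kept: the same items offered in a different order still differ.
    text = "%d,%s,%s" % (version, "-".join(map(str, ciphers)), "-".join(map(str, ext_types)))
    return sni, hashlib.sha256(text.encode()).hexdigest()[:16]

# Constructed hellos: same server name, different cipher and extension lists.
GROUPS, POINTS = (10, b"\x00\x02\x00\x17"), (11, b"\x01\x00")
HELLO_A = build_client_hello("example.com", [0xC02B, 0xC02F, 0x009E], [GROUPS, POINTS])
HELLO_B = build_client_hello("example.com", [0xC02F, 0xC02B], [(35, b""), GROUPS])
```

`fingerprint(HELLO_A)` and `fingerprint(HELLO_B)` return the same server name with different fingerprints, and changing only the server name leaves the fingerprint unchanged.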

