[tor-project] Turning on timing obfuscation (iat-mode=1) for some default bridges

Tue Nov 15 00:56:03 UTC 2016

I propose that we turn on the obfs4's optional packet size and timing
obfuscation on some of the default Tor Browser bridges.

The packet size and timing obfuscation can be off (iat-mode=0) or on
(iat-mode=1). Currently, all of the default bridges, and probably ≈100%
of BridgeDB bridges, have it turned off (iat-mode=0).

As far as I know, iat-mode=1 has never really been tried in practice.
The reason I propose trying it is the current blocking situation in
Kazakhstan. According to reports, obfs4 (along with meek and vanilla
Tor) are blocked there--not only the built-in default bridges, but also
secret bridges from BridgeDB. A user on IRC has been experimenting with
the Kazakh firewall; the blocking seems to be some sort of probabilistic
traffic analysis--it doesn't always block and the rate of blocking
depends on the network load. That user would like to have iat-mode=1 set
on some of the default bridges to see if it gets through the firewall.

Here are details on the Kazakhstan situation:
https://bugs.torproject.org/20348

So I'm thinking it's a good idea to turn on iat-mode=1 on, say, 20% of
the default bridges. That'll also be a good hedge against potential
future blocking, as we can see if the bridges that use size and timing
obfuscation are more resistant. It is safe for the server to turn on
iat-mode=1 while the client still has iat-mode=0; the obfuscation will
only apply in one direction but the connection will still work.

----
Addendum on how to activate iat-mode=1 on the server

If you built obfs4proxy from source, and you are using commit a7a2575cab
or later, you just need to add one line to your torrc:
	ServerTransportOptions obfs4 iat-mode=1
Unfortunately this commit is not yet in a released version.

If you are using a released version, such as obfs4proxy-0.0.6, then you
need to specify every other possible parameter in addition to iat-mode.
Find the file <datadir>/pt_state/obfs4_state.json, and convert the JSON
syntax into key=value syntax in a ServerTransportOptions, for example if
obfs4_state.json contains
	{"node-id":"0af6c84b644856255dd858b2b189725db6ded51a","private-key":"d04e61ea38757ef67131a3032709e26bbf77a370aadf3950180fbf797973b365","public-key":"fedde584dc36265f9071ab6f7d845a9ae9e3cea5b9c956b252c1c7849aa2d006","drbg-seed":"5bb4dd59f507a89660c4d313f598ed56f4e9e0a620e129af","iat-mode":0}
then add this to torrc:
	ServerTransportOptions obfs4 node-id=0af6c84b644856255dd858b2b189725db6ded51a private-key=d04e61ea38757ef67131a3032709e26bbf77a370aadf3950180fbf797973b365 public-key=fedde584dc36265f9071ab6f7d845a9ae9e3cea5b9c956b252c1c7849aa2d006 drbg-seed=5bb4dd59f507a89660c4d313f598ed56f4e9e0a620e129af iat-mode=1
You will know you need to do this if, when you try to set iat-mode=1 by
itself, you get the tor.log error:
	[warn] Server managed proxy encountered a method error. (obfs4 missing argument 'private-key')