[tor-relays] Port for obfsproxy
Zack Weinberg
zackw at cmu.edu
Tue Oct 8 02:48:37 UTC 2013
On Mon, Oct 7, 2013 at 4:36 PM, Jeroen Massar <jeroen at massar.ch> wrote:
> On 2013-10-07 16:13, GDR! wrote:
>> "For example, there MIGHT be a HTTP transport which transforms Tor
>> traffic to look like regular HTTP traffic."
>>
>> I missed the "MIGHT" part. Too bad this doesn't exist.
>
> It does: StegoTorus.
Unless something has changed very recently, all publicly available
copies of StegoTorus are missing critical pieces of functionality
(such as the ability to use a session key that isn't HARDWIRED INTO
THE SOURCE CODE), and also don't *really* implement HTTP, only
something that looks like HTTP on cursory inspection but is trivial
for an active attacker to detect (see Houmansadr et al.,
https://www.ieee-security.org/TC/SP2013/papers/4977a065.pdf )
Furthermore, last I looked at it, the "steg module" code (that is, the
code that actually implements the HTTP-alike) was so riddled with
security-critical bugs (of the "classic 1990s buffer overflow
vulnerability" variety) that it was probably unsafe to run it on the
public Internet *at all*. For these reasons, the copy of ST on my
personal Github has been modified not to compile out of the box, and I
am considering deleting it altogether.
Jeroen: I am aware that ISC and SRI are supposed to be working on
fixes for these issues, but until the fixed code is available to the
general public -- from the official Git repository on
gitweb.torproject.org -- I request that you refrain from suggesting
that StegoTorus solves this problem. In fact, I would prefer that you
not even mention that it exists.
zw
More information about the tor-relays
mailing list