[tor-relays] Port for obfsproxy

Jeroen Massar jeroen at massar.ch
Tue Oct 8 14:49:23 UTC 2013


On 2013-10-07 22:48, Zack Weinberg wrote:
> On Mon, Oct 7, 2013 at 4:36 PM, Jeroen Massar <jeroen at massar.ch> wrote:
>> On 2013-10-07 16:13, GDR! wrote:
>>> "For example, there MIGHT be a HTTP transport which transforms Tor
>>> traffic to look like regular HTTP traffic."
>>>
>>> I missed the "MIGHT" part. Too bad this doesn't exist.
>>
>> It does: StegoTorus.
> 
> Unless something has changed very recently, all publicly available
> copies of StegoTorus are missing critical pieces of functionality
> (such as the ability to use a session key that isn't HARDWIRED INTO
> THE SOURCE CODE),

Indeed, the version you created had this and many other issues. These
have been addressed, but indeed not made publicly available yet, though
Tor Project members have had updates to it already.

As you are very aware, unfortunately the people working on the system
have restrictions on code releases, they are doing their best to get it
out in the open though.

> and also don't *really* implement HTTP, only something that
> looks like HTTP on cursory inspection but is trivial
> for an active attacker to detect (see Houmansadr et al.,
> https://www.ieee-security.org/TC/SP2013/papers/4977a065.pdf )

A very well known paper, and a really good one too. The solution to this
is a component called JumpBox, and the initial codename was MockingBird,
I guess you can derive from that what the problem is that it solves:
"How to kill a Mockingbird" :)

> Furthermore, last I looked at it, the "steg module" code (that is, the
> code that actually implements the HTTP-alike) was so riddled with
> security-critical bugs (of the "classic 1990s buffer overflow
> vulnerability" variety) that it was probably unsafe to run it on the
> public Internet *at all*.

And it is good that several other people have been fixing up those
problems before releasing it into the wild of people who depend on
security and anonymity. More code audits are underway and also needed
though before it gets there.

> For these reasons, the copy of ST on my
> personal Github has been modified not to compile out of the box, and I
> am considering deleting it altogether.

That is a good idea, releasing/publishing code of that quality is IMHO
quite irresponsible. It is good that one needs to specifically set it up
on either side though before using it, as that gives an insight to the
quality of the code.

> Jeroen: I am aware that ISC and SRI are supposed to be working on
> fixes for these issues, but until the fixed code is available to the
> general public -- from the official Git repository on
> gitweb.torproject.org -- I request that you refrain from suggesting
> that StegoTorus solves this problem. In fact, I would prefer that you
> not even mention that it exists.

As you state yourself, if the code quality is that bad, why is it
currently up there in that form?

The people who work on that code and are improving the many mistakes
that were in there unfortunately have to go through code review before
releasing things. That does not mean it does not exist or does not
function properly. Code releases are coming, hopefully sooner than later
though.

Getting the code out there under more eyes is something that will happen.

From another reply:
> Oh, and, the cryptographic choices made in the ST paper are, in
> retrospect, quite poor: for instance, I had no idea when I picked it
> that AES-GCM was so troublesome in software, and all of the elliptic
> curve stuff has since been obsoleted by Elligator.

Which just shows that new research improves things and that while
implementing something one can realize that certain design choices
might not be perfect for the situation originally thought up. Hence, why
one keeps on improving on things to avoid those shortcomings.

> Anyone interested in hacking on steganographic transports nowadays
> would be well-advised to begin from something else, such as Yawning
> Angel's LODP.

While it is a project with a lot of merit, in a lot of locations UDP
will simply not be going in or out of a country...

It is thus a project with quite different goals and resolving a very
different problem, than what StegoTorus is trying to resolve.

And the more of these things the merrier, as it will just increase the
chance of bypassing the filters that are in place.

Greets,
 Jeroen



