... | ... | @@ -2,7 +2,7 @@ |
|
|
|
|
|
For a few reasons, TLS as it stands is a difficult protocol for Tor to use.
|
|
|
|
|
|
== REASON 1: IT IS HARD TO LOOK LIKE OTHER TLS INSTANCES FROM THE POV OF PASSIVE ATTACKS ==
|
|
|
## REASON 1: IT IS HARD TO LOOK LIKE OTHER TLS INSTANCES FROM THE POV OF PASSIVE ATTACKS
|
|
|
|
|
|
The first is that TLS exists in a stupendously vast number of
|
|
|
externally visible profiles. If you're running a protocol that an
|
... | ... | @@ -16,7 +16,7 @@ I'll go through the history of the stupid ways that Tor has tried to |
|
|
use TLS over the years. This will read like a comedy of errors;
|
|
|
please don't judge our missteps too harshly.
|
|
|
|
|
|
=== Stage 1: (Tor versions 0.0.1 through 0.2.0.19) ===
|
|
|
### Stage 1: (Tor versions 0.0.1 through 0.2.0.19)
|
|
|
|
|
|
What we would really
|
|
|
like to do, if we didn't need to worry about censorship, is to have a
|
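Review bot: the new "### Stage 1: (Tor versions 0.0.1 through 0.2.0.19)" heading keeps a colon directly before the parenthesis and says "Tor versions", while the Stage 2 and Stage 3 headings say just "Tor". Since every stage heading is being rewritten in this change anyway, settle on one form, for example "### Stage 1 (Tor 0.0.1 through 0.2.0.19)", and apply it to the others.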
... | ... | @@ -41,7 +41,7 @@ RFC2409, section 6.2. |
|
|
|
|
|
We made some concessions to avoiding fingerprinting during this phase. For example, we removed some fixed strings from our certificates' DNs.
|
|
|
|
|
|
=== Stage 2: (Tor 0.2.0.20 through 0.2.3.6) ===
|
|
|
### Stage 2: (Tor 0.2.0.20 through 0.2.3.6)
|
|
|
Our particular use of two-certificate chains, our unusual cipher list,
|
|
|
and our our funny-looking certs made Tor pretty easy to profile.
|
|
|
|
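Review bot: the unchanged context under the new Stage 2 heading reads "and our our funny-looking certs", with "our" duplicated. This edit is already touching the section, so fix it to "and our funny-looking certs" in the same change.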
... | ... | @@ -97,7 +97,7 @@ https://lists.torproject.org/pipermail/tor-talk/2009-November/015864.html |
|
|
Protocol details at
|
|
|
https://gitweb.torproject.org/torspec.git/tree/proposals/130-v2-conn-protocol.txt
|
|
|
|
|
|
=== Stage 3: (Tor 0.2.3.6 to present) ===
|
|
|
### Stage 3: (Tor 0.2.3.6 to present)
|
|
|
|
|
|
When we started getting detected and blocked based on our use of
|
|
|
renegotiation, we switched to an improved handshake, where the outer
|
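Review bot: the new "### Stage 3: (Tor 0.2.3.6 to present)" heading starts at the same version where the Stage 2 heading ends ("Tor 0.2.0.20 through 0.2.3.6"), so a reader cannot tell which handshake 0.2.3.6 itself speaks. Make one of the two boundaries exclusive while the headings are being edited. "to present" will also go stale on a wiki page, so naming the last version this text was checked against would age better.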
... | ... | @@ -116,7 +116,7 @@ if we didn't need to blend in with other TLS handshakes. |
|
|
Protocol details at
|
|
|
https://gitweb.torproject.org/torspec.git/tree/proposals/176-revising-handshake.txt
|
|
|
|
|
|
=== Stage 4: ===
|
|
|
### Stage 4:
|
|
|
|
|
|
There are more features that are getting used to distinguish Tor from
|
|
|
other TLS traffic. They include:
|
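Review bot: "### Stage 4:" is carried over with a trailing colon and nothing after it, unlike the Stage 1 to 3 headings, which each give a version range. Either drop the colon or give it a label matching the body. The text below says these items are hoped for in 0.2.4.x, so something like "### Stage 4 (planned for 0.2.4.x)" would fit.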
... | ... | @@ -126,7 +126,7 @@ other TLS traffic. They include: |
|
|
|
|
|
We're hoping to address these in 0.2.4.x.
|
|
|
|
|
|
== REASON 2: IT IS HARD TO RESIST ACTIVE PROBING ==
|
|
|
## REASON 2: IT IS HARD TO RESIST ACTIVE PROBING
|
|
|
|
|
|
Most censorious attackers are passive, and seem to be using modified
|
|
|
commercial software to detect and block Tor connections. On the other
|
... | ... | @@ -141,7 +141,7 @@ complete the handshake ... or to even confirm that it isn't talking to |
|
|
a regular webserver. The presentation of this information can't be
|
|
|
visible to a passive observer.
|
|
|
|
|
|
== SOME OBVIOUS AND NOT-SO-OBVIOUS POINTS: ==
|
|
|
## SOME OBVIOUS AND NOT-SO-OBVIOUS POINTS:
|
|
|
|
|
|
There are, as near as I can tell, two main classes of censorious
|
|
|
adversary: the GFW, and everybody else. Everybody else seems either
|
... | ... | |
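Review bot: "## SOME OBVIOUS AND NOT-SO-OBVIOUS POINTS:" keeps the trailing colon from the old "== ... ==" form, while the two "## REASON" headings end without punctuation. Drop the colon so the converted headings are consistent.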