From: Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
To: George Walker <georgewalkeriv@gmail.com>
Cc: wireguard@lists.zx2c4.com
Subject: Re: Let's talk about obfuscation again
Date: Thu, 6 Sep 2018 16:34:50 +0100 [thread overview]
Message-ID: <20180906163450.3f20480b@T-200> (raw)
In-Reply-To: <706D2A48-7DAA-436A-BB99-2AE80822B524@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2182 bytes --]
On Thu, 6 Sep 2018 17:19:57 +0200
Fredrik Strömberg <stromberg@mullvad.net> wrote:
>> First of all, censorship circumvention is an important societal
>> problem to solve. It is also clearly outside of the scope of
>> WireGuard. Any suggested protocol change with that motive will
>> increase the complexity of the code base, which increases the risk
>> of vulnerabilities. This would hurt all WireGuard users.
Amen!
On Thu, 6 Sep 2018 10:45:24 -0400
George Walker <georgewalkeriv@gmail.com> wrote:
> The objective of cleaning as described seems to be to make the
> protocol indistinguishable from exchanging random payloads. But are
> there any common protocols of commercial importance that are so
> inscrutable? If I saw such random-looking UDP payloads on the wire I
> would suspect malware c&c, file sharing (who remembers FreeNet?), or
> a tunnel, depending on data volume and direction —nothing I would
> hesitate to block (or flag as suspicious) if I were running a big
> traffic classifier.
There is a few different purposes served by this transform:
a) By having a uniformly random stream, its much easier to plug in to
various mimicry tools (as you suggest) since you know the input data
doesn't contain any meaning. There's some good work from the Tor people
on this kind of thing. For example, 'cleaned' traffic could be made to
look like TLS, without doubly encrypting every packet with the TLS key,
instead the UDP data can be passed through directly.
b) From a surveillance perspective, it becomes harder to identify and
record traffic. The classification goes from being "WG-VPN" to "???".
This makes the analysts job a bit harder. Increasing labour costs is
probably more painful for such entities than anything else.
c) It forces a censor to move from a blacklisting approach to a
whitelisting approach. As you say, this won't stymie the great firewall
of China but developing a rule to block traffic which looks "too
random" without too many false positives requires a lot of resources
and we can exploit this.
Best,
Dennis
--
PGP Fingerprint: 5B93 F0B9 D6A8 9BC1 546B C98C 6105 A775 8CD2 46AC
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
next prev parent reply other threads:[~2018-09-06 15:34 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-06 0:06 StarBrilliant
2018-09-06 8:43 ` Dennis Jackson
2018-09-06 14:45 ` George Walker
2018-09-06 15:19 ` Fredrik Strömberg
2018-09-07 8:49 ` StarBrilliant
2018-09-06 15:34 ` Dennis Jackson [this message]
2018-09-06 16:10 ` Jason A. Donenfeld
[not found] <mailman.1542.1536245115.2201.wireguard@lists.zx2c4.com>
2018-09-06 15:24 ` Brian Candler
2018-09-06 21:16 ` James Cloos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180906163450.3f20480b@T-200 \
--to=dennis.jackson@cs.ox.ac.uk \
--cc=georgewalkeriv@gmail.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).