Development discussion of WireGuard
From: Paul Swanson <psw@protonmail.com>
To: "wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: Rethinking Obfuscation
Date: Fri, 16 Dec 2016 20:27:35 -0500
Message-ID: <JV2fwV4TKBj6RAsdUIvPz41Ag-inFjFU9bWkmJYT74k6DhQrwz-yWh9cTTBfYq7iLYOv_j690kq2QyAOqR-HBVtdnYeQFrc8wuKncatCS28=@protonmail.com>

Hi,

I'd just like to revisit a topic that recently came up on the mailing list, traffic obfuscation.

Firstly, I'd like to state that I'm merely a grateful user of Wireguard, not a contributor.

That's relevant because the only way I can get reliable, uncensored Internet is with the help of Wireguard. And the only reason that is so, is because Wireguard is not yet a popular protocol.

I don't want to be so bold as to make an outright "feature request" for traffic obfuscation, but I would like to make my case for its acceptance.

Right now, in many countries there are extreme filtering practices in place. And I realise that there's an argument for addressing this at a policy level but sadly that thinking is just not useful for literally billions of people (https://freedomhouse.org/report/freedom-net/freedom-net-2016). It's a different political context.

It's easy to feel comfortable from a western democratic context with our relative sense of freedom, but our governments have already built the most pervasive instruments of mass surveillance ever known. We've a lot of trust and people who've brazenly betrayed us. We're just building security infrastructure on the assumption we'll continue to be allowed to use it for privacy.

For old VPN protocols such as IPSEC, OpenVPN and the like there's no hope. These are easily blocked by breaking the handshake processes, at the very least. Systems like TOR are praised by privacy advocates but are all but useless in the face of state-level / ISP filtering.

So while the problem might originate at a political level, this is not always resolvable. And right now there's precious little offering a technical solution. The only reliable approach I'm seeing widely employed is proprietary implementations of Open Source VPNs. VPN providers are making various obfuscation tweaks to things like OpenVPN to enable their services to work in places like China. The problem here is at least twofold. Firstly, it's proprietary! Need I say more here? Secondly, I don't see why any rational person should have confidence in these companies' cryptographic expertise.

I'd humbly like to propose a change in philosophy:

That obfuscation is a necessary, intermediary safeguard on the road to policy change.

That at least making provision for compatibility with obfuscation tools is relevant to the mission of projects such as Wireguard.

That providing expertise or guidance on how to obfuscate the Wireguard protocol, in the least miserable way, is a good and worthwhile thing.

Once again, thanks for all your work on the project. I love working with the userspace tools, they're well thought through. I love how resilient and well the protocol performs in the real world with miserable network latencies and giant evil firewalls. I love that it's open source.

I just hope I can keep using it where it really counts.

Paul S.
