On Fri, Oct 17, 2014 at 12:13:55PM -0400, Ian Grant wrote:
> On Fri, Oct 17, 2014 at 4:24 AM, Bret Lambert <bret.lamb...@gmail.com> wrote:
> > On Thu, Oct 16, 2014 at 02:48:22PM +0200, Martin Schröder wrote:
> >> 2014-10-16 13:16 GMT+02:00 Kevin Chadwick <ma1l1i...@yahoo.co.uk>:
> >> The impossibility to scan for services - which the NSA/GCHQ/... do.
> >
> > It's a good thing that traffic analysis isn't a thing, then. Otherwise
> > they'd be able to check if traffic purporting to go to port 80/443
> > doesn't look like HTTP traffic, or something.
>
> They don't have any clue which traffic to analyze though, so this
> traffic is a needle in a haystack.

Well, if, as Herr Schroeder seems to be implying, this is used to avoid
port scans, I'd look for traffic to/from address:port which don't show up
on scans.

> Also, the VPN could be tunneled
> over HTTP if necessary.

I know of at least one company which sells a product which doesn't just
read headers, but classifies traffic based upon behavior, e.g., "small
request receives large response -> bulk transfer", or "series of tiny
packets which receive a single, larger response -> interactive session".
I assume nation-states have developed similar capabilities.

The ability to use statistical methods to eavesdrop on encrypted SIP
sessions comes to mind as an example of traffic analysis as a tool to
defeat adversaries who are attempting to secure their communications.
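
Added example (not part of the original message, and not the commercial product it mentions): Python that labels flows by the two behavioural patterns quoted above and lists server endpoints that carry traffic but are absent from a port-scan result. The packet records, scan result, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict

TINY = 128        # bytes; assumed cut-off for a "tiny" packet
BULK_RATIO = 20   # assumed response/request byte ratio for "bulk transfer"
MIN_RUN = 3       # assumed number of tiny packets that make a "series"

def classify(events):
    """Label one flow from its ordered (direction, payload_bytes) events."""
    sent = sum(n for d, n in events if d == "c2s")
    recv = sum(n for d, n in events if d == "s2c")
    run, bursts = [], 0
    for direction, size in events:
        if direction == "c2s":
            # extend the run of tiny client packets, or reset on a big one
            run = run + [size] if size <= TINY else []
        else:
            # a series of tiny client packets answered by a larger packet
            if len(run) >= MIN_RUN and size > max(run):
                bursts += 1
            run = []
    if bursts:
        return "interactive"
    if sent and recv >= BULK_RATIO * sent:
        return "bulk"
    return "other"

def unscanned_endpoints(packets, scan_open):
    """Return (ip, port, label) for servers with traffic that the scan missed."""
    flows = defaultdict(list)
    for client, ip, port, direction, size in packets:
        flows[(client, ip, port)].append((direction, size))
    hits = {(ip, port, classify(ev))
            for (_, ip, port), ev in flows.items()
            if (ip, port) not in scan_open}
    return sorted(hits)

# Constructed capture: (client, server_ip, server_port, direction, bytes)
PACKETS = (
    [("198.51.100.7", "192.0.2.10", 80, "c2s", 310)]
    + [("198.51.100.7", "192.0.2.10", 80, "s2c", 1400)] * 12
    + [("198.51.100.9", "192.0.2.10", 443, d, n) for d, n in
       [("c2s", 48), ("c2s", 52), ("c2s", 44), ("s2c", 620),
        ("c2s", 40), ("c2s", 56), ("c2s", 48), ("s2c", 900)]]
)
SCAN_OPEN = {("192.0.2.10", 80)}  # constructed scan result; 443 not reported

if __name__ == "__main__":
    for ip, port, label in unscanned_endpoints(PACKETS, SCAN_OPEN):
        print(f"{ip}:{port} has traffic but was not seen by the scan ({label})")
```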