Bug#1004374: [Pkg-privacy-maintainers] Bug#1004374: obfs4proxy: Traffic is trivially distinguishable (Elligator2 public key representative leak)

2022-01-27 Thread Ana Custura

Hi,

I was in touch with Debian Security last week; they suggested an
update to unstable first. I'm now working on packaging the dependencies
for version 0.0.11 and shipping an update.


Thanks,

Ana

On 26/01/2022 07:00, intrigeri wrote:

> Package: obfs4proxy
> Version: 0.0.8-1+b6
> Severity: important
> Tags: security
>
> Hi,
>
> Please see
> https://lists.torproject.org/pipermail/anti-censorship-team/2022-January/000213.html
>
> tl;dr:
>
> > All existing versions prior to the migration to the new code […] are
> > fatally broken, and trivial to distinguish via some simple math.
>
> Given obfs4proxy's explicit traffic obfuscation goal, this looks like
> an important security issue to me.
>
> (For those who might be wondering: whether/when this bug is fixed in
> Debian does not impact Tails since we've switched to using the
> obfs4proxy binary from the Tor Browser tarball.)
>
> Thanks for maintaining obfs4proxy in Debian,
> cheers!





Bug#1004374: obfs4proxy: Traffic is trivially distinguishable (Elligator2 public key representative leak)

2022-01-25 Thread intrigeri
Package: obfs4proxy
Version: 0.0.8-1+b6
Severity: important
Tags: security

Hi,

Please see
https://lists.torproject.org/pipermail/anti-censorship-team/2022-January/000213.html

tl;dr:

> All existing versions prior to the migration to the new code […] are
> fatally broken, and trivial to distinguish via some simple math.

Given obfs4proxy's explicit traffic obfuscation goal, this looks like
an important security issue to me.

(For those who might be wondering: whether/when this bug is fixed in
Debian does not impact Tails since we've switched to using the
obfs4proxy binary from the Tor Browser tarball.)

Thanks for maintaining obfs4proxy in Debian,
cheers!