The Parrot is Dead: Observing Unobservable Network Communications
http://www.cs.utexas.edu/~shmat/abstracts.html
http://dedis.cs.yale.edu/2010/anon/papers/parrot-abs

I found this paper a very interesting read that discusses various pluggable transports and other methods of obscuring Tor traffic, and even contends that all the existing "parrot" systems that try to mimic Skype, VOIP, and HTML traffic are more easily detected than unmasked Tor traffic itself. It further argues that the approach of those projects is fundamentally flawed. One especially challenging reason in common with all of them is that the task of mimicking the behavior of a specific client/server implementation and interaction exactly, under all conditions, is a practically insurmountable task.

The main recommendation the paper makes is to do research into layering Tor/obscured traffic over a real implementation (e.g. in the audio or video payload of a real Skype connection) -- and acknowledges that although that may simplify the task, it will introduce new problems and not eliminate the possibility that traffic can be identified and fingerprinted anyway -- although those are more general thoughts than thorough research.

The abstract/direct links:

The Parrot is Dead: Observing Unobservable Network Communications
Amir Houmansadr, Chad Brubaker, and Vitaly Shmatikov
The University of Texas at Austin

Winner of Best Practical Paper Award
IEEE Symposium on Security and Privacy <http://www.ieee-security.org/TC/SP2013>
May 19-22, 2013, San Francisco, CA

Abstract

In response to the growing popularity of Tor and other censorship circumvention systems, censors in non-democratic countries have increased their technical capabilities and can now recognize and block network traffic generated by these systems on a nationwide scale. New censorship-resistant communication systems such as SkypeMorph, StegoTorus, and CensorSpoofer aim to evade censors' observations by imitating common protocols like Skype and HTTP.

We demonstrate that these systems completely fail to achieve unobservability. Even a very weak, local censor can easily distinguish their traffic from the imitated protocols. We show dozens of passive and active methods that recognize even a single imitated session, without any need to correlate multiple network flows or perform sophisticated traffic analysis. We enumerate the requirements that a censorship-resistant system must satisfy to successfully mimic another protocol and conclude that "unobservability by imitation" is a fundamentally flawed approach. We then present our recommendations for the design of unobservable communication systems.

Paper: PDF <http://dedis.cs.yale.edu/2010/anon/papers/parrot.pdf> (or http://www.cs.utexas.edu/~shmat/shmat_oak13parrot.pdf)
Slides: PowerPoint <http://dedis.cs.yale.edu/2010/anon/papers/parrot-slides.pptx>, PDF <http://dedis.cs.yale.edu/2010/anon/papers/parrot-slides.pdf>

This work was supported by the Defense Advanced Research Agency (DARPA) and SPAWAR Systems Center Pacific, Contract No. N66001-11-C-4018, and the MURI program under AFOSR Grant No. FA9550-08-1-0352.

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk