On Mon, Jan 20, 2014 at 05:21:26PM +0100, Philipp Winter wrote:
> On Mon, Jan 20, 2014 at 08:30:12AM -0500, Ian Goldberg wrote:
> > On Sat, Jan 18, 2014 at 01:40:43AM +0000, Matthew Finkel wrote:
> > > obfs3 is supposed to be fairly difficult to detect because entropy
> > > estimation is seemingly more difficult than typically assumed,
> > > and thus far from what has been seen in practice this seems to be true.
> >
> > Wouldn't the way to detect obfs3 be to look at packet sizes, not
> > contents? obfs3 doesn't hide those at all, right?
>
> Yes, obfs3 doesn't hide packet sizes. As a result, Tor over obfs3
> results in packets which are multiples of Tor's 512-byte cells
> (excluding TLS headers).

True. I also assume that the complete absence of a plaintext header is a
potential fingerprint, as well. In no way did I intend to suggest that
obfs3 is completely undetectable by DPI, but based on what I know, it is
the most successful PT that Tor provides. There is always room for
improvement, such as what scramblesuit accomplishes, but the main point I
wanted to make was that look-like-nothing transports seem to work.
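
The packet-size point in the thread, as an added example that is not part of the original message or of any Tor project code: a self-test a transport designer could run over payload lengths to see how strongly the 512-byte cell size shows through, before and after length shaping. The flow is constructed, lengths are assumed to already exclude TLS headers, and `rechunk_random` is a hypothetical simplified shaper, not ScrambleSuit's actual algorithm.

```python
import random

CELL = 512  # Tor cell size as stated in the thread


def cell_aligned_fraction(lengths, cell=CELL):
    """Share of payload lengths that are exact multiples of the cell size."""
    if not lengths:
        return 0.0
    return sum(1 for n in lengths if n % cell == 0) / len(lengths)


def simulate_cell_writes(n_writes, rng, max_cells=3):
    """Constructed flow: every write carries 1..max_cells whole cells."""
    return [CELL * rng.randint(1, max_cells) for _ in range(n_writes)]


def rechunk_random(lengths, rng, lo=1, hi=1448):
    """Re-split the same byte stream at random boundaries.

    Hypothetical length shaping for illustration only; the bounds lo/hi
    are assumptions, and no padding is added.
    """
    remaining = sum(lengths)
    out = []
    while remaining > 0:
        n = min(rng.randint(lo, hi), remaining)
        out.append(n)
        remaining -= n
    return out


def compare(seed=1, n_writes=2000):
    """Measure the cell-size signal on an unshaped and a shaped flow."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    plain = simulate_cell_writes(n_writes, rng)
    shaped = rechunk_random(plain, rng)
    return {
        "bytes_preserved": sum(plain) == sum(shaped),
        "plain_fraction": cell_aligned_fraction(plain),
        "shaped_fraction": cell_aligned_fraction(shaped),
    }


if __name__ == "__main__":
    print(compare())
```

A transport that leaves lengths untouched scores 1.0 on this metric regardless of how random its bytes look, which is why content entropy alone does not settle detectability.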
