The upstream obfs4 repository has a fix to the Elligator2 public key representative leak (https://github.com/agl/ed25519/issues/27).
https://gitlab.com/yawning/obfs4/-/commit/393aca86cc3b1a5263018c10f87ece09ac...
All releases prior to this commit are trivially distinguishable with simple math, so upgrading is strongly recommended. The upgrade is fully backward-compatible with existing implementations, however the non-upgraded side will emit traffic that is trivially distinguishable from random.
The file internal/README.md elaborates:
All existing versions prior to the migration to the new code (anything that uses agl's code) are fatally broken, and trivial to distinguish via some simple math. For more details see Loup Vaillant's writings on the subject. Any bugs in the implementation are mine, and not his.
Representatives created by this implementation will correctly be decoded by existing implementations. Public keys created by this implementation be it via the modified scalar basepoint multiply or via decoding a representative will be somewhat non-standard, but will interoperate with a standard X25519 scalar-multiply.
As the obfs4 handshake does not include the decoded representative in any of it's authenticated handshake digest calculations, this change is fully-backward compatible (though the non-upgraded side of the connection will still be trivially distinguishable from random).
Quoting David Fifield (2022-01-14 03:27:09)
The upstream obfs4 repository has a fix to the Elligator2 public key representative leak (https://github.com/agl/ed25519/issues/27).
I started the conversation with the maintainers in debian to update the package: https://alioth-lists.debian.net/pipermail/pkg-privacy-maintainers/2022/00382...
On Fri, Jan 14, 2022 at 12:17:57PM +0100, meskio wrote:
Quoting David Fifield (2022-01-14 03:27:09)
The upstream obfs4 repository has a fix to the Elligator2 public key representative leak (https://github.com/agl/ed25519/issues/27).
I started the conversation with the maintainers in debian to update the package: https://alioth-lists.debian.net/pipermail/pkg-privacy-maintainers/2022/00382...
Thanks, meskio. It was also brought to my attention that Debian's latest version of obfs4proxy is 0.0.8, which does not have the necessary active probing mitigations that we released in 0.0.11. This should also be treated as a security issue. https://packages.debian.org/search?keywords=obfs4proxy
https://gitlab.com/yawning/obfs4/-/commit/1a6129b66ff3e66c347b54fbae203c1c61... https://censorbib.nymity.ch/#Frolov2020a https://github.com/net4people/bbs/issues/26
Quoting David Fifield (2022-01-14 21:50:32)
On Fri, Jan 14, 2022 at 12:17:57PM +0100, meskio wrote:
Quoting David Fifield (2022-01-14 03:27:09)
The upstream obfs4 repository has a fix to the Elligator2 public key representative leak (https://github.com/agl/ed25519/issues/27).
I started the conversation with the maintainers in debian to update the package: https://alioth-lists.debian.net/pipermail/pkg-privacy-maintainers/2022/00382...
Thanks, meskio. It was also brought to my attention that Debian's latest version of obfs4proxy is 0.0.8, which does not have the necessary active probing mitigations that we released in 0.0.11. This should also be treated as a security issue. https://packages.debian.org/search?keywords=obfs4proxy
Thanks for the info. I'll talk with the packagers about that. They mention having a problem with the fork of uTLS and it's license to be able to update the package. But let's see if is this can be solved somehow.
On Mon, Jan 17, 2022 at 11:53:55AM +0100, meskio wrote:
Quoting David Fifield (2022-01-14 21:50:32)
On Fri, Jan 14, 2022 at 12:17:57PM +0100, meskio wrote:
Quoting David Fifield (2022-01-14 03:27:09)
The upstream obfs4 repository has a fix to the Elligator2 public key representative leak (https://github.com/agl/ed25519/issues/27).
I started the conversation with the maintainers in debian to update the package: https://alioth-lists.debian.net/pipermail/pkg-privacy-maintainers/2022/00382...
Thanks, meskio. It was also brought to my attention that Debian's latest version of obfs4proxy is 0.0.8, which does not have the necessary active probing mitigations that we released in 0.0.11. This should also be treated as a security issue. https://packages.debian.org/search?keywords=obfs4proxy
Thanks for the info. I'll talk with the packagers about that. They mention having a problem with the fork of uTLS and it's license to be able to update the package. But let's see if is this can be solved somehow.
I think obfs4proxy should work with upstream github.com/refraction-networking/utls if you remove these two calls:
https://gitlab.com/yawning/obfs4/-/blob/cbf3f3cfa09cf48c42aebd1b96fd7952f1dd... utls.EnableVartimeGroups() utls.EnableVartimeAES()
anti-censorship-team@lists.torproject.org
-
David Fifield -
meskio