Hello Devers,

This is my first status update. I wanted to send one after my intro but first, it wasn't clear for me where I should setup my git and then I had few (ok two but it's still too much) hard drive failures. So here is the long combined version of first two update (Sorry :-S )

1 . So when first I got Stegotorus and I managed to compile it with few modification required by gcc 4.7. [1]. It did not function practically on my computer. Some data was being exchanged between client and server but I was not able to browse any page.

I spent few days to figure out the problem. It wasn't easy for various obvious reasons. I forced limiting the number of connections, and that made it semi-functional able to browse simple pages.

Eventually, it turned out, that it was known bug and I got the patch and it started working without problem.

2. My second task was to find a http proxy code, that I can use to implement different http modifications that Stegotorus protocol should be able to handle. I looked into the code of few proxies including Polipo, shim, privoxy, ziproxy. Polipo and shim had a simpler code but each had its own problem. Meanwhile, I tested Stegotorus upon Polipo and confirmed that its traffic doesn't survive Polipo's proxying.

I decided to start with much simpler proxy. First started to implement one using twisted, but I found a sample proxy as a part of libevent code which finally, I decided to use for my tests.

Next step, I integrated the proxy code to Stegotorus code. I also added a simple proxy test to the set of unitary tests of Stegotorus. I confirm it failed.

3. I spent some time reading following papers on the effects of weekly configured (security-wise) / evil http proxies on http(s) traffic, to get some insight in http proxy role:

* Talking o yourself for fun and profit. * Pretty-Bad-Proxy: An overlooked adversary in browsers' HTTPS deployments. * Divide and Conquer: HTTP response splitting, web cache poisoning attacks, and related topics.

It was while we were waiting for Stegotorus code to become public.

4. I spend last week, to debug the problem with Stegotorus and libevent sample proxy. After, sharing my finding with Zack, it turned out that the proxy cannot handle the situation when one side, shuts down the buffer for writing but still reads from it. So, I modified the proxy code [3] and now Stegotorus passes the proxy test.

During coming two weeks, I'm going through the steg protocol code and tries to improve the code, following Zack's advice. Also, I'll try to implement more sophisticated proxy test, like one that involves header manipulation.

Sorry for the long update. It was like a 6 week report. Next one will be much shorter.

Stay tuned and enjoy the June! vmon

1. https://github.com/vmon/stegotorus/commit/2f3932c433f743fd8bee54fffb75e565a8... 2. https://github.com/vmon/stegotorus/commit/9267db9d5d6d2c3ea959d30e1b84340123... 3. https://github.com/vmon/stegotorus/commit/f86479782b27385d92679acaae8802ade5...