On Tue, Oct 8, 2013 at 10:49 AM, Jeroen Massar jeroen@massar.ch wrote:
On 2013-10-07 22:48, Zack Weinberg wrote:
On Mon, Oct 7, 2013 at 4:36 PM, Jeroen Massar jeroen@massar.ch wrote:
On 2013-10-07 16:13, GDR! wrote:
"For example, there MIGHT be a HTTP transport which transforms Tor traffic to look like regular HTTP traffic."
I missed the "MIGHT" part. Too bad this doesn't exist.
It does: StegoTorus.
Unless something has changed very recently, all publicly available copies of StegoTorus are missing critical pieces of functionality (such as the ability to use a session key that isn't HARDWIRED INTO THE SOURCE CODE),
Indeed, the version you created had this and many other issues, these have been addressed, but indeed not made publicly available yet, though Tor Project members have had updates to it already.
I'm glad to hear that improvements have been made.
All I am asking is that you refrain from suggesting that StegoTorus solves anyone's problems -- and ideally that you refrain from bringing it up at all -- until the improved version is publicly available. I do not want anyone to get the idea that the current public version is safe to use.
As you are very aware unfortunately the people working on the system have restrictions on code releases, they are doing their best to get it out in the open though.
If development continues to be done behind closed doors, I rather think no one will be inclined to trust the end product.
That is a good idea, releasing/publishing code of that quality is IMHO quite irresponsible. It is good that one needs to specifically set it up on either side though before using it, as that gives an insight to the quality of the code.
It is still there mainly because I don't want to pull the rug out from under vmon, who I believe is also still working on it. vmon, can you comment on your current plans and the extent to which you need that code there?
Anyone interested in hacking on steganographic transports nowadays would be well-advised to begin from something else, such as Yawning Angel's LODP.
While it is a project with a lot of merit, in a lot of locations UDP will simply not be going in or out of a country...
It is thus a project with quite different goals and resolving a very different problem, than what StegoTorus is trying to resolve.
Based on my experience with StegoTorus, I think LODP will be a better *infrastructure* on which to build steganography. (Specifically, UDP as the transport between what ST calls the "chopper" and the "steg modules" should make a bunch of message-framing headaches just disappear.)
zw