On Mon, Oct 7, 2013 at 4:36 PM, Jeroen Massar jeroen@massar.ch wrote:
On 2013-10-07 16:13, GDR! wrote:
"For example, there MIGHT be a HTTP transport which transforms Tor traffic to look like regular HTTP traffic."
I missed the "MIGHT" part. Too bad this doesn't exist.
It does: StegoTorus.
Unless something has changed very recently, all publicly available copies of StegoTorus are missing critical pieces of functionality (such as the ability to use a session key that isn't HARDWIRED INTO THE SOURCE CODE), and also don't *really* implement HTTP, only something that looks like HTTP on cursory inspection but is trivial for an active attacker to detect (see Houmansadr et al., https://www.ieee-security.org/TC/SP2013/papers/4977a065.pdf ) Furthermore, last I looked at it, the "steg module" code (that is, the code that actually implements the HTTP-alike) was so riddled with security-critical bugs (of the "classic 1990s buffer overflow vulnerability" variety) that it was probably unsafe to run it on the public Internet *at all*. For these reasons, the copy of ST on my personal Github has been modified not to compile out of the box, and I am considering deleting it altogether.
Jeroen: I am aware that ISC and SRI are supposed to be working on fixes for these issues, but until the fixed code is available to the general public -- from the official Git repository on gitweb.torproject.org -- I request that you refrain from suggesting that StegoTorus solves this problem. In fact, I would prefer that you not even mention that it exists.
zw