Encrypted Traffic No Longer Safe From Throttling
coderrr writes "New research could allow ISPs to selectively block or slow down your encrypted traffic even if they cannot snoop on your transmitted data. Italian researchers have found a way to categorize the type of traffic that is hidden inside an encrypted SSH session to around 90% accuracy. They are achieving this by analyzing packet sizes and inter-packet intervals instead of looking at the content itself. Challenges remain for ISPs to implement this technology, but it's clear that encrypting your traffic inside an SSH session or VPN connection is not a solution to protect net neutrality."
You'd think that's how they're doing it, but it doesn't seem to be the case. Rogers customer here, and my SFTP (FTP over SSH) connections go at full-tilt, while BitTorrent has slowed down to a crawl (0-1 KB/sec) on my connection in the past (yes, using the latest uTorrent/Azureus Vuze client, with standard BT MSE/PE encryption enabled).
I don't know what's going on, but I suspect they've already figured out something that these Italian guys are researching now, and they've been able to identify BitTorrent from other encrypted traffic.
Actually, encrypted or not, the way the Sandvine (I think that was the name?) system used by Comcast worked was that it just did a traffic analysis: if your upload connection was more than X% saturated for N seconds, the Sandvine appliance would start spoofed RST injection to kill off connections. The only way around this would be a full-blown VPN that used an encrypted transport layer. (Encrypted BitTorrent, SSH, and nearly all encrypted protocols except the various VPN systems are an encrypted application stream over an unencrypted TCP session. Even some VPNs use an unencrypted TCP session to tunnel through, making them vulnerable to RST injection.)
retrorocket.o not found, launch anyway?
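A defender-side illustration of the RST injection described in the comment above. This is an added example, not vendor code or anything from the thread; it assumes (a heuristic, not something the comment states) that a RST forged by an in-path appliance usually arrives with a different IP TTL than genuine packets from the remote peer, because it was generated at a different hop distance. The packet trace is constructed.

```python
"""Flag TCP RSTs whose IP TTL does not match the TTL already seen from the
same sender on the same flow. Added illustration, not the appliance's logic.
Heuristic assumption: an injected RST comes from a different hop distance
than the real peer, so its TTL differs. All packets below are constructed."""


def flow_key(pkt):
    # Direction-specific key: who is sending to whom on which ports.
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def find_spoofed_rsts(packets, tolerance=0):
    """Return indices of RST packets whose TTL deviates from the TTL of the
    first non-RST packet seen from the same sender on that flow."""
    seen_ttl = {}       # flow_key -> baseline TTL for that sender
    suspicious = []
    for i, pkt in enumerate(packets):
        key = flow_key(pkt)
        if "R" in pkt["flags"]:
            baseline = seen_ttl.get(key)
            if baseline is not None and abs(pkt["ttl"] - baseline) > tolerance:
                suspicious.append(i)
        else:
            seen_ttl.setdefault(key, pkt["ttl"])
    return suspicious


# Constructed trace: handshake and data from a peer at TTL 52, then a RST
# claiming to be that peer but arriving at TTL 61, then a genuine RST at 52.
SAMPLE_TRACE = [
    {"src": "10.0.0.5", "sport": 51000, "dst": "198.51.100.7", "dport": 6881, "flags": "S", "ttl": 64},
    {"src": "198.51.100.7", "sport": 6881, "dst": "10.0.0.5", "dport": 51000, "flags": "SA", "ttl": 52},
    {"src": "10.0.0.5", "sport": 51000, "dst": "198.51.100.7", "dport": 6881, "flags": "A", "ttl": 64},
    {"src": "198.51.100.7", "sport": 6881, "dst": "10.0.0.5", "dport": 51000, "flags": "PA", "ttl": 52},
    {"src": "198.51.100.7", "sport": 6881, "dst": "10.0.0.5", "dport": 51000, "flags": "R", "ttl": 61},  # forged
    {"src": "198.51.100.7", "sport": 6881, "dst": "10.0.0.5", "dport": 51000, "flags": "R", "ttl": 52},  # genuine
]

if __name__ == "__main__":
    for idx in find_spoofed_rsts(SAMPLE_TRACE):
        print("suspicious RST at packet", idx, SAMPLE_TRACE[idx])
```

The check only tells you a RST is suspect; it does not stop the kernel from honouring it. As the comment notes, the mitigation that actually removes the problem is carrying the TCP session inside an encrypted transport, where an outsider cannot forge a valid RST for the inner connection.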
And in the next (or two) release of SSH implementations, this weakness will, no doubt, be fixed.
Professional cryptographers have known for decades that you don't just switch on your transmitter when you want to send a secret message - no matter how well encrypted it is. The mere fact of traffic is frequently a sizeable tell-tale itself. Instead, you keep your transmitter on 24*7 sending encrypted garbage, with the ability to interleave genuine messages when the need arises. I'm sure that in a short time, the SSH people will remove the ability to profile the transmission to glean anything usable from it.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
how would this work for gaming online? 16 different IP destinations and I play for hours on end. My understanding of Xbox Live is that it is P2P and if they throttle my Halo 3 game, I'm gonna get pwned even more than normal.
Can I bum a sig?
Actually, strange you should suggest this, I was working on a small and rather generic package to tunnel data between hosts in this very way, constant rate/constant packet size tunneling, with empty data filled with random noise, and with non-packet-aligned encrypted data overlaid when there is data to actually send. I was going to call it tstunnel. Yes, it is somewhat of an extreme response to an extreme problem.
> introducing random jitter would go some way to subverting this, no?
Exactly. I took a few minutes to glance over the paper. Their feature extraction stage consists of two predictable attributes: packet size and time between packets. Modifying the traffic sent at the application layer (SSH itself does not even need to be touched) can trivially ambiguate the extracted features so as to throw off the classification attempt. This is simply a road bump; as soon as it gets into use, application-layer proxies will pop up to circumvent it.

They also seemed to have invented their own home-brew statistical analysis. I was disappointed that they did not go into detail as to why they largely ignored the entire field of Machine Learning (NaiveBayes? Perceptron? kNN? Why not try using these?) when coming up with their classification model.
An unjust law is no law at all. - St. Augustine
My ISP already throttles my connection by price. I've currently got 256/768 as that suits my needs. If they were to start throttling any more of my net access (I'm paying for unlimited at 256/768) I'd have their asses in court in a hurry for false advertising and violation of contract, which I have kept the hard copy of from the day I signed up for service.
I was one of the first adopters to get broadband when it became available 6 years ago in my area and according to the original contract (have hardcopy on file) they planned offering tiered service with it being a simple change in minimum speeds and thus not requiring a new contract. I also informed them that I'm worse than a squeaky wheel, I'm like a brake that's gone metal to metal since I'm semi-retired and disabled with plenty of time on my hands to pursue things every time they try to change my contract without consent.
Mod me up/Mod me down: I won't frown as I've no crown
1) Those plugins don't do very much uploading whereas bittorrent users do.
2) Those plugins that do "fetch ahead" tend to stick to fetching from the same few sites - they may make lots of connections but they are to the same few sites (ad webserver, content webserver, icon/widget server etc), and they stop at some point - otherwise your browser would be downloading the entire internet (and AFAIK they don't do that). And really they definitely don't upload much.
Personally I think the US ISPs are scumbags not because they throttle, but because it seems they took USD 200 billion and promised to deliver 45Mbps up/down.
But after taking that 200 billion, more than ten years later their users have still only got DSL and cable, and they're getting throttled.
Too bad most of the users don't appear to know how screwed they really got. They should ask for the ISPs to build the infrastructure NOW.
But I suppose given a big enough crime, you are more likely to get away with it.
Cheat one person of money and it's jail time. Cheat 10 people and it's longer jail time. Cheat 100000 people, and you become a rich CEO and the board gives you a big fat bonus.
Kill one person and you get a life sentence or death row. Kill 20 people, and people start asking for you to be executed. Get thousands of people killed, and who knows, you might get elected president.
Huh, that's funny. My understanding, from talking with many people who work for a certain (unnamed) ISP, is that the biggest problem is streaming media, not bittorrent, and as such most users would NOT find metered internet to be cheaper at all.