Slashdot Mirror
Google's Obfuscated TCP
agl42 writes "Obfuscated TCP attempts to provide a cheap opportunistic encryption scheme for HTTP. Though SSL has been around for years, most sites still don't use it by default. By providing a less secure, but computationally and administratively cheaper, method of encryption, we might be able to increase the depressingly small fraction of encrypted traffic on the Internet. There's an introduction video explaining it."
Wouldn't this result in a greater amount of, say, phishing sites?
The problem isn't computation - its a training thing. People who will encrypt will encrypt. Those who wont, wont.
Something better they could do: give out http ssl certs for free under their own root cert (which major browsers trust). The big barrier to ssl for small sites is cost - in some cases the cost of an ssl cert will exceed all other costs.
On one day Google is evil and doesn't care about privacy, and on the other day it cares about privacy...
Are we supposed to like Google or not now?
I'm confused :(
Firefox isn't helping the lack of SSL on the web by throwing a ridiculous warning when using self signed certs. Browsers should treat self signed certs as 'unsigned with the added bonus that communications can't be eavesdropped' instead of freaking out that you might not know who you are talking too.
self signed certs aren't appropriate for processing credit cards... but not every site that has forms needs that... and simply removing eavesdroppers would be a step in the right direction.
Opportunistic encryption was the original goal of the FreeS/WAN project. It was not realised, and the eventual forks (OpenSwan and strongSwan) are now aimed more at running IPSEC tunnels.
Patched server? Patched browser? Special DNS entries? Wow. I bet all the people that found SSL too difficult to implement will jump at this.
The video starts out saying that increased encryption is needed thanks in part to warrantless government surveillance. It then goes on to describe a system that assumes no MITM attacks can exist. The fact is, however, that governments are entirely capable of performing MITM attacks, as can telecommunications companies; and if it becomes popular we may see more techniques that allow individuals to perform MITM attacks. While this algorithm has significant merit, care needs to be taken to avoid a false sense of security.
How is this google's? Sure it is hosted on code.google.com but I see no link to google itself doing this.
Hosting companies get a limited about of IPv4 addresses from ripe, making it a pain the ass to assign a dedicated ip (which is needed for ssl) to every website they host.
Roll on IPv6
What the hell are people thinking making information in videos like this?! There is no added value at all; it just makes it exponentially more difficult to get the information!
This one however took the cake. The video is a black screen and narration... with a few random words or tags thrown up.
I know Google owns You Tube and all... but this has to be one of the dumbest uses of the medium I have seen and continue to see.
Sad. Web, meet TV.
This is not GOOGLE's Obfuscated TCP, this is a small one-man project HOSTED on Google Code.
That guy's gonna get tons of traffic for what's maybe a good idea but not endorsed or supported by Google.
All Hail Discordia. Hail Eris. Fnord.
By providing a less secure, but computationally and administratively cheaper, method of encryption, we might be able to increase the depressingly small fraction of encrypted traffic on the Internet.
If the encryption is computationally cheaper, then the decryption is computationally cheaper. I'd rather people know that what they're sending over the 'net can be sniffed than have them think that because example.com uses Rot13 encryption their traffic is private.
As mentioned in the video - this is intended to be transparent to the user. They'll be no indicator claiming it's a secure connection, no url or port change, etc.
So, basically we have the same concept as SSL, except instead of trusting the CA signature on the certificate, we trust DNS.
Forging a CA signature on a certificate would be a BIG DEAL.
Forging a DNS entry, especially with ISP cooperation(read government snooping), is DEAD SIMPLE.
So we replace real security with, well, a CPU hog that's only a smidge better than running everything in the clear. It only keeps out the MOST casual, lazy, and uninterested snooper.
TLS deals with this problem. It's just not widely supported, although perhaps more common than ipv6.
oh man, if you'd seen what lays under some websites, you'd be surprised as how it's not encrypting the transmission that is computationally expensive.
I mean ... do they really exists? Except for the paranoids ... I've never seen such attack make headlines.
Point is: I don't mind people seeing me using my free net, naked and full of anarchy ... I just don't want them to see my credit card number ... and my bank uses secure HTTP.
It is less secure because the keys are not verified, so a man-in-the-middle attack would work, but a passive attack (just listening) would not. It sounds like it uses DNS to verify the keys, so it may become (more?) secure if DNSSEC were implemented.
If the encryption is computationally cheaper, then the decryption is computationally cheaper. I'd rather people know that what they're sending over the 'net can be sniffed than have them think that because example.com uses Rot13 encryption their traffic is private.
A few key points:
I read the technical details and they talk about an advert being encoded in the CNAME, to distribute a curve25519 key and a port number. But they could have done much simpler using technology that already exists: encode the 160-bit SHA1 fingerprint of an X.509 certificate and a port number in the CNAME (only 32 chars needed in base32). Then connect to this port using HTTPS and simply verify that the certificate matches the fingerprint ! Advantages:
Ust-jay se-uay ode-cay.
It must have been something you assimilated. . . .
Seriously, not trying to troll, but wasn't this problem solved more completely by IPSEC back in 2000? Why hasn't IPSEC been adopted more? Why should this solution fare any better?
What does this have to do with Google other than being hosted on code.google.com?
I'd trust Google as far as I could throw them with any keys to encryption. They're so good at privacy!
we might be able to increase the depressingly small fraction of encrypted traffic on the Internet.
I agree that this would indeed be a good thing for several reasons. An encrypted message in a medium where most everything is plaintext may attract the attention of attackers or, worse, be seen as "suspicious" by a government. (Certainly the U.S. and the PATRIOT Act spring to mind, but let's not forget the truly oppressive governments such as China's and any number of third-world dictatorships.) If online privacy via encryption comes to be a right that everyone gets used to enjoying—much like how almost all mail is sent in sealed envelopes, whether or not its contents are sensitive—then it will be that much harder, for technical and/or social reasons, for an authority to take away. If Obfuscated TCP is even a token step in that direction (and it seems to be a bit better than that), then it is probably a good thing overall.
Someone earlier today on Slashdot was plugging Cory Doctorow's Little Brother, and I'm going to follow that example (you can read it for free!) as part of it advances the same idea.
self signed certs aren't appropriate for processing credit cards
VanillaMastercard throws up some warning on Firefox
So not one but two tags as "story," huh?
Failure formatting five FAQs of financial facts.
NOT Google's, just their code hosting. Title says it all.
It's interesting how the same idea gets "reinvented" over and over. Opportunistic encryption using advertised DH public numbers is just such a thing.
ObsTCP is just a reinvention of SKIP.
See here via the Wayback Machine since the concept is long dead and buried.
http://web.archive.org/web/20021129230049/http://www.skip-vpn.org/
Wow, just like many keynote presentations.
There was very little useful meat to it.
"By providing a less secure, but computationally and administratively cheaper, method of encryption, we might be able to..." give people a false sense of security.
Remember, weak encryption can be worse than none as Mary Queen of Scots found out at the cost of her life (see http://www.nikon.com/about/feelnikon/light/chap04/sec01.htm).
Google is entering 2 areas it shouldn't. 1, Al Gore invented the internet as we all know. 2, the pirate bay just announced their plan to encrypt the entire internet, and as they've stuck to their other projects I eagerly await the day they follow through with their encryption plan, which as of now is a great idea... and thats about it. But I'm sure we'll see more....
The warning is not ridiculous. An SSL connection doesn't derive its security solely from the fact that it's encrypted. It's equally important that the web site actually belongs to the entity it claims to belong to.
No, I take that back. It's a lot more important. How many identity thieves rely on packet sniffers? And how many rely on phishing? The ratio must be something like a million to 1. And any phisher can create a "secure" web site.
It might be convenient if there were a separate mechanism for sites that need to verify their identify, and sites that just want an encrypted connection so hackers can't sniff passwords. But there isn't. The inconvenience isn't a big one, because setting up a certificate just isn't that hard. The only reason nobody does it it because of the useless mechanism (those little approval boxes all computer users are programmed to ignore) that makes the whole certificate mechanism a joke.
Somebody needed to invent a mechanism to make sure that naive users don't open security holes. Somebody at mozilla.org invented one, and it works. The fact that it's a PITA is proof that it works. Deal with it.
This is equivalent, in a security sense, to SSH/TLS with self-signed certs. There's no protection against man-in-the-middle attacks, but there is some protection against passive eavesdroppers.
Unfortunately, man-in-the-middle attacks are most likely in the same situation that allows easy passive eavesdropping - public WiFi access points.
Also, they've chosen completely different cryptographic standards than SSH/TLS uses, with different key handling. Until many qualified people have gone over exactly how that all works, it can't be trusted. There's a long history of botched crypto schemes. Is this, for example, subject to playback attacks? We don't know. Worse, it involves putting more trust in DNS, which is already a problem.
If something like this is desirable, it might be worthwhile to have a version of Apache that generated a random self-signed SSH/TLS cert for every hosted domain, and a version of Firefox which tried to use an SSH connection for every connection and accepted self-signed certs, but displayed a weaker icon than the "lock" icon; perhaps a picture of a knot. That would use existing technology and wouldn't be hard to do.
kdawson, you are a king(queen?) among idiots. And the submitter, agl42, is a bastard prince(ss).
how did it escape both of you that google code != Google?
The reason girls and Windows users don't understand UNIX is because all the documentation is in Man files.
If the encryption is computationally cheaper, then the decryption is computationally cheaper.
Not at all true, 3DES is much more secure than about 90% of the more computationally expensive encryption options.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
If you'd listened to the video, you'd have learned that the proposal uses Elliptic curve cryptography which is considered to require smaller keys to provide a similar level of security to the integer methods used in SSL. It does not automatically follow that, "If the encryption is computationally cheaper, then the decryption is computationally cheaper." If you'd listened to the proposal, you'd also have learned that it does not intend to replace SSL/TLS for strongly authenticated transactions, but only replace currently unencrypted traffic.
Comment removed based on user account deletion
...we might be able to increase the depressingly small fraction of encrypted traffic on the Internet
Here we go: American paranoia again. I just don't get this country...
Not true. Go read up on elliptic curve encryption.
If the objective is to prevent large-scale keyword sniffing, then you can obfuscate it with compression.
The support is already built into the browsers.
Yes I know its not encryption, but if everything was gzip'd then it would cost the listener more to decrypt it. Plus gzip'd data would not invite any added attention.
You can even move host mid certificate and it will still work if you install it correctly on the new host.
You can use SSL for multiple domains on a single IP number, but you will have to get a cert for each domain.
And you can get certs quite cheaply.
Just make SSL cert cheaper and get rid of all the multiple server licensing and crap.
Make the damn thing ran by a non-profit organization and cut the cost.
Self signed certificates means LESS security, UNLESS you have verified the certificate (or its fingerprint) out of band.
Why?
Ranking:
1. Signed certificates are, in theory (but not in practice), safe.
2. No certificate means your communication may be sniffed.
3. Self-signed / Wrong URL certificates indicates that someone is a man-in-the-middle.
Yes, there might be some cheapass on the other end. However, that is up to you to verify. If you out-of-band verify that, and manually add the certificate on your end, then the 3 would go up to a number 1 - after verifying the fingerprint. Until that, it's an indication that it's a man in the middle.
In other words, that someone is actively sniffing the conversation.
The entire idea that self-signed certificates gives ANY security is insane! If someone is able to intercept the traffic and listen to it - they are most probably able to be a man in the middle. In other words - it provides absolutely no security what-so-ever ! ... unless it's verified out of band, but then it would be added to your local certificate store, and thus be a number 1.
That you have been rated as 5 is completely nuts. You don't understand the security model, and neither does the moderators.
slashdot needs more techies.
"Rune Kristian Viken" - http://www.nwo.no - arca
What I want is for the browser to give me a warning if the cert (self-signed or CA signed - separate warning controls) is a NEW one, or it has CHANGED since the last time (and the browser should keep copies of the previous certs for comparison).
;) ).
CA signed certs give a false sense of security too.
1) Verisign have already proven they can't be trusted to do things right.
2) AFAIK with popular browsers you don't get a warning if the cert changes or even the CA changes as long as the cert is signed by a CA installed in the browser.
Of course in the greater scheme of things your banking and other sites probably have bigger security holes in practice that make all these cert problems look like "small potatoes".
SQL injection. "Mother's maiden name" to reset password (yes I know you can use something different from your mother's maiden name - but people who forget their passwords regularly will forget that too
That's a silly argument. The fact is that self-signed certificates are more secure and more useful than plain HTTP, therefore, browsers shouldn't put up the silly warnings that they do.
Browsers could simply indicate http, https-with-self-signed, and https-with-authentication differently in the user interface.
Not necessarily. It's my understanding that 256 bit elliptic curve keys give about the same security as 2048 bit RSA ones... at a substantial computational discount.
(Whether this understanding is true or not you'll have to look up yourself, but it seems plausible on the surface.)
Self signed certs can not be authenticated...
I really wish you people would stop whining...
Signed,
Someone with an actual clue about cryptography.
Oh?
You are so clueful about crypto that you don't know what fingerprints and out-of-band authentication are?
My.
Self-signed SSL certs work marvelously in a number of use cases:
A) When an admin or user adds the cert to a client machine (like a laptop) in a secure environment.
B) When fingerprints are verified out of band, such as over the phone, over alternate sites and protocols, printed correspondence, etc...
C) When its only necessary to know that you are communicating with the same party you were last time.
Granted that 'C' may be a rare and less secure case, but the first two are easy to perform and can meet a high standard for authentication.
Why is this tagged as story?....fine fine there is a type tag done by the system. Which really should be hidden until it is actually used for something... But this is tagged story again. It happend a few stories down as well. Is there really a need to tell us it is an article twice ontop of the fact that it is a site full of stories?
It was just some dude talking with the occasional text showing up on the screen. YouTube as a medium for information dissemination is for complex ideas that require a visual aid. Not for making me stop my music to "read" an article.
If the encryption is computationally cheaper, then the decryption is computationally cheaper. What four Slashdot moderators voted this stupid comment up?
If you watch the video, your brain will leak out through your ears. It's terrible. Why produce a video which seems to be a black screen with a dark blue line wiggling when the person talks? Why pick a person with a crappy British accent and a speech impediment? Who's going to understand? Why flash up a couple of words here and there like "SSL" and "HTTP"? Why produce such a steaming pile of crap and call it an "introductory video"?
Instead, whoever is the video star in this could have written down their ideas in plain text. That would allow for easy reading and comprehension by people all over the world. Maybe I can read quickly. Maybe I don't want to sit around waiting for you to lisp and stammer through your presentation. Maybe I'd understand it better if I read it than if I heard it on a crappy video. Maybe I don't want to waste my bandwidth downloading several megabytes of video, where the same information in plain text might be a few kilobytes.
But seriously, you'd be amazed at the amount of FUCKTARDED nonsense "enterprises" do in the name of "security." (Need I mention TSA?)
It strikes me as fundamentally STUPID that SSL-like technology hasn't been fully incorporated into DNS. When I register a domain name, the person who can most authoritatively state who I am is me. DNS is the universal mechanism for me to declare what host(s) are qualified to represent my domain, so why do we have a completely separate, cumbersome, and counter-intuitive infrastructure for SSL?
Explaining what a signed SSL certificate is to most (non-techie) people takes several hours, if you want them to actually understand it. It's stupid that this complex, expensive, cumbersome security framework is basically all we have to secure sites on the Internet. It's no wonder that few sites do it!
But if, when you registered your domain, you automatically received a root-signed wildcard SSL certificate that you installed into your DNS server, you would instantly eliminate nearly all DNS spoofing attacks, and improve the security of the entire Internet.
You could still use the current SSL certificates system for additional security, but why not start with a reasonably secure system by default? It's just dumb that we aren't doing this already. Benefits of such a aystem:
1) When you pick up the DNS record for the domain, it would have a public certificate for the domain in the response. All DNS replies would come with a signature accompanied. This would effectively eliminate DNS spoofing.
2) When the browser hits the website, the browser already has the signed certificate (from the DNS query) and so is already "pre-set" to view the website. As a result, the website just has to either kick out the response (when not using encryption) with a signature in the headers (so you at least know you're getting the real deal) or you can use some encryption. Either way, the header should be present. You know you have the real deal, whether or not others can view it. This all but eliminates website spoofing, even if you don't encrypt the whole connection.
Either way, either with or without encryption, you still have improved the security of the connection simply by adding a small header.
Why isn't anybody doing this?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
No, This is about making the net more neutral.
ISP cannot look into obfuscated traffic, and thus cannot traffic shape it. (note that torrent/eMule is also obfuscated enabled)
ISP/NSA cannot datamine obfuscated traffic. Only targetted traffic can be obfuscated.
State censors cannot block traffic based on keywords. (chinese wall)
It is more a "why not?" statement.
Just a side comment. A consulting client, an accounting firm, asked about using encryption for emails etc... so I explained the steps necessary to generate a key pair, get the public key signed by a CA while getting their clients to do the same thing. This is BEFORE doing anything else. The reply? "Forget it!"
Another client, a medical clinic uses an insurance clearing house to process claims. The clearinghouse uses an ssl site for the clinic to upload their data. Unfortunately while the site uses ssl the actual data is sent using ftp and the data is in plaintext!
It gives me such a warm fuzzy feeling to know that programmers can be tech savvy enough to construct an ssl site but not competent enough to figure out how to transfer files over the ssl connection.
I am unfortunately culpable because I'd rather keep my clients rather than stand on principle. Even after I brought the situation to the clinic's attention the situation hasn't changed.
Bzzzt, wrong, thanks for playing. I written an app that makes the process as easy as starting a sniffer,
Really? and what kind of hardware does it require to play man in the middle to all connections on a multi-gigabit line?
This is what we are talking about. Whether it is illegal mass-surveillance from the government, or just your isp trying to inject targeted advertisement in the web pages you browse, man in the middle is just not an option for blanket surveillance at the moment.
Also, it is detectable, while sniffing is not. If all users are intercepted with a MITM attack, as soon as one of them verifies the key fingerprint through a side channel it will become public knowledge that everyone is being intercepted.
ask novell, microsoft, or cisco...what could possibly go wrong with hiding a poor authentication scheme from a user?
Good people go to bed earlier.
The user interface gives you a false sense of security. Or, better yet, the unimaginative developers can't invent an interface that doesn't give the user a false sense of security. Don't mind that those same developers have complete control on the interface and can access quite well how secure the page is, and thus, they could tell the user exactly how much security he has.
On this case, a self signed page is exacly as secure as an unencrypted one. So what is stopping Firefox to present both situations on the same way?
Rethinking email
Case 'C' happens all the time. Let's say somebody out there creates a site where people goes to read articles and post comments. Now, those comments can be signed, but you'll need a login and a password. Also, you don't want to let somebody else gather your password, so he could impersonate you. That is case 'C'.
Rethinking email
"Though SSL has been around for years, most sites still don't use it by default"
Isn't Apache still used on the majority of web servers? And doesn't Apache have a huge bug (or design flaw, whatever) where VirtualHosts don't work through SSL (IE: an Apache server can only serve ONE HTTPS site, and infinite HTTP sites)?
As rsmith-mac and I am sure many others have said:
"The W3C needs to separate authentication and encryption in the standards themselves, that's the only proper and safe way to change things."
How often do we find that it actually works better to "kill two birds with one stone?"
Make each work on its own. They both serve a different need.
"Waitress I need two more boat-drinks..."
Isn't it illegal for a company to transmit confidential personal information about clients over an insecure network?
0. SSL with cert which you recognize/know
1. SSL with cert signed by a trusted certificate authority
2. SSL with self-signed cert
3. Plain HTTP
I don't trust the "trusted certificate authority" all that much. It's much better to have remembered the certificate you used last time -- why don't browsers do this? SSH does...
It's a great idea.
Plenty of people will say "without authentication, encryption is useless". This is not true.
"Without authentication - encryption cannot protect your sensitive data" - this IS true.
With non-authenticated encryption - anyone can middle you. Easily. you won't notice.
The benefit is a large scale one, and has to do with numbers and methods. The government could possibly muster enough resources to MITM the whole internet... but doing so would be detectable, provable, and very differnet legally than just taking a passive copy of the bits on the wire, as they do now.
This method of using crypto won't prevent a focused attacker from getting at your bits... and by focused, I don't mean sophisticated.. just someone who's taking a moment to look at you, or the network you are on, rather than a massive amount of data and users at once.
What it will do is change the playing field, and Change the methods an ISP or other person must use to sniff our data and snoop on our bits... change it in a way that's beneficial for the end user.
That's an important change.
Yes, and in the cases you have described, Firefox will not show any warnings at all. It will treat it as trusted since you've already verified the certificate.
Incorrect. If the method of installing and/or verifying a cert is initiated by accessing the website in question, then the draconian/inappropriate warning will appear.
In fact all of those cases I listed (like verifying a fingerprint from printed correspondence) are normally done with the browser - it's the simplest way. You click the lock icon, then match the fingerprint in the dialog window to what is on paper or spoken to you over the phone: Voila, validated certificate.
If you think that signed certs can't be used for a man in the middle attack you have no clue who is in bed with the American based cert companies. Hint, they all have 3 letter names.
Because when it comes to modern encryption "secure" means "would take every computer on the planet longer than the age of the universe to break" and "less secure" might mean "would take every computer on the planet a few months to break".
// MD_Update(&m,buf,j);
Cheaper than SSL, and also weaker. Something that many people are willing to use and probably only NSA can crack. Delicious! Thanks Google.
Persian Project Management Software as a Service
"depressingly small fraction of encrypted traffic on the Internet"
Yes. Encrypt everything. NOTHING should be plain text. Openness sucks. You could then sell passwords...want online at all?...decryption key is ten dollars. Google decryption key...two dollars. Or would the decryption key just be time limited? Ten minutes of decryption: ten dollars!
Anyway, great thinking, there, Einstein.
Neither of those provide authentication of transport protocol flags (such as TCP RST), allowing denial-of-service attacks to be conducted against a connection regardless of the strength of the content encryption.
This approach DOES actually protect the transport from malicious interference, but that has its own issues.
retrorocket.o not found, launch anyway?
I'm not going to get involved with the whole "this vs. self-signed certs with SSL" thing.
One thing that SSL and SSH both do NOT do is protect the transport. Encrypt all you want, nothing stops you from getting Sandvined (having your traffic analyzed and then RSTs being sent based purely on bandwidth usage).
This approach actually implements authentication of transport protocol communications, such as RST flags. Thus it is not possible (or at least not nearly as easy as it used to be) for someone to send a spoofed RST at you and kill your connection.
The bad thing about this is:
It means the entire transport protocol must be reimplemented including congestion control and flow control.
There's a good chance that there will be buggy/"intentionally greedy" implementations out there where congestion control behaves badly, flooding the network.
retrorocket.o not found, launch anyway?
I can't say for sure because the congressional acts are written in legalese which I have a hard time with, but yes I think so.
I'm not sure about Sarbanes-Oxley but HIPAA certainly does.
Edwin