Slashdot Mirror


Tor Tests Undetectably Encrypted Connections In Iran

Sparrowvsrevolution writes "Ahead of the anniversary of Iran's revolution, the country's government has locked down its already-censored Internet, blocking access to many services and in some cases cutting off all encrypted traffic on the Web of the kind used by secure email, social networking and banking sites. In response, the information-freedom-focused Tor Project is testing a new tool it's calling 'obfsproxy,' or obfuscated proxy, which aims to make SSL or TLS traffic appear to be unencrypted traffic like HTTP or instant messaging data. While the tool currently only disguises SSL as the SOCKS protocol, in future versions it will aim to disguise encrypted traffic as any protocol the user chooses. Tor executive director Andrew Lewman says the idea is to 'make your Ferrari look like a Toyota by putting an actual Toyota shell over the Ferrari.'" Reader bonch adds: "A thread on Hacker News provides first-hand accounts as well as workarounds."

37 of 157 comments

  1. Sounds like a tool for P I R A T E S !! by elrous0 · · Score: 5, Funny

    The MPAA has already called in the FBI, CIA, NSA, and a cadre of hired Senators to put a stop to this illegal piracy-facilitating tool--which, if it's not stopped, will cost millions of American jobs and perhaps collapse the entire economy. Our children's futures are at stake here, people!!!

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Sounds like a tool for P I R A T E S !! by rathaven · · Score: 5, Funny

      Not to mention their access to porn...

    2. Re:Sounds like a tool for P I R A T E S !! by jcreus · · Score: 2

      Hmm. Let's take down computers, operating systems, browsers... They also use them!

    3. Re:Sounds like a tool for P I R A T E S !! by phrostie · · Score: 4, Insightful

      Wasn't it the Government that first created it?

      from their about page:

      "Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. Today, it is used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, and many others. "

    4. Re:Sounds like a tool for P I R A T E S !! by MightyYar · · Score: 5, Funny

      Hi there! 48
      All is well in the Islamic Republic! 65
      Our glorious leader has won another election! 6c
      Praise Allah! 70

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    5. Re:Sounds like a tool for P I R A T E S !! by chichilalescu · · Score: 4, Insightful

      dear slashdot,
      can we please have a +1 "sad but true" option?

      --
      new sig
    6. Re:Sounds like a tool for P I R A T E S !! by TubeSteak · · Score: 4, Interesting

      Don't forget that the US State Department is the de-facto sponsor of TOR.
      TOR gets most of its funding from groups that get most of their funding from the State Dept.

      --
      [Fuck Beta]
      o0t!
    7. Re:Sounds like a tool for P I R A T E S !! by Jah-Wren+Ryel · · Score: 3, Insightful

      Wasn't it the Government that first created it?

      The US government also funded the Taliban (to fight the Russians) and the Israeli government funded Hamas (to fight the PLO).

      --
      When information is power, privacy is freedom.
    8. Re:Sounds like a tool for P I R A T E S !! by willaien · · Score: 2

      You'll have to do with +1 insightful.

    9. Re:Sounds like a tool for P I R A T E S !! by Luckyo · · Score: 3, Funny

      Then look at their imaginary size (our yearly piracy losses are bigger than world's GDP says report given to Congress!), then look at modern economy being about imaginary values rather than real values (stock market, derivatives, futures...).

      Then get a big bottle of your favourite alcohol and drown the sorrow.

  2. The root of the problem by hobarrera · · Score: 3, Insightful

    While this is a great effort, and I really congratulate the Tor proyect for all that they've done and continue to do, this still is nowhere close to the solution on the real issue here: governments that over and over again limit people's freedom of speech and privacy.

    1. Re:The root of the problem by Anonymous Coward · · Score: 2, Interesting

      What do you propose we Western geeks do about the government of Iran?

    2. Re:The root of the problem by capnchicken · · Score: 4, Insightful

      Unfortunately you always have to build things in spite of people, and can never count on altruism because there will always be bad actors, and those bad actors always have the chance of gaining power. It's the human condition, the only thing you can do is route around it. I agree we should address it from many fronts, but technological circumvention, while maybe only alleviating symptoms, seems to be very effective.

      --
      A libertarian shat on my carpet once. Claimed the free market would sort it out. -Ford Prefect(8777)
    3. Re:The root of the problem by John3 · · Score: 4, Funny

      Write code that messes with their technology, perhaps something that might wreak havoc on centrifuges or other industrial machinery?

      --
      "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    4. Re:The root of the problem by Culture20 · · Score: 2

      Tor proyect

      That sounds like commie talk, comrade.

    5. Re:The root of the problem by Anthony+Mouse · · Score: 2

      While this is a great effort, and I really congratulate the Tor proyect for all that they've done and continue to do, this still is nowhere close to the solution on the real issue here: governments that over and over again limit people's freedom of speech and privacy.

      That is sort of missing the big picture. Yes, you have to fight governments that oppress and censor... but this is one of the ways you do it. It's a lot easier to convince someone that censorship is wrong if it is, in any event, totally ineffective -- because you take away any possible upside. It no longer becomes a weighing of the benefits of censorship against its costs, because the benefits are destroyed by developing this type of technology. Censorship becomes something that has only costs, and there ceases to be any incentive for a self-interested government to impose it.

  3. Disguise encrypted as unencrypted? by Arancaytar · · Score: 4, Funny

    How do you hide something unreadable within something readable? ... damn, you're going to make me RTFA, aren't you? :P

    1. Re:Disguise encrypted as unencrypted? by Pseudonym+Authority · · Score: 2

      You mean something like steganography?

    2. Re:Disguise encrypted as unencrypted? by pushing-robot · · Score: 5, Insightful

      It's steganography. They've created a strong AI capable of passing as human and conversing intelligently with other copies of itself. Each AI instance develops relationships with others, sharing email and IMs about its loves and hates, passions and dreams, even photos of virtual family and pets. All of which can contain a hidden payload of your private data.

      But enough technical mumbo-jumbo. What matters is you'll now be able to surf porn sites without anyone knowing.

      --
      How can I believe you when you tell me what I don't want to hear?
    3. Re:Disguise encrypted as unencrypted? by X0563511 · · Score: 2

      encapsulation.

      Here's one way to do it:

      Send the SSL data in a standard HTTP stream. Even better, base64 encode the data, so it looks like actual text.

      To block this means either blocking HTTP as a whole, or building/buying some expensive stuff that can understand HTTP and do some kind of content analysis on it.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
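
An added example (not part of the comment above, and not Tor or obfsproxy code) of the "content analysis" that comment says a filter would need: decode any long base64 run in an HTTP body and measure the byte entropy of what comes out. The function names, the 7.5 bits/byte threshold and both sample payloads are assumptions made for this sketch.

```python
import base64
import hashlib
import math
import re
from collections import Counter

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # long base64-looking runs

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_body(body: bytes, threshold: float = 7.5) -> str:
    """Label an HTTP body by what its base64 runs decode to."""
    runs = B64_RUN.findall(body)
    if not runs:
        return "plain"
    decoded = b""
    for run in runs:
        core = run.rstrip(b"=")
        core = core[: len(core) - len(core) % 4]  # whole 4-char groups only
        decoded += base64.b64decode(core)
    if entropy_bits_per_byte(decoded) >= threshold:
        return "high-entropy"  # ciphertext or compressed data; cannot tell which
    return "encoded-text"

# Constructed samples: a SHA-256 counter stream stands in for ciphertext.
FAKE_CIPHERTEXT = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
)
PROSE = b"The quick brown fox jumps over the lazy dog while the censor reads along. " * 40

if __name__ == "__main__":
    for name, body in [("prose", PROSE),
                       ("base64(prose)", base64.b64encode(PROSE)),
                       ("base64(ciphertext)", base64.b64encode(FAKE_CIPHERTEXT))]:
        print(name, classify_body(body), round(entropy_bits_per_byte(body), 2))
```

On the wire the base64 text never exceeds about 6 bits per character, so it only separates from ordinary encoded text after decoding; a base64-wrapped JPEG or gzip stream lands in the same "high-entropy" bucket, which is why this check yields suspicion rather than proof of encryption.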
    4. Re:Disguise encrypted as unencrypted? by betterunixthanunix · · Score: 2

      Think of it in terms of error correcting codes. You and I agree on a secret linear code, and we then add our codewords to a noisy channel (at the lowest power possible to allow decoding to occur). If the noise power is high enough, then our codewords should be undetectable in the channel; but we can still recover the codewords because we know what error correcting code is being used (it is widely believed that detecting the codewords without knowledge of the code is hard; this is just a restatement of the Learning With Errors problem). Our secret key is a description of the code (which is just a matrix) and we can even turn this into a public key system.

      Now, the trick is to determine if the system is still secure when the noise is sampled in some specific way that we cannot control. Is the background noise in a voice chat suitable? What about packet delays (which might be manipulated by your ISP to break the system)? The method described above works fine as a cryptosystem, but there is more work to be done if you want a stegosystem.

      --
      Palm trees and 8
    5. Re:Disguise encrypted as unencrypted? by trum4n · · Score: 2

      ...as opposed to closing your eyes and chucking darts at the same list.

      However, it does extend the operating life of your LCD.

    6. Re:Disguise encrypted as unencrypted? by KhabaLox · · Score: 2

      If the noise in the LSB tends to be Brownian and you replace it with white noise, that's going to be detectable

      Replacing brown noise with white noise? Sounds pretty racist to me.

      --
      Ceci n'est pas un sig.
    7. Re:Disguise encrypted as unencrypted? by anubi · · Score: 2

      The first thing I thought while I was loading this topic was steganography. So I asked my browser to find this word and discovered you beat me to it.

      A really good question now is how do you allow any internet traffic at all? Nearly anything can be encoded with steganographic information.

      There was one guy on the net a few years ago named "Fravia" that went on in detail how to make steganographic communications programs on the fly. Wonderful work.

      After reading his essays, which he so graciously shared with the world, I knew every hardcore computer oriented freedom fighter would archive his works. This technology would assure that as long as there was communication at all, no repressive regime would be able to censor it, or even know what was going on right under their nose.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  4. Seems about right by bigredradio · · Score: 4, Insightful

    The more you tighten your grip, $dictator, the more $locations will slip through your fingers. - $rebel_princess.

  5. If they're undetectable... by eternaldoctorwho · · Score: 2

    ...then how do they get tested deterministically? They MUST be undetectable, because the summary headlines are never ever wrong, nor do they exaggerate.

  6. Automated steganography by niteq · · Score: 2

    It'd be slow, for sure, but encapsulating messages inside of images using steganography libraries should be very feasible as a means of tunneling.

    --
    -niteq
  7. not the smartest headline by v1 · · Score: 2, Informative

    Tor Tests Undetectably Encrypted Connections In Iran

    "Undetectably encrypted". No. There really is no such thing. "Obfuscated", "disguised", ok I'll take those, but not "undetectably". Makes it sound like it's flat out impossible to figure out the traffic contains encrypted data.

    I'm sure Cisco and Motorola etc. will send their people over there this weekend to make upgrades to the censorware they sold them last year. They provide such good customer service to our adversaries when there's a buck to be made. (isn't there a law against this? they push so hard politically in one direction all the while the American businesses drive a dagger in the back of their goals)

    --
    I work for the Department of Redundancy Department.
    1. Re:not the smartest headline by X0563511 · · Score: 2

      A proper encryption without a header of some kind, and without the key, looks like random noise. You can suspect it's encrypted, but you cannot know for certain (ignoring context. even then, the context only suggests, not proves)

      So, pedantically, I suppose it IS possible. But not over in practical land.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:not the smartest headline by betterunixthanunix · · Score: 2

      Makes it sound like it's flat out impossible to figure out the traffic contains encrypted data.

      Well, in terms of steganography, we can speak of "strong" or "provably secure" steganography which can guarantee that no process can decide if a hidden message exists in the cover traffic with non-negligible advantage. If you have a low enough SNR, detecting the existence of the signal at all becomes impossible; the only trick is to ensure that someone with the secret key can still extract that signal.

      --
      Palm trees and 8
    3. Re:not the smartest headline by betterunixthanunix · · Score: 4, Informative

      Over in practical land, you need a noisy channel where the amount of noise is high enough to overpower efforts to detect your hidden signal, but where someone with special knowledge (knowledge of the secret key) can run an error correcting code to recover the hidden signal. This is not at all implausible; we already know how to make cryptosystems based on random linear codes; the real work would be ensuring that security is maintained even when you use the channel's naturally occurring noise to hide the signal (which may not be guaranteed).

      --
      Palm trees and 8
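
An added example (not from the thread) of the scheme betterunixthanunix outlines in the comments above: a bit is buried under small noise on top of a secret linear function, in the style of Learning With Errors, and only the holder of the secret can strip that function off and read the bit. The parameters `Q`, `N`, `NOISE` and all function names are assumptions chosen for a readable toy; they are far too small to be secure, and the noise here is self-generated, so this shows only the cryptosystem half, not the steganographic one.

```python
import random

Q = 3329    # modulus (toy choice)
N = 32      # length of the secret vector
NOISE = 3   # each error is drawn from [-NOISE, NOISE]

def keygen(rng):
    """Secret key: a random vector in Z_Q^N."""
    return [rng.randrange(Q) for _ in range(N)]

def hide_bit(secret, bit, rng):
    """One sample (a, c) with c = <a, s> + e + bit * (Q // 2) mod Q."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-NOISE, NOISE)
    inner = sum(x * y for x, y in zip(a, secret))
    return a, (inner + e + bit * (Q // 2)) % Q

def recover_bit(secret, sample):
    """Subtract <a, s>; the residue sits near 0 for bit 0, near Q/2 for bit 1."""
    a, c = sample
    r = (c - sum(x * y for x, y in zip(a, secret))) % Q
    return 1 if Q // 4 < r < 3 * Q // 4 else 0

def hide(secret, bits, rng):
    return [hide_bit(secret, b, rng) for b in bits]

def recover(secret, samples):
    return [recover_bit(secret, s) for s in samples]

if __name__ == "__main__":
    rng = random.Random(2012)       # seeded for repeatability; use a CSPRNG in practice
    key = keygen(rng)
    message = [1, 0, 1, 1, 0, 0, 1, 0] * 8
    samples = hide(key, message, rng)
    print("right key:", recover(key, samples) == message)
    print("wrong key:", recover(keygen(rng), samples) == message)
```

With the wrong key the residues are spread over the whole range, so the recovered bits are coin flips; the open problem raised in the comments, whether this still holds when the noise comes from the channel rather than from the sender, is not addressed by this sketch.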
  8. Iran's government is afraid, and thereby stupid by cryfreedomlove · · Score: 4, Interesting

    This arms race of censorship and counter measures will have one definitive outcome: the best and the brightest of Iranian youth will find a way to emigrate because they don't want to live in an isolated theocracy. The resulting brain drain will set them back a century. This is what happens to governments driven by fear. Those in power in Iran fear their own people the most.

    1. Re:Iran's government is afraid, and thereby stupid by Animats · · Score: 3, Informative

      the best and the brightest of Iranian youth will find a way to emigrate because they don't want to live in an isolated theocracy.

      They already did, decades ago. When the US-supported Shah of Iran was overthrown, many Iranians came to the US.

    2. Re:Iran's government is afraid, and thereby stupid by glop · · Score: 3, Informative

      Actually when the Shah was overthrown, most of the brightest people in Iran celebrated. That's because he was a really bad dictator and the only reason most people in the West are not aware of it is because he was very pro-American and very friendly with most western countries.
      The problem with revolutions is that it's hard to stabilize things afterwards. And there is no guarantee that the nice and respectful people will take over to draft a Constitution that grants freedom for the people. That's when many of the brightest in Iran got really disappointed and the religious extremists took the power.

      You can read the account of one of those brightest people who left Iran years later: http://en.wikipedia.org/wiki/Marjane_Satrapi
      Marjane's account seemed pretty fair and balanced to me (based on the differences with the cliches I had heard, what I know about the publishers, the variety of the anecdotes and their "true to life" aspect).

  9. As I read the blurb ... by Ungrounded+Lightning · · Score: 4, Informative

    How do you hide something unreadable within something readable? ... damn, you're going to make me RTFA, aren't you? :P

    As I read the blurb (I have no inside knowledge) they're not making the PAYLOAD look unencrypted. They're circumventing the type-of-flow identification mechanisms built into router filtering by encapsulating the encrypted data within an outer layer (and addressed to the port of) another protocol. (They may even have put a layer on top of the existing service so that, unless it identifies the flow as an encapsulated TOR flow, it actually PERFORMS the service.)

    The result would be that, if they intercept the flow and try to parse it as what it purports to be, it may not make sense. But if their router looks at the parts of the packets that are characteristic of what the flow purports to be, it will identify it as normal traffic and let it through. And if the router tries doing something like a keyword search through the bodies of the packets it won't get hits because the bodies are encrypted.

    You can use this approach with any protocol that can handle the traffic patterns of a TOR connection (possibly with added padding packets to make the characteristics look more like the purported flow).

    Downsides might be:

    1) If you do a masked TOR only server on the port they might try to connect to the purported flow and detect that this server is not what it seems.

    2) If you do a diverting pancake you need a way to flag for the pancake that this is the masked TOR flow. If that's well known they might write a filter for it. (Eric Wustrow, Scott Wolchok, Ian Goldberg, and J. Alex Halderman have developed a steganographic method for applying such a tag. It is embedded in their own "TELEX" network-based firewall bypasser but might be adapted to this purpose. paper, code: https://telex.cc/)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  10. If the censor can't see it, it will get blocked. by davidwr · · Score: 3, Interesting

    "If we can't parse it, it gets blocked."

    In the old days, Cuban international phone calls were monitored. At least one person started talking a language other than English or Spanish and the operator broke in and told them to speak English or Spanish or get cut off.

    Source: Something I read in a reputable newspaper or magazine back in the 1970s or 1980s.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  11. Translation of parent's ascii codes by Anonymous Coward · · Score: 2, Informative

    $ perl -e 'print "\x48\x65\x6c\x70\n"'
    Help
    $