Opened 10 years ago

Closed 9 years ago

#2760 closed task (implemented)

Proof of concept transport plugin: superencryption

Reported by: arma
Owned by: asn
Priority: High
Milestone: Deliverable-May2011
Component: Circumvention/Pluggable transport


Nick started work on a socks proxy that will add its own layer of encryption on top of the Tor transport. The goal is to separate the task of making Tor unrecognizable on the wire from the task of achieving Tor's desired authentication and confidentiality requirements.

I think asn picked it up from there, and it's now called obfsproxy.

One of its goals is to act as a proof of concept for our modular transport proposal (#2758), but I also want to actually ship it with the Tor bundles for users in blocking countries, so they have a chance against the next DPI-using adversary.

What's the current status? Is it ready to get its own Trac component and its own Tor git repository?

Attachments (1)

obfsproxytext (2.5 KB) - added by asn 9 years ago.

Change History (14)

comment:1 Changed 10 years ago by arma

Priority: normal → major

comment:2 Changed 10 years ago by asn


obfsproxy, as a project, is basically two products atm:
a) the SOCKS proxy
b) an implementation of brl's OpenSSH obfuscation [1], which will be used on the Tor TLS handshake.

The status is the following:

  • SOCKS proxy:
      • Most of the SOCKS code is done. You are basically getting a functional SOCKS proxy if you pull the repo atm. But:
      • On the unit tests side, there are unit tests for the SOCKS5/IPv4 part, but we still miss SOCKS4 and IPv6 ones. nickm said that I can call it his task. We also miss a couple of obfsproxy internal unit tests [2].
  • OpenSSH obfuscation transport plugin:
      • Its code is ready. Its unit tests are ready. It also seems to work.
  • Tor side:
      • The Tor code that will allow the clients to handshake through the obfsproxy is not written. nickm told me that Tor can currently use SOCKS proxies, but I haven't had the time to check how and if it fits our use. We basically need Tor to pipe only its TLS handshake into obfsproxy, no?
  • Others/Future:
      • The current network code of obfsproxy has brl's transport plugin hardcoded all over it. In the future (or now), we should abstract this so that obfsproxy is modular and can easily support more plugins. I've made an attempt to abstract it here: [3]. obfsproxy can work alright without this as well - just with brl's plugin - but in the future we want it modular and compliant with

Basically, if we do the last unit tests, refactor/audit the code a bit and check the Tor side, I'd say it's shippable if it's urgent.

By the way, I was really not aware of #2759 (or well, I was, but I didn't know it was actively developed) or #2468. I'll try to steal some time and check them out today.

Personally, I'm in the middle of the exams period here, so I'm spending most of my time on the library studying boring stuff. I'll be able to actually get back to this next week.

* passes the mic to nick *

[2]: I had to check my notes for all these, so it might not be The Definite List Of Things Left Todo.
I've thought of some minor improvements, but I need more thinking time on how to abstract this correctly, what operations should all the plugins have, when should they be called etc.
All in all I haven't touched this for a while; I'm waiting for Nick's comments.

comment:3 Changed 10 years ago by asn

Oh yeah, it _has_ a Tor git repo:

comment:4 Changed 10 years ago by nickm

wrt the "a tor git repo", arma probably means "a tor git repo that doesn't say "nickm" in it."

For any Tor support, we need two more things. At a bare minimum, we need the ability to tell Tor that a given bridge uses a socks proxy, without making that socks proxy happen globally for all connections. There's a way to do that specified in the pluggable transport proposal document. Also, we need to tell Tor not to worry that all clients seem to be coming from the same address. There's a way to overcome that also specified in the pluggable transport document, or we could just see about disabling the parts of Tor that care based on an option.

comment:5 Changed 10 years ago by nickm

(oh, to be clear, this isn't quite the same as brl's obfuscation. See the spec for more info there.)

comment:6 Changed 10 years ago by asn

I don't know if this is the correct place to put this, but in my gitorious pluggable branch:
I have implemented some of the pluggable-transport spec. Basically, config.c now understands the new Bridge and ClientTransportPlugin lines, and it also pipes data according to the pluggable transports defined.

I've also done some more stuff in:
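
The per-bridge proxy selection discussed in comments 4 and 6, as an added example that is not part of the ticket, of Tor's config.c or of asn's branch: it parses `Bridge` and `ClientTransportPlugin` lines and decides, for each bridge separately, whether the connection goes through a SOCKS proxy. The line syntax is assumed from the pluggable transport proposal, the addresses and the `obfs2`/`dummy` transport names are constructed, and refusing a bridge whose transport is undefined is this example's own choice.

```python
# Added illustration; not code from Tor or obfsproxy.
# Assumed line syntax (from the pluggable transport proposal):
#   ClientTransportPlugin <name> socks4|socks5 <addr:port>
#   Bridge [<name>] <addr:port> [fingerprint]

SAMPLE_TORRC = """\
# constructed sample; addresses are from documentation ranges
ClientTransportPlugin obfs2 socks4 127.0.0.1:5000
Bridge obfs2 192.0.2.10:443
Bridge 192.0.2.20:9001
Bridge dummy 192.0.2.30:443
"""

def parse_torrc(text):
    """Return (transports, bridges) parsed from torrc-style text."""
    transports, bridges = {}, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments
        if not fields:
            continue
        key, args = fields[0].lower(), fields[1:]
        if key == "clienttransportplugin" and len(args) >= 3:
            name, method, addr = args[:3]
            if method in ("socks4", "socks5"):
                transports[name] = (method, addr)
        elif key == "bridge" and args:
            # A first argument without ':' is a transport name, not addr:port.
            name = args.pop(0) if ":" not in args[0] else None
            if args:
                bridges.append((name, args[0]))
    return transports, bridges

def route_for(bridge, transports):
    """Decide how the connection to one bridge leaves the client."""
    name, addr = bridge
    if name is None:
        return ("direct", addr)       # plain bridge: no proxy involved
    if name not in transports:
        # Fail closed: never fall back to an unobfuscated connection.
        return ("refuse", addr)
    return transports[name]           # proxy applies to this bridge only

def plan(text):
    """Map each bridge address to (method, target) for its connection."""
    transports, bridges = parse_torrc(text)
    return {addr: route_for((name, addr), transports) for name, addr in bridges}
```
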

comment:7 Changed 10 years ago by arma

Component: Tor Client → Pluggable transport
Owner: set to asn

comment:8 in reply to:  description Changed 10 years ago by arma

Replying to arma:

Is it ready to get its own [...] Tor git repository?

We made an official obfsproxy git repo, cloned from Nick's version:

I look forward to the day when Nick merges in some of asn's commits. :)

comment:9 Changed 9 years ago by nickm

I merged asn's commits. This thing can be successfully used to superencrypt and obfuscate. It's a pain in the neck to configure Tor to use it properly, but it's possible to do. Anything remaining on this one before we can call it "done well enough to call it a proof of concept"?

comment:10 Changed 9 years ago by arma

It would be good to have simple instructions for a demo -- "build this, run that, set your Tor client up like this, set up your bridge like this, look over here to see that it's working".

Changed 9 years ago by asn

Attachment: obfsproxytext added


comment:11 Changed 9 years ago by asn

I attached a file with instructions. It's not exactly beautiful or terribly non-technical friendly, but maybe it's a good start.
Now if only someone could enrich it, correct it and make it nice and web-y!

comment:12 Changed 9 years ago by nickm

Thanks, asn! I've put this in the obfsproxy git repo as doc/tor-obfs-howto.txt

comment:13 Changed 9 years ago by nickm

Resolution: implemented
Status: new → closed

I think we can call this completed at least at the "proof-of-concept" level. closing this ticket.
