Opened 4 months ago

Last modified 3 months ago

#30500 assigned task

Can the GFW still do DPI for "new" vanilla Tor?

Reported by: phw
Owned by:
Priority: Low
Milestone:
Component: Circumvention/Censorship analysis
Version:
Severity: Normal
Keywords: gfw, china
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I heard from a team of researchers that they failed to get their vanilla bridge probed by the GFW, despite connections from several vantage points in China. I set out to test this myself. Here are the results:

  1. I repeatedly established a vanilla Tor connection from a VPS in China (running 0.3.2.10) to a bridge in the U.S. (running 0.2.9.16, and later 0.4.1.0-alpha-dev).
  2. All bridge connections bootstrapped to 100%. There was neither active probing nor blocking.
  3. I then used the tool tcis on the China VPS to simulate a Tor handshake. The tool creates a TLS client hello as sent by a rather old Tor version -- I don't remember how old, exactly.
  4. After running tcis, I immediately got my bridge probed and blocked.

The above makes me wonder if newer Tor versions changed their TLS handshake in a way that the GFW's DPI rules haven't caught up with yet. It would be interesting to test this hypothesis and, if it's true, to find out what Tor changed in its TLS handshake.

Child Tickets

Attachments (1)

probes.pcap (1.0 KB) - added by phw 3 months ago.
Pcap file containing a decoy connection and two subsequent active probes.


Change History (7)

comment:1 Changed 4 months ago by phw

Indeed, it looks like newer versions of Tor use a cipher list that is different from the one from several years ago.

tcis used 29 cipher suites in its TLS client hello:

"\xc0\x0a\xc0\x14\x00\x39\x00\x38\xc0\x0f\xc0\x05\x00\x35\xc0\x07" \
"\xc0\x09\xc0\x11\xc0\x13\x00\x33\x00\x32\xc0\x0c\xc0\x0e\xc0\x02" \
"\xc0\x04\x00\x04\x00\x05\x00\x2f\xc0\x08\xc0\x12\x00\x16\x00\x13" \
"\xc0\x0d\xc0\x03\xfe\xff\x00\x0a\x00\xff"

Tor 0.3.2.10 used 15 cipher suites:

"\xc0\x2b\xc0\x2f\xcc\xa9\xcc\xa8\xc0\x2c\xc0\x30\xc0\x0a\xc0\x09" \
"\xc0\x13\xc0\x14\x00\x33\x00\x39\x00\x2f\x00\x35\x00\xff"

The active prober that showed up right after the tcis "connection" used a whopping 65 suites:

"\xc0\x30\xc0\x2c\xc0\x28\xc0\x24\xc0\x14\xc0\x0a\x00\xa3\x00\x9f" \
"\x00\x6b\x00\x6a\x00\x39\x00\x38\x00\x88\x00\x87\xc0\x32\xc0\x2e" \
"\xc0\x2a\xc0\x26\xc0\x0f\xc0\x05\x00\x9d\x00\x3d\x00\x35\x00\x84" \
"\xc0\x12\xc0\x08\x00\x16\x00\x13\xc0\x0d\xc0\x03\x00\x0a\xc0\x2f" \
"\xc0\x2b\xc0\x27\xc0\x23\xc0\x13\xc0\x09\x00\xa2\x00\x9e\x00\x67" \
"\x00\x40\x00\x33\x00\x32\x00\x9a\x00\x99\x00\x45\x00\x44\xc0\x31" \
"\xc0\x2d\xc0\x29\xc0\x25\xc0\x0e\xc0\x04\x00\x9c\x00\x3c\x00\x2f" \
"\x00\x96\x00\x41\xc0\x11\xc0\x07\xc0\x0c\xc0\x02\x00\x05\x00\x04" \
"\x00\xff"

comment:2 Changed 3 months ago by phw

The research team I've been in touch with could not trigger active probing with tcis as the client and a netcat listener as the server. I suggested using a bridge instead of a netcat listener, which resulted in active probing. This suggests that the GFW is also considering some information that's sent from the server to the client.

comment:3 Changed 3 months ago by arma

Are you saying Tor bridges / relays can look for those 65 ciphers, and refuse to continue in that case? :)

comment:4 in reply to: 2; Changed 3 months ago by arma

Replying to phw:

The research team I've been in touch with could not trigger active probing with tcis as the client and a netcat listener as the server. I suggested using a bridge instead of a netcat listener, which resulted in active probing. This suggests that the GFW is also considering some information that's sent from the server to the client.

It would be interesting, for posterity, for somebody (maybe somebody in this research team you speak of) to poke at the server side of the handshake and figure out what exactly they're relying on to decide that it's a Tor bridge. My guess is it's something in the SSL cert, e.g. the address.

Or maybe it is simply an SSL response at all? I could imagine China is trying to reduce the number of active probes they do, and if they didn't check *something* on the server side, a client inside China could just spam the internet with Tor client handshakes and then the active prober would need to probe all of it.

Changed 3 months ago by phw

Attachment: probes.pcap added

comment:5 in reply to: 3; Changed 3 months ago by phw

Replying to arma:

Are you saying Tor bridges / relays can look for those 65 ciphers, and refuse to continue in that case? :)

I don't think that would work well. I just caught two more probes and attached the resulting pcap file. It contains three TLS client hello packets: the first is a tcis decoy connection from a system in China (I rewrote the IP address to 1.1.1.1) to my Tor bridge (rewritten to 2.2.2.2). The next two packets are active probes, with their original IP addresses. Interestingly, their cipher list differs: one has 65 suites while the other one has 68 suites.

The site tlsfingerprints.io has seen the cipher list of the first probe 138,000 times and the second probe <100 times. FWIW, tlsfingerprints.io works as follows:

We collect anonymized TLS Client Hello messages from the University of Colorado Boulder campus network, in order to measure the popularity of various implementations actually used in practice.
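
Added example, not code from the ticket or from Tor: a small parser that pulls the cipher_suites field out of a raw TLS ClientHello record (the kind of packet in the attached pcap) and decodes the byte strings quoted in comment:1 into 16-bit suite IDs so the tcis and Tor 0.3.2.10 lists can be compared. The ClientHello builder is a constructed stand-in for a captured packet; the 65-suite prober list can be pasted in the same way.

```python
import struct

# Cipher-suite byte strings as quoted in comment:1 (big-endian 16-bit suite IDs).
TCIS_SUITES = (b"\xc0\x0a\xc0\x14\x00\x39\x00\x38\xc0\x0f\xc0\x05\x00\x35\xc0\x07"
               b"\xc0\x09\xc0\x11\xc0\x13\x00\x33\x00\x32\xc0\x0c\xc0\x0e\xc0\x02"
               b"\xc0\x04\x00\x04\x00\x05\x00\x2f\xc0\x08\xc0\x12\x00\x16\x00\x13"
               b"\xc0\x0d\xc0\x03\xfe\xff\x00\x0a\x00\xff")
TOR_0_3_2_10_SUITES = (b"\xc0\x2b\xc0\x2f\xcc\xa9\xcc\xa8\xc0\x2c\xc0\x30\xc0\x0a\xc0\x09"
                       b"\xc0\x13\xc0\x14\x00\x33\x00\x39\x00\x2f\x00\x35\x00\xff")

def decode_suites(raw):
    """Split a raw cipher_suites field into a list of 16-bit suite IDs."""
    if len(raw) % 2:
        raise ValueError("cipher_suites length must be even")
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, len(raw), 2)]

def client_hello_suites(record):
    """Extract cipher_suites from a TLS record that carries a ClientHello.
    Layout: 5-byte record header, 4-byte handshake header, 2-byte version,
    32-byte random, 1-byte session_id length + session_id,
    2-byte cipher_suites length + cipher_suites."""
    if len(record) < 5 or record[0] != 0x16:      # content type: handshake
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if not hs or hs[0] != 0x01:                   # handshake type: client_hello
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                              # skip handshake header, version, random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    return decode_suites(hs[pos:pos + cs_len])

def build_client_hello(suites_raw, session_id=b""):
    """Constructed minimal ClientHello (TLS 1.2, zero random, no extensions) for testing."""
    body = (b"\x03\x03" + b"\x00" * 32 + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(suites_raw)) + suites_raw
            + b"\x01\x00")                        # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def compare(a_raw, b_raw):
    """Suites present in only one list, plus whether the order is identical."""
    a, b = decode_suites(a_raw), decode_suites(b_raw)
    return {"only_in_a": [x for x in a if x not in b],
            "only_in_b": [x for x in b if x not in a],
            "same_order": a == b}

if __name__ == "__main__":
    print([hex(s) for s in client_hello_suites(build_client_hello(TOR_0_3_2_10_SUITES))])
    print({k: [hex(x) for x in v] if isinstance(v, list) else v
           for k, v in compare(TCIS_SUITES, TOR_0_3_2_10_SUITES).items()})
```

Running it shows that only 9 of tcis's 29 suites survive in Tor 0.3.2.10, which added the ECDHE-GCM and ChaCha20 suites (0xc02b, 0xc02f, 0xcca9, 0xcca8, 0xc02c, 0xc030) at the front of the list.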

comment:6 in reply to: 4; Changed 3 months ago by phw

Replying to arma:

Replying to phw:

The research team I've been in touch with could not trigger active probing with tcis as the client and a netcat listener as the server. I suggested using a bridge instead of a netcat listener, which resulted in active probing. This suggests that the GFW is also considering some information that's sent from the server to the client.

It would be interesting, for posterity, for somebody (maybe somebody in this research team you speak of) to poke at the server side of the handshake and figure out what exactly they're relying on to decide that it's a Tor bridge.

I encouraged them to have a look at it.
