Opened 8 days ago

Last modified 8 days ago

#30500 assigned task

Can the GFW still do DPI for "new" vanilla Tor?

Reported by: phw
Owned by:
Priority: Low
Milestone:
Component: Circumvention/Censorship analysis
Version:
Severity: Normal
Keywords: gfw, china
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I heard from a team of researchers that they failed to get their vanilla bridge probed by the GFW, despite connections from several vantage points in China. I set out to test this myself. Here are the results:

  1. I repeatedly established a vanilla Tor connection from a VPS in China (running 0.3.2.10) to a bridge in the U.S. (running 0.2.9.16, and later 0.4.1.0-alpha-dev).
  2. All bridge connections bootstrapped to 100%. There was neither active probing nor blocking.
  3. I then used the tool tcis on the China VPS to simulate a Tor handshake. The tool creates a TLS client hello as sent by a rather old Tor version -- I don't remember how old, exactly.
  4. After running tcis, I immediately got my bridge probed and blocked.

The above makes me wonder if newer Tor versions changed their TLS handshake in a way that the GFW's DPI rules haven't caught up yet. It would be interesting to test this hypothesis and, if it's true, to find out what Tor changed in its TLS handshake.

Child Tickets

Change History (1)

comment:1 Changed 8 days ago by phw

Indeed, it looks like newer versions of Tor use a cipher list that is different from the one from several years ago.

tcis used 29 cipher suites in its TLS client hello:

"\xc0\x0a\xc0\x14\x00\x39\x00\x38\xc0\x0f\xc0\x05\x00\x35\xc0\x07" \
"\xc0\x09\xc0\x11\xc0\x13\x00\x33\x00\x32\xc0\x0c\xc0\x0e\xc0\x02" \
"\xc0\x04\x00\x04\x00\x05\x00\x2f\xc0\x08\xc0\x12\x00\x16\x00\x13" \
"\xc0\x0d\xc0\x03\xfe\xff\x00\x0a\x00\xff"

Tor 0.3.2.10 used 15 cipher suites:

"\xc0\x2b\xc0\x2f\xcc\xa9\xcc\xa8\xc0\x2c\xc0\x30\xc0\x0a\xc0\x09" \
"\xc0\x13\xc0\x14\x00\x33\x00\x39\x00\x2f\x00\x35\x00\xff"

The active prober that showed up right after the tcis "connection" used a whopping 65 suites:

"\xc0\x30\xc0\x2c\xc0\x28\xc0\x24\xc0\x14\xc0\x0a\x00\xa3\x00\x9f" \
"\x00\x6b\x00\x6a\x00\x39\x00\x38\x00\x88\x00\x87\xc0\x32\xc0\x2e" \
"\xc0\x2a\xc0\x26\xc0\x0f\xc0\x05\x00\x9d\x00\x3d\x00\x35\x00\x84" \
"\xc0\x12\xc0\x08\x00\x16\x00\x13\xc0\x0d\xc0\x03\x00\x0a\xc0\x2f" \
"\xc0\x2b\xc0\x27\xc0\x23\xc0\x13\xc0\x09\x00\xa2\x00\x9e\x00\x67" \
"\x00\x40\x00\x33\x00\x32\x00\x9a\x00\x99\x00\x45\x00\x44\xc0\x31" \
"\xc0\x2d\xc0\x29\xc0\x25\xc0\x0e\xc0\x04\x00\x9c\x00\x3c\x00\x2f" \
"\x00\x96\x00\x41\xc0\x11\xc0\x07\xc0\x0c\xc0\x02\x00\x05\x00\x04" \
"\x00\xff"
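To make the three lists in comment:1 directly comparable, here is an added helper (not part of the ticket or of Tor's or tcis's code) that decodes each raw cipher_suites field into 16-bit suite IDs and diffs them in order. The byte values are copied from the comment above; the small name table is a partial lookup I added for the suites the diff turns up, everything else is shown as a hex ID.

```python
import struct

# Raw TLS cipher_suites fields as quoted in comment:1 (copied from the ticket).
TCIS_SUITES_RAW = (
    b"\xc0\x0a\xc0\x14\x00\x39\x00\x38\xc0\x0f\xc0\x05\x00\x35\xc0\x07"
    b"\xc0\x09\xc0\x11\xc0\x13\x00\x33\x00\x32\xc0\x0c\xc0\x0e\xc0\x02"
    b"\xc0\x04\x00\x04\x00\x05\x00\x2f\xc0\x08\xc0\x12\x00\x16\x00\x13"
    b"\xc0\x0d\xc0\x03\xfe\xff\x00\x0a\x00\xff"
)
TOR_0_3_2_10_SUITES_RAW = (
    b"\xc0\x2b\xc0\x2f\xcc\xa9\xcc\xa8\xc0\x2c\xc0\x30\xc0\x0a\xc0\x09"
    b"\xc0\x13\xc0\x14\x00\x33\x00\x39\x00\x2f\x00\x35\x00\xff"
)
PROBER_SUITES_RAW = (
    b"\xc0\x30\xc0\x2c\xc0\x28\xc0\x24\xc0\x14\xc0\x0a\x00\xa3\x00\x9f"
    b"\x00\x6b\x00\x6a\x00\x39\x00\x38\x00\x88\x00\x87\xc0\x32\xc0\x2e"
    b"\xc0\x2a\xc0\x26\xc0\x0f\xc0\x05\x00\x9d\x00\x3d\x00\x35\x00\x84"
    b"\xc0\x12\xc0\x08\x00\x16\x00\x13\xc0\x0d\xc0\x03\x00\x0a\xc0\x2f"
    b"\xc0\x2b\xc0\x27\xc0\x23\xc0\x13\xc0\x09\x00\xa2\x00\x9e\x00\x67"
    b"\x00\x40\x00\x33\x00\x32\x00\x9a\x00\x99\x00\x45\x00\x44\xc0\x31"
    b"\xc0\x2d\xc0\x29\xc0\x25\xc0\x0e\xc0\x04\x00\x9c\x00\x3c\x00\x2f"
    b"\x00\x96\x00\x41\xc0\x11\xc0\x07\xc0\x0c\xc0\x02\x00\x05\x00\x04"
    b"\x00\xff"
)

# Partial IANA name table (added here for readability; not from the ticket).
NAMES = {
    0xc02b: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xcca9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xcca8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xc02c: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xc030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xfeff: "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
    0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}


def decode_suites(raw: bytes) -> list:
    """Split a ClientHello cipher_suites field into big-endian 16-bit IDs, in order."""
    if len(raw) % 2:
        raise ValueError("cipher_suites field must be an even number of bytes")
    return list(struct.unpack(">%dH" % (len(raw) // 2), raw))


def suite_name(cid: int) -> str:
    """IANA name where known, otherwise the hex ID."""
    return NAMES.get(cid, "0x%04x" % cid)


def compare(a: list, b: list) -> dict:
    """Order-preserving diff of two suite lists.

    only_in_a / shared keep a's order, only_in_b keeps b's order, so the
    result also shows where a DPI rule keyed on list order would diverge.
    """
    set_a, set_b = set(a), set(b)
    return {
        "only_in_a": [c for c in a if c not in set_b],
        "only_in_b": [c for c in b if c not in set_a],
        "shared": [c for c in a if c in set_b],
    }


def report(label_a: str, a: bytes, label_b: str, b: bytes) -> str:
    """Human-readable summary of what b offers that a does not, and vice versa."""
    diff = compare(decode_suites(a), decode_suites(b))
    lines = ["%s vs %s: %d shared" % (label_a, label_b, len(diff["shared"]))]
    for key, label in (("only_in_a", label_a), ("only_in_b", label_b)):
        lines.append("  only in %s (%d):" % (label, len(diff[key])))
        lines.extend("    " + suite_name(c) for c in diff[key])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("tor-0.3.2.10", TOR_0_3_2_10_SUITES_RAW, "tcis", TCIS_SUITES_RAW))
    print(report("tor-0.3.2.10", TOR_0_3_2_10_SUITES_RAW, "prober", PROBER_SUITES_RAW))
```

Running it shows that every suite 0.3.2.10 offers but tcis does not is an ECDHE GCM or ChaCha20 suite, and that the prober's list lacks only the two ChaCha20 suites from Tor's list; that is the concrete set of changes a DPI rule written against the old hello would have to account for.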