Opened 13 months ago

#32047 new enhancement

Sharing Keys Through HTML?

Reported by: Aphrodites1995 Owned by:
Priority: Medium Milestone:
Component: Circumvention/Obfs4 Version:
Severity: Normal Keywords:
Cc: phw Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


If you read how RSA works, it is obvious that decrypting something that is not meant to be decrypted still works to get random digits that are similar length. Here, an idea would be to hide some random digits in HTML, for example into the first hundred colors in <style> or counting the number of letters inside the first fifty <p>s. These are numerical fields inside HTML that could have a string, encrypted by a Preshared RSA key (people know both the private and public key), put into it to be hidden. People will then decrypt that to get a public key to do the key sharing. While the censor cannot distinguish a regular HTML and a keysharing HTML because decrypting any regular HTML also gets you a salted public key, because both look like nothing. This is weak on its own because the censor could easily try to decrypt anything with the gotten key that originates from the requesting address, and if it works it is a tor connection, but at the same time, with two different connections originating from different addresses (could be two connections to WiFi to get different port forwarding), it is difficult for the censor to check every single connection against each HTML file for the key across the same public IP. I believe that obfs4 has this problem with the keysharing which reveals that it is a obfs4 connection.

Child Tickets

Change History (0)

Note: See TracTickets for help on using tickets.