Ideas/Topics related to chaining Pluggable Transports / flashproxy

Thank you for this interesting discussion!

Pushing forward better circumvention support in Whonix is a fine thing to better support censored users. However, the threat model you originally had in mind (that I understand as “protect people from ending up in databases as extremists because they are connecting to known Tor servers by combining pluggable transports”), most likely won’t be improved.

Se this quote.

Quote Hide Tor use from the Internet Service Provider

Using private and obfuscated bridges alone doesn't provide strong guarantees of hiding the fact you are using Tor from your ISP. Quote (https://mailman.boum.org/pipermail/tails-dev/2013-April/002950.html http://www.webcitation.org/6G67ltL45) Jacob Appelbaum:

[quote] Some pluggable transports may seek to obfuscate traffic or to morph it. However, they do not claim to hide that you are using Tor in all cases but rather in very specific cases. An example threat model includes a DPI device with limited time to make a classification choice - so the hiding is very specific to functionality and generally does not take into account endless data retention with retroactive policing.[/quote]

Pluggable transports are an arms race against censors. Unfortunately, by concept it can not reliably hide Tor for everyone from passive eavesdroppers.

So even if they are unable to enumerate all bridges and we are able to trick them now, they’ll log all traffic and reclassify it as soon as they can detect, that pluggable transports have been used in past.

Also this only forwards the problem of ending up in a database marked as extremist from the user to someone else - to the one who hosts the bridge - because the bridge will connect to the public Tor network - and therefore will end up in a database marked as extremist.

The approach in countries who do not dare to ban the Tor network for everyone as censored countries do should be better an offensive one - get more people protest their constitutional right to privacy and marked as Tor users and extremists until the word extremist is so weak, that everyone is marked as one. I don’t see how the other approach “everyone or most should hide they are Tor users” is technically possible. For what you have in mind, the best concept might be friend to friend networks such as retroshare. Using friend to friend networks on top of the internet, we could end up with a net, that can reliably keep out eavesdroppers. However, it is a different approach than Tor. Both approaches are valuable and worthwhile.

In my opinion, the flashproxy concept is flawed. Censors can simply say “no open/incoming [server] ports for customer connections” + “open ports only for people who can provide a valid reason to require one”.

1. If a firewall is enabled on the host shouldn't it block portscanners from being able to see if there is a port listening on the host?
Usually firewall block all incoming ports by default. This further complicates flash proxy. Obstacles are host firewalls and/or home routers (due to NAT).
If this is still fingerprintable anyway, then perhaps we should avoid enabling it be default. And/or advise users to use some random port number manually.
I've sent a mail to the creator of flash proxy (David) to get an answer to that question.
I don't know if Whonix's version of Debian has seccomp backported yet.
It's in seccomp wheezy-backports. I don't know about seccomp. Is it enough to install the package and all applications making use of it will benefit from it?
3. Almost all off the shelf, run of the mill home routers have UPNP enabled.
But Tor's UPNP support is still broken and no one working on it?
4. They have taken care of that hard requirement by now, allowing other services to be used. Whether they are using an alternative now, I can't say and its a question best asked on the Tor mailinglist.

Although I can see conceptually how uneasy this would make us, the messages themselves are encrypted which should leave no room for MITM. Also think of gmail as no different than the many untrusted nodes that we traverse in any transaction over the network anyway.


Ok.