diff --git a/censor.bib b/censor.bib
index c9e689a..1b0a3fc 100644
--- a/censor.bib
+++ b/censor.bib
@@ -1,3 +1,21 @@
+@inproceedings{Singh2017a,
+ author = {Rachee Singh and Rishab Nithyanand and Sadia Afroz and Paul Pearce and Michael Carl Tschantz and Phillipa Gill and Vern Paxson},
+ title = {Characterizing the Nature and Dynamics of {Tor} Exit Blocking},
+ booktitle = {USENIX Security Symposium},
+ publisher = {USENIX},
+ year = {2017},
+ url = {https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-singh.pdf},
+}
+
+@inproceedings{Pearce2017b,
+ author = {Paul Pearce and Ben Jones and Frank Li and Roya Ensafi and Nick Feamster and Nick Weaver and Vern Paxson},
+ title = {Global Measurement of {DNS} Manipulation},
+ booktitle = {USENIX Security Symposium},
+ publisher = {USENIX},
+ year = {2017},
+ url = {https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-pearce.pdf},
+}
+
 @inproceedings{Darer2017a,
 author = {Alexander Darer and Oliver Farnan and Joss Wright},
 title = {{FilteredWeb}: A Framework for the Automated Search-Based Discovery of Blocked {URLs}},
@@ -510,7 +528,7 @@
 publisher = {ACM},
 booktitle = {Ethics in Networked Systems Research},
 year = {2015},
- url = {http://www.icir.org/vern/papers/censorship-meas.nsethics15.pdf},
+ url = {https://www.icir.org/vern/papers/censorship-meas.nsethics15.pdf},
 }
 
 @article{Ensafi2015a,
@@ -532,7 +550,7 @@
 number = {2},
 publisher = {De Gruyter Open},
 year = {2015},
- url = {http://www.icir.org/vern/papers/meek-PETS-2015.pdf},
+ url = {https://www.icir.org/vern/papers/meek-PETS-2015.pdf},
 }
 
 @inproceedings{Backes2009a,
@@ -682,7 +700,7 @@
 booktitle = {Traffic Monitoring and Analysis},
 publisher = {IEEE},
 year = {2013},
- url = {http://cseweb.ucsd.edu/~kbenson/papers/tma13.pdf},
+ url = {https://cseweb.ucsd.edu/~kbenson/papers/tma13.pdf},
 }
 
 @inproceedings{Bonneau2011a,
@@ -864,7 +882,7 @@
 publisher = {USENIX},
 title = {Automated Named Entity Extraction for Tracking Censorship of Current Events},
 year = {2011},
- url = {http://static.usenix.org/event/foci11/tech/final_files/Espinoza.pdf},
+ url = {https://www.usenix.org/legacy/events/foci11/tech/final_files/Espinoza.pdf},
 }
 
 @inproceedings{Feamster2002a,
@@ -893,7 +911,7 @@
 publisher = {Springer},
 title = {Evading Censorship with Browser-Based Proxies},
 year = {2012},
- url = {http://crypto.stanford.edu/flashproxy/flashproxy.pdf},
+ url = {https://crypto.stanford.edu/flashproxy/flashproxy.pdf},
 }
 
 @inproceedings{Fifield2013a,
@@ -902,7 +920,7 @@
 publisher = {Springer},
 title = {{OSS}: Using Online Scanning Services for Censorship Circumvention},
 year = {2013},
- url = {http://freehaven.net/anonbib/papers/pets2013/paper_29.pdf},
+ url = {https://www.freehaven.net/anonbib/papers/pets2013/paper_29.pdf},
 }
 
 @inproceedings{Filasto2012a,
@@ -920,7 +938,7 @@
 booktitle = {Computer and Communications Security},
 year = {2013},
 publisher = {ACM},
- url = {http://www-users.cs.umn.edu/~hopper/ccs13-cya.pdf},
+ url = {https://www-users.cs.umn.edu/~hopper/ccs13-cya.pdf},
 }
 
 @inproceedings{Hasan2013a,
@@ -948,7 +966,7 @@
 publisher = {The Internet Society},
 title = {I want my voice to be heard: {IP} over Voice-over-{IP} for unobservable censorship circumvention},
 year = {2013},
- url = {http://people.cs.umass.edu/~amir/papers/FreeWave.pdf},
+ url = {https://people.cs.umass.edu/~amir/papers/FreeWave.pdf},
 }
 
 @inproceedings{Houmansadr2013b,
@@ -957,7 +975,7 @@
 publisher = {IEEE},
 title = {The Parrot is Dead: Observing Unobservable Network Communications},
 year = {2013},
- url = {http://people.cs.umass.edu/~amir/papers/parrot.pdf},
+ url = {https://people.cs.umass.edu/~amir/papers/parrot.pdf},
 }
 
 @inproceedings{Houmansadr2014a,
@@ -1002,7 +1020,7 @@
 publisher = {USENIX},
 title = {Decoy Routing: Toward Unblockable {Internet} Communication},
 year = {2011},
- url = {http://static.usenix.org/event/foci11/tech/final_files/Karlin.pdf},
+ url = {https://www.usenix.org/legacy/events/foci11/tech/final_files/Karlin.pdf},
 }
 
 @inproceedings{Kathuria2011a,
@@ -1011,7 +1029,7 @@
 publisher = {USENIX},
 title = {Bypassing {Internet} Censorship for News Broadcasters},
 year = {2011},
- url = {http://static.usenix.org/event/foci11/tech/final_files/Kathuria.pdf},
+ url = {https://www.usenix.org/legacy/events/foci11/tech/final_files/Kathuria.pdf},
 }
 
 @inproceedings{Khattak2013a,
@@ -1057,7 +1075,7 @@
 publisher = {USENIX},
 title = {Three Researchers, Five Conjectures: An Empirical Analysis of {TOM-Skype} Censorship and Surveillance},
 year = {2011},
- url = {http://static.usenix.org/event/foci11/tech/final_files/Knockel.pdf},
+ url = {https://www.usenix.org/legacy/events/foci11/tech/final_files/Knockel.pdf},
 }
 
 @inproceedings{Koepsell2004a,
@@ -1130,7 +1148,7 @@
 publisher = {Springer},
 title = {Fighting Censorship with Algorithms},
 year = {2010},
- url = {http://mahdian.org/censorship.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Mahdian2010a.pdf},
 }
 
 @inproceedings{McCoy2011a,
@@ -1139,7 +1157,7 @@
 publisher = {Springer},
 title = {{Proximax}: A Measurement Based System for Proxies Dissemination},
 year = {2011},
- url = {http://cseweb.ucsd.edu/~klevchen/mml-fc11.pdf},
+ url = {https://cseweb.ucsd.edu/~klevchen/mml-fc11.pdf},
 }
 
 @inproceedings{Moghaddam2012a,
@@ -1240,7 +1258,7 @@
 booktitle = {Computer and Communications Security},
 year = {2012},
 publisher = {ACM},
- url = {http://www-users.cs.umn.edu/~hopper/decoy-ccs12.pdf},
+ url = {https://www-users.cs.umn.edu/~hopper/decoy-ccs12.pdf},
 }
 
 @inproceedings{Seltzer2011a,
@@ -1249,7 +1267,7 @@
 publisher = {USENIX},
 title = {Infrastructures of Censorship and Lessons from Copyright Resistance},
 year = {2011},
- url = {http://static.usenix.org/event/foci11/tech/final_files/Seltzer.pdf},
+ url = {https://www.usenix.org/legacy/events/foci11/tech/final_files/Seltzer.pdf},
 }
 
 @inproceedings{Serjantov2002a,
@@ -1259,7 +1277,7 @@
 title = {Anonymizing Censorship Resistant Systems},
 year = {2002},
 pages = {111--120},
- url = {http://www.iptps.org/papers-2002/120.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Serjantov2002a.pdf},
 }
 
 @inproceedings{Sfakianakis2011a,
@@ -1268,7 +1286,7 @@
 publisher = {USENIX},
 title = {{CensMon}: A Web Censorship Monitor},
 year = {2011},
- url = {http://static.usenix.org/event/foci11/tech/final_files/Sfakianakis.pdf},
+ url = {https://www.usenix.org/legacy/events/foci11/tech/final_files/Sfakianakis.pdf},
 }
 
 @inproceedings{Shklovski2011a,
@@ -1286,7 +1304,7 @@
 publisher = {USENIX},
 title = {Pass it on: Social Networks Stymie Censors},
 year = {2008},
- url = {http://www.cs.toronto.edu/iptps2008/final/73.pdf},
+ url = {https://www.cs.toronto.edu/iptps2008/final/73.pdf},
 }
 
 @techreport{Stubblefield2001a,
@@ -1294,7 +1312,7 @@
 title = {{Dagster}: Censorship-Resistant Publishing Without Replication},
 institution = {Rice University},
 year = {2001},
- url = {http://www.cs.rice.edu/~dwallach/pub/dagster-tr.pdf},
+ url = {https://www.cs.rice.edu/~dwallach/pub/dagster-tr.pdf},
 }
 
 @inproceedings{Tan2014a,
@@ -1394,7 +1412,7 @@
 booktitle = {Network and Distributed System Security},
 publisher = {The Internet Society},
 year = {2013},
- url = {http://www-users.cs.umn.edu/~hopper/rbridge_ndss13.pdf},
+ url = {https://www-users.cs.umn.edu/~hopper/rbridge_ndss13.pdf},
 }
 
 @inproceedings{Weaver2009a,
@@ -1456,7 +1474,7 @@
 booktitle = {Free and Open Communications on the Internet},
 publisher = {USENIX},
 year = {2011},
- url = {http://static.usenix.org/event/foci11/tech/final_files/Wright.pdf},
+ url = {https://www.usenix.org/legacy/events/foci11/tech/final_files/Wright.pdf},
 }
 
 @techreport{Wright2012a,
diff --git a/local.bib b/local.bib
index b96ed38..d16a6bf 100644
--- a/local.bib
+++ b/local.bib
@@ -791,3 +791,29 @@
 year = 2012,
 url = {https://github.com/NullHypothesis/brdgrd},
 }
+
+% https://www.freehaven.net/anonbib/bibtex.html#morphing09
+@inproceedings{morphing09,
+ title = {Traffic Morphing: An efficient defense against statistical traffic analysis},
+ author = {Charles Wright and Scott Coull and Fabian Monrose},
+ booktitle = {Network and Distributed System Security},
+ publisher = {The Internet Society},
+ year = 2009,
+ month = feb,
+ url = {https://freehaven.net/anonbib/papers/morphing09.pdf},
+}
+
+@inproceedings{Durumeric2013a,
+ author = {Zakir Durumeric and Eric Wustrow and J. Alex Halderman},
+ title = {{ZMap}: Fast {Internet}-Wide Scanning and its Security Applications},
+ booktitle = {USENIX Security Symposium},
+ publisher = {USENIX},
+ year = 2013,
+ url = {https://zmap.io/paper.pdf},
+}
+
+@misc{Shadowsocks,
+ title = {{Shadowsocks}},
+ key = {Shadowsocks},
+ url = {https://shadowsocks.org/en/},
+}
diff --git a/summaries.txt b/summaries.txt
index a882cef..4b8ca5c 100644
--- a/summaries.txt
+++ b/summaries.txt
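Review bot: The new `@misc{Shadowsocks` entry in local.bib cites a live web page with no `year` and no access date, so a reader of the rendered reference cannot tell which version of the page was consulted; add `note = {Accessed <YYYY-MM-DD>}` (or `urldate` if the bibliography ever moves to biblatex) with the real date filled in. `key = {Shadowsocks}` is the correct way to give an author-less `@misc` a sort key, so that part is fine. The `morphing09` key follows anonbib's scheme rather than the `AuthorYYYYa` scheme every other entry in these files uses (`Wright2011a`, `Wright2012a` in censor.bib); the `%` line above it documents the provenance, so if the key is kept for traceability that is reasonable, otherwise `Wright2009a` would match the file's convention.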
@@ -1322,3 +1322,70 @@ NIDSes. Their "evasion" is the same as the "evasion" of Ptacek1998a. They say that their "confusion" is different from the "insertion" of Ptacek1998a (Section 3.2), but I don't really see the difference.
+
+
+morphing09
+Traffic Morphing: An efficient defense against statistical traffic analysis
+
+Traffic morphing is an algorithm for frustrating traffic analysis: it
+makes an input distribution of packet sizes conform to an output
+distribution, by padding and optionally splitting packets. It has lower
+overhead than, for example, padding every packet to a constant size. It
+doesn't do anything for interpacket timing: one input packet corresponds
+to one output packet (or, in the case of shortening, a burst of short
+packets) with minimal delay.
+
+Morphing works by computing an intermediate matrix that converts one
+probability distribution (of packet sizes) to another. It's therefore
+specific to the input protocol: if it doesn't match the expected input
+distribution, the output distribution will not be as expected. Each
+column of the matrix is a probability distribution on output sizes,
+given an input size. In the case where the computed output size is less
+than the input size, first a short packet with the desired output size
+is split off, then the rest of the input packet is split up by directly
+sampling the output distribution (without using the matrix). Section 3.3
+also discusses constructing a matrix such that packets are never
+shortened. Convex optimization can efficiently compute the matrix and
+minimize byte overhead. Naively, the process only handles 1-grams, but
+Section 3.4 is about coping with large input spaces, such as the n²
+space created by bigrams.
+
+The flaw, as I see it, is that there is still a correspondence between
+input packet and output packets. Whenever the input is idle, the output
+will be idle as well. You could sample directly from the desired output
+distribution, independent of the input packet sizes, and not need to
+compute a matrix. I suppose such a design would have lower efficiency.
+
+
+Winter2013b
+ScrambleSuit: A Polymorphic Network Protocol to Circumvent Censorship
+
+ScrambleSuit is an obfuscation protocol that aims to resist active
+probing, DPI, and traffic analysis. It resists active probing with
+per-user (or per-server) secrets: a client that connects without being
+able to show knowledge of the secret will not get a response from the
+server. (The client authentication is an extension of the UniformDH used
+by obfs3.) It resists DPI by encrypting everything, including the
+key-exchange handshake, so it looks like a random stream. It resists
+traffic analysis by shaping packet sizes and delays according to a
+probability distribution that depends on a server secret. Therefore to
+the extent that ScrambleSuit has a traffic analysis signature, each
+server has a different signature, so blocking one does not result in a
+block of the others.
+
+After an initial UniformDH handshake, later authentications are done
+using session tickets. There are slightly different designs for session
+tickets to accomodate different underlying protocols. (Tor's bridge
+distribution design makes it difficult to have per-client secrets.)
+
+Discusses the difference between mimickry protocols (effective against
+whitelisting) and look-like-random protocols (effective only against
+blacklisting). The authors judge that whitelisting results in
+unacceptable false positives, and that looking like random increases the
+false-positive rate sufficiently to make it expensive to block. They
+considered client-side puzzles (proof of work) as an alternative to
+out-of-band secrets, but the current rate of churn in Tor bridges would
+give too large an advantage to the censor in completing puzzles.
+
+Evaluation is difficult because there is no specific protocol they are
+mimicking; therefore they instead measure deviation from vanilla Tor.
diff --git a/thesis.tex b/thesis.tex
index 9aa2f0c..23aa94e 100644
--- a/thesis.tex
+++ b/thesis.tex
@@ -393,10 +393,6 @@ Gabi Nakibly and Dan Boneh.
 \chapter{Principles of circumvention}
 \label{chap:principles}
-\begin{itemize}
-\item Look like something / look like nothing
-\end{itemize}
-
 In order to understand the challenges of circumvention, it helps to put yourself in the mindset of a censor. A censor has two high-level functions: detection and blocking.
@@ -485,7 +481,7 @@ A proxy need not be what is typically understood by the term ``proxy server,'' a single host accepting and forwarding connections. A VPN (virtual private network) is also a kind of proxy, as is the Tor network,
-as may be a specially configured router.
+as may be a specially configured network router.
 In \autoref{chap:domain-fronting} we will see a network of cloud servers acting as a proxy. In \autoref{chap:snowflake} the proxy will
@@ -536,7 +532,7 @@ flow properties, and protocol semantics~\cite[\S~2.4]{Khattak2016a}. I think of their ``content,'' ``flow properties,'' and ``protocol semantics'' as all fitting under the heading of content.
-Tschantz2016a et~al.\ identify ``setup'' and ``usage''~\cite[\S~V]{Tschantz2016a-local},
+Tschantz et~al.\ identify ``setup'' and ``usage''~\cite[\S~V]{Tschantz2016a-local},
 and Khattak, Elahi et~al.\ identify ``communication establishment'' and ``conversation''~\cite[\S~3.1]{Khattak2016a}, as targets of obfuscation;
@@ -547,6 +543,7 @@ and Tschantz et~al.\ call ``detection'' and ``action''~\cite[\S~II]{Tschantz2016
 \section{Collateral damage}
+\label{sec:collateral-damage}
 What's to prevent the censor from shutting down all connectivity within its network,
@@ -628,7 +625,7 @@ reducing false positives without reducing false negatives.) For example, it has been repeatedly documented---by Clayton et~al.~\cite{Clayton2006a}, Winter and Lindskog~\cite{Winter2012a},
-and Fifield and Tsai~\cite{Fifield2016a},
+and Fifield and Tsai~\cite{Fifield2016a-local},
 for example---that the Great Firewall prefers to block individual ports (or a small range of ports), rather than blocking an entire IP address,
@@ -695,7 +692,11 @@ characterized the essential component as being meaning that a user could plausibly claim to have been doing something other than circumventing when confronted with a log of their network activity.
-Zhou et~al.~\cite{Zhou2013a}
+Khattak, Elahi, et~al.~\cite[\S~4]{Khattak2016a} also list
+``deniability'' separately from ``unblockability.''
+% \cite{Burnett2010a} also says ``deniability''
+% \cite{Jones2014a} also says ``deniability''
+Brubaker et~al.~\cite{Brubaker2014a}
 used the term ``entanglement,'' which inspired a lot of my own thinking. What they call entanglement I think of as
@@ -751,6 +752,143 @@ One might even say that the very decision to censor is exactly such an irrational decision, at the greater societal level.
+\section{Content obfuscation strategies}
+\label{sec:obfuscation-strategies}
+
+There are two general strategies to counter content-based blocking.
+The first is to mimic some content that the censor allows,
+like HTTP or email.
+The second is to randomize the content,
+to make it dissimilar to anything that the censor specifically blocks.
+
+Tschantz et~al.~\cite{Tschantz2016a-local} call these two strategies
+``steganography'' and ``polymorphism'' respectively.
+Another way to say it is ``look like something''
+and ``look like nothing.''
+They are not strict classifications---any
+real system will incorporate a bit of both---and
+they reflect differing conceptions of censors.
+Steganography works against
+a ``whitelisting'' or ``default-deny'' censor,
+one that permits only a set
+of specifically enumerated protocols and blocks all others.
+Polymorphism, on the other hand,
+falls to a whitelisting censor,
+but works against a ``blacklisting'' or ``default-allow'' censor,
+one that blocks a set of specifically enumerated protocols
+and allows all others.
+
+This is not to say that steganography is strictly
+superior to polymorphism---there are tradeoffs in both directions.
+Effective mimickry can be difficult to achieve,
+and in any case effectiveness can only be judged
+against a censor's specific computations of collateral damage.
+Whitelisting, by its nature,
+tends to cause more collateral damage than blacklisting.
+And just as obfuscation protocols are not purely steganographic
+or polymorphic,
+real censors are not purely whitelisting or blacklisting.
+
+I will list some representative examples of the steganographic strategy.
+Infranet~\cite{Feamster2002a}, way back in 2002,
+built a covert channel out of HTTP,
+encoding upstream data in special requests
+and downstream data using standard steganography in image files.
+(An aside on the evolution of threat models:
+the authors of Infranet rejected the possibility of using TLS (then called SSL),
+because it was not then common enough that its wholesale blocking
+would cause much damage.
+Today the situation around TLS is much different,
+and it is much relied on by circumventors.)
+% Collage~\cite{Burnett2010a}
+% Facade~\cite{Jones2014a} (2014) updates Infranet.
+StegoTorus~\cite{Weinberg2012a} (2012) uses custom encoders
+to make traffic resemble common HTTP file types,
+such as PDF, JavaScript, and Flash.
+SkypeMorph~\cite{Moghaddam2012a} (2012) mimics a Skype video call.
+FreeWave~\cite{Houmansadr2013a} (2013) modulates a data stream
+into an acoustic signal and transmits it over VoIP.
+FTE~\cite{Dyer2013a} (for ``format-transforming encryption''; 2013)
+and its followup Marionette~\cite{Dyer2015a} (2015)
+force traffic to conform to a user-specified syntax:
+if you can describe it, you can imitate it.
+Despite the research attention they have received,
+steganographic systems have not been as used in practice:
+of these listed systems, FTE is the only one that
+saw substantial deployment.
+
+\dragons
+
+The history of the polymorphic, randomized protocols
+known as obfs2~\cite{obfs2}, obfs3~\cite{obfs3}, and obfs4~\cite{obfs4} is interesting
+because it tells a story of circumventors changing behavior
+in the face of changing censor models.
+All of these protocols aim to encode traffic
+as a uniformly random sequence of bytes,
+leaving no plaintext features for a censor to detect.
+The obfs2 protocol used a fairly naive handshake protocol
+that appeared random only to a first approximation.
+It would have bypassed the keyword- or pattern-based censors
+of its era, but it was detectable passively, using a custom detector.
+obfs3 improved on obfs2 by adding a clever Diffie--Hellman
+key exchange, specially modified to also appear random to a censor.
+obfs3 was not trivially detectable passively,
+but could be attacked by an active man in the middle,
+and was vulnerable to active probing.
+obfs4 added an out-of-band secret
+that foils both man-in-the-middle and active probing attacks.
+ShadowSocks~\cite{Shadowsocks}
+
+
+``Decoy routing'' systems put proxies at the middle of network paths.
+A special cooperating router lies between the client and the apparent destination of a TCP stream.
+The router looks for a special cryptographic ``tag'' that is undetectable to the censor.
+On finding a tag, the router begins to redirect the client's traffic
+away from its declared destination and towards a censored destination instead.
+There are several decoy routing proposals, each with advantages and disadvantages;
+those that began the line of research are called
+Curveball~\cite{Karlin2011a},
+Telex~\cite{Wustrow2011a}, and
+Cirripede~\cite{Houmansadr2011a}.
+
+
+
+Parrot is dead~\cite{Houmansadr2013b}
+It's worth noting that the kind of detection
+they employ has not been seen used by censors.
+Wang et~al.~\cite{Wang2015a} found some of the attacks
+to be impractical (because of untenable false-positive rates)
+and offer attacks that are more acceptable
+to censors as we imagine them.
+
+
+Some systematizations
+(for example those of Brubaker et~al.~\cite[\S~6]{Brubaker2014a}
+and Khattak, Elahi, et~al.~\cite[\S~6.1]{Khattak2016a})
+draw a distinction between
+mimicking and tunneling systems.
+That particular distinction is not that relevant to me.
+It makes sense when discussing
+concrete implementation strategies,
+but otherwise the difference is only one of degree of fidelity.
+I think of tunneling as a high-fidelity way
+of implementing mimickry.
+
+
+
+Dust~\cite{Wiley2011a}
+ScrambleSuit
+obfs4
+crucially, distribution is specific to a server
+
+relation to website fingerprinting
+disadvantage is that you can't just e.g. use constant bitrate -- have to look like something else
+
+Traffic transformation
+look like nothing and look like something
+Psiphon anecdote about prepending HTTP to obfssh
+
+
 \section{Spheres of influence and visibility}
 \begin{itemize}
@@ -869,6 +1007,9 @@ identifying classes of working evasions and estimating the cost to counteract them.
+\section{Active probing}
+
+
 \section{Bridge distribution}
 \label{sec:bridge-distribution}
@@ -914,17 +1055,15 @@ rather as Generic rendezvous: BridgeDB and others
-Traffic transformation
-look like nothing and look like something
-Psiphon anecdote about prepending HTTP to obfssh
+Mass scanning for bridges
+Durumeric et~al.~\cite[\S~4.4]{Durumeric2013a} found about 80\%
+of Tor bridges by scanning TCP ports 443 and 9001 on IPv4.
 depending on physical aspects of networks Denali infrastructure-based, decoy routing and domain fronting
-pluggable transports
-
 Tying questions of ethics\index{ethics} to questions about censor behavior, motivation: \cite{Wright2011a} (also mentions ``organisational requirements, administrative burden'') \cite{Jones2015a}
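Review bot: `mimickry` is misspelled in two of the added lines of the new "Content obfuscation strategies" section (`Effective mimickry can be difficult to achieve,` and `of implementing mimickry.`); the same hunk spells the verb form `mimicking` correctly, so `mimicry` is the form to use. Several draft fragments in the added section — `ShadowSocks~\cite{Shadowsocks}` standing alone after the obfs4 paragraph, `Parrot is dead~\cite{Houmansadr2013b}`, and the `Dust`/`ScrambleSuit`/`obfs4` note list at the end — sit outside the single `\dragons` marker (which appears to be the draft marker) and will typeset as body prose; commenting them out with `%` until they are written, as the hunk already does for the Collage and Facade citations, keeps them out of the rendered text. `ShadowSocks` also differs in capitalization from the bib entry's `title = {{Shadowsocks}}` added to local.bib in this same commit.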
@@ -1542,87 +1681,6 @@ Do they check the right things? what's used and what's not used
-\section{Summary of circumvention systems}
-\label{sec:list-of-circ}
-
-\dragons
-
-% (BIFSO article predicting failure of censorship, leading to CGIProxy?)
-
-Many circumvention systems
-have been proposed or deployed.
-My survey with Tschantz, Afroz, and Paxson~\cite{Tschantz2016a-local}
-covered 54 systems;
-a later one by Khattak, Elahi, et~al.~\cite{Khattak2016a}
-covered 73.
-The systems mentioned in this section are not exhaustive
-but are chosen to be representative.
-
-Against content blocking,
-circumvention systems generally take one of two strategies.
-The first is steganography, trying to blend in with some other protocol
-that the censor does not already block.
-The second is polymorphism, trying to look unlike anything
-the censor already blocks.
-Which one is more appropriate depends on the censor model.
-Against a censor that whitelists a small number of protocols
-and prohibits everything else,
-steganography is appropriate.
-Against a censor that blacklists a small number of protocols or keywords,
-polymorphism is appropriate.
-(The common understanding is that real-world censors
-tend to be of the blacklisting type,
-because whitelisting causes too much inherent collateral damage---it
-is too hard to enumerate all the protocols users might want to use.
-The exception is in exceptionally constrained networks
-such as that of Cuba, that do not derive as much benefit
-from Internet connectivity anyway, and so can afford the collateral damage.)
-
-FTE~\cite{Dyer2013a} (for ``format-transforming encryption'')
-is a quintessential example of a steganographic protocol.
-Given a specification of a regular expression,
-FTE transforms traffic to match it.
-The purpose is to force false-negative misclassification by firewalls.
-StegoTorus~\cite{Weinberg2012a} uses custom encoders
-to make traffic resemble common HTTP file types,
-such as PDF, JavaScript, and Flash.
-FreeWave~\cite{Houmansadr2013a} modulates a data stream
-into an acoustic signal and transmits it over VoIP.
-
-The history of the polymorphic, randomized protocols
-known as obfs2~\cite{obfs2}, obfs3~\cite{obfs3}, and obfs4~\cite{obfs4} is interesting
-because it tells a story of circumventors changing behavior
-in the face of changing censor models.
-All of these protocols aim to encode traffic
-as a uniformly random sequence of bytes,
-leaving no plaintext features for a censor to detect.
-The obfs2 protocol used a fairly naive handshake protocol
-that appeared random only to a first approximation.
-It would have bypassed the keyword- or pattern-based censors
-of its era, but it was detectable passively, using a custom detector.
-obfs3 improved on obfs2 by adding a clever Diffie--Hellman
-key exchange, specially modified to also appear random to a censor.
-obfs3 was not trivially detectable passively,
-but could be attacked by an active man in the middle,
-and was vulnerable to active probing.
-obfs4 added an out-of-band secret
-that foils both man-in-the-middle and active probing attacks.
-
-``Decoy routing'' systems put proxies at the middle of network paths.
-A special cooperating router lies between the client and the apparent destination of a TCP stream.
-The router looks for a special cryptographic ``tag'' that is undetectable to the censor.
-On finding a tag, the router begins to redirect the client's traffic
-away from its declared destination and towards a censored destination instead.
-There are several decoy routing proposals, each with advantages and disadvantages;
-those that began the line of research are called
-Curveball~\cite{Karlin2011a},
-Telex~\cite{Wustrow2011a}, and
-Cirripede~\cite{Houmansadr2011a}.
-
-% pluggable transports is the most mature modularization
-
-% shadowsocks, whatever
-
 \chapter{Active probing}
 \label{chap:active-probing}