著者: Jacob Appelbaum 日付: To: The Tails public development discussion list CC: tor-talk, Elly Fong-Jones 題目: Re: [Tails-dev] [tor-talk] secure and simple network time (hack)
adrelanos: > Jacob Appelbaum:
>> adrelanos:
>>>>
>>>> We already fail this test, no?
>>>
>>> Not necessarily. This is a difficult question.
>>>
>>
>> Tor does not hide that you are using Tor
>
> Yes, but... While making this point up, I saw pluggable transports as a
> tool which can be thrown into the mix and make this a non-issue.
I don't think so - I also this this is non-trivial. Some pluggable
transports may seek to obfuscate traffic or to morph it. However, they
do not claim to hide that you are using Tor *in all cases* but rather in
very specific cases. An example threat model includes a DPI device with
limited time to make a classification choice - so the hiding is very
specific to functionality and generally does not take into account
endless data retention with retroactive policing.
>
> (In theory obfsproxy and alike tools can hide the fact that someone is
> using Tor, which will be required against trying-hard-censurers so or
> so. This assumes, that pluggable transports will win the arms race
> against censors.)
Perhaps for a time but again - rarely is anyone thinking about say, the
one, five or ten year logging of full packets.
>
>> and using Tails or Whonix is an
>> example of a system only emitting Tor traffic.
>
> The plan is...
>
> Whonix:
> When using VMs (as most people do), there is still a host operating
> system people start first - so there is not only Tor traffic. Tor usage
> can be hidden by using pluggable transports.
I would be very careful with that claim. It might be hidden and it might
just be that no one is looking.
>
> Tails:
> When this becomes an issue, there are two workarounds:
> - running Tails in a VM (naturally requires starting a non-Tails os
> beforehand) using pluggable transports to hide Tor usage
> - booting a second computer with a non-Tails operating system behind the
> same router, wait a bit, run Tails using pluggable transports to hide
> Tor usage
>
> And one possible fix: boot the amnesic system, simulate "this is Debian"
> (or other mainstream distro) by running it untorified in chroot or in a
> VM; fire up Tor using pluggable transports to hide Tor usage.
>
> The point I wanted to make is, I can very well imagine, not to fail this
> test, i.e. pretending to be a mainstream distribution, having non-Tor
> traffic and obfuscating Tor traffic using pluggable transports. Perhaps
> it can be prevented, that tlsdate introduces new operating system
> fingerprinting possibilities for ISPs.
>
That's my point - I don't believe that tlsdate introduces anything more
than what any OpenSSL TLS connection would introduce. The main
difference is the host and *that* is currently a set of *extremely*
popular hosts, way way more popular than Tor nodes or some random bridge
or something. Yes, we could use obfsproxy in the mix but that is punting
and a side step.
>> It depends on your threat
>> model but generally, we'd just making up "someone could" as a network
>> distinguisher.
>
> Yes.
>
>> I assert that someone could watch - see no traffic except
>> encrypted traffic, decide it is Tor and then decide you're running Tails
>> or Whonix.
>
> I tried to picture solutions to that above.
>
That doesn't solve the fingerprinting issues - attackers can classify
the number of users with different machines behind a NAT and often do so.