Autor: adrelanos Data: CC: Elly Fong-Jones, tor-talk, The Tails public development discussion list Temat: Re: [Tails-dev] [tor-talk] secure and simple network time (hack)
Jacob Appelbaum: > adrelanos:
>> Jacob Appelbaum:
>>> adrelanos:
>>>>>
>>>>> We already fail this test, no?
>>>>
>>>> Not necessarily. This is a difficult question.
>>>>
>>>
>>> Tor does not hide that you are using Tor
>>
>> Yes, but... While making this point up, I saw pluggable transports as a
>> tool which can be thrown into the mix and make this a non-issue.
>
> I don't think so - I also this this is non-trivial.
I know. It's absolutely non-trivial. From my distro packager perspective
pluggable transports are just some magic boxes to throw into the mix,
which get a job done. Great minds do all the thinking and coding.
> Some pluggable
> transports may seek to obfuscate traffic or to morph it. However, they
> do not claim to hide that you are using Tor *in all cases* but rather in
> very specific cases. An example threat model includes a DPI device with
> limited time to make a classification choice - so the hiding is very
> specific to functionality and generally does not take into account
> endless data retention with retroactive policing.
Ok.
>>
>> (In theory obfsproxy and alike tools can hide the fact that someone is
>> using Tor, which will be required against trying-hard-censurers so or
>> so. This assumes, that pluggable transports will win the arms race
>> against censors.)
>
> Perhaps for a time but again - rarely is anyone thinking about say, the
> one, five or ten year logging of full packets.
Yes.
>>
>>> and using Tails or Whonix is an
>>> example of a system only emitting Tor traffic.
>>
>> The plan is...
>>
>> Whonix:
>> When using VMs (as most people do), there is still a host operating
>> system people start first - so there is not only Tor traffic. Tor usage
>> can be hidden by using pluggable transports.
>
> I would be very careful with that claim. It might be hidden and it might
> just be that no one is looking.
Yes, I wouldn't claim that in documentation, of course. When I said "Tor
usage can be hidden by using pluggable transports." in this very
context, I assume, that this magic box is working well. It's very clear
to me, that this is a very strong assumption and that this involves a
lot work done by other people creating that magic box. (If we wouldn't
make that assumption, we probable wouldn't have to talk about
fingerprinting issues.)
It's all about censorship circumvention. I thought, when we assume that
this magic box works reasonable well, it would be a pity if we now added
something which could render the achievements by pluggable transports
useless.
>>
>> Tails:
>> When this becomes an issue, there are two workarounds:
>> - running Tails in a VM (naturally requires starting a non-Tails os
>> beforehand) using pluggable transports to hide Tor usage
>> - booting a second computer with a non-Tails operating system behind the
>> same router, wait a bit, run Tails using pluggable transports to hide
>> Tor usage
>>
>> And one possible fix: boot the amnesic system, simulate "this is Debian"
>> (or other mainstream distro) by running it untorified in chroot or in a
>> VM; fire up Tor using pluggable transports to hide Tor usage.
>>
>> The point I wanted to make is, I can very well imagine, not to fail this
>> test, i.e. pretending to be a mainstream distribution, having non-Tor
>> traffic and obfuscating Tor traffic using pluggable transports. Perhaps
>> it can be prevented, that tlsdate introduces new operating system
>> fingerprinting possibilities for ISPs.
>>
>
> That's my point - I don't believe that tlsdate introduces anything more
> than what any OpenSSL TLS connection would introduce. The main
> difference is the host and *that* is currently a set of *extremely*
> popular hosts, way way more popular than Tor nodes or some random bridge
> or something. Yes, we could use obfsproxy in the mix but that is punting
> and a side step.
Ok.
>>> It depends on your threat
>>> model but generally, we'd just making up "someone could" as a network
>>> distinguisher.
>>
>> Yes.
>>
>>> I assert that someone could watch - see no traffic except
>>> encrypted traffic, decide it is Tor and then decide you're running Tails
>>> or Whonix.
>>
>> I tried to picture solutions to that above.
>>
>
> That doesn't solve the fingerprinting issues - attackers can classify
> the number of users with different machines behind a NAT and often do so.
Well, I failed to describe what I meant with 100% accuracy due to my
skills. I cut it here so you don't have to read so much. Just that: our
opinions here don't differ at all and I got educated. You understand
this topic better than me, the important point "it would be a pity if we
now added something which could render the achievements by pluggable
transports useless" has been considered, thank you for that.