On recent and upcoming developments in Pluggable Transports

Hello friends,

this is a brief post on recent and upcoming developments of the Pluggable Transport world:

What has happened

Here is what has been keeping us busy during the past few months:

TBB 3.6

As many of you know, the TBB team recently released the Tor Browser Bundle 3.6 that features built-in PT support. This is great and has taken PT usage to new levels. Maaad props to the TBB team for all their work.

TBB-3.6 includes obfs3 and FTE by default. If the built-in bridges are blocked for you (this is the case at least in China), try getting some more bridges from BridgeDB (which also got renovated recently).

obfs2 deprecation

We are in the process of deprecating the obfs2 pluggable transport.

This is because China blocks it using active probing, and because obfs3 is strictly better than obfs2. obfs3 can also be blocked using active probing, but China hasn't implemented this yet (at least as far as we know). The new upcoming line of PTs (like scramblesuit and obfs4) should be able to defend more effectively against active probing.

Outgoing proxies and Pluggable Transports

Yawning Angel et al. recently implemented outgoing proxy support for PTs. This means that soon our PTs will be able to connect to an outgoing proxy using the Socks5Proxy torrc option (or the corresponding proxy field in TBB).
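As an added illustration (not part of the original post), a client-side torrc that combines an obfs3 bridge with an outgoing SOCKS5 proxy could look like the following. The bridge and proxy addresses are placeholders from documentation ranges, and the obfsproxy path and the credentials are assumptions.

```torrc
# Added example, not from the original post.
# All addresses are constructed placeholders (RFC 5737 documentation ranges).

# Use bridges instead of connecting to public relays directly.
UseBridges 1

# Launch obfsproxy as a managed client-side pluggable transport for obfs3.
# The binary path is an assumption; adjust it to your installation.
ClientTransportPlugin obfs3 exec /usr/bin/obfsproxy managed

# An obfs3 bridge obtained from BridgeDB. The fingerprint is optional
# and is omitted here because this address is a placeholder.
Bridge obfs3 192.0.2.10:443

# The outgoing proxy that all connections have to traverse.
# With PT proxy support, tor hands this setting to the transport,
# so the obfs3 connection to the bridge is made through the proxy.
Socks5Proxy 198.51.100.7:1080

# Only needed when the proxy requires authentication (placeholder values).
Socks5ProxyUsername exampleuser
Socks5ProxyPassword examplepassword
```

Without proxy support in the transport, the PT would open its own connection to the bridge and bypass the proxy, which fails on networks that only allow traffic through it.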

A Child's Garden Of Pluggable Transports

David Fifield created refreshing visualizations of Pluggable Transports. Take a look; it might help you understand what these damned things are doing.

What will happen

Now let's take a look into the short-term future (a few months ahead) of Pluggable Transports:

obfs4 and ScrambleSuit

Remember ScrambleSuit? Guess what; we are thinking of not deploying it after all...

Don't get me wrong, ScrambleSuit is great, but during the past two months Yawning has been developing a new transport called 'obfs4'. obfs4 is like ScrambleSuit (with regards to features and threat model), but it's faster and autofixes some of the open issues with scramblesuit (#10887, #11271, ...).

Since scramblesuit has not been entirely deployed yet, we thought that it would be a good idea to deploy obfs4 instead, and keep scramblesuit around as an emergency PT.

Meek

Meek is an exciting new transport by David Fifield. You can read all about it here: https://trac.torproject.org/projects/tor/wiki/doc/meek

It's basically a transport that (ab)uses Firefox to do SSL in a way that makes it look like Firefox but underneath it's actually Tor. Very sneaky, and because it uses third-party services (like Google Appspot, Akamai, etc.) as proxies, the user does not need to input a bridge. Meek just works bridgeless and automagically.

Help us by testing the latest bundles that David made: https://lists.torproject.org/pipermail/tor-qa/2014-June/000422.html

Also, since the recent Google block in China, Meek will not work with Google Appspot. However, other third-party services can be used instead of Appspot, so Meek does not lose its effectiveness.

PTs and IPv6

PTs are not very good at IPv6 yet. We identified some of the open issues and hopefully we will fix them too.

And that's that for now.

Till next time, enjoy life and give thanks and praises :)

(For what it's worth, this was originally a post in the [tor-talk] mailing list:
https://lists.torproject.org/pipermail/tor-talk/2014-June/033296.html)

Anonymous

June 15, 2014

The announcements and promotions made concerning obfs3, obfs4 and Meek are timely and interesting.

I am a businessman working and living in China for at least half a year while the rest is spent on travelling outside of it. One of my so-called leisure activities is to help Chinese people regain their freedom of expression on the internet.

If Tor is to achieve one of its objectives, which is to help people living under authoritarian regimes such as China, North Korea and Iran to communicate without fear and punishment with the outside world, then Tor must provide detailed "How To" guides on how to use obfs3, obfs4 and Meek. Tor developers: for your info, most Chinese dissidents are at least 40 years old and are not IT experts.

Anonymous

June 16, 2014

Thanks for answering my question about Meek and China that I asked on the "Tor Challenge 2014" blog. I'm guessing you don't list all the third-party services Meek can use so China can't block all of them.

No, they do list. Amazon cloud is to work with meek, other than Google. Any other service that will ignore/redirect the front to second service can be used.
You can't hide services like you think, because someone can download meek and see its settings to see which servers it connects to.

What prevents Chinese (or other) censors from doing exactly what you said, "Someone can download meek and see its settings to see which servers it connects to" and block whatever third party services meek is using at that time?

This is fine, if they're willing to block Google, Amazon, Cloudflare, Akamai, etc.

But maybe they will hesitate because of the collateral damage from such widespread blocking?

It won't work everywhere (sometimes China blocks all Google services for example), but there are some censored places where it will work well.

Anonymous

June 16, 2014

trac.torproject.org's collective cypherpunks login does work anymore, or had its password changed.

I'm posting this here in the hope that someone can forward it to the right people.

Anonymous

June 16, 2014

I'm in Iran and use obfs2 bridges. Obfs2 works faster than obfs3 here.

If meek makes your Firefox connect to the Big Brother's favorite traffic info collection pots like Google and Akamai, would not that expose you to the unwanted traffic pattern learning?

Your IP address (identifies your ISP, your location and eventually you), plus the fingerprint of your unique Firefox, plus the time of connections (to build a profile of your habits/schedule)... And the Big Bro loves your Firefox's JavaScript doors and the Mozilla's undercover communications (Add-on/search_engine auto updates, Safebrowsing, Crash reporter, etc.)

We were already told that it's somehow "OK" for the Obfsproxy bridges to have a load-screaming "I'm a Tor bridge!" domain name. Now we need meek to connect our Firefox to Google every time. Hey, why not run meek via the .gov sites directly?

I appreciate your efforts and new gadgets, but... Are we turning a bit blind about the American Big Bro, (or are we working for him?), or is meek only good for the Chinese users?

Anyone? This seems like a legit concern. Can someone elaborate?

meek is a fine research project to explore what else is possible in terms of hiding Tor communications in services that normal users use too. As a comparison, see the CloudTransport talk presented at PETS last week:
https://www.petsymposium.org/2014/program.php
This is a nice research area that I'd love to see more work on -- the "get a bunch of bridges" arms race is no fun so we need to find some alternatives.

As for the unique Firefox question, meek uses the Tor Browser (with a separate profile), so in theory it won't be unique, but rather you will blend with all the other people using that browser.

As for JavaScript, this is a fine and interesting question. I've opened
https://trac.torproject.org/projects/tor/ticket/12671
for David to investigate that one.

But yes, one of the drawbacks to meek's approach is if you're fronting through Amazon S3 and then your destination is a website hosted by Amazon -- then they're in a great position to see both sides of your circuit. That seems like a fundamental tradeoff to this approach, and resolving that contradiction is an open research problem.

The opening sentence should be capitalized, and I'm dismayed to see you swearing in these blog posts. This post just seemed less professional than other posts.

Here China, tried to use meek but with no success (failed to establish connection...).
Then, I pasted my working custom bridges and it connected normally, but saying Browser is not updated.
Wasn't it supposed to be updated? (meek is based on TB 3.6.2, right?)

I use Tor through a VPN proxy; as of last month it no longer works.
It seems blocked.
I have come to hate Tor and so many stupid updates.

Be glad of them, the alternative to not being able to communicate at all is far, far worse. Imagine if it worked, and you were compromised because one of those "stupid updates" had not been applied.

Blocked in Saudi Arabia.

Hi only a question, how to enjoy the scramblesuit by only using tor vidalia bundle?
Do I need to deploy obfsproxy.exe for TP/tor?

To use scramblesuit in the Vidalia bundle, you'd need to compile it all and configure it yourself. That's why the Tor Browser comes with all of it pre-configured for you.

You guys are just Great

Can't download any version of Tor on my iPhone. Please advise

Correct -- there aren't any safe packages of Tor on the iPhone -- mainly because there is no Firefox for iOS, so there is no Tor Browser.