From: Brian Candler <b.candler@pobox.com>
To: wireguard@lists.zx2c4.com
Subject: Re: Let's talk about obfuscation again
Date: Thu, 6 Sep 2018 16:24:00 +0100 [thread overview]
Message-ID: <2c0808aa-47da-9d1a-1c35-1aec3d0c9acc@pobox.com> (raw)
In-Reply-To: <mailman.1542.1536245115.2201.wireguard@lists.zx2c4.com>
> Domain fronting seems like the stealthiest option to me (and if anyone has a reliable way to
> detect domain fronting, I would love to hear about it!). But that doesn?t get you UDP (and NAT
> traversal); perhaps VOIP/WebRTC mimicry could work?
I think this is a game you can't win against a suitably motivated adversary. Such an adversary can and will decode the payload to see if it makes sense.
For example: an apparently unencrypted VOIP/WebRTC stream, but one which contains "random" payload (i.e. which doesn't decode properly through the declared codec, or decodes to noise) may be interpreted as an encrypted phone call, and blocked on that basis alone, even if it's not obvious it contains data.
It would also be massively inefficient. On the one hand, you'd have to send a stream of padding packets when there is no data to send, to look like an idle phone/video call. On the other hand, when you *do* have data to send, you would have to constrain your bandwidth so you don't burst above a level of traffic which such a call would normally generate.
OK, so what about changing wireguard to use TCP and TLS on port 443? It's still going to look very anomolous compared to a "normal" web exchange. Conceivably it might be mistaken for a websockets-based chat application or XMPP; but any adversary who wants to block wireguard is presumably going to want to block encrypted chat too.
In summary: I think wireguard is a tool for connecting together island networks, over an untrusted but cooperative intermediate network. I don't think it should turn into a tool for steganography or policy busting.
next parent reply other threads:[~2018-09-06 15:23 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <mailman.1542.1536245115.2201.wireguard@lists.zx2c4.com>
2018-09-06 15:24 ` Brian Candler [this message]
2018-09-06 21:16 ` Let's talk about obfuscation again James Cloos
2018-09-06 0:06 StarBrilliant
2018-09-06 8:43 ` Dennis Jackson
2018-09-06 14:45 ` George Walker
2018-09-06 15:19 ` Fredrik Strömberg
2018-09-07 8:49 ` StarBrilliant
2018-09-06 15:34 ` Dennis Jackson
2018-09-06 16:10 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2c0808aa-47da-9d1a-1c35-1aec3d0c9acc@pobox.com \
--to=b.candler@pobox.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).