hellais
commented
4 years ago This is something we have plans to do in the new probe-engine based tests. cc @bassosimone
Open hellais opened 7 years ago
hellais
commented
4 years ago This is something we have plans to do in the new probe-engine based tests. cc @bassosimone
hellais
commented
4 years ago We should check in with @nullhypothesis if there is some easy way to make a PT generate some traffic without having tor as a requirement on the system.
hellais
commented
4 years ago @NullHypothesis Basically the question we have is:
What else could we do to generate some amount of traffic over a tor obfs4proxy bridge that does not require us having the tor binary installed on the system?
The problem is that it's hard for us to ship tor on mobile (but also on desktop there are many things to consider when shipping an additional binary) and therefore we would like to find a solution that doesn't rely on tor.
If this is not possible, we can also defer this to future work or for the moment just support generating traffic over the bridge only in when there is a system tor binary installed.
NullHypothesis
commented
4 years ago Is a separate Python tool an option? If so, you could use ptadapter to interact with your obfs4proxy instance.
Another option would be to use obfs4 as a library rather than a separate process. Brandon Wiley has implemented this as part of Shapeshifter.
A third option would be to create a lightweight Go tool that basically does what Tor (and ptadapter) does: set environment variables, spawn obfs4proxy, and send traffic over it.
hellais
commented
4 years ago We use obfs4 as a library in fact. The code is here: https://github.com/ooni/probe-engine/blob/master/internal/oonitemplates/oonitemplates.go#L522.
Our question was mostly about how can we generate traffic towards an obfs4 tor bridge without speaking the tor protocol, because we don't have a tor binary.
NullHypothesis
commented
4 years ago We use obfs4 as a library in fact. The code is here: https://github.com/ooni/probe-engine/blob/master/internal/oonitemplates/oonitemplates.go#L522.
Our question was mostly about how can we generate traffic towards an obfs4 tor bridge without speaking the tor protocol, because we don't have a tor binary.
Gotcha. One option would be to use (a stripped down version of) gotor and have it speak Tor for you. Another option would be to repeatedly perform the TLS handshake with the bridge, without actually speaking the Tor protocol. However, that may alter the flow fingerprint on the fire, i.e., a DPI that's trained to identify Tor may not trigger when a client is simply performing repeated TLS handshakes.
bassosimone
commented
4 years ago @NullHypothesis thanks! So, for now, I think we'd rather defer generating traffic using the bridges to future work. We're also considering shipping tor along with the desktop app and using it, so this may be another viable (and possibly more robust) alternative for generating traffic.
hellais
commented
4 years ago In light of the latest conclusions we reached for this issue, I am going to remove it from the current sprint and move it to another circumvention epic.
In places such as Kazakistan obfs4 is blocked not on the initial handshake, but only after some amount of traffic is done (rumor has it that the magic number is 50KB).
We should add support for performing some traffic once tor has bootstrapped to the bridge_reachability test to ensure that.