Comments (1)
Conjure ... can choose any covert proxy protocol—basically, anything that on its own won't get blocked by a censor, like obfs4, WebRTC, obfuscated SSH, or TLS with some form of SNI protection.
One of the possible covert proxy protocols, new in this work, is "mask sites" (§4.2.3, §5.3.2, §7.1). The overall idea is that the Conjure station forwards phantom-addressed TLS traffic to some actual web site running at its own address—until the Conjure station discovers that the client is using a special prearranged key, at which point the station hijacks the connection and begins forwarding it to an application proxy instead. The motivation here is that TLS makes a good covert channel, but has a few caveats: in order to look like a genuine TLS connection, the server needs to present a valid CA-signed certificate (not a problem with TLS 1.3), and the client needs to present a plausible SNI (even with TLS 1.3, at least until ESNI arrives). By always forwarding at least the first part of the TLS connection to a real site, the client is able to provide a plausible SNI (that of the mask site) and the Conjure station is able to provide a genuine certificate that matches that SNI (forwarded from the mask site).
Here's how it works more concretely. The client sends a registration signal that indicates it wants to use mask sites. The client and Conjure station agree on a phantom address P, and also derive a special shared secret key. The station begins forwarding traffic addressed to P to instead go to the mask site, say example.com. It's not IP-layer forwarding, it's TCP-layer forwarding: the Conjure station itself acts as the endpoint for incoming TCP connections that are addressed to P (sending back its own SYN/ACK, etc.), then initiates its own, separate TCP connection to the mask site, forwarding only the contents of the TCP connection, not the TCP segments themselves. While forwarding, the Conjure station passively inspects the TLS stream, looking for an Application Data record. The client, instead of encrypting the Application Data record using the key that resulted from the TLS handshake, encrypts the record using the prearranged key that it shares with the Conjure station. The Conjure station attempts to decrypt the record using the same key, and, if successful, ceases forwarding to example.com and instead starts forwarding to an application proxy service. The key-switching magic is made possible by uTLS. If decryption using the special key does not work, the Conjure station just carries on with unmodified TCP-layer forwarding until the connection ends.
The idea requires some care in choosing mask sites. The censor-observable communication flow is that of a client having a TLS session with a real TLS server, just at an IP address other than one at which that server would normally be found. So, for example, if the censor knows that a certain site normally resides on one and only one IP address, it can block all TLS connections that purport to be for that site while being addressed to a different IP address. Ideally, one chooses a mask site that could plausibly reside past the Conjure station at a phantom address in its range. §4.2.3 lists considerations for mask site selection. Another consideration with mask sites is that, because the Conjure station forwards TCP payloads and not IP packets, the observable TCP fingerprint of the connection may not match that of a direct connection to the mask site. If the censor knows, for example, that the mask site usually has an initial TCP window size of 16384, but observes a connection with 14480, or that the TCP timestamp frequency is 200 Hz when it should be 1000 Hz, it could block connections on that basis. Some considerations along these lines appear in §7.1.
from bbs.
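The station-side decision described in the comment above, as an added example that is not Conjure's own code and not part of the original post. It walks the client-to-server TLS record stream, skips non-Application-Data records, and trial-decrypts Application Data records with the prearranged key; success means hijack to the proxy, failure means keep forwarding to the mask site. Everything about the framing is assumed for illustration: a 32-byte AES-256-GCM key and a 12-byte nonce derived at registration, the 5-byte record header as AAD, and a cap of three trial records (needed because under TLS 1.3 the client's first Application Data record is its encrypted Finished, which is legitimately under the session key, not the prearranged one). The keys, nonces and record contents are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	recordHeaderLen     = 5
	recordTypeHandshake = 22
	recordTypeAppData   = 23
	maxRecordLen        = 1<<14 + 256 // largest TLS 1.3 ciphertext record
	maxTrials           = 3           // assumed policy: app-data records to try before giving up
)

var errShort = errors.New("need more bytes")

// Decision is the station's forwarding decision for one phantom-addressed connection.
type Decision int

const (
	Undecided Decision = iota // not enough data yet: keep buffering and forwarding
	KeepMask                  // trial decryption failed: ordinary client, stay on the mask site
	Hijack                    // trial decryption succeeded: switch to the application proxy
)

// NewMaskAEAD wraps the prearranged per-registration key (assumed: 32-byte AES-256-GCM key).
func NewMaskAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// parseRecord splits one TLS record (type, version, length, body) off the front of b.
func parseRecord(b []byte) (typ byte, payload []byte, n int, err error) {
	if len(b) < recordHeaderLen {
		return 0, nil, 0, errShort
	}
	length := int(binary.BigEndian.Uint16(b[3:5]))
	if length > maxRecordLen {
		return 0, nil, 0, fmt.Errorf("record length %d exceeds TLS maximum", length)
	}
	if len(b) < recordHeaderLen+length {
		return 0, nil, 0, errShort
	}
	return b[0], b[recordHeaderLen : recordHeaderLen+length], recordHeaderLen + length, nil
}

// SealRecord is the client side: an Application Data record sealed under the prearranged
// key with the record header as AAD, instead of under the TLS session key (assumed framing).
func SealRecord(aead cipher.AEAD, nonce, plaintext []byte) []byte {
	hdr := []byte{recordTypeAppData, 3, 3, 0, 0}
	binary.BigEndian.PutUint16(hdr[3:], uint16(len(plaintext)+aead.Overhead()))
	aad := append([]byte(nil), hdr...)
	return aead.Seal(hdr, nonce, plaintext, aad)
}

// Inspect is the station side: skip ClientHello/CCS/alert records and trial-decrypt
// Application Data records with the prearranged key, up to maxTrials of them.
func Inspect(stream []byte, aead cipher.AEAD, nonce []byte) (Decision, []byte, error) {
	trials := 0
	for len(stream) > 0 {
		typ, payload, n, err := parseRecord(stream)
		if errors.Is(err, errShort) {
			return Undecided, nil, nil
		}
		if err != nil {
			return KeepMask, nil, err // malformed: never hijack, let the mask site reject it
		}
		if typ == recordTypeAppData {
			aad := append([]byte(nil), stream[:recordHeaderLen]...)
			if pt, err := aead.Open(nil, nonce, payload, aad); err == nil {
				return Hijack, pt, nil
			}
			if trials++; trials >= maxTrials {
				return KeepMask, nil, nil
			}
		}
		stream = stream[n:]
	}
	return Undecided, nil, nil
}

// handshakeRecord is a constructed stand-in for a ClientHello record; its contents are irrelevant here.
func handshakeRecord() []byte {
	body := []byte{0x01, 0x00, 0x00, 0x04, 0x03, 0x03, 0xaa, 0xbb}
	return append([]byte{recordTypeHandshake, 3, 1, 0, byte(len(body))}, body...)
}

// Demo runs three constructed flows through Inspect: a Conjure client, an ordinary TLS
// client that happens to hit the phantom address, and a truncated capture of the Conjure client.
func Demo() (conjure, ordinary, partial Decision, recovered []byte, err error) {
	shared := make([]byte, 32) // prearranged key from registration (constructed)
	for i := range shared {
		shared[i] = byte(i)
	}
	nonce := make([]byte, 12)                                  // per-registration nonce (constructed)
	station, _ := NewMaskAEAD(shared)                          // key sizes are fixed above, so no error
	session, _ := NewMaskAEAD(bytes.Repeat([]byte{0x42}, 32)) // stand-in for a normal TLS session key
	conjureStream := append(handshakeRecord(), SealRecord(station, nonce, []byte("GET /proxy HTTP/1.1"))...)
	ordinaryStream := handshakeRecord()
	for i := 0; i < maxTrials; i++ { // Finished plus real requests, all under the session key
		n := make([]byte, 12)
		n[11] = byte(i)
		ordinaryStream = append(ordinaryStream, SealRecord(session, n, []byte("GET / HTTP/1.1"))...)
	}
	if conjure, recovered, err = Inspect(conjureStream, station, nonce); err != nil {
		return
	}
	if ordinary, _, err = Inspect(ordinaryStream, station, nonce); err != nil {
		return
	}
	partial, _, err = Inspect(conjureStream[:len(conjureStream)-3], station, nonce)
	return
}

func main() {
	c, o, p, pt, err := Demo()
	fmt.Println(c, o, p, string(pt), err)
}
```

The record-length check matters on the station: it is a passive observer that must never be talked into hijacking, or into buffering unbounded data, by a malformed record, so anything outside the TLS envelope is simply left to the mask site.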