Google's Obfuscated TCP

agl42 writes "Obfuscated TCP attempts to provide a cheap opportunistic encryption scheme for HTTP. Though SSL has been around for years, most sites still don't use it by default. By providing a less secure, but computationally and administratively cheaper, method of encryption, we might be able to increase the depressingly small fraction of encrypted traffic on the Internet. There's an introduction video explaining it."

surveillance

[TheSHAD0W (258774)]

The video starts out saying that increased encryption is needed thanks in part to warrantless government surveillance. It then goes on to describe a system that assumes no MITM attacks can exist. The fact is, however, that governments are entirely capable of performing MITM attacks, as can telecommunications companies; and if it becomes popular we may see more techniques that allow individuals to perform MITM attacks. While this algorithm has significant merit, care needs to be taken to avoid a false sense of security.

Re:surveillance

[Free the Cowards (1280296)]

It does not "assume no MITM attacks can exist". It deliberately does not protect against them. This is not the same thing, as one is a position of ignorance whereas the other is an intentional choice not to defend against that threat.

In practical terms, MITM is considerably harder than simply listening in. Wide-scale surveillance such as what caused the big recent flap with FISA and the NSA simply can't perform MITM attacks. Protecting against pure eavesdropping while remaining open to MITM attacks is useful, it's just not a 100% solution. As long as it doesn't sell itself as one (and I see no indication that it is) then there's absolutely no problem with that.

NOT GOOGLE

[Zutroi_Zatatakowsky (513851)]

This is not GOOGLE's Obfuscated TCP, this is a small one-man project HOSTED on Google Code.

That guy's gonna get tons of traffic for what's maybe a good idea but not endorsed or supported by Google.

Re:NOT GOOGLE

[Plug (14127)]

He's a Google employee. [blogspot.com].

(Standard 20% time disclaimer etc)

Trusts DNS instead of CA signature

[mikenap (1258526)]

So, basically we have the same concept as SSL, except instead of trusting the CA signature on the certificate, we trust DNS.

Forging a CA signature on a certificate would be a BIG DEAL.
Forging a DNS entry, especially with ISP cooperation(read government snooping), is DEAD SIMPLE.

So we replace real security with, well, a CPU hog that's only a smidge better than running everything in the clear. It only keeps out the MOST casual, lazy, and uninterested snooper.

They could have done better

[this great guy (922511)]

I read the technical details [google.com] and they talk about an advert being encoded in the CNAME, to distribute a curve25519 key and a port number. But they could have done much simpler using technology that already exists: encode the 160-bit SHA1 fingerprint of an X.509 certificate and a port number in the CNAME (only 32 chars needed in base32). Then connect to this port using HTTPS and simply verify that the certificate matches the fingerprint ! Advantages:

• This technique works using standard TLS/SSL technology, no need to reinvent a poor man's TLS protocol like they did with Salsa20/8, Curve25519, Poly1305, etc.
• It is just as secure as their "Obfuscated TCP" (both techniques rely on the DNS records not having been tampered).
• The SHA1 fingerprint being encoded in the CNAME allows the browser to verify its validity without prompting the enduser with scary dialog boxes (and it also works with self-signed certs).
• And as a bonus, the fact a standard HTTPS server is running allows endusers who really want true security to explicitely connect to the HTTPS URL by themselves (without relying on the CNAME trick). Doing this would make the browser verify the validity of the cert using the normal way (scary dialog boxes... or not if the cert's CA is trusted).

Reinventing ancient history

[PhilK (20847)]

It's interesting how the same idea gets "reinvented" over and over. Opportunistic encryption using advertised DH public numbers is just such a thing.

ObsTCP is just a reinvention of SKIP.

See here via the Wayback Machine since the concept is long dead and buried.
http://web.archive.org/web/20021129230049/http://www.skip-vpn.org/ [archive.org]

Re:The implications?

[MBCook (132727)]

Why?

If you watch the "video", one of their explicit points (#2) is that the user shouldn't be informed of this. This will not trigger the little security lock icon. From a user's point of view, you shouldn't be able to tell if the web server you are connected to is unsecured or secured this this little bit of obfuscation.

This isn't for real security, it's to make simple sniffing harder. As the video puts it, it simply raises the bar for someone who wants to read other people's traffic.

It seems like a very good idea to me. It sounds quite intelligent (from what I know of TCP/IP, etc). Some protocols have need changes (protocols where there is one connection and it isn't dropped would need some way to communicate that the encryption is OK during the first (and possibly only) connection.

Either way, it sounds like quite an improvement over what we have now.

Re:The implications?

[beav007 (746004)]

This suggestion is insanity!

This. Is. SLASHDOT!

Re:The implications?

[19thNervousBreakdown (768619)]

Implications?

but it can assuage untargeted, dragnet sniffing of backbones

Can you read the subtext there? Snap, how's that for an implication? Privacy. (from the government.)

Re:So, wait...

[by Anonymous Coward]

It's not written by Google, it's just hosted by them. Big difference, misleading title.

Re:Firefox isn't helping

[0123456 (636235)]

"simply removing eavesdroppers would be a step in the right direction."

Yes. Whereas self-signed certs let the eavesdropper send you a certificate which makes you think your connection is secure when in reality they're listening to everything you send.

Re:Firefox isn't helping

[Kjella (173770)]

Per definition, then you're more than an eavesdropper. Then you're actively intercepting and rewriting the connection, which is a lot more complicated to do in volume plus detectable by comparing fingerprints. Whereas just copying the stream for the NSA is trivial and without detection possibility, but hey pick no security because the other is imperfect.

Re:Firefox isn't helping

[profplump (309017)]

Or distinguish between "authenticated" and "encrypted"?

Or finally admit that maybe there are more shades of grey than "secure" and "insecure" when it comes to send and fetching data over the Internet?

Re:Firefox isn't helping

[Free the Cowards (1280296)]

The point being that this is the actual security hierarchy, from best to worst:

1. SSL with cert signed by a trusted certificate authority
2. SSL with self-signed cert
3. Plain HTTP

Whereas most web browsers make it appear like this:

1. SSL with cert signed by a trusted certificate authority
2. Plain HTTP
3. SSL with self-signed cert

Any browser that warns you about self-signed certs should make at least as much of a fuss about using plain HTTP, but they don't. Firefox takes it to ridiculous extremes but they're all faulty in this respect.

And really, if browsers would save the self-signed cert and then alert me if it changes the way SSH does, then the result will be very good, nearly as good as a regular cert (and potentially even better, since there's no potential for compromising the trusted certificate authority).

Re:Firefox isn't helping

[Free the Cowards (1280296)]

So stop displaying the lock symbol! Nothing requires you to treat "real" SSL and self-signed SSL identically. It should be obvious that the current standard approach of making them look exactly the same except for a scary warning that appears the first time you hit a self-signed site is broken. But nobody cares about doing better because it's the "standard".

Re:Firefox isn't helping

[Zadaz (950521)]

Whereas self-signed certs let the eavesdropper send you a certificate which makes you think your connection is secure when in reality they're listening to everything you send.

aka: "Whereas having a keyed lock on your door lets a thief pick the lock and steal everything inside."

Therefore we should make it less convenient to put locks on doors.

Re:Firefox isn't helping

[QuasiEvil (74356)]

SSL without a trusted certificate provides NO additional security over communicating in the clear. AT ALL.

Bzzzt, wrong, thanks for playing.

Yes, the man in the middle attack is very real. However, it takes a great deal more work to set up than a simple sniffer, because you have to either capture/block/proxy/rewrite packets so that each side thinks it's speaking with the other, or spoof the DNS somehow.

On the other hand, a simple network sniffer can capture almost everything send in the clear, no special network tricks needed.

Authentication requires encryption. Encryption does not require authentication, but should then be considered somewhere between truly secure and just wide open. Call it a nice-to-have that prevents casual sniffers from picking up passwords to your home server, reading your webmail, and the like.

Your assertion assumes that there are no casual crackers/script kiddies out there who won't immediately escalate to some invasive and rather difficult MITM attack, or that sniffing is not a real danger. I'd argue that 90% of the insidious activity comes from just sniffing cleartext off the wire, and that more sophisticated attacks are significantly rarer. Encrypting the over the wire traffic is a way of mitigating a significant portion of that risk.

Re:Firefox isn't helping

[rsmith-mac (639075)]

Every time a Firefox or SSLTLS article comes up, we go over this again and again. SSLTLS is both an encryption and authentication scheme; it sucks but that's what the spec says it is. Firefox can't go off and do its own thing, least someone starts exploiting the fact that their implementation of SSLTLS is no longer an authentication scheme and starts taking advantage of people who expect otherwise. The W3C needs to separate authentication and encryption in the standards themselves, that's the only proper and safe way to change things.

Re:Firefox isn't helping

[defaria (741527)]

There's an ambiguity to SSL certs. They do two things at once. They 1) prove that the person who has the cert is that person through a certificate authority and they 2) provide for encryption. Why not simply have grades of SSL? A self signed cert could then allow encryption and say perhaps show a yellow padlock whereas a CA signed cert could provide for encryption and provide CA authentication and give a green padlock or whatever. What's so freaking difficult about that?

Re:Firefox isn't helping

[vux984 (928602)]

Most users are too dumb to check for SSL, good luck getting them to discern insecure, 'insecure but can't be eavesdropped', and secure.

Fair enough. So don't put the secure green lock up for self signed SSL. Put up a totally different icon in some neutral color like blue. If they click on it it says, the connection is encrypted and can't be eavesdropped but there is no gaurantee you are talking to who you think you are.

Hell, most users would be shocked to find out you can eavesdrop on their traffic in the first place.

Good point! Maybe firefox 3 should pop up a huge error screen every time you try to connect to a site with plain http. It could say something like:

The server you are connecting to is insecure. Maybe there is a configuration error on the server. Or maybe someone is trying to impersonate it. Oh, and by the way, not only that, but any communication with them maybe trivially intercepted by any 3rd party...

Are you sure you want to communicate with them?

Then it could have friendly buttons like:

"Hell no get me out of here." or "Ok, I don't mind getting pnwed!"

Re:Problem isn't computation...

[syzler (748241)]

he big barrier to ssl for small sites is cost - in some cases the cost of an ssl cert will exceed all other costs.

I would disagree. One of the biggest barriers to implementing SSL on my sites is the lack of IP addresses. I only have two IP addresses, yet I host 16 web sites. My understanding is that HTTPS requires IP based virtuals which would prevent me from hosting more than two sites if I were to use SSL for all of my sites.

Re:Problem isn't computation...

[Timothy Brownawell (627747)]

My understanding is that HTTPS requires IP based virtuals

Partly. There's a TLS extension [wikipedia.org] that makes it work, but it looks like it doesn't work for IE on WinXP.

Re:Problem isn't computation...

[this great guy (922511)]

You have 2 solutions:

• Run your websites on different ports, you have 65535 of them per IP. Make http://site1/ [site1] redirect to https://site1:1111/ [site1], http://site2/ [site2] redirect to https://site2:2222/ [site2], etc. I concede this prevents users from directly typing the https url in their address bar as they don't know the port number in advance, but again 99% of the users let themselves be redirected to the https content on most websites anyway (except paranoids like me :P).
• Use certs with the "subjectAltName" X.509 extension that let you create a single cert valid for multiple DNS names. I do this (with a CA I created & control), it works very well. The downside is that I think commercial CAs make you pay extra bucks to sign such certs (if they even accept to do that).

Anybody remembers what hapenned to RFC 2817 [ietf.org] ? It tried to address this very pb by introducing the "Upgrade: TLS/1.0" header and the "426 Upgrade Required" status code, but I don't think any browser or server implement them.

Re:Problem isn't computation...

[pv2b (231846)]

Running your web sites on non-standard ports is a great way for your web site not to be accessible to users accessing the internet through firewalls that limit egress traffic based on TCP destination ports.