This is a project that I’ve been working on as part of my ongoing master’s thesis. It implements a modular, censorship-resistant proxy tunnel that encapsulates arbitrary application traffic inside some cover protocol (currently only HTTPS).
I’ve tested it against nDPI and a commercial DPI engine developed by Palo Alto Networks. Both detected TOR traffic using Rosen as ordinary HTTPS :)
If you can test this out and let me know your experiences, especially if you are behind a repressive firewall that implements censorship, I would really appreciate it.
but this has been tested against nDPI and a commercial DPI engine developed by Palo Alto Networks, both of which detected TOR traffic encapsulated by Rosen as ordinary HTTPS
That might well just be a momentary observation though. It seems likely that such engines just need a small update to recognize TOR/Rosen.
The true test will be if/when censors take note. The main fingerprint that can pinpoint a Rosen client is its strange timing pattern and atypical bandwidth characteristics. These can be tweaked if needed.
This is how researchers managed to detect meek, for example. It polls for data immediately and then decays the delay interval by 1.5x if nothing happens. Researchers fed this data to a machine learning model. However, from what I found, it doesn’t look like real-world censors today use techniques this advanced in order to detect circumvention tools.
It looks better if you write Tor, not TOR. https://tor.void.gr/docs/faq.html.en#WhyCalledTor
I have been using brook for this:
https://github.com/txthinking/brook
It runs on some Windows boxes and some ODROIDs behind routers in order to provide various exits in different locations.