Airvpn Team do you know about obfsproxy with obfs3 ? its a much better and future proof protocol not to mention the tor team working on better plugins

[poorlyhiking 0]

dear Airvpn Team id like to let you know about obfsproxy vs ssl , you should switch to obfsproxy with obfs3 support , this is a much better way to obfuscate the openvpn connection from DPI, so your ISP cant notice the difference between your regular net activity and usage of a VPN, since SSL aka Stunnel has the issue of being noticeable due to it being a HTTPS session but it

 

would flag up per DPI due to an unusual long singular HTTPS Session showing up , you see so its far from perfect , mind you China is working on improving the DPI sides of things since they hate people using VPNs but theyre not the only ones and we should be prepared , as so it can only be a positive thing to do not to mention with all the future proofing and so on seeing as Team Tor is constantly developing new

 

plugins for obfsproxy such as the much anticipated Scramblesuit plugin that should take care of DPI for good , but that one is currently in testing phase , so let me know what you guys think i think this is the way to go forward from here on out as should any trustworthy VPN provider that has its users privacy and security in mind, thank you

[zhang888 1065]

Hi!

 

Since sometimes I faced the same problem, the best solution for me was Tor > AirVPN.

 

The recent changes in the Tor bridges infrastructure in 2014 made a clear improvement over existing OpenVPN patches, such as the Xor patch

https://github.com/clayface/openvpn_xorpatch

 

and OpenVPN obfuscation patch

https://github.com/siren1117/openvpn-obfuscation-release

 

 

I can confirm (from internal tests that I conducted) that the Meek pluggable transport was working much better for me, than any other custom patches,

that had to be supported by VPN provider as well.

 

https://www.torproject.org/docs/pluggable-transports

 

https://github.com/arlolra/meek

 

 

Meek (Google/Amazon/Azure SNI obfuscation) performed far better than those obsolete obfs3 patches, and considering the fact that your ISP sees those main

companies in the SSL handshake, can even make your QoS score higher, in case your ISP uses DPI in order to shape traffic, such as most cases outside US/EU.

 

You will have an extra anonymity layer, as well as -immediate- availability, since it's only up to you to create such bridge.

 

P.S.

If you are connecting from Mainland China, the overhead of the Tor network will be almost not noticable, since the home ISP connections are capped at 5Mbit/sec max anyway.

You might get an extra 200msec latency, though.

 

Also, both SSL Tunnel and SSH Tunnel to AIrVPN servers work from China without DPI triggers, at the moment.

I know that it seems logical that "unusual long singular HTTPS Session showing up" looks obvious if you do manual traffic analysis, but again, at least now there are

no DPI devices that we are aware of, that keep such extra metadata states, like the duration of an HTTPS connection.

It is a little hard to implement, since then every connection would have to be logged for it's entire time, and not only during its initial establishment.

I doubt we will see that soon, on such massive deployment like a whole continent.

 

Regards

[poorlyhiking 0]

i personally would advise against going the Meek way! 

 

using meek means there are more entities who can watch the traffic patterns between you and your first hop. With ordinary bridges it is:

• your ISP, all upstream routers, and the bridge itself.

With meek it is:

• your ISP, all upstream routers, Amazon/Google, and the bridge itself.

 

Of course, none of these entities gets to see your plaintext directly—there is still a Tor encryption layer underneath meek's HTTPS tunnel. But all those entities are in a better position to do timing correlation, for example.

It's important to understand that Amazon/Google don't actually get to see what web sites you browse. What they see is a bunch of encrypted HTTPS POST requests, which they forward to a Tor bridge. Amazon/Google knows that your IP address is using Tor, so thats not really a good thing at all mind you

 

, id rather either go with obfs3 which defeats DPI completely without tying in another bunch of spying companies ontop , of course obfs3 is not resistant agains Man in the Middle Attacks , but we have solution to that as well but with lag as cost, namely scramblesuit or you may call it obfs4 , scramblesuit is in the process of being depreciated in favour of a better scramblesuit plugin named obfs4 , this obfs4 will have scramblesuits features and more once it goes full deployment in Tor Browser Bundle , ive heard over at tor forums theyre already planning on putting up obfs4 , heres a link to that https://trac.torproject.org/projects/tor/ticket/12130

 

and heres a easy understandable plugins documentation from Tor

 

 

https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports

[poorlyhiking 0]

Also, both SSL Tunnel and SSH Tunnel to AIrVPN servers work from China without DPI triggers, at the moment.

I know that it seems logical that "unusual long singular HTTPS Session showing up" looks obvious if you do manual traffic analysis, but again, at least now there are

no DPI devices that we are aware of, that keep such extra metadata states, like the duration of an HTTPS connection.

It is a little hard to implement, since then every connection would have to be logged for it's entire time, and not only during its initial establishment.

I doubt we will see that soon, on such massive deployment like a whole continent.

 

 

yes... at the moment! , and as we all know moments can be over in a day , month , who knows , not exactly a reasuring statement there mate, as well you might not be aware of , but why in the world would anybody with the DPI tech let theyre techs capabilities leak to the public , perhaps your right about it not being deployed on a massive scale such as a whole continent , not all at the same time , but one after another , thats enough for concern , and as said what works today may sure as hell not be tomorrow , hence why im making a request to move from ssl to something better

[zhang888 1065]

I am not sure how making an "undetectable" connection is better than making an SSL one.

The most "scary" traffic for Internet Censorship adversaries, is the traffic they cannot correlate to a known protocol, not an "unusual" behavior

like keeping a very long HTTPS connection.

 

You can keep any HTTPS enabled site open in the background browser tab, and the exact "footprint" will be seen on DPI systems as just an SSL connection to an OpenVPN service.

I can send you screenshots from both BlueCoat or Allot DPI systems, although in China they are using in-house solution made by CERNET.

 

The issue I see with standard obfsproxy3/4 bridges, is that some poor maintained blacklist systems can add them to the list of public Tor nodes, and then we will all suffer from what

is described in this topic:

https://airvpn.org/topic/12340-stop-running-tor-servers-behind-airvpn

 

Generally, since China is a very big country with many internet users, once regular SSL connections will start being blocked, the "internet" will know about really quick. It will be in major

technology news the same day.

 

I'm totally with you about the fact that maybe more obfuscation methods could be added, after all there is never "enough" to satisfy geeks like us. But every option should be considered 100

times before, in order to see all the possible implications.

Some providers offer tunneling via ICMP and DNS protocols as well, that can also work in highly restricted networks in many cases.

 

Regards