"Traffic Padding" option - please consider

[iwih2gk 92]

I find the Air tunnel to be pretty solid and I doubt its compromised.  Although strictly speaking the subject of website fingerprinting beyond the exit node is not Air's problem.  Even in a scenario where I employ a long partition of trust I have some concerns for monitoring my traffic and an adversary zeroing in on me via https/ssl website fingerprinting over time.  I know "they" cannot read what is passing through my chained tunnel, but the ultimate destination post-exit node is a website which is viewable except for my trips to the DW.  I am referring to clearnet activities, which I want to remain anonymous also.

 

In an attempt to confound those monitoring a user's actions, would an option to do "traffic padding" not be a cool thing?  I know its going to be tempting to just blow off this suggestion, but please pause and consider it.  No other VPN offers such a professional feature.

 

Clearly, traffic padding comes at the expense of more bandwidth and maybe slowing down a server just a little.  Perhaps a couple of servers could offer padding BUT a member wanting that feature would pay more to get it.  I don't know the expense I can only visualize the extra security for tunnels being padded.

 

The threat of which I am speaking is not just theoretical.  It is a proven, working adversarial counter measure.

 

Would love to hear Staff's thoughts on this.  If I am off please say so and point me to any reading on the subject.

[OpenSourcerer 1360]

maybe slowing down a server just a little

 

I talked about a side channel attack on encrypted tunnels in the past, and traffic padding is a countermeasure against it. Maybe you are referring to this. However, it would lower the performance of OpenVPN drastically.

 

Perhaps a couple of servers could offer padding BUT a member wanting that feature would pay more to get it

 

Then the servers wouldn't be neutral anymore. There were discussions about whether a few servers should offer some "cool" DNS features or TOR exit indicators, and maybe others in the past. Your request is just another one falling in this category, to which the answer would strictly be no. If Air wanted to change something, they would change it on all servers or change nothing.

[zhang888 1065]

First of all, what kind of fingerprinting are you talking about exactly?

Since most of fingerprinting techniques employ application or device

data, not the connection itself. For example cookies, user-agents,

MAC addresses (when on public hotspots) and more.

 

If you want to avoid your OpenVPN connection being detected you can

use an SSL/SSH tunnel and this is supported and documented.

 

Applying more custom patches to the OpenVPN core is a risky thing, first

of all it has to be maintained and peer reviewed for potential security issues.

Second, it will break upstream compatibility and will require manual forking

of the source code and maintaining an own branch. This is not good as well,

consider that there is a new critical vulnerability discovered in OpenVPN.

Now instead of getting the quick upstream vanilla Air would have to backport

that patch, test it, then manually install it on all servers. This is a mess.

 

 

//Edit:

A great new paper on new browser technologies and fingerprinting:

https://hal.inria.fr/hal-01285470v1/document

[iwih2gk 92]

Sorry but for some reason I am just seeing the preceeding posts.  Don't know how I missed them.

 

I already use SSL via Eddie linux on vpn1 of my multi hop circuit.  My ISP only sees which server I connect to and that's about it (bandwidth and connection time excluded of course).  As the Mods & Admins likely see in the site panel, I am using TOR post vpn(s) and so even here its TOR IP's on this website.

 

My original concerns/thoughts on "padding" were to conceal the final destination site.  Let's select airvpn(dot)org as an example, and further assume all sites I visit are https and no exit node is reached outside of the aforementioned tunnel hops.  I have read and heard that adversaries are able to determine which site I may be visiting by analyzing the data fingerprint that a site like Airvpn "sends" when the page loads.  Maybe I am wrong but I was thinking that having other data passing with the page loads and with the tunnel constantly passing small unimportant random data through it, that the distinguishable fingerprint might get concealed.  My words here may be wrong but I hope you are getting the idea.

 

It is only for this reason that I would have any interest in padding a tunnel.

[Keksjdjdke 35]

What about adaptive padding it should be more efficient and still have the same result or near the same result. Here is a research paper talking about it.

http://freehaven.net/anonbib/cache/ShWa-Timing06.pdf