The Parrot is Dead: Observing Unobservable Network Communications (S&P 2013)

[wkrp]

The third installment of our series of group discussions about significant past censorship research will be:

"The Parrot is Dead: Observing Unobservable Network Communications"
PDF

Sunday, 2023-04-30 13:00–14:00

This paper is a real classic and has been highly influential. If you want to participate in the discussion, just read the paper and show up to the online meeting when it happens. I'll post a video afterward as usual.

[wkrp]

The Parrot is Dead: Observing Unobservable Network Communications
Amir Houmansadr, Chad Brubaker, Vitaly Shmatikov
https://censorbib.nymity.ch/#Houmansadr2013b

This paper identifies distinguishability vulnerabilities in three contemporary (proposed) circumvention systems: SkypeMorph, StegoTorus, and CensorSpoofer. These are examples of what the authors call "parrot" circumvention systems, which means that they attempt to blend in with some other application or protocol by imitating its external characteristics. SkypeMorph imitates Skype, StegoTorus imitates Skype or HTTP, and CensorSpoofer imitates standards-based VoIP. The study uncovers subtle and not-so-subtle ways in which the circumvention systems fail to be perfect imitations; for example, by omitting the ancillary connections that accompany genuine Skype calls, or not responding properly to probes that originate from outside the system. The paper's central claim is that circumvention by imitation is fundamentally flawed: there are too many details, quirks, and error conditions to address them all, and any one left unaddressed is fatal. As an alternative to imitation, the authors suggest tunneling; that is, embedding circumvention traffic into an existing third-party implementation of the cover protocol.

The paper features a fairly granular model of censorship. Attacks are categorized as passive, active, or proactive. ("Proactive" means the attack involves making new network connections, not just manipulating existing ones.) Censors are distinguished by how many of devices they manage, how much state they can maintain, and how much processing they can afford to do. The local adversary (LO) manages a small number of devices and few connections; the state-level oblivious adversary (OB) manages many devices and possibly many egress points, but can only do a small amount of processing per connection and only for short times; and the state-level omniscient adversary (OM) manages a network the size of OB's and can afford as much storage and computation as needed. The authors give a list of 12 requirements that they say every parrot circumvention protocol must satisfy if it is to resist blocking. Every attack is labeled with its attack category and the class of censors it is available to, as well as what failed requirements it takes advantage of.

Thanks to Amir Houmansadr for reviewing a draft of this summary.

[wkrp]

The reading group for "The Parrot is Dead" will start 20 hours from now at Sunday, 2023-04-30 13:00.

https://meet.jit.si/moderated/e4ebc46881e93ce1bf50c8937c184102c8b5ac3c02c95ea68356144e748c3665

I'll try to get the meeting started about 20 minute early, to give time to debug any connection issues. You can join with any pseudonym.

[wkrp]

Link to video

Here is the video of the discussion.

Links to references that came up during the discussion:

• 01:39: uTLS: Parroting
• 03:02: List of metaphor-based metaheuristics#Criticism of the metaphor methodology
• 27:00: Ange Albertini: Portable Document Format
• 29:09: "Seeing through Network-Protocol Obfuscation"
• 40:21: "How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic"
• 40:21: "中国的防火长城是如何检测和封锁完全加密流量的"
• 42:22: "SoK: Towards Grounding Censorship Circumvention in Empiricism"
• 45:06: "A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management"
• 45:36: "Cover Your ACKs: Pitfalls of Covert Channel Censorship Circumvention"
• 59:28: Camouflage for the TLS layer ("Blocking-resistant communication through domain fronting")
• 59:28: "Use uTLS for meek TLS camouflage in Tor Browser"