Expose the ability to set DTLS ciphersuites in the API #1043
Comments
|
@cohosh I brought up fingerprinting at the W3C, but didn't have much luck convincing people it matters. Does Tor have any membership in the W3C/people that can push for it there? I am all for adding it, I just don't want to diverge. Maybe I am being paranoid, but I know it has caused my frustration when other software adds 'extensions' to APIs/protocols they don't own. For the time being the best thing to do is probably add a slice of allowed CipherSuites to SettingEngine I would be happy to merge that right away :) |
Nice! That's a good question, I'll ask and try to get back to you next week.
I also filed pion/dtls#199 which would help with some more immediate issues we're having. I'm okay with this ticket being a longer-term goal. I didn't think about the |
|
Oh hey sorry I forgot about this. Yeah we have what we need at the Snowflake side :) Thanks for everything! |
Summary
Right now there is no ability to set the list of DTLS ciphersuites in the WebRTC API. This feature would allow users to the specify the list of ciphersuites in the creation of a DTLSTransport, perhaps as an argument to the NewDTLSTransport function.
Motivation
In our work for Snowflake, we desire the ability to choose ciphersuites that match the fingerprints of common WebRTC implementations. Fingerprinting of the ClientHello message by looking at the list of ciphersuites is a very effective technique by censors to detect circumvention tools like Snowflake.
For more information on TLS fingerprinting, see this recent paper by Frolov and Wustrow: https://sfrolov.io/papers/ndss19-frolov.pdf
uTLS is a Go project that modifies
crypto/tlsfor use in circumvention tools and provides an example of the capabilities that would be great for us and other tools: https://sfrolov.io/projects/utls/For an idea of the DTLS fingerprints of other WebRTC implementations, see our preliminary work on fingerprinting Snowflake (at the time when we were using the Chrome WebRTC library): https://trac.torproject.org/projects/tor/wiki/doc/Snowflake/Fingerprinting
Describe alternatives you've considered
I took a look at what's exposed in the API for the creation of DTLSTransport, and see no way to set the cipher suite. Another option for implementing this would be to specify it in the https://godoc.org/github.com/pion/webrtc#DTLSParameters.
Additional context
This would also help us out in a ticket on CPU profiling where we found that switching to GCM reduces the CPU load on our Snowflake proxies: https://trac.torproject.org/projects/tor/ticket/33211#comment:14
The text was updated successfully, but these errors were encountered: