Are you able to freely use Tor in your country? In that case, you’re one of the fortunate ones. If it’s merely a case where Tor is blocked by your ISP, there are easier solutions.
You may already be familiar with Tor bridge relays, which the Tor project describes in detail at Tor: bridges. However, some countries where the internet is heavily censored (e.g. North Korea or Burma) use deep packet inspection (DPI) to filter internet traffic flows, even when the traffic uses alternate IP addresses.
This is where pluggable transports (PTs) come in.
Previously, on Deepdotweb…
We at Deepdotweb did explain a bit about pluggable transports in our 2014 article Hiding Tor From Your ISP – Part 1 – Bridges and Pluggable Transports. Read it if you need a basic understanding of how they work.
Currently, the most popular pluggable transports are obfuscated bridges. As their names suggest, they’re a method of obfuscating Tor traffic, making it appear to be “normal” (non-Tor) internet traffic.
In the years since the aforementioned article, the Tor project has developed newer PTs. The currently deployed PTs are:
Though you can use any of these transports, the general consensus is that obfs4 (the latest version of obfsproxy) is the most effective PT at present.
If you read more of its documentation, you’ll be able to get an understanding of how obfs4 works, but I’ll explain it as simply as I can.
In the above article, Jolly Roger (a member of The Hub forums) explains how to use the older PTs obfs2 and obfs3. In his words:
…For the laymans [sic] out there, basically obfs2 uses a protocol that disguises your traffic to look like random data, whereas [Tor] has a more distinct structure to it. However, it should be noted in the case of obfs2, that if an attacker sniffs the initial handshake between your computer and the obfuscated bridge, they could get the encryption key used to disguise your traffic and use it to decrypt the disguised traffic, which would reveal it as Tor traffic.
Obfs4, on the other hand, is based on Philipp Winter’s ScrambleSuit, a transport protocol that’s difficult for DPI boxes to identify and block. ScrambleSuit protects against active probing attacks, a technique used by The Great Firewall of China (an ironic term that generally refers to internet censorship in China). For more information on that, see the Wikipedia article Golden Shield Project.
Obfs4 is also known as “the obfourscator,” according to Yawning Angel (a member of the Tor Project). Obfs4 incorporates ideas from ScrambleSuit, despite its name being similar to the older protocols obfs2 and obfs3. (Confused yet? I didn’t think so.)
Just to clarify, Yawning Angel, on his GitHub page, briefly makes an effort to illustrate the differences between ScrambleSuit and Obfs4:
- When using obfs4, the handshake always does a full key exchange (i.e. there’s no session ticket handshake).
- The handshake uses the Tor project’s NTor handshake, which obfuscates public keys with the Elligator 2 mapping.
- Link layer encryption uses Networking and Cryptography library (NaCl) secret boxes (Poly1305 and XSalsa20).
I realize that these protocols are difficult to explain in a short article, but one of the main reasons that obfs4 is considered to be the best is that it’s faster than its protocol peers. Also, the main changes that have been made to obfs4 are in the key exchange process.
If you still want more information, the Tor Project has an obfs4 Transport Evaluation on their main site, which is basically an FAQ, and tries to explain the transport in plain English.
One of the more interesting questions posed on the FAQ is this: “How difficult or expensive will it be to block the design?”
The answer, in essence, is that obfs4, as opposed to its predecessors, is less vulnerable to attackers who try to identify which type of protocol is running.
Give Me My Obfuscation!
To actually install obfs4, there are several methods. You can build it from its source code, install it directly, or just activate it when you start Tor. For the full list of instructions on building from the source code, visit Yawning Angel’s GitHub repository (which I linked to above).
Setting it up from there is actually very simple. You merely need to install the components, using the following commands:
In order to build it, run: go get git.torproject.org/pluggable-transports/obfs4.git/obfs4proxy
After that, to install it, copy $GOPATH/bin/obfs4proxy to a location on your hard drive.
Finally, make a few small changes to your torrc file, which are described in detail at Yawning Angel: obfs4proxy – under “Bridge side torrc configuration.” After that, it should be up and running!
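A minimal bridge-side torrc fragment for the step above, added here as an illustration and not copied from this article. The directives are standard Tor options; the /usr/local/bin path and the port 443 listener are assumptions to replace with your own values.

```conf
# Bridge-side torrc additions for obfs4 (added illustration).

# Run this Tor instance as a bridge relay.
BridgeRelay 1

# Enable the Extended ORPort, which Tor uses to talk to the
# pluggable transport process; "auto" lets Tor pick the port.
ExtORPort auto

# Have Tor launch obfs4proxy to serve the obfs4 transport.
# Assumed path: wherever you copied the binary in the install step.
ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy

# Optional: pin the obfs4 listener to a fixed address and port
# instead of letting it choose one automatically.
# Port 443 is an assumed example value.
#ServerTransportListenAddr obfs4 0.0.0.0:443
```

Restart Tor after editing the file so that it launches obfs4proxy with the new settings.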
On the other hand, if you’re not the type who enjoys building things from source, there is an even simpler way to activate obfs4.
When you first launch Tor, a window pops up called “Tor Network Settings.” (This probably looks familiar to those of you who already have it installed.)
If you’re in the latter category, click “Configure.” After that, click “Next,” and select “obfs4” as your pluggable transport. Really easy, huh?
Hopefully, the process isn’t too difficult, but again, if you don’t have obstacles stopping you from running Tor in the first place, pluggable transports should prove unnecessary.
Still, given that law enforcement has been cracking down on cybercrime, and has become suspicious of anyone who tries to use privacy tools in general, it’s helpful to know about protocols like obfs4, just in case you should ever need to use them.
They’re watching you…