Tags API (3) , Conference (8) , Dispatcher (2) , Geneva (1) , Go (6) , Guardian (1) , I2P (1) , IETF (7) , IPC (3) , Localization (1) , MASQUE (1) , Minecruft (1) , Multipath (1) , Obfs4 (1) , Obfuscation (2) , Operator (3) , PTIM (2) , PTIM2020 (7) , PTSpec (2) , Rhizome (1) , Shapeshifter (1) , Spec (2) , Specification (3) , Swift (1) , TCP (1) , UMD (1) , Virtual (8) , conference (1) , create (2) , developer (41) , grants (12) , implement (32) , implementation (9) , library (2) , marionette (1) , meeting (18) , minecruft (1) , repository (1) , research (3) , shapeshifter (1) , software (1) , specification (1) , transport (14) , video (1) , virtual (19) , Archives by Date
September 2022
July 2022
June 2022
May 2022
April 2022
March 2022
February 2022
January 2022
December 2021
November 2021
October 2021
August 2021
July 2021
March 2021
December 2020
October 2020
September 2020
January 2020
December 2019
March 2019
February 2019
December 2018
November 2018
October 2018
September 2018
August 2018
July 2018
June 2018
July 2017
June 2017
May 2017

subscribe via RSS

PTIM 2020 Guest Blog - Obfuscation Is Not Security

Updated:

This guest blog, from the Operator Foundation, weighs the role obfuscation plays in encryption.

Obfuscation: Why It Does Not Mean Security

Adelita Schule, The Operator Foundation

The key to Pluggable Transports is obfuscation. This is the mechanism by which we help our users get where they need to go by letting their traffic blend in with traffic that would not normally be blocked (or possibly by making their traffic not look like anything worth paying attention to). Obfuscation is a disguise; it is misdirection, sleight of hand. What you see is not what you think you see, but that is all. Misdirection should not be confused with security.

Like most disguises, obfuscated network traffic may not evade scrutiny. If your traffic is scrutinized, it is only private if you have also taken specific steps to make it secure with robust encryption. Encryption is a fantastic way to make data look like something else. Encryption is not only for strict security, and anything that makes employing a cipher more accessible could be used. Even a cipher that now has known vulnerabilities would still work well for obfuscation purposes. If a transport uses a cipher, you should assume it is for obfuscation and not security unless the developer explicitly states otherwise.

The need for internet security is ever more important in our connected world, and many of us who spend time working to increase internet access also work to improve internet security. The distinction between what a pluggable transport does and does not do is one that can easily be misunderstood, especially when the transport in question is known to use an encryption cipher. We all know how important security is, so it’s important that we also remember that pluggable transports are primarily meant to obfuscate and not necessarily to maintain security.