Tor: Pluggable Transports
An increasing number of censoring countries are using Deep Packet Inspection (DPI) to classify Internet traffic flows by protocol. While Tor uses bridge relays to get around a censor that blocks by IP address, the censor can use DPI to recognize and filter Tor traffic flows even when they connect to unexpected IP addresses.
Pluggable Transports (PT) transform the Tor traffic flow between the client and the bridge. This way, censors who monitor traffic between the client and the bridge will see innocent-looking transformed traffic instead of the actual Tor traffic. External programs can talk to Tor clients and Tor bridges using the pluggable transport API, to make it easier to build interoperable programs.
How to use PTs to bypass censorship
If connections to the Tor network are being blocked by your ISP or country, follow these instructions:
How to run PTs to help censored users
obfs4 is currently the most effective transport to bypass censorship. To learn how to run this transport, please visit the obfs4proxy wiki page.
Currently deployed PTs
These Pluggable Transports are currently deployed in Tor Browser, and you can start using them by downloading and using Tor Browser.
- obfs4 is a transport with the same features as ScrambleSuit but utilizing Dan Bernstein's elligator2 technique for public key obfuscation, and the ntor protocol for one-way authentication. This results in a faster protocol. Written in Go. Maintained by Yawning Angel.
- meek is a transport that uses HTTP for carrying bytes and TLS for obfuscation. Traffic is relayed through a third-party server (Google App Engine). It uses a trick to talk to the third party so that it looks like it is talking to an unblocked server. Maintained by David Fifield.
- Format-Transforming Encryption (FTE) transforms Tor traffic to arbitrary formats using their language descriptions. See the research paper.
- ScrambleSuit is a pluggable transport that protects against follow-up probing attacks and is also capable of changing its network fingerprint (packet length distribution, inter-arrival times, etc.). It's part of the Obfsproxy framework. Maintained by Philipp Winter.
Deprecated PTs; Removed from Tor Browser
- Obfsproxy is a Python framework for implementing new pluggable transports. It uses Twisted for its networking needs, and pyptlib for some pluggable transport-related features. It supports the obfs2 and obfs3 pluggable transports. Maintained by asn.
- Flashproxy turns ordinary web browsers into bridges using WebSockets, and has a little Python stub to hook Tor clients to the WebSocket connection. See its git repository and design paper. Maintained by David Fifield.
Undeployed PTs
- StegoTorus is an Obfsproxy fork that extends it to a) split Tor streams across multiple connections to avoid packet size signatures, and b) embed the traffic flows in traces that look like HTML, JavaScript, or PDF. See its git repository. Maintained by Zack Weinberg.
- SkypeMorph transforms Tor traffic flows so they look like Skype Video. See its source code and design paper. Maintained by Ian Goldberg.
- Dust aims to provide a packet-based (rather than connection-based) DPI-resistant protocol. See its git repository. Maintained by Brandon Wiley.
Also see the
Our goal is to have a wide variety of Pluggable Transport designs. Many are at the research phase now, so it's a perfect time to play with them or suggest new designs. Please let us know if you find or start other projects that could be useful for making Tor's traffic flows more DPI-resistant!