[Pkg-privacy-maintainers] Bug#1004374: obfs4proxy: Traffic is trivially distinguishable (Elligator2 public key representative leak)

intrigeri intrigeri at boum.org
Wed Jan 26 07:00:14 GMT 2022


Package: obfs4proxy
Version: 0.0.8-1+b6
Severity: important
Tags: security

Hi,

Please see
https://lists.torproject.org/pipermail/anti-censorship-team/2022-January/000213.html

tl;dr:

> All existing versions prior to the migration to the new code […] are
> fatally broken, and trivial to distinguish via some simple math.

Given obfs4proxy's explicit traffic obfuscation goal, this looks like
an important security issue to me.

(For those who might be wondering: whether/when this bug is fixed in
Debian does not impact Tails since we've switched to using the
obfs4proxy binary from the Tor Browser tarball.)

Thanks for maintaining obfs4proxy in Debian,
cheers!


