This is a great explanation, and the point about TLS is well taken as well. If you want to go for that level of misdirection, then depending on your threat model you might consider e.g. using a remote proxy and wrapping your session to it in TLS.
The tricky thing about baking TLS in at the protocol level is that it brings its baggage with it. This is not necessarily a bad thing, but it makes the design more complex to reason about. In particular, it is arguably overkill when you're not planning on using certificates, as is the case here. Just compare the number of steps here: https://tls13.xargs.org/ to any of the patterns here: http://www.noiseprotocol.org/noise.html#interactive-handshak...
Another thing worth mentioning regarding indistinguishability from randomness is the impact of metadata. Even if the bytes you send on the wire look meaningless, there's still the size of the message, the spacing between messages, the time of day, etc. Any of these channels can carry signal, and it is very hard, if not impossible, to get rid of those signals completely.
That said, I still think the original goal of indistinguishability is worthwhile, because if you can force the passive adversary to move from perfectly accurate methods (e.g. fingerprinting message contents) to imperfect ones (e.g. guessing the protocol from message timing), that seems like a win to me.
Hi, I wrote this post, and I just wanted to say thanks for the kind words - this research was a lot of fun to do and I'm glad it has an audience.
The "best" resources I know of are the ones I cited in that post, though do bear in mind it's a few years old. That said, I did want to make sure you didn't miss this companion piece: https://eli.sohl.com/2020/06/05/dht-size-estimation.html which is applicable to detecting (and - conjecturally - responding to) Sybil attacks.
Hi, I wrote this post, and yes, you're right that IPs would be disclosed, because it is necessary to learn a remote peer's IP before you can make a TCP connection to them. Whether or not this is "secure" depends on who you're trying to be secure against. If you're sharing Linux ISOs, you really don't care who sees you do it; if you're sharing pirated movies, you just care that Disney doesn't find out it was you, so you can use a VPN; if you're sharing government secrets, you might have a more rigorous threat model.
For users in extreme circumstances, Tor gets them a lot, but it also adds a lot of overhead; you'd want to avoid it if you don't need it, not just for your own sake but also for the sake of Tor's finite bandwidth. There is a lot to be said for having a feature like Tor be supported-but-optional, opt-in, and interoperable with users who are not on Tor.
I did consider the idea of allowing Tor hidden service addresses as an alternative identifier to IPs, though that idea comes with its own compromises: you'd only be able to talk to other Tor peers, for instance, or, alternately, every peer would have to be on Tor.
The latter case is obviously a non-option. The former case would kind of work, but the Tor-hidden-service peers' effective network size would be much smaller (since they can only talk to Tor peers) and thus easier to compromise. This is obviously bad - users in need of greater security would end up in a less secure version of the network - and if this subsection gets owned, that could have a second-order impact on the network's overall resilience.
Hi, I wrote this post, and this is something I was wondering about the whole time. It seemed like TCP was a necessary compromise, but I wasn't sure how painful the overhead would be. If there are any notable examples you know of where this went wrong (or right) I'd be interested.
Hi, I wrote this post. Let me use your comment as a chance to talk about what I was going for with the use of Noise here.
You're correct that part of the assumption inherent in end-to-end encryption is that you've got the other end right; otherwise, MitM attacks become possible. To prevent this, Social apps like Signal (also WhatsApp and many others) give you, roughly speaking, a way of confirming that both endpoints have negotiated the same secure channel. Less-social web apps use PKI. In both these cases, the design makes sense because you care who the other endpoint is. Their identity is meaningful to you outside of the context of the protocol.
In the peer-to-peer context, though, this identity information is mostly meaningless. I think, as long as there are no "network admins" or similarly privileged identities worth claiming, it's less important to certify identities up-front (what would even be a reasonable standard for accepting them?) and it's more important to be able to persist them. You want to make sure you're still talking to the same person you were talking to last time, whoever they are. This is what the PSKs are meant to accomplish (though they are not the only possible solution here).
This is technically still MitM'able, but only if you catch two parties on their very first connection; after that, they have a shared secret, and you should be locked out. Technically this falls slightly short of the ultimate goal of end-to-end encryption, but I still think it's a good fit for this context.
The tricky thing about baking TLS in at the protocol level is that it brings its baggage with it. This is not necessarily a bad thing, but it makes the design more complex to reason about. In particular, it is arguably overkill when you're not planning on using certificates, as is the case here. Just compare the number of steps here: https://tls13.xargs.org/ to any of the patterns here: http://www.noiseprotocol.org/noise.html#interactive-handshak...
Another thing worth mentioning regarding indistinguishability from randomness is the impact of metadata. Even if the bytes you send on the wire look meaningless, there's still the size of the message, the spacing between messages, the time of day, etc. Any of these channels can carry signal, and it is very hard, if not impossible, to get rid of those signals completely.
That said, I still think the original goal of indistinguishability is worthwhile, because if you can force the passive adversary to move from perfectly accurate methods (e.g. fingerprinting message contents) to imperfect ones (e.g. guessing the protocol from message timing), that seems like a win to me.