Comment by megous

1 month ago

You don't need websockets, just Connection: Upgrade to anything you want. You can upgrade directly to ssh protocol and just pass on decrypted data from https socket to local port 22 from then on with no further processing.

Proper DPI can tell that it wouldn't be acting like a typical HTTP stream, encrypted or not.

  • Hehe true, SSH traffic is so characteristically obvious that the packet size and timing can be used as a side channel to leak information about a session.

    Tangential, but I recall reading about a similar technique used on SRTP packets to guess the phonemes being uttered without needing to decrypt the traffic.

    • I guess you would need to either mimic a protocol that always uses a fixed packet size/rate (like an MPEG-TS video stream or something), or artificially pad/delay your packets to throw off detection methods.
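The two detection angles raised in this thread, the non-standard `Connection: Upgrade` target and the packet size/timing fingerprint of an interactive session, as an added Python example that is not part of any comment above. The request bytes, the packet traces, the `Upgrade: ssh` token and the thresholds are all constructed for illustration; the padding/pacing helper shows why the fixed-size, fixed-rate shaping from the last comment defeats the timing classifier.

```python
"""Defender-side checks for the HTTP Upgrade tunnelling discussed in the thread.

1. flag_nonstandard_upgrade(): report an Upgrade to anything other than the
   protocols a web server normally upgrades to (websocket, h2c).
2. looks_interactive(): score a flow by packet size and inter-arrival jitter,
   the side channel that makes interactive SSH recognisable even when encrypted.
3. pad_and_pace(): the mitigation (fixed size, fixed clock) applied to a trace.

All requests and traces below are constructed sample data, not captures.
"""
import statistics

# Upgrade targets a browser-facing web server is expected to accept (assumption).
KNOWN_UPGRADE_PROTOCOLS = {"websocket", "h2c"}

# Constructed requests: a hypothetical "Upgrade: ssh" tunnel and a normal WebSocket handshake.
SSH_UPGRADE_REQUEST = (
    b"GET /tunnel HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Connection: Upgrade\r\n"
    b"Upgrade: ssh\r\n"
    b"\r\n"
)
WEBSOCKET_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Connection: keep-alive, Upgrade\r\n"
    b"Upgrade: websocket\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"\r\n"
)

# Constructed traces: (timestamp_seconds, payload_bytes) per packet in one direction.
# Keystroke-sized records arriving at human-typing intervals:
INTERACTIVE_SSH_TRACE = [
    (0.00, 36), (0.21, 36), (0.35, 36), (0.94, 36), (1.02, 36),
    (1.05, 36), (2.40, 36), (2.61, 36), (2.63, 36), (3.90, 36),
]
# A stream that always sends the same size on a fixed clock (MPEG-TS-like):
CONSTANT_RATE_TRACE = [(i * 0.02, 1316) for i in range(10)]


def parse_http_headers(raw):
    """Return (request line, {lower-case header name: value}) from a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def flag_nonstandard_upgrade(raw):
    """Return the requested upgrade protocol if it is not an expected one, else None."""
    _, headers = parse_http_headers(raw)
    connection = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "upgrade" not in connection:
        return None
    # Upgrade may list several tokens ("h2c, websocket") with optional "/version".
    proto = headers.get("upgrade", "").split(",")[0].split("/")[0].strip().lower()
    if proto and proto not in KNOWN_UPGRADE_PROTOCOLS:
        return proto
    return None


def flow_features(packets):
    """Fraction of tiny packets and coefficient of variation of inter-arrival gaps."""
    if len(packets) < 2:
        return {"small_fraction": 0.0, "gap_cv": 0.0}
    sizes = [n for _, n in packets]
    gaps = [b - a for (a, _), (b, _) in zip(packets, packets[1:])]
    small_fraction = sum(1 for n in sizes if n <= 64) / len(sizes)
    mean_gap = statistics.mean(gaps)
    gap_cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    return {"small_fraction": small_fraction, "gap_cv": gap_cv}


def looks_interactive(packets, small_threshold=0.5, gap_cv_threshold=0.8):
    """Heuristic: mostly keystroke-sized packets with irregular timing (thresholds assumed)."""
    f = flow_features(packets)
    return f["small_fraction"] >= small_threshold and f["gap_cv"] >= gap_cv_threshold


def pad_and_pace(packets, size, interval):
    """Mitigation from the thread: every packet padded to `size`, sent every `interval` s."""
    return [(i * interval, size) for i in range(len(packets))]


if __name__ == "__main__":
    print("upgrade target:", flag_nonstandard_upgrade(SSH_UPGRADE_REQUEST))   # ssh
    print("websocket flagged:", flag_nonstandard_upgrade(WEBSOCKET_REQUEST))   # None
    print("raw ssh interactive:", looks_interactive(INTERACTIVE_SSH_TRACE))   # True
    print("constant-rate interactive:", looks_interactive(CONSTANT_RATE_TRACE))  # False
    shaped = pad_and_pace(INTERACTIVE_SSH_TRACE, 1316, 0.02)
    print("padded ssh interactive:", looks_interactive(shaped))                # False
```

The header check is cheap and belongs at the reverse proxy or WAF, where a non-websocket Upgrade can simply be refused. The flow heuristic is the kind of signal the thread says proper DPI uses, and the `pad_and_pace` result shows the cost of defeating it: every keystroke now costs a full-size packet on a fixed clock, which is exactly the bandwidth a fixed-rate cover protocol burns.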