This (and Jacob's note) raise a larger question: Is Mosh trying to disguise the fact that a Mosh session exists between two hosts?<br><br>Currently our answer is a definite no, and ditto the other transport layer security protocols.<br>
<br>SSH doesn't try to hide that an SSH connection is happening (the packets are usually sent to port 22 after all, and an SSH banner is sent in cleartext at the start of the connection). HTTPS doesn't. DTLS doesn't. And SSP doesn't either.<br>
<br>Yes, the incrementing sequence number does indicate a Mosh session, but so do other distinguishing characteristics like the port numbers and 3-second heartbeats.<br><br>My worry is that if we start to do half-measures at network layer security, people will get confused about what we're trying to protect. Either somebody will "crack" our partial protocol hiding (and then we have to explain that it's not a "real" crack -- good luck getting people to believe that), or users will get a false sense of security.<br>
<br>My colleague Katrina has some scary/awesome results where she sniffs packets outside a VPN and tells you with 90+% probability what protocols are being used and what popular Web sites (!) the user is visiting.<br><br>
On Wed, May 16, 2012 at 5:00 PM, Peter Jeremy <<a href="mailto:peter@rulingia.com">peter@rulingia.com</a>> wrote:<br>> This incrementing nonce does provide a very simple way to detect a<br>> mosh session. Even if you can't see the actual data, simple traffic<br>
> analysis can reveal information that users might prefer not to reveal.<br>><br>> A fairly simple way to hide this would be to encrypt the nonce (and<br>> possibly the rest of the mosh header) using ECB. During setup (which<br>
> is protected via SSH), the mosh server would return two keys - the<br>> existing key used for encrypting the actual mosh session and a second<br>> key used to encrypt the nonce. Since the intent is just to whiten<br>
> the UDP packets and nonce's don't repeat, the downsides of ECB aren't<br>> important here.<br>><br>> Of course, this still leaves the periodic keepalive packets but<br>> detecting a session this way takes more effort (and you could add some<br>
> jitter to the keepalives to make it less obvious).<br>><br>> --<br>> Peter Jeremy