Disguising Tor Traffic as Skype Video Calls

One of the problems with Tor traffic is that it can de detected and blocked. Here’s SkypeMorph, a clever system that disguises Tor traffic as Skype video traffic.

To prevent the Tor traffic from being recognized by anyone analyzing the network flow, SkypeMorph uses what’s known as traffic shaping to convert Tor packets into User Datagram Protocol packets, as used by Skype. The traffic shaping also mimics the sizes and timings of packets produced by normal Skype video conversations. As a result, outsiders observing the traffic between the end user and the bridge see data that looks identical to a Skype video conversation.

The SkypeMorph developers chose Skype because the software is widely used throughout the world, making it hard for governments to block it without arousing widespread criticism. The developers picked the VoIP client’s video functions because its flow of packets more closely resembles Tor traffic. Voice communications, by contrast, show long pauses in transmissions, as one party speaks and the other listens.

Posted on April 13, 2012 at 7:08 AM30 Comments


Spaceman Spiff April 13, 2012 7:59 AM

When are these governmental pinheads going to stop playing Whack-a-Mole ™ with the Internet? The only way to plug all leaks like this is to shut the Internet down altogether, and I think even they realize (sub-consciously at least) that that would foment a global revolution! Nothing, not even the automobile, has become as ubiquitous as the Internet, and certainly not in as short a period of time.

Ben Hutchings April 13, 2012 8:33 AM

Until Skype follows national rules for telcos (including “lawful interception”) it’s very easy to justify blocking it.

Natanael L April 13, 2012 8:35 AM

Unfortunately, some ARE considering shutting down the internet. But mesh systems like CJDNS could maybe fix that issue too, hopefully.

Chris April 13, 2012 8:35 AM

@Spaceman Spiff

The only way to plug all leaks like this is to shut the Internet down altogether


bob April 13, 2012 8:52 AM

@Ben Hutchings

This is only an example. The point is that you could shape it to look like any encrypted data stream.

ssh proxies via port 443 is an early example of this. But deep packet analysis spotted it. So you shape your traffic to look more like HTTPS. But… So…

Arms race.

Captain Obvious April 13, 2012 9:16 AM

“outsiders observing the traffic”

Aren’t the feds usually considered insiders in the process?

If they own a good chunk of the endpoints, does it matter how your traffic is shaped?

MarkH April 13, 2012 9:20 AM

Maybe Iran will “shut down the internet” and prove me wrong …

In countries with significant internet usage, businesses, government agencies, and research & development organizations integrate internet access tightly into their operations.

It may be simple for a government executive to say, “shut down the internet!” But s/he will quickly be flooded with messages (including, no doubt, emails) from many, many directions. This potentate may soon learn not only that the economic cost of such a shutdown would be too heavy to bear for more than a couple of days… but also, that (say) the secret police, or the nuclear development agency will be shouting “our effectiveness will be cut by at least half!”

Just Some Guy April 13, 2012 11:17 AM

Security by obscurity works!

(kidding, not trolling)

Right, but this is an anonymity by obscurity scheme. If an adversary identifies such traffic as Tor traffic the protocol’s anonymity is compromised, but the traffic remains as secure as plain Tor traffic, i.e. its encryption must still be cracked.

Daniel April 13, 2012 1:42 PM

The fundamental issue is that the need to encrypt data is in itself useful data. So traffic shaping in this case is a type of parasitic cuckoldism. It’s trying to disguise “bad” encryption by making it look like “good” encryption. If you can’t convince ’em, confuse ’em.

Gweihir April 14, 2012 4:13 AM

Basically, the only way to defend against things like this is to cut the connection. Good!

As to when politicians will stop to try to fight this, my take is never. But at some point the engineers tasked with fighting this will just realize the battle is lost. Quite like it happened with strong encryption for the masses.

Michael J April 14, 2012 9:08 AM

This is ironic. Skype protocols were originally designed to leave no obvious signature, and thus be resistant from DPI activities at Telcos and company firewalls.

As Skype became an integral and apparently acceptable part of the Internet landscape, these design goals have become eroded.

To the extent that Skype is apparently perceived as so harmless, that imitating its transport protocols is now a benefit.

How the world changes.

Nick P April 14, 2012 1:42 PM

@ Michael J

Indeed, in the past many of us considered Skype a security risk due to its behavior and protocol construction. There were also suspicions that, after eBay acquisition, that it was operated by the NSA. How ironic that they would proxy an anonymity system through a privacy-defeating, possibly government run product.

ian April 15, 2012 6:28 AM

The NSA can probably detect it, by virtue of them not being able to decrypt it as they can for normal Skype traffic 😉

Arska April 15, 2012 7:35 AM

Skype belongs to Microsoft’s portfolio. They collaborate with all three letter agencies. I wouldn’t trust in it’s encryption scheme either. Use jitsi.org. In matter of fact I do not trust any piece of usa made software or cloud service that resides in USA!

Nick P April 15, 2012 3:59 PM

@ ian


@ arska

lol @ your poor logic. I’m USA and nothing I’ve ever made has a backdoor. Why, my development processes are even design to prove it to an untrusting 3rd party. And eBay owns Skype, not Microsoft. (rolls eyes)

Lisa April 16, 2012 11:44 AM

Forget shutting down the Internet, since the bad guys will move to another medium.

The only effective solution is to simultaneous detonate the world’s stockpiles of nuclear weapons in order to burn off all of that pesky oxygen that the world’s criminals are using.

The precedence has already been set to make the vast majority of innocent people suffer and lose life, liberty, justice, freedom, and privacy, in the so call goal of going after the bad guys.

So why stop at a half measure, that is slowly ratcheting up, when removing all oxygen on the planet will solve the problem completey?

Mike Rose April 16, 2012 7:26 PM

@Lisa – Given we’ve left the realm of serious, reasoned debate, I’ll play along. How does one ‘burn’ oxygen?

Clive Robinson April 17, 2012 6:57 AM

@ Mike Rose,

@Lisa – Given we’ve left the realm of serious reasoned debate, I’ll play along. How does one’burn’ oxygen

As we are “not serious” I’ll play along as well 😉

According to some very old text books I have the process of burning is breaking chemical bonds and so that new bonds can be created to atoms of oxygen. It also indicates that oxygen has two common “free states” that is O2 and O3, both of which are poisonous to some degree.

So at the risk of hearing that old phrase thrown at Wimbledon umpires “Surely you cann’t be Serious!!”…

You could “burn” 3 lots of O2 to make 2 lots of O3

I will let you decide what I get for the two scores (style and substance) used by other sports 😉

Lisa April 17, 2012 10:02 AM

Burning off oxygen is an expression that refers to consuming free O2 & O3, in the process of oxidizing other elements, like nitrogen, carbon, sulfur, iron, etc.

Some speculate that if enough above ground atomic detinations occur over large areas and on multiple continents all at the same time, it could trigger a global fire that would burn down all of the surface plant life, break up atmospheric nitrogen into nitro-oxides, and significantly lower the remaining free oxygen.

Whether or not this is true is not important. My point was only to express the stupidity of forcing all innocent people to suffer, in the attempt to go after a few bad people, to the logical extreme.

Does it make sense to kill 100000 people a year from skin cancer, from back scatter X-ray machines, in the remote chance that you might prevent a 911 style attack every 10 years which might kill 500-5000 people?

Chanoch April 18, 2012 4:22 AM

I used to read a lot of scifi and I have to tell you we’re backing into the very plots I used to read. The idea that it is acceptable to tape my calls, read my emails, and have free access to my communication without showing reason is ludicrous.

I think to properly eliminate terror we should demand that everyone installs microphones in every room so the government can listen in. We could develop software that listens in to key words and alerts the nearest officer to come and fetch us if the level is suspicious.

jacob April 18, 2012 7:56 AM

@chanoch. At the risk of being accused of wearing a tin foil hat. “They” can and do now, right now. FISA, patriot act, etc. they can listen by activated cell phone mics, talked about web cam/microphone activation, keyloggers, etc. all without a judge signing off other than a pinky promise that it is important.

The new NSA datacenter, to vacuum info for analysis later. Oh, and the director parsing words saying it’s not snooping until we access the data.

Hoover would love this modern age. I just wonder what is available for blackmail and if someone has already done it. You know CEOs and politicians…

Ok, taking tin foil hat off… 😉

gordon anderson May 7, 2012 12:43 AM

One concern I have heard mentioned [ by eff.org ] is that a well funded org can snoop traffic at the entry and exit points to the ‘tor cloud’ and correlate these to get a picture of a Tor users activity.

It seems useful to have a synthetic traffic generator which shapes traffic going into Tor, so that bursty traffic is embedded within a ‘normalised’ random stream of traffic.

This would make it much harder to do traffic correlation.

The other thing you might want to do is to add random small delays to traffic – increasing average latency by say 100ms… making it very hard to time-correlate data between the traffic at the Internet provider sites where packets go in and out of Tor.

Maybe a 10x increase in bandwidth and 5x increase in latency is the price one has to pay for anonymous traffic?

Clive Robinson May 7, 2012 5:28 AM

@ Gordon Anderson,

One concern I have heard mentioned [ by eff.org is that a well funded org can snoop traffic at the entry and exit points to the ‘tor cloud’ and correlate these to get a picture of a Tor users activity

The main problem with TOR in this respect is that the network stops before the users computer.

The military solution to “Traffic Analysis” was to use a fixed bandwidth and stuff it to capacity with either real or faux traffic. Correlation by an enemy/observer then has to be done by other means (packet size type etc).

Obviously if all parts of the network followed this fixed bandwidth with 100% utilisation using standard fully encrypted packets then little information would be leaked from the traffic.

For obvious reasons TOR can not do this with independent endpoints such as general use webservers, so there will always be information leakage there. It can but currently does not do fixed bandwidth 100% utilisation between nodes within the TOR network so some information can leak when the number of users is low or one or two users have very asymetric traffic usage (ie download a movie -v- post to a blog site). Likewise it could use fixed bandwidth 100% utilisation to a users endpoint computer.

But there is a problem with “fixed bandwidth” links on the Internet which does not use (at the user access level) circuit switching. That is you get all sorts of minor delays, jitter and other time based issues due to sharing the limk bandwidth with multiple users producing what to all intents and purposes is random traffic.

As long as this issue is exploitable then a well resourced adversary can force link starvation into the system to trigger higher level error correction mechanisums and thus get some information from the links.

Clive Robinson May 7, 2012 7:01 AM

@ Gordon Anderson,

Depending on how good you are at thinking sideways with a twist you might find the following of interest when lookin at “traffic analysis” on TCP links,


Oh and by the way there is another proposal (RED) that was proposed some time ago but in all honesty it’s never likely to get off the ground.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.