2026-vilalonga-obscura-enabling-ephemeral

Obscura: Enabling Ephemeral Proxies for Traffic Encapsulation in WebRTC Media Streams Against Cost-Effective Censors

Afonso Vilalonga, Kevin Gallagher, João S. Resende, Henrique Domingos · PoPETs 2026 · 2026

Team notes

Auto-ingested via corpus-crawl. Tags proposed by Claude Haiku 4.5; review and tighten before relying. Directly relevant to Lanterns's WebRTC-based transport research and defenses against lightweight censorship infrastructure in cost-constrained regions.

Tags

censors: generic
techniques: traffic-shape
defenses: webrtc-pluggable

findings extracted from this paper

Obscura's browser-to-browser (B-B) WebRTC connections produce DTLS ClientHello and ServerHello messages indistinguishable from genuine browser traffic: across 100 captured handshakes compared against Facebook Messenger, Google Meet, Discord, and a reference WebRTC app using the dfind tool, no unique identifiers were found in C-C connections, and the sole Firefox-specific fingerprint (ServerHello length 86 bytes, cipher TLS_AES_128_GCM_SHA256, extension field length 46 bytes) matches the default Firefox WebRTC profile — meaning blocking it would also block all legitimate Firefox WebRTC users.

§5.2 defense tls-fingerprintdpi generic
A differential degradation attack (DDA) that selectively drops RTP packets carrying the last packet of a video frame — exploiting the fact that a single lost packet causes the entire encoded frame to be discarded — reduces Protozoa's covert throughput to single-digit KBps at 1920×1080 with 15% frame loss and at 426×240 with 50% frame loss, while maintaining acceptable video quality for legitimate WebRTC traffic.

§5.3 detection dpitraffic-shape generic
Obscura proxies resist active probing by never exposing open ports or accepting incoming connections; combined with a large ephemeral volunteer pool (analogous to Snowflake's scale), the vast IP address space and rapid proxy rotation make exhaustive enumeration infeasible without causing sufficient collateral damage to deter the censor — consistent with the absence of observed blind-blocking campaigns against Snowflake.

§5.1 defense active-probingip-blocking cnir
Under baseline conditions (0% packet loss, no bandwidth constraint, 115 ms RTT), Obscura achieves average throughputs of 1.79 Mbps for Firefox-to-Firefox, 1.49 Mbps for Chrome-to-Chrome, and 1.32 Mbps for Pion-to-Pion connections; P-P connections collapse when the 2 Mbps target video bitrate exceeds the 1500 Kbps bandwidth constraint, while C-C connections remain usable at 10% packet loss with an average of 460 Kbps.

§4.3 evaluation traffic-shape generic
Authoritarian regimes blocked Snowflake primarily through DPI targeting fingerprints in Pion's DTLS handshake and TLS fingerprints in complementary WebRTC protocols, not through ML-based traffic analysis — confirming that cost-effective censors consistently favor simple, deterministic methods over computationally expensive classifiers.

§1 detection dpitls-fingerprintactive-probing cnir