Philipp Winter

I am interested in computer networks and security, and why the two don't get along very well. I enjoy being part of all phases of a research project—from sketching ideas on a whiteboard, to implementation, and finally deployment and maintenance. To this end, I have worked in the three research areas listed below. I keep maintaining code I have developed in these research projects, so they are open-ended in some sense.

Keeping bad actors out of the Tor network
As communities grow in size, it becomes increasingly hard to keep out bad actors, and Tor is no exception because the network is run by volunteers. In 2013, I started developing exitmap, a fast and flexible scanner for Tor exit relays. If you have a background in functional programming, think about it as a map() interface for Tor exit relays. It allows you to run arbitrary, TCP-based tests over each exit relay. One of the main tasks of exitmap is to expose and block malicious and misbehaving exit relays. I recently broadened my scope to Sybil relays, sets of Tor relays that are under the control of a single entity. I am developing sybilhunter which is meant to assist in finding and analysing Sybils.

Censorship analysis
Early on in my Ph.D. studies, I became interested in the Great Firewall of China (GFW). I was first exposed to the GFW in 2011, when trying to understand how it blocks the Tor network. I have since revisited the topic several times, to understand how the GFW fails over space and time, and how its active probing component is designed. As part of my work on the Tor network, I also helped characterise—and circumvent—a censorship system in Ethiopia.

Traffic obfuscation
Motivated by my work on censorship systems, I became interested in traffic obfuscation, i.e., shaping network traffic in a way that it is hard to classify and block. I started by developing a small tool for server-side circumvention. It was designed to prevent the GFW from recognising Tor handshakes on the wire. The tool transparently rewrites the window size in a SYN-ACK segment, forcing the client to split its initial payload across two segment instead of one. Back in 2012, the GFW would not reassemble TCP streams, rendering it unable to spot circumvention traffic “protected” by this tool. I then went on and developed ScrambleSuit, a polymorphic traffic obfuscation protocol. ScrambleSuit can protect against the GFW's active probing attacks by relying on a “password” that is shared between client and server. ScrambleSuit has since been superseded by the faster and more elegant obfs4, which is no longer maintained by me.