Distinguishing SSH and HTTPS traffic

Question

Alice is an employee of Chris, and Chris does heavy traffic monitoring via its company proxy.

Alice wishes to use a Bob's web service while preserving privacy and confidentiality. She has full control over a miner machine which is reachable from the Chris' company network.

Will Chris be able to distinguish SSH SOCKS proxy traffic on port 443 from a "usual" (unremarkable and mostly ignored by Chris' monitoring systems) HTTPS over the same port and IP pair? If so, how drastic are the detectable differences? Assume arbitrary power of the monitoring systems.

Answer 1

Yes. SSH has standardized and quite distinct handshake packets, so you can very easily detect an SSH session initiation. Here is a transcription of Wireshark capture of an SSH session initiation:

Encrypted request packet len=41
Encrypted response packet len=39
Client: Key Exchange Init
Server: Key Exchange Init
Client: Diffie-Hellman Key Exchange Init
Server: New Keys
Client: New Keys
Encrypted request packet len=48
Encrypted response packet len=48

As you can see, even Wireshark can detect them with ease. Commercial DPI solutions should also be able to detect the type of traffic going in the encrypted tunnel by looking at traffic patterns - i.e. they can understand that you're tunnelling HTTP traffic and not just using the remote shell.

To avoid detection you can wrap SSH traffic into a steganographic tunnel such as obfsproxy, but in this case you're engaging in a steganographic arms race with the packet inspector and have no way of knowing if you're detected or not unless you have access to the packet inspector console.