obfs4

obfs4 (the "obfourscator") is a randomizing pluggable transport that wraps a connection in a layer of specialized encryption so that the traffic on the wire looks like uniformly random bytes with no recognizable headers, length patterns, or handshake fingerprints. It is one of the most widely used disguises for restoring blocked but lawful access to anonymity networks, and is the default transport bundled with many bridge addresses.

Looking like nothing

Rather than imitating a specific protocol, obfs4 aims to look like no protocol at all. It builds on an authenticated key exchange using Curve25519 keys obscured with an Elligator 2 mapping, so even the handshake bytes appear random. It also adds protocol polymorphism, randomizing packet lengths and timing to frustrate flow fingerprinting by deep packet inspection.

Resisting active probing

A capable censor does not just watch traffic passively; it actively connects to suspected proxies to see how they respond. obfs4 defends against this with a per-bridge shared secret that a client must prove knowledge of in its first message. Without that secret, an active prober that has merely learned a bridge's IP address cannot confirm that anything circumvention-related is running there, so the address is far harder to safely block.

obfs4 is typically paired with an unlisted relay; see the Tor bridge and deep packet inspection glossary entries for context.