A Preliminary Look at the Privacy of SSH Tunnels

Secure Shell (SSH) tunnels are commonly used to provide two types of privacy protection to clear-text application protocols. First and foremost, they aim at protecting the privacy of the data being exchanged between two peers, such as passwords, details of monetary transactions and so on. Second, they are supposed to protect the privacy of the behavior of end-users, by preventing an unauthorized observer from detecting which application protocol is being transported by an SSH tunnel. In this paper we introduce a GMM-based (Gaussian Mixture Model) technique that, under a set of reasonable assumptions, can be used to identify which application is being tunneled inside an SSH session by simply observing the stream of encrypted packets. This technique can therefore break the presumption of privacy in its second incarnation as described above. Although still preliminary, experimental results show that the technique can be quite effective, and that the standard bodies might need to take this approach under consideration when designing new obfuscation techniques for SSH.