I think if the goal is to avoid detection+blocking then having the ability to run the protocol over HTTP by doing GETS and POSTS would work much better (no ssl).
I have a few issues with the idea of using SSL as obfuscation.
One is that some countries do in fact block or simply forbid encrypted connections. Spotting encrypted connections is easy because the data looks random whereas unencrypted protocols don't.
Examples: Tunisia "solved" SSL on the Google login page by simply hijacking the connection before the SSL connection was established. They solved it on Facebook by just blocking SSL entirely and forcing users to downgrade to the unencrypted version. Chinas GFW has been known to simply terminate connections that look like they're encrypted when they're leaving the country.
To really hide you need to look like regular web traffic as much as possible and you need the ability to rapidly change how the protocol looks. Then nothing but cutting off all web access will work.
How about this strawman proposal. Currently BitCoin travels over TCP port 8333. We can build an HTTP proxy for this such that a GET to
http://www.some-site.com/bc/random-words?v=1is equivalent to waiting for a message to arrive and a POST to that same URL is like sending a message. BitCoin is an entirely message based protocol and messages are small, so it will work OK. A cookie is used to keep the individual requests tied together to a logical connection. The proxy site then relays these messages into the p2p network as per usual. The random words could be anything and just pulled from a dictionary.
If you wanted to get really intense you could encode the messages steganographically into JPEGs or random HTML content.
To a DPI engine, this looks just like regular web browsing. There's some GETs, some POSTs, some cookies and the downloads/uploads are just binary. As long as there's no specific signature (like the current protocols beginning of message markers) this is probably quite hard to detect.
At the start, this can be implemented independent of the BitCoin client. Later on it could be integrated. Proxy lists could be distributed via a regular text file that has a signature on the end. A new command could be added that allows for new proxy lists to be downloaded from an existing proxy, to mimic the address discovery of the existing TCP based network.
Anyone who is serious about claiming this bounty should team up with a Snort expert to make sure that whatever solution they come up with is actually difficult to build detection scripts for.
