DOCSLIB.ORG

Tapdance: End-To-Middle Anticensorship Without Flow Blocking Eric Wustrow, Colleen M

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

TapDance: End-to-Middle Anticensorship without Flow Blocking Eric Wustrow, Colleen M. Swanson, and J. Alex Halderman, University of Michigan https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/wustrow This paper is included in the Proceedings of the 23rd USENIX Security Symposium. August 20–22, 2014 • San Diego, CA ISBN 978-1-931971-15-7 Open access to the Proceedings of the 23rd USENIX Security Symposium is sponsored by USENIX TapDance: End-to-Middle Anticensorship without Flow Blocking Eric Wustrow Colleen M. Swanson J. Alex Halderman University of Michigan University of Michigan University of Michigan [email protected] [email protected] [email protected] Abstract tools, researchers have recently introduced a new ap- In response to increasingly sophisticated state-sponsored proach called end-to-middle (E2M) proxying [21, 26,49]. Internet censorship, recent work has proposed a new ap- In an E2M system, friendly network operators agree to proach to censorship resistance: end-to-middle proxying. help users in other, censored countries access blocked This concept, developed in systems such as Telex, Decoy information. These censored users direct traffic toward Routing, and Cirripede, moves anticensorship technology uncensored “decoy” sites, but include with such traffic a into the core of the network, at large ISPs outside the special signal (undetectable by censors) through which censoring country. In this paper, we focus on two techni- they request access to different, censored destinations. cal obstacles to the deployment of certain end-to-middle Participating friendly networks, upon detecting this signal, schemes: the need to selectively block flows and the need redirect the user’s traffic to the censored destination. From to observe both directions of a connection. We propose a the perspective of the censor—or anyone else positioned new construction, TapDance, that removes these require- between the censored user and the friendly network—the ments. TapDance employs a novel TCP-level technique user appears to be in contact only with the decoy site. that allows the anticensorship station at an ISP to function In order to block the system, the censor would have to as a passive network tap, without an inline blocking com- block all connections that pass through participating ISPs, ponent. We also apply a novel steganographic encoding which would result in a prohibitive level of overblocking to embed control messages in TLS ciphertext, allowing us if E2M systems were widely deployed at major carriers. to operate on HTTPS connections even under asymmetric Deployment challenges While E2M approaches ap- routing. We implement and evaluate a TapDance proto- pear promising compared to traditional proxies, they face type that demonstrates how the system could function technical hurdles that have thus far prevented any of them with minimal impact on an ISP’s network operations. from being deployed at an ISP. All existing schemes as- sume that participating ISPs will be able to selectively 1 Introduction block connections between users and decoy sites. Unfor- tunately, this requires introducing new hardware in-line Repressive governments have deployed increasingly so- with backbone links, which adds latency and introduces a phisticated technology to block disfavored Internet con- possible point of failure. ISPs typically have service level tent [5,50]. To circumvent such censorship, many users agreements (SLAs) with their customers and peers that employ systems based on encrypted tunnels and proxies, govern performance and reliability, and adding in-line such as VPNs, open HTTPS proxies, and a variety of flow-blocking components may violate their contractual purpose-built anticensorship tools [1, 2, 13, 25, 37]. How- obligations. Additionally, adding such hardware increases ever, censors are able to block many of these systems by the number of components to check when a failure does discovering and banning the IP addresses of the servers on occur, even in unrelated parts of the ISP’s network, po- which they rely [46,47]. Some services attempt to remain tentially complicating the investigation of outages and unblocked by frequently changing their IP addresses, but increasing downtime. Given these risks, ISPs are reluc- they face a tension between the desire to make their net- tant to add in-line elements to their networks. In private work locations known to would-be users and the need to discussions with ISPs, we found that despite being willing keep the same information secret from the censor. to assist Internet freedom in a technical and even finan- To avoid this tension and escape the cat-and-mouse cial capacity, none were willing to deploy existing E2M game that results between censors and anticensorship technologies due to these potential operational impacts. USENIX Association 23rd USENIX Security Symposium 159 Furthermore, our original E2M proposal, Telex, as- 2 Review of Existing E2M Protocols sumes that the ISP sees traffic in both directions, client- decoy and decoy-client. While this might be true when There are three original publications on end-to-middle the ISP is immediately upstream from the decoy server, proxying: Telex [49], Decoy Routing [26], and Cirri- it does not generally hold farther away. IP flows are of- pede [21]. The designs for these three systems are largely ten asymmetric, such that the route taken from source to similar, although some notable differences exist. Figure 1 destination may be different from the reverse path. This show the Telex scheme, as one example. asymmetry limits an ISP to observing only one side of a In each design, a client wishes to reach a censored connection. The amount of asymmetry is ISP-dependent, website. To do so, the client creates an encrypted connec- but tier-2 ISPs typically see lower amounts of asymmetry tion to an unblocked decoy server, with the connection to (around 25% of packets) than tier-1s, where up to 90% this server passing through a cooperating ISP (outside the of packets can be part of asymmetric flows [48]. This censored country) that has deployed an ISP station. The severely constrains where in the network E2M schemes decoy can be any server and is oblivious to the operation that require symmetric flows can be deployed. of the anticensorship system. The ISP station determines Our approach In this paper, we propose TapDance, that a particular client wishes to be proxied by recogniz- a novel end-to-middle proxy approach that removes these ing a tag. In Telex, this is a public-key steganographic tag obstacles to deployment at the cost of a moderate in- placed in the random nonce of the ClientHello message of crease in its susceptibility to active attacks by the censor. a Transport Layer Security (TLS) connection [12]. In Cir- TapDance is the first E2M proxy that works without an ripede, users register their IP address with a registration inline-blocking or redirecting element at an ISP. Instead, server by making a series of TCP connections, encoding our design requires only a passive tap that observes traffic a similar tag in the initial sequence numbers (ISNs). In transiting the ISP and the ability to inject new packets. Decoy Routing, the tag is placed in the TLS client nonce TapDance also includes a novel connection tagging mech- as in Telex, but the client and the ISP station are assumed anism that embeds steganographic tags into the ciphertext to have a shared secret established out of band. of a TLS connection. We make use of this to allow the In both Telex and Cirripede, the tag consists of an el- system to support asymmetric flows and to efficiently liptic curve Diffie-Hellman (ECDH) public key point and include large steganographic payloads in a single packet. a hash of the ECDH secret shared with the ISP station. In Although TapDance appears to be more feasible to de- Decoy Routing, the tag consists of an HMAC of the previ- ploy than previous E2M designs, this comes with certain ously established shared secret key, the current hour, and tradeoffs. As we discuss in Section 5, there are several a per-hour sequence number. In all cases, only the station active attacks that a censor could perform on live flows in can observe this tag, using its private key or shared secret. order to distinguish TapDance connections from normal Once the station has determined that a particular flow traffic. We note that each of the previous E2M schemes is should be proxied, all three designs employ an inline also vulnerable to at least some active attacks. As a poten- blocking component at the ISP to block further commu- tial countermeasure, we introduce active defense mech- nication between the client and the decoy server. Telex anisms, which utilize E2M’s privileged vantage point in and Decoy Routing both block only the tagged flow us- the network to induce false positives for the attacker. ing an inline-blocking component. Cirripede blocks all Even with these tradeoffs, TapDance provides a real- connections from a registered client. Cirripede’s inline istic path to deployment for E2M proxy systems. Given blocking is based on the client’s IP address and has a long the choice between previous schemes that appear not to duration, possibly making it easier to implement than the be practically fieldable and our proposal, which better flow-based blocking used in Telex and Decoy Routing. satisfies the constraints of real ISPs but requires a careful After the TLS handshake has completed and the client- defense strategy, we believe TapDance is the more viable server communication is blocked, all three designs have route to building anticensorship into the Internet’s core. the station impersonate the decoy server, receiving pack- Organization Section 2 reviews the three existing ets to and spoofing packets from its IP address. In Telex, E2M proposals. Section 3 introduces our chosen cipher- the station uses the tag in the TLS client nonce to com- text steganography mechanism, and Section 4 explains pute a shared secret with the client, which the client uses the rest of the TapDance construction.
Recommended publications
  • Threat Modeling and Circumvention of Internet Censorship

    Threat Modeling and Circumvention of Internet Censorship

    Threat modeling and circumvention of Internet censorship David Fifield September 27, 2017 Abstract Research on Internet censorship is hampered by a lack of adequate models of censor behavior, encompassing both censors' current practice and their likely future evolution. Censor models guide the development of circumvention systems, so it is important to get them right. A censor model should be understood not only as a set of capabilities| such as the ability to monitor network traffic—but also as a set of priorities constrained by resource limitations. A circumvention system designed under inadequate assumptions runs the risk of being either easily blocked, or impractical to deploy. My thesis research will be concerned with developing empirically informed censor models and practical, effective circumvention systems to counter them. My goal is to move the field away from seeing the censorship problem as a cat-and-mouse game that affords only incre- mental and temporary advancements. We should instead state the hypotheses and assumptions under which our circumvention designs will work|with the designs being more or less practical depending on how well the hypotheses and assumptions match the behavior of real-world censors. 1 Thesis My research is about Internet censorship and how to make it ineffective. To this end, I am interested in building useful models of real-world censors as they exist today and may exist in the future, for the purpose of building circumvention systems that are not only sound in theory but also effective in practice. 1 2 Scope Internet censorship is an enormous topic. My thesis research is concerned with one important case of it: the border firewall.
  • Internet Censorship and Resistance May 15, 2009 1 / 32 Historical Censorship

    Internet Censorship and Resistance May 15, 2009 1 / 32 Historical Censorship

    INTERNET CENSORSHIP AND RESISTANCE Joseph Bonneau [email protected] (thanks to Steven Murdoch) Computer Laboratory Gates Scholars' Symposium 2010 Joseph Bonneau (University of Cambridge) Internet Censorship and Resistance May 15, 2009 1 / 32 Historical Censorship He who controls the past controls the future, and he who controls the present controls the past —George Orwell, Nineteen Eighty Four, 1949 Joseph Bonneau (University of Cambridge) Internet Censorship and Resistance May 15, 2009 2 / 32 Historical Censorship He who controls the past controls the future, and he who controls the present controls the past —George Orwell, Nineteen Eighty Four, 1949 Joseph Bonneau (University of Cambridge) Internet Censorship and Resistance May 15, 2009 2 / 32 Information as a Human Right Everyone has the right to freedom of opinion and expres- sion; this right includes freedom to hold opinions without inter- ference and to seek, receive and impart information and ideas through any media and regardless of frontiers. —Article 19, UN Declaration of Human Rights (1948) Joseph Bonneau (University of Cambridge) Internet Censorship and Resistance May 15, 2009 3 / 32 Information as a Human Right The final freedom, one that was probably inherent in what both President and Mrs. Roosevelt thought about and wrote about all those years ago, ... is the freedom to connect—the idea that governments should not prevent people from con- necting to the internet, to websites, or to each other... a new information curtain is descending across much of the world. —Hillary Clinton, US Secretary of State (2010) Joseph Bonneau (University of Cambridge) Internet Censorship and Resistance May 15, 2009 3 / 32 The Internet Dream The Net treats censorship as damage and routes around it.
  • OSS: Using Online Scanning Services for Censorship Circumvention

    OSS: Using Online Scanning Services for Censorship Circumvention

    OSS: Using Online Scanning Services for Censorship Circumvention David Fifield1, Gabi Nakibly2, and Dan Boneh1 1 Computer Science Department, Stanford University 2 National EW Research & Simulation Center, Rafael { Advanced Defense Systems Ltd. Abstract. We introduce the concept of a web-based online scanning service, or OSS for short, and show that these OSSes can be covertly used as proxies in a censorship circumvention system. Such proxies are suitable both for short one-time rendezvous messages and bulk bidirectional data transport. We show that OSSes are widely available on the Internet and blocking all of them can be difficult and harmful. We measure the number of round trips and the amount of data that can be pushed through various OSSes and show that we can achieve throughputs of about 100 KB/sec. To demonstrate the effectiveness of our approach we built a system for censored users to communicate with blocked Tor relays using available OSS providers. We report on its design and performance. 1 Introduction Nowadays many nations regularly filter Internet traffic by blocking news sites, social networking sites, search sites, and even public mail sites like Gmail. The OpenNet Initiative, which tracks public reports of Internet filtering, lists a large number of countries that filter Internet traffic. Over half of the 74 countries tested in 2011 imposed some degree of filtering on the Internet [1]. In response, several proxy systems have emerged to help censored users freely browse the Internet. Most notable among these is Tor [2], which, while originally designed to provide anonymity, has also seen wide use in circumvention.
  • Everyone's Guide to Bypassing Internet Censorship

    Everyone's Guide to Bypassing Internet Censorship

    EVERYONE’S GUIDE TO BY-PASSING INTERNET CENSORSHIP FOR CITIZENS WORLDWIDE A CIVISEC PROJECT The Citizen Lab The University of Toronto September, 2007 cover illustration by Jane Gowan Glossary page 4 Introduction page 5 Choosing Circumvention page 8 User self-assessment Provider self-assessment Technology page 17 Web-based Circumvention Systems Tunneling Software Anonymous Communications Systems Tricks of the trade page 28 Things to remember page 29 Further reading page 29 Circumvention Technologies Circumvention technologies are any tools, software, or methods used to bypass Inter- net filtering. These can range from complex computer programs to relatively simple manual steps, such as accessing a banned website stored on a search engine’s cache, instead of trying to access it directly. Circumvention Providers Circumvention providers install software on a computer in a non-filtered location and make connections to this computer available to those who access the Internet from a censored location. Circumvention providers can range from large commercial organi- zations offering circumvention services for a fee to individuals providing circumven- tion services for free. Circumvention Users Circumvention users are individuals who use circumvention technologies to bypass Internet content filtering. 4 Internet censorship, or content filtering, has become a major global problem. Whereas once it was assumed that states could not control Internet communications, according to research by the OpenNet Initiative (http://opennet.net) more than 25 countries now engage in Internet censorship practices. Those with the most pervasive filtering policies have been found to routinely block access to human rights organi- zations, news, blogs, and web services that challenge the status quo or are deemed threatening or undesirable.
  • Shedding Light on Mobile App Store Censorship

    Shedding Light on Mobile App Store Censorship

    Shedding Light on Mobile App Store Censorship Vasilis Ververis Marios Isaakidis Humboldt University, Berlin, Germany University College London, London, UK [email protected] [email protected] Valentin Weber Benjamin Fabian Centre for Technology and Global Affairs University of Telecommunications Leipzig (HfTL) University of Oxford, Oxford, UK Humboldt University, Berlin, Germany [email protected] [email protected] ABSTRACT KEYWORDS This paper studies the availability of apps and app stores across app stores, censorship, country availability, mobile applications, countries. Our research finds that users in specific countries do China, Russia not have access to popular app stores due to local laws, financial reasons, or because countries are on a sanctions list that prohibit ACM Reference Format: Vasilis Ververis, Marios Isaakidis, Valentin Weber, and Benjamin Fabian. foreign businesses to operate within its jurisdiction. Furthermore, 2019. Shedding Light on Mobile App Store Censorship. In 27th Conference this paper presents a novel methodology for querying the public on User Modeling, Adaptation and Personalization Adjunct (UMAP’19 Ad- search engines and APIs of major app stores (Google Play Store, junct), June 9–12, 2019, Larnaca, Cyprus. ACM, New York, NY, USA, 6 pages. Apple App Store, Tencent MyApp Store) that is cross-verified by https://doi.org/10.1145/3314183.3324965 network measurements. This allows us to investigate which apps are available in which country. We primarily focused on the avail- ability of VPN apps in Russia and China. Our results show that 1 INTRODUCTION despite both countries having restrictive VPN laws, there are still The widespread adoption of smartphones over the past decade saw many VPN apps available in Russia and only a handful in China.
  • Psiphon User Guide

    Psiphon User Guide

    PSIPHON USER GUIDE Psiphon is a free and open source web proxy that helps internet users bypass content-filtering systems used by governments in countries like China, Iran, Saudi Arabia, and Vietnam. It was developed by the Citizen Lab's CiviSec Project at the University of Toronto and was first released in December 2006. In this how to guide, learn how to provide a proxy service to someone behind a firewall with psiphon . If you are behind a firewall and want to learn how to connect to psiphon and access blocked content, check out this how to guide . Psiphon, unlike other circumvention services, is not intended to be a public, open proxy service. It’s based on a “web of trust” system so psiphon nodes are harder to block. What this means is that a person in an unrestricted location (one that is not behind a firewall) provides a psiphon proxy service to a person they are familiar with who is going online in a place where online access is limited. This is known as a psiphonode . A psiphonite is a psiphon user living in a censored country. The psiphonite connects to a psiphonode (set up by someone they know and trust) to access information freely. NOTE: Psiphon only works on Windows and Linux. There is no Mac version yet. Step 1. First, you should be in a location where you have open access to the internet. You should know someone in another location where access is limited. You will be providing a psiphonode for this person. Tip! If you do not know any psiphon users, but still want to provide a psiphonode, you can find users on psiphon’s Facebook page or Twitter page.
  • Threat Modeling and Circumvention of Internet Censorship by David Fifield

    Threat Modeling and Circumvention of Internet Censorship by David Fifield

    Threat modeling and circumvention of Internet censorship By David Fifield A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley Committee in charge: Professor J.D. Tygar, Chair Professor Deirdre Mulligan Professor Vern Paxson Fall 2017 1 Abstract Threat modeling and circumvention of Internet censorship by David Fifield Doctor of Philosophy in Computer Science University of California, Berkeley Professor J.D. Tygar, Chair Research on Internet censorship is hampered by poor models of censor behavior. Censor models guide the development of circumvention systems, so it is important to get them right. A censor model should be understood not just as a set of capabilities|such as the ability to monitor network traffic—but as a set of priorities constrained by resource limitations. My research addresses the twin themes of modeling and circumvention. With a grounding in empirical research, I build up an abstract model of the circumvention problem and examine how to adapt it to concrete censorship challenges. I describe the results of experiments on censors that probe their strengths and weaknesses; specifically, on the subject of active probing to discover proxy servers, and on delays in their reaction to changes in circumvention. I present two circumvention designs: domain fronting, which derives its resistance to blocking from the censor's reluctance to block other useful services; and Snowflake, based on quickly changing peer-to-peer proxy servers. I hope to change the perception that the circumvention problem is a cat-and-mouse game that affords only incremental and temporary advancements.
  • The Future of Anonymity and Censorship Resistant Publishing

    The Future of Anonymity and Censorship Resistant Publishing

    The Future of Anonymity and Censorship Resistant Publishing Steven J. Murdoch http://www.cl.cam.ac.uk/users/sjm217 Computer Laboratory www.torproject.org FIDIS/IFIP Internet Security & Privacy Summer School, 1–7 September 2008, Masaryk University, Czech Republic Many countries censor the Internet • Out of the 40 countries studied by the OpenNet Initiative in 2006, 26 censored the Internet in some way • The types of material censored varied depending on country, for example: • Human Rights (blocked in China) • Religion (blocked in Saudi Arabia, UAE, Iran, Bahrain) • Pornography (blocked in Saudi Arabia, UAE, Iran, Bahrain, Singapore, Burma, . ) • Other issues censored include: military and militant websites; sex education, alcohol/drugs, music; gay and lesbian websites; news, online communities Many countries censor the Internet • Out of the 40 countries studied by the OpenNet Initiative in 2006, 26 censored the Internet in some way • The types of material censored varied depending on country, for example: • Human Rights (blocked in China) • Religion (blocked in Saudi Arabia, UAE, Iran, Bahrain) • Pornography (blocked in Saudi Arabia, UAE, Iran, Bahrain, Singapore, Burma, . ) • Other issues censored include: military and militant websites; sex education, alcohol/drugs, music; gay and lesbian websites; news, online communities Many countries censor the Internet • Out of the 40 countries studied by the OpenNet Initiative in 2006, 26 censored the Internet in some way • The types of material censored varied depending on country, for example:
  • Style Counsel: Seeing the (Random) Forest for the Trees in Adversarial Code Stylometry∗

    Style Counsel: Seeing the (Random) Forest for the Trees in Adversarial Code Stylometry∗

    Style Counsel: Seeing the (Random) Forest for the Trees in Adversarial Code Stylometry∗ Christopher McKnight Ian Goldberg Magnet Forensics University of Waterloo [email protected] [email protected] ABSTRACT worm based on an examination of the reverse-engineered code [17], The results of recent experiments have suggested that code stylom- casting style analysis as a forensic technique. etry can successfully identify the author of short programs from This technique, however, may be used to chill speech for soft- among hundreds of candidates with up to 98% precision. This poten- ware developers. There are several cases of developers being treated tial ability to discern the programmer of a code sample from a large as individuals of suspicion, intimidated by authorities and/or co- group of possible authors could have concerning consequences for erced into removing their software from the Internet. In the US, the open-source community at large, particularly those contrib- Nadim Kobeissi, the Canadian creator of Cryptocat (an online se- utors that may wish to remain anonymous. Recent international cure messaging application) was stopped, searched, and questioned events have suggested the developers of certain anti-censorship by Department of Homeland Security officials on four separate oc- and anti-surveillance tools are being targeted by their governments casions in 2012 about Cryptocat and the algorithms it employs [16]. and forced to delete their repositories or face prosecution. In November 2014, Chinese developer Xu Dong was arrested, pri- In light of this threat to the freedom and privacy of individual marily for political tweets, but also because he allegedly “committed programmers around the world, we devised a tool, Style Counsel, to crimes of developing software to help Chinese Internet users scale aid programmers in obfuscating their inherent style and imitating the Great Fire Wall of China” [4] in relation to proxy software he another, overt, author’s style in order to protect their anonymity wrote.
  • Cloudtransport: Using Cloud Storage for Censorship-Resistant Networking

    Cloudtransport: Using Cloud Storage for Censorship-Resistant Networking

    CloudTransport: Using Cloud Storage for Censorship-Resistant Networking Chad Brubaker1,2, Amir Houmansadr2, and Vitaly Shmatikov2 1 Google 2 The University of Texas at Austin Abstract. Censorship circumvention systems such as Tor are highly vulnerable to network-level filtering. Because the traffic generated by these systems is disjoint from normal network traffic, it is easy to recog- nize and block, and once the censors identify network servers (e.g., Tor bridges) assisting in circumvention, they can locate all of their users. CloudTransport is a new censorship-resistant communication system that hides users’ network traffic by tunneling it through a cloud storage ser- vice such as Amazon S3. The goal of CloudTransport is to increase the censors’ economic and social costs by forcing them to use more expen- sive forms of network filtering, such as large-scale traffic analysis, or else risk disrupting normal cloud-based services and thus causing collateral damage even to the users who are not engaging in circumvention. Cloud- Transport’s novel passive-rendezvous protocol ensures that there are no direct connections between a CloudTransport client and a CloudTrans- port bridge. Therefore, even if the censors identify a CloudTransport connection or the IP address of a CloudTransport bridge, this does not help them block the bridge or identify other connections. CloudTransport can be used as a standalone service, a gateway to an anonymity network like Tor, or a pluggable transport for Tor. It does not require any modifications to the existing cloud storage, is compatible with multiple cloud providers, and hides the user’s Internet destinations even if the provider is compromised.
  • A Privacy Threat for Internet Users in Internet-Censoring Countries

    A Privacy Threat for Internet Users in Internet-Censoring Countries

    A Privacy Threat for Internet Users in Internet-censoring Countries Feno Heriniaina R. College of Computer Science, Chongqing University, Chongqing, China Keywords: Censorship, Human Computer Interaction, Privacy, Virtual Private Networks. Abstract: Online surveillance has been increasingly used by different governments to control the spread of information on the Internet. The magnitude of this activity differs widely and is based primarily on the areas that are deemed, by the state, to be critical. Aside from the use of keywords and the complete domain name filtering technologies, Internet censorship can sometimes even use the total blocking of IP addresses to censor content. Despite the advances, in terms of technology used for Internet censorship, there are also different types of circumvention tools that are available to the general public. In this paper, we report the results of our investigation on how migrants who previously had access to the open Internet behave toward Internet censorship when subjected to it. Four hundred and thirty-two (432) international students took part in the study that lasted two years. We identified the most common circumvention tools that are utilized by the foreign students in China. We investigated the usability of these tools and monitored the way in which they are used. We identified a behaviour-based privacy threat that puts the users of circumvention tools at risk while they live in an Internet-censoring country. We also recommend the use of a user-oriented filtering method, which should be considered as part of the censoring system, as it enhances the performance of the screening process and recognizes the real needs of its users.
  • Blocking-Resistant Communication Through Domain Fronting

    Blocking-Resistant Communication Through Domain Fronting

    Proceedings on Privacy Enhancing Technologies 2015; 2015 (2):46–64 David Fifield*, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson Blocking-resistant communication through domain fronting Abstract: We describe “domain fronting,” a versatile 1 Introduction censorship circumvention technique that hides the re- mote endpoint of a communication. Domain fronting Censorship is a daily reality for many Internet users. works at the application layer, using HTTPS, to com- Workplaces, schools, and governments use technical and municate with a forbidden host while appearing to com- social means to prevent access to information by the net- municate with some other host, permitted by the cen- work users under their control. In response, those users sor. The key idea is the use of different domain names at employ technical and social means to gain access to the different layers of communication. One domain appears forbidden information. We have seen an ongoing conflict on the “outside” of an HTTPS request—in the DNS re- between censor and censored, with advances on both quest and TLS Server Name Indication—while another sides, more subtle evasion countered by more powerful domain appears on the “inside”—in the HTTP Host detection. header, invisible to the censor under HTTPS encryp- Circumventors, at a natural disadvantage because tion. A censor, unable to distinguish fronted and non- the censor controls the network, have a point working fronted traffic to a domain, must choose between allow- in their favor: the censor’s distaste for “collateral dam- ing circumvention traffic and blocking the domain en- age,” incidental overblocking committed in the course of tirely, which results in expensive collateral damage.