DOCSLIB.ORG

Multiproxy: a Collaborative Approach to Censorship Circumvention

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Multiproxy: a Collaborative Approach to Censorship Circumvention MultiProxy: a collaborative approach to censorship circumvention Gaomei Shi MultiProxy: a collaborative approach to censorship circumvention Master’s Thesis in Computer Science Distributed Systems group Faculty of Electrical Engineering, Mathematics, and Computer Science Delft University of Technology Gaomei Shi 28th March 2019 Author Gaomei Shi Title MultiProxy: a collaborative approach to censorship circumvention MSc presentation 29th March 2019 Graduation Committee Dr. sc. ETH J.S.Rellermeyer Delft University of Technology Dr. ir. J.A.Pouwelse Delft University of Technology Dr. -Ing. T.Fiebig Delft University of Technology Abstract In recent years, many countries and administrative domains exploit control over their communication infrastructures to censor online materials. The concrete reas- ons behind the Internet censorship remain poorly understood due to the opaque nature of the systems. Generally, Internet censorship is to disrupt the free flow of information. It involves a series of steps to stop the dissemination of inform- ation, or prevent the access to information, for example, disrupt the link between the users and providers. These technologies bring significant inconvenience for le- gitimate users. The goal of the thesis is to undertake a recent study to measure the behavior of the Great Firewall of China (GFW). Based on that, this work designs a Peer-to-Peer (P2P) circumvention system called MultiProxy which exploits the blockchain-based economical model in order to create a balanced environment for resources providing and consuming. The system also uses multi-hop messaging to protect the privacy of the request initiators. The evaluation results show that MultiProxy can evade censorship while protecting users privacy. iv Preface Censorship is existing and prevalent with the advent of the Internet. It is like a double-edged sword which has both positive and negative impact on the gen- eral public. For instance, the Internet censorship limits the bad information from spreading, while at the same time it also restricts the access according to prefer- ences of regimes, and this can cause inconvenient for netizens. Take the GFW, the world’s largest country-wide Internet censorship system as an example. There are few numbers of formal documentation about the operational principles under such a sophisticated system. Therefore, I think its patterns are deserved to be explored, and with knowledge about the working mechanisms of the GFW, a countermeasure could be further designed. It was very pleasant to be able to work on this exciting and challenging research topic in the Distributed Systems group. First of all, I would like to thank my super- visor Jan, I would not have been able to complete the underlying work without his excellent scientific guidance. I would also like to thank Martijn for his assistance and support on the project API usage and coding. Finally, I would like to express my sincerest gratitude to my family for their unconditional supporting, encourage- ment and motivational capabilities. Gaomei Shi Delft, The Netherlands 18th March 2019 v vi Contents Preface v 1 Introduction 5 1.1 A brief history of the GFW . .5 1.2 The categories of circumvention systems . .6 1.3 Thesis Structure . .7 2 Problem description 9 2.1 Research Questions . .9 2.2 Internet Censorship . 10 2.2.1 Client-side censorship . 10 2.2.2 Server-side censorship . 11 2.2.3 In-path censorship . 11 2.2.4 On-path censorship . 11 2.3 Analysis and Blocking Mechanisms . 11 2.3.1 In-path censorship . 12 2.3.2 On-path censorship . 13 2.4 Obfuscation of censorship circumvention systems . 16 2.4.1 Payload encryption . 17 2.4.2 Randomizer . 17 2.4.3 Mimicry . 18 2.4.4 Tunneling . 18 2.5 P2P architecture - Build a trust network to overcome censorship . 20 3 Empirical evaluation of the GFW 23 3.1 Experimental Setup . 23 3.2 IP blocking . 24 3.3 TCP connection reset . 27 3.3.1 HTTP keywords detection . 27 3.3.2 DNS keywords detection . 28 3.3.3 TCP connection reset module . 31 3.4 DNS hijacking and DNS cache poisoning . 32 3.4.1 How the GFW intercepts DNS resolution . 32 vii 3.5 Experimental results and summary . 35 3.5.1 Threat model . 35 3.5.2 Results and Circumvention suggestions . 35 4 Circumvention System Design 37 4.1 Design goals . 37 4.2 System Architecture . 39 4.3 Traffic forwarding . 40 4.3.1 SOCKS on edges . 40 4.3.2 Peer-to-peer system . 42 4.4 Token economy . 43 4.4.1 Analysis of threats to the system . 44 4.4.2 Solutions for threats . 46 4.5 Multi-hop messaging . 52 4.5.1 Solutions for data privacy . 52 4.6 Implementation details . 53 4.6.1 Traffic forwarding . 53 4.6.2 Token economy . 54 4.6.3 Anonymous messaging . 55 5 Evaluation 57 5.1 Evaluation framework . 57 5.1.1 Network performance . 57 5.1.2 System performance . 58 5.2 Methodologies and experimental steps . 59 5.2.1 System performance . 59 5.2.2 Performance Comparison . 60 5.3 Results and analysis . 61 5.3.1 Network performance . 61 5.3.2 System performance . 63 5.3.3 Scalability test . 66 6 Conclusions and Future Work 67 6.1 Conclusions . 67 6.1.1 Results for each research questions . 67 6.1.2 Main contributions . 71 6.2 Future Work . 71 viii List of Figures 2.1 An overview of censorship system . 10 2.2 A general censorship model . 11 2.3 DNS hijacking and DNS poisoning . 16 3.1 Experimental pipeline for categorizing different root causes . 25 3.2 IP blocking . 25 3.3 TCP connection reset . 27 3.4 The model of TCP connection reset device . 31 3.5 DNS hijacking . 32 3.6 DNS cache poisoning . 33 4.1 A Tor circuit with pluggable transport meek . 38 4.2 The average connected clients number of cymrubridge02[32] . 39 4.3 Circumvention system architecture . 39 4.4 Traffic routing path . 40 4.5 Work flow of the SOCKS5 protocol . 42 4.6 Bootstrapping of a peer-to-peer system . 43 4.7 Challenge response mechanism . 45 4.8 A malicious server node . 45 4.9 Trustchain protocol[20] . 47 4.10 Intel SGX Remote attestation[19] . 49 4.11 Intel SGX Remote attestation full work flown[19] . 50 4.12 A 2-hop onion routing circuit . 52 4.13 The class UML diagram of Multiproxy . 53 4.14 Components and work flow of MultiProxy . 54 4.15 Packet structure . 54 4.16 Build a 2-hop circuit[37] . 56 5.1 Premium networking topology of Google Cloud instances[21] . 60 5.2 Latency with different hop length . 62 5.3 Latency measurement . 63 5.4 Throughput measurement . 64 5.5 CPU usage (%) . 65 5.6 Memory usage (MB) . 65 1 5.7 Scalability test . 66 2 List of Listings 1 Traceroute from uncensored domain . 26 2 Traceroute from censored domain . 26 3 Packet capture example of TCP connection reset over HTTP protocol 28 4 Packet capture example of TCP connection reset over HTTP pro- tocol during a certain period . 29 5 Packet capture example over TCP . 30 6 Packet capture example over UDP . 32 List of Tables 3.1 Poisoned IP addresses . 34 3.2 The proportion of poisoned domain names . 35 3.3 The number of domains affected by each blocking mechanism . 36 4.1 The IP addresses of meek server . 38 4.2 MultiProxy system components . 41 5.1 Evaluation framework . 57 3 4 Chapter 1 Introduction This chapter gives the background of the censorship. Censorship can occur in various types of media for a variety of reasons, such as politics, religions, copy approval, etc. This thesis does not focus on the root cause of censorship. Instead, it emphasizes the technical aspects of Internet censorship. Since different coun- tries have different implementations of the censorship systems, this work takes the country-wide content monitoring system, the GFW as a case study. Section 1.1 introduces the brief history of the Great Firewall of China (GFW). Following this, a short introduction of different circumvention methods and systems are presented in section 1.2. Section 1.3 outlines the thesis structure. 1.1 A brief history of the GFW The censorship already exists for many years according to different rules and reg- ulations as the Internet has become a common communication platform. Take the most famous example: The GFW, also known as the Great Firewall of China, is the most extensive and sophisticated country-wide Internet censoring and monitor- ing system around the world. It is a combination of the hardware and software which aims at distinguishing and blocking the network traffic in the particular blacklist. This undesired web content contains search engines, e.g., Google and DuckDuckGo, social media and social networking websites, e.g., Twitter, Face- book, Instagram, YouTube, etc. The GFW uses multiple techniques and modules to prevent the citizens from accessing the blocked contents. In the last few decades, most application layer protocols such as HTTP and DNS are directly used based on the transport layer protocols, e.g., TCP and UDP. Although these application protocols provide the standard ways of transferring re- sources, they are vulnerable to man-in-the-middle attacks because of their insuf- ficient considerations of security. All the network traffic is in plain text between 5 the source and the destination. The lack of security gives the GFW a chance to detect the contents inside the specific protocols. In the early years from 2002[41], the GFW starts developing the keyword filtering system to block the access to se- lected target websites including some search engines and social media websites which can spread a massive amount of information.
Load more

Recommended publications
  • Uila Supported Apps
    Uila Supported Applications and Protocols updated Oct 2020 Application/Protocol Name Full Description 01net.com 01net website, a French high-tech news site. 050 plus is a Japanese embedded smartphone application dedicated to 050 plus audio-conferencing. 0zz0.com 0zz0 is an online solution to store, send and share files 10050.net China Railcom group web portal. This protocol plug-in classifies the http traffic to the host 10086.cn. It also 10086.cn classifies the ssl traffic to the Common Name 10086.cn. 104.com Web site dedicated to job research. 1111.com.tw Website dedicated to job research in Taiwan. 114la.com Chinese web portal operated by YLMF Computer Technology Co. Chinese cloud storing system of the 115 website. It is operated by YLMF 115.com Computer Technology Co. 118114.cn Chinese booking and reservation portal. 11st.co.kr Korean shopping website 11st. It is operated by SK Planet Co. 1337x.org Bittorrent tracker search engine 139mail 139mail is a chinese webmail powered by China Mobile. 15min.lt Lithuanian news portal Chinese web portal 163. It is operated by NetEase, a company which 163.com pioneered the development of Internet in China. 17173.com Website distributing Chinese games. 17u.com Chinese online travel booking website. 20 minutes is a free, daily newspaper available in France, Spain and 20minutes Switzerland. This plugin classifies websites. 24h.com.vn Vietnamese news portal 24ora.com Aruban news portal 24sata.hr Croatian news portal 24SevenOffice 24SevenOffice is a web-based Enterprise resource planning (ERP) systems. 24ur.com Slovenian news portal 2ch.net Japanese adult videos web site 2Shared 2shared is an online space for sharing and storage.
    [Show full text]
  • Poster: Introducing Massbrowser: a Censorship Circumvention System Run by the Masses
    Poster: Introducing MassBrowser: A Censorship Circumvention System Run by the Masses Milad Nasr∗, Anonymous∗, and Amir Houmansadr University of Massachusetts Amherst fmilad,[email protected] ∗Equal contribution Abstract—We will present a new censorship circumvention sys- side the censorship regions, which relay the Internet traffic tem, currently being developed in our group. The new system of the censored users. This includes systems like Tor, VPNs, is called MassBrowser, and combines several techniques from Psiphon, etc. Unfortunately, such circumvention systems are state-of-the-art censorship studies to design a hard-to-block, easily blocked by the censors by enumerating their limited practical censorship circumvention system. MassBrowser is a set of proxy server IP addresses [14]. (2) Costly to operate: one-hop proxy system where the proxies are volunteer Internet To resist proxy blocking by the censors, recent circumven- users in the free world. The power of MassBrowser comes from tion systems have started to deploy the proxies on shared-IP the large number of volunteer proxies who frequently change platforms such as CDNs, App Engines, and Cloud Storage, their IP addresses as the volunteer users move to different a technique broadly referred to as domain fronting [3]. networks. To get a large number of volunteer proxies, we This mechanism, however, is prohibitively expensive [11] provide the volunteers the control over how their computers to operate for large scales of users. (3) Poor QoS: Proxy- are used by the censored users. Particularly, the volunteer based circumvention systems like Tor and it’s variants suffer users can decide what websites they will proxy for censored from low quality of service (e.g., high latencies and low users, and how much bandwidth they will allocate.
    [Show full text]
  • DNS Spoofing 2
    Professor Vahab COMP 424 13 November 2016 DNS Spoofing DNS spoofing, also known as DNS Cache Poisoning, is one of the most widely used man-in-the-middle attacks that capitalizes on vulnerabilities in the domain name system that returns a false IP address and routes the user to a malicious domain. Whenever a machine contacts a domain name such as www.bankofamerica.com, it must first contact its DNS server which responds with multiple IP addresses where your machine can reach the website. Your computer is then able to connect directly to one of the IP addresses and the DNS is able to convert the IP addresses into a human-readable domain name. If an attacker is able to gain control of a DNS server and change some of its properties such as routing Bank of America’s website to an attacker’s IP address. At that location, the attacker is then able to unsuspectingly steal the user’s credentials and account information. Attackers use spam and other forms of attack to deliver malware that changes DNS settings and installs a rogue Certificate Authority. The DNS changes point to the hacker's secret DNS name server so that when the users access the web they are directed to proxy servers instead of authorized sites. They can also start to blacklist domains and frustrate the user with their day to day activities. All blacklisted domains would have their traffic dropped instead of forwarded to their intended destination. Based on the rogue Certificate Authority the system has no sign that an attack is taking place or ever took place.
    [Show full text]
  • Secure Shell- Its Significance in Networking (Ssh)
    International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: [email protected] Volume 4, Issue 3, March 2015 ISSN 2319 - 4847 SECURE SHELL- ITS SIGNIFICANCE IN NETWORKING (SSH) ANOOSHA GARIMELLA , D.RAKESH KUMAR 1. B. TECH, COMPUTER SCIENCE AND ENGINEERING Student, 3rd year-2nd Semester GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India 2.Assistant Professor Computer Science and Engineering GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India ABSTRACT This paper is focused on the evolution of SSH, the need for SSH, working of SSH, its major components and features of SSH. As the number of users over the Internet is increasing, there is a greater threat of your data being vulnerable. Secure Shell (SSH) Protocol provides a secure method for remote login and other secure network services over an insecure network. The SSH protocol has been designed to support many features along with proper security. This architecture with the help of its inbuilt layers which are independent of each other provides user authentication, integrity, and confidentiality, connection- oriented end to end delivery, multiplexes encrypted tunnel into several logical channels, provides datagram delivery across multiple networks and may optionally provide compression. Here, we have also described in detail what every layer of the architecture does along with the connection establishment. Some of the threats which Ssh can encounter, applications, advantages and disadvantages have also been mentioned in this document. Keywords: SSH, Cryptography, Port Forwarding, Secure SSH Tunnel, Key Exchange, IP spoofing, Connection- Hijacking. 1. INTRODUCTION SSH Secure Shell was first created in 1995 by Tatu Ylonen with the release of version 1.0 of SSH Secure Shell and the Internet Draft “The SSH Secure Shell Remote Login Protocol”.
    [Show full text]
  • Threat Modeling and Circumvention of Internet Censorship by David Fifield
    Threat modeling and circumvention of Internet censorship By David Fifield A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley Committee in charge: Professor J.D. Tygar, Chair Professor Deirdre Mulligan Professor Vern Paxson Fall 2017 1 Abstract Threat modeling and circumvention of Internet censorship by David Fifield Doctor of Philosophy in Computer Science University of California, Berkeley Professor J.D. Tygar, Chair Research on Internet censorship is hampered by poor models of censor behavior. Censor models guide the development of circumvention systems, so it is important to get them right. A censor model should be understood not just as a set of capabilities|such as the ability to monitor network traffic—but as a set of priorities constrained by resource limitations. My research addresses the twin themes of modeling and circumvention. With a grounding in empirical research, I build up an abstract model of the circumvention problem and examine how to adapt it to concrete censorship challenges. I describe the results of experiments on censors that probe their strengths and weaknesses; specifically, on the subject of active probing to discover proxy servers, and on delays in their reaction to changes in circumvention. I present two circumvention designs: domain fronting, which derives its resistance to blocking from the censor's reluctance to block other useful services; and Snowflake, based on quickly changing peer-to-peer proxy servers. I hope to change the perception that the circumvention problem is a cat-and-mouse game that affords only incremental and temporary advancements.
    [Show full text]
  • Style Counsel: Seeing the (Random) Forest for the Trees in Adversarial Code Stylometry∗
    Style Counsel: Seeing the (Random) Forest for the Trees in Adversarial Code Stylometry∗ Christopher McKnight Ian Goldberg Magnet Forensics University of Waterloo [email protected] [email protected] ABSTRACT worm based on an examination of the reverse-engineered code [17], The results of recent experiments have suggested that code stylom- casting style analysis as a forensic technique. etry can successfully identify the author of short programs from This technique, however, may be used to chill speech for soft- among hundreds of candidates with up to 98% precision. This poten- ware developers. There are several cases of developers being treated tial ability to discern the programmer of a code sample from a large as individuals of suspicion, intimidated by authorities and/or co- group of possible authors could have concerning consequences for erced into removing their software from the Internet. In the US, the open-source community at large, particularly those contrib- Nadim Kobeissi, the Canadian creator of Cryptocat (an online se- utors that may wish to remain anonymous. Recent international cure messaging application) was stopped, searched, and questioned events have suggested the developers of certain anti-censorship by Department of Homeland Security officials on four separate oc- and anti-surveillance tools are being targeted by their governments casions in 2012 about Cryptocat and the algorithms it employs [16]. and forced to delete their repositories or face prosecution. In November 2014, Chinese developer Xu Dong was arrested, pri- In light of this threat to the freedom and privacy of individual marily for political tweets, but also because he allegedly “committed programmers around the world, we devised a tool, Style Counsel, to crimes of developing software to help Chinese Internet users scale aid programmers in obfuscating their inherent style and imitating the Great Fire Wall of China” [4] in relation to proxy software he another, overt, author’s style in order to protect their anonymity wrote.
    [Show full text]
  • Thesis That TW-OR Forwards All DNS Queries to a Resolver in China
    The Impact of DNSSEC on the Internet Landscape Von der Fakult¨atf¨urIngenieurwissenschaften, Abteilung Informatik und Angewandte Kognitionswissenschaft der Universit¨atDuisburg-Essen zur Erlangung des akademischen Grades Doktor der Ingenieurwissenschaften genehmigte Dissertation von Matth¨ausWander aus Lubin (L¨uben) Gutachter: Prof. Dr.-Ing. Torben Weis Prof. Dr.-Ing. Felix Freiling Tag der m¨undlichen Pr¨ufung:19. Juni 2015 Abstract In this dissertation we investigate the security deficiencies of the Domain Name System (DNS) and assess the impact of the DNSSEC security extensions. DNS spoofing attacks divert an application to the wrong server, but are also used routinely for blocking access to websites. We provide evidence for systematic DNS spoofing in China and Iran with measurement-based analyses, which allow us to examine the DNS spoofing filters from van- tage points outside of the affected networks. Third-parties in other countries can be affected inadvertently by spoofing-based domain filtering, which could be averted with DNSSEC. The security goals of DNSSEC are data integrity and authenticity. A point solution called NSEC3 adds a privacy assertion to DNSSEC, which is supposed to prevent disclosure of the domain namespace as a whole. We present GPU-based attacks on the NSEC3 privacy assertion, which allow efficient recovery of the namespace contents. We demonstrate with active measurements that DNSSEC has found wide adoption after initial hesitation. At server-side, there are more than five million domains signed with DNSSEC. A portion of them is insecure due to insufficient cryptographic key lengths or broken due to maintenance failures. At client-side, we have observed a worldwide increase of DNSSEC validation over the last three years, though not necessarily on the last mile.
    [Show full text]
  • A Privacy Threat for Internet Users in Internet-Censoring Countries
    A Privacy Threat for Internet Users in Internet-censoring Countries Feno Heriniaina R. College of Computer Science, Chongqing University, Chongqing, China Keywords: Censorship, Human Computer Interaction, Privacy, Virtual Private Networks. Abstract: Online surveillance has been increasingly used by different governments to control the spread of information on the Internet. The magnitude of this activity differs widely and is based primarily on the areas that are deemed, by the state, to be critical. Aside from the use of keywords and the complete domain name filtering technologies, Internet censorship can sometimes even use the total blocking of IP addresses to censor content. Despite the advances, in terms of technology used for Internet censorship, there are also different types of circumvention tools that are available to the general public. In this paper, we report the results of our investigation on how migrants who previously had access to the open Internet behave toward Internet censorship when subjected to it. Four hundred and thirty-two (432) international students took part in the study that lasted two years. We identified the most common circumvention tools that are utilized by the foreign students in China. We investigated the usability of these tools and monitored the way in which they are used. We identified a behaviour-based privacy threat that puts the users of circumvention tools at risk while they live in an Internet-censoring country. We also recommend the use of a user-oriented filtering method, which should be considered as part of the censoring system, as it enhances the performance of the screening process and recognizes the real needs of its users.
    [Show full text]
  • BRKSEC-2011.Pdf
    #CLUS About Garlic and Onions A little journey… Tobias Mayer, Technical Solutions Architect BRKSEC-2011 #CLUS Me… CCIE Security #14390, CISSP & Motorboat driving license… Working in Content Security & TLS Security tmayer{at}cisco.com Writing stuff at “blogs.cisco.com” #CLUS BRKSEC-2011 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Agenda • Why anonymization? • Using Tor (Onion Routing) • How Tor works • Introduction to Onion Routing • Obfuscation within Tor • Domain Fronting • Detect Tor • I2P – Invisible Internet Project • Introduction to Garlic Routing • Conclusion #CLUS BRKSEC-2011 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Cisco Webex Teams Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session How 1 Find this session in the Cisco Events App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space Webex Teams will be moderated cs.co/ciscolivebot#BRKSEC-2011 by the speaker until June 18, 2018. #CLUS © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 5 Different Intentions Hide me from Government! Hide me from ISP! Hide me from tracking! Bypass Corporate Bypass Country Access Hidden policies restrictions (Videos…) Services #CLUS BRKSEC-2011 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 Browser Identity Tracking does not require a “Name” Tracking is done by examining parameters your browser reveals https://panopticlick.eff.org #CLUS BRKSEC-2011 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 7 Proxies EPIC Browser #CLUS BRKSEC-2011 © 2018 Cisco and/or its affiliates.
    [Show full text]
  • People's Tech Movement to Kick Big Tech out of Africa Could Form a Critical Part of the Global Protests Against the Enduring Legacy of Racism and Colonialism
    CONTENTS Acronyms ................................................................................................................................................ 1 1 Introduction: The Rise of Digital Colonialism and Surveillance Capitalism ..................... 2 2 Threat Modeling .......................................................................................................................... 8 3 The Basics of Information Security and Software ............................................................... 10 4 Mobile Phones: Talking and Texting ...................................................................................... 14 5 Web Browsing ............................................................................................................................ 18 6 Searching the Web .................................................................................................................... 23 7 Sharing Data Safely ................................................................................................................... 25 8 Email Encryption ....................................................................................................................... 28 9 Video Chat ................................................................................................................................... 31 10 Online Document Collaboration ............................................................................................ 34 11 Protecting Your Data ................................................................................................................
    [Show full text]
  • Vyprvpn Auf Einem ASUS Router Einrichten “Schritt Für Schritt”
    8.11.2019 Anleitung: ASUS Router mit VPN in Betrieb nehmen "Schritt für Schritt" mit VyprVPN - dem besten VPN-Service für sicheres Sufen Menue Anleitung: VyprVPN auf einem ASUS Router einrichten “Schritt für Schritt” von Markus Hanf Letzte Aktualisierung: 12. September 2019 Approbierter Mathematiker und Netzwerkspezialist. Dozent an einigen Universitäten. Es ist ganz einfach einen ASUS Router direkt in Betrieb zu nehmen, ganz unabhängig davon welchen Internetrouter Du derzeit verwendest. Wir haben einen ganzen Vorgang der Inbetriebnahme in einer Anleitung beschrieben. VPN Router Schematische Darstellung Einen VPN-Service direkt über den ASUS Router zu verwenden bietet die folgenden Vorteile: Alle Geräte (auch SmartTV, FireTV, AndroidTV, xBox usw) werden zuverlässig über VPN verbunden ohne Softwareinstallation. Die Firewall und die zusätzlichen Schutzfunktionen die im Router vorhanden sind lassen es zu, auch Kinder und Jugendliche vor Bedrohungen aus dem Internet zu schützen. (Malwareschutz, Sperren von Webseiten, Zugriff für bestimmte Apps auf Smartphones usw) Die gesamte Familie wird zuverlässig vor Abmahnungen und sonstigen Fallen im Internet geschützt, ohne dass dabei Software oder Apps auf den Geräten zusätzlich installiert werden müssen. Die Benutzer des Routers werden “Anonymisiert” und nutzen damit eine nicht direkt zuordenbare Internetadresse für alle täglichen Aktivitäten. Zuverlässiger Schutz aller Nutzer vor Überwachung und Vorratsdatenspeicherung und damit auch eine aktive Maßnahme für eine bessere Privatsphäre. Hilfe & Beratung
    [Show full text]
  • Blocking-Resistant Communication Through Domain Fronting
    Proceedings on Privacy Enhancing Technologies 2015; 2015 (2):46–64 David Fifield*, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson Blocking-resistant communication through domain fronting Abstract: We describe “domain fronting,” a versatile 1 Introduction censorship circumvention technique that hides the re- mote endpoint of a communication. Domain fronting Censorship is a daily reality for many Internet users. works at the application layer, using HTTPS, to com- Workplaces, schools, and governments use technical and municate with a forbidden host while appearing to com- social means to prevent access to information by the net- municate with some other host, permitted by the cen- work users under their control. In response, those users sor. The key idea is the use of different domain names at employ technical and social means to gain access to the different layers of communication. One domain appears forbidden information. We have seen an ongoing conflict on the “outside” of an HTTPS request—in the DNS re- between censor and censored, with advances on both quest and TLS Server Name Indication—while another sides, more subtle evasion countered by more powerful domain appears on the “inside”—in the HTTP Host detection. header, invisible to the censor under HTTPS encryp- Circumventors, at a natural disadvantage because tion. A censor, unable to distinguish fronted and non- the censor controls the network, have a point working fronted traffic to a domain, must choose between allow- in their favor: the censor’s distaste for “collateral dam- ing circumvention traffic and blocking the domain en- age,” incidental overblocking committed in the course of tirely, which results in expensive collateral damage.
    [Show full text]