DOCSLIB.ORG

Frolov Eric Wustrow University of Colorado Boulder University of Colorado Boulder

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Frolov Eric Wustrow University of Colorado Boulder University of Colorado Boulder HTTPT: A Probe-Resistant Proxy Sergey Frolov Eric Wustrow University of Colorado Boulder University of Colorado Boulder Abstract deployed behind already-existing Web Servers, making it im- Recently, censors have been observed using increasingly so- possible for censors to access and identify the proxy without phisticated active probing attacks to reliably identify and knowing the secret necessary to use it. block proxies. In this paper, we introduce HTTPT, a proxy designed to hide behind HTTPS servers to resist these active probing 1.1 Benefits attacks. HTTPT leverages the ubiquity of the HTTPS protocol HTTPT has several benefits over existing designs: to effectively blend in with Internet traffic, making it more difficult for censors to block. We describe the challenges that Replay attack protection Existing probe-resistant proxies HTTPT must overcome, and the benefits it has over previous are vulnerable to replay attacks, where the censor re-sends ob- probe-resistant designs. served client messages. Some proxies, such as shadowsocks- libev [43], implement a cache to prevent replays of previous 1 Introduction connections. However, China’s active probing thwarts this defense by permuting replays [3], and the behavior of not re- Internet censors strive to detect and block circumvention prox- sponding at all to replays may be unusual. In contrast, HTTPT ies. Many censors have adopted sophisticated proxy discovery is immune to replay attacks due to its reliance on TLS, which techniques, such as active probing [14,38,39], where the cen- includes bidirectional nonces in the handshake. sor connects to suspected proxy servers and sends probes Using existing web servers HTTPT leverages existing designed to distinguish them from non-proxies. In response web servers, making it more difficult for censors to single out to this attack, developers designed and built probe-resistant or identify. Hiding a proxy behind an authentic web server, proxies, such as ScrambleSuit [40], obfs4 [44], and Shadow- such as Apache or nginx, obviates the need to mimic TLS or socks [2] which require clients to prove knowledge of a secret any other server fingerprints [21] that could allow censors to key (obtained out of band) before the proxy will respond to block it. them. Overhead After the initial TLS handshake, HTTPT’s over- While probe-resistant proxies are harder for censors to head is minimal. To avoid the overhead associated with send- identify, recent work demonstrates there are still ways censors ing HTTP-compatible encodings, HTTPT instead uses Web- could detect probe-resistant proxies [20]. For instance, not Sockets between client and server. This allows the client responding to common protocols like HTTP or TLS is un- and server to send binary data over the web server, obviating usual behavior for servers. Recently, China’s GFW has been the need for costly HTTP-safe encodings such as MIME or observed using similar active probing techniques to detect base64. and block Shadowsocks [3]. Using a popular protocol Existing probe-resistant proxies In this work, we propose HTTPT, an alternative proxy rely on randomized protocols that try to blend in with generic architecture that is designed to defend against advanced ac- Internet traffic and make it hard for censors to identify pas- tive probing. While previous probe-resistant designs avoid sively. However, prior work has shown that these protocols looking like any protocol, we argue this approach is funda- might still be detectable using entropy analysis and machine mentally limited, as this behavior is unusual for servers on learning [5,37]. In HTTPT, we rely on the popular TLS pro- the Internet [20]. Instead, HTTPT uses HTTPS, a ubiquitous tocol to tunnel data, making it more difficult for censors to protocol with many diverse implementations, providing a het- block outright (because TLS is popular), and hard to perform erogeneous set of behaviors to blend in with. HTTPT can be fingerprinting attacks due to the heterogeneity of the protocol. 2 Background and random data, and identify the servers whose responses are consistent with responses of a given proxy (e.g. close im- The arms race between censors and circumvention tools has mediately for probes over 256 bytes or close after 90 seconds led to new techniques from both sides. In this section, we pro- otherwise for Lampshade). vide background on the active probing attacks and defenses Another potential way censors can identify probe-resistant employed recently. proxies is with replay attacks, where they replay a previous legitimate client’s initial message to the server. Since this mes- Active Probing To detect and block proxies, censors often sage proves knowledge of the secret, the server will respond, use active probing attacks, where they connect to suspected alerting the censor it is a proxy. proxy servers and attempt to communicate using known cir- Recently, the GFW has been observed using replay attacks cumvention protocols. If a server responds to these probes and the aforementioned timeout fingerprinting to identify and using the protocol (e.g. they offer proxy service to the censor), block Shadowsocks servers [3]. When a client connects to the censor learns the server is in fact a proxy, and can block it. a server and sends a Shadowsocks-sized initial message, the The Great Firewall of China (GFW) have used this technique GFW will send several follow-up probes, including replays for nearly a decade to find and block Tor bridges and other of the client’s message, and random-data probes of various proxies [14, 38, 39]. sizes up to and exceeding the 50-byte data limit unique to Censors typically find suspected proxies by traffic analysis Shadowsocks. or Internet scanning [13]. For instance, the GFW has been Probe-resistant proxies could try to prevent replay attacks observed to send probes to TLS (TCP port 443) servers when using server randoms or challenges, where the client proves a client first connects to them [38]. These probing techniques knowledge of the shared secret by hashing it with server- include sending random data and attempting to perform a Tor provided (random) data. However, this would require the handshake. If the server responds like a proxy, for instance server send data before the client has authenticated, which by responding with the Tor protocol, the endpoint is blocked could be used by censors to identify those proxies. by the censor. In contrast, web servers provide a natural defense against replays due to the security properties of TLS. TLS defends Probe-resistant proxies To resist active probing attacks, against client replay attacks by including the server random circumvention tools have developed probe-resistant proxy in the key agreement, ensuring each connection uses unique protocols, such as ScrambleSuit [40], obfs4 [44], Shadow- cryptographic keys. socks [2], and Lampshade [28]. These protocols require TLS also has a large number of popular implementations, clients to prove knowledge of a shared secret before the server providing a plethora of fingerprints to blend into [21]. While will respond. This shared secret is distributed among the previous work has shown the difficulty in mimicking existing clients through private channels, such as Tor’s BridgeDB [36] protocols for circumvention [25], many of these protocols or email, and without the knowledge of the secret, censors are only had a single used implementation, making it difficult for unable to get responses to their probes. As these proxies effec- circumvention tools to copy perfectly. In contrast, our tech- tively remain silent to such probes, it is difficult for censors nique leverages existing TLS implementations and efficiently to confirm if they are proxies. tunnels through them, avoiding the difficult task of mimicry al- together. While prior work has tunneled circumvention traffic through other protocols, including chat applications, Skype, Detecting probe-resistant proxies However, there are still or video streaming [4,29,31,32], these protocols are generally ways censors can identify probe-resistant proxies. In 2020, less popular than TLS and used in a narrow set of applica- Frolov et al. showed how not responding to any probes is tions. This allows censors to use traffic analysis to find proxy uncommon behavior online: over 94% of servers responded use [23]. In contrast, the wide range of applications used with data to at least one popular protocol [20]. Furthermore, by TLS makes it more difficult (though not impossible) to circumvention servers would often have unique timeouts or perform this kind of analysis. data limits before they closed connections, allowing censors to identify and even fingerprint probe-resistant proxies that never respond to the censor. For example, Lampshade reads 256 3 Design bytes from the client, and closes the connection immediately if it does not demonstrate knowledge of the secret (e.g. a At a high level, HTTPT functions as a TLS server that also censor sends random data). However, if less than 256 bytes has secret proxy functionality. The proxy function can only is read, the server will wait for 90 seconds, and then timeout be accessed by clients that know a secret key, distributed and close the connection. out of band. If a censor attempts to probe an HTTPT server, This gives censors a new strategy for identifying probe- they will receive the TLS server’s benign response, making resistant proxies: send several probes for popular protocols it difficult to identify the server as a proxy. We first describe HTTPT HTTPT Destination Web Server Destination Client Server TLS Client Hello ‘Hello’ HTTPT Server Server Hello, Change Cipher Spec HTTPT Client {TLS Encrypted Extentions, Cert, Cert Verify, Finished} Common TLS Record(‘Hello’) {TLS Finished} ‘Hello’ {HTTP GET /SecretLink Web Server Upgrade: WebSocket X-Destination: example.com:4242 HTTP GET /SecretLink... User App ‘Hello’ X-Message: hi server!} hi server! User Device HTTP/1.1 101..
Load more

Recommended publications
  • Uila Supported Apps
    Uila Supported Applications and Protocols updated Oct 2020 Application/Protocol Name Full Description 01net.com 01net website, a French high-tech news site. 050 plus is a Japanese embedded smartphone application dedicated to 050 plus audio-conferencing. 0zz0.com 0zz0 is an online solution to store, send and share files 10050.net China Railcom group web portal. This protocol plug-in classifies the http traffic to the host 10086.cn. It also 10086.cn classifies the ssl traffic to the Common Name 10086.cn. 104.com Web site dedicated to job research. 1111.com.tw Website dedicated to job research in Taiwan. 114la.com Chinese web portal operated by YLMF Computer Technology Co. Chinese cloud storing system of the 115 website. It is operated by YLMF 115.com Computer Technology Co. 118114.cn Chinese booking and reservation portal. 11st.co.kr Korean shopping website 11st. It is operated by SK Planet Co. 1337x.org Bittorrent tracker search engine 139mail 139mail is a chinese webmail powered by China Mobile. 15min.lt Lithuanian news portal Chinese web portal 163. It is operated by NetEase, a company which 163.com pioneered the development of Internet in China. 17173.com Website distributing Chinese games. 17u.com Chinese online travel booking website. 20 minutes is a free, daily newspaper available in France, Spain and 20minutes Switzerland. This plugin classifies websites. 24h.com.vn Vietnamese news portal 24ora.com Aruban news portal 24sata.hr Croatian news portal 24SevenOffice 24SevenOffice is a web-based Enterprise resource planning (ERP) systems. 24ur.com Slovenian news portal 2ch.net Japanese adult videos web site 2Shared 2shared is an online space for sharing and storage.
    [Show full text]
  • Poster: Introducing Massbrowser: a Censorship Circumvention System Run by the Masses
    Poster: Introducing MassBrowser: A Censorship Circumvention System Run by the Masses Milad Nasr∗, Anonymous∗, and Amir Houmansadr University of Massachusetts Amherst fmilad,[email protected] ∗Equal contribution Abstract—We will present a new censorship circumvention sys- side the censorship regions, which relay the Internet traffic tem, currently being developed in our group. The new system of the censored users. This includes systems like Tor, VPNs, is called MassBrowser, and combines several techniques from Psiphon, etc. Unfortunately, such circumvention systems are state-of-the-art censorship studies to design a hard-to-block, easily blocked by the censors by enumerating their limited practical censorship circumvention system. MassBrowser is a set of proxy server IP addresses [14]. (2) Costly to operate: one-hop proxy system where the proxies are volunteer Internet To resist proxy blocking by the censors, recent circumven- users in the free world. The power of MassBrowser comes from tion systems have started to deploy the proxies on shared-IP the large number of volunteer proxies who frequently change platforms such as CDNs, App Engines, and Cloud Storage, their IP addresses as the volunteer users move to different a technique broadly referred to as domain fronting [3]. networks. To get a large number of volunteer proxies, we This mechanism, however, is prohibitively expensive [11] provide the volunteers the control over how their computers to operate for large scales of users. (3) Poor QoS: Proxy- are used by the censored users. Particularly, the volunteer based circumvention systems like Tor and it’s variants suffer users can decide what websites they will proxy for censored from low quality of service (e.g., high latencies and low users, and how much bandwidth they will allocate.
    [Show full text]
  • In Computer Networks, A
    Practical No.1 Date:- Title:- Installation of Proxy-Server Windows Server 2003 What is proxy server? In computer networks, a proxy server is a server (a computer system or an application program) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server evaluates the request according to its filtering rules. For example, it may filter traffic by IP address or protocol. If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request wit hout contacting the specified server. In this case, it 'caches' responses from the remote server, and returns subsequent requests for the same content directly . Most proxies are a web proxy, allowing access to content on the World Wide Web. A proxy server has a large variety of potential purposes, including: To keep machines behind it anonymous (mainly for security).[1] To speed up access to resources (using caching). Web proxies are commonly used to cache web pages from a web server.[2] To apply access policy to network services or content, e.g. to block undesired sites. To log / audit usage, i.e. to provide company employee Internet usage reporting. To bypass security/ parental controls. To scan transmitted content for malware before delivery.
    [Show full text]
  • An ISP-Scale Deployment of Tapdance
    An ISP-Scale Deployment of TapDance Sergey Frolov Fred Douglas Will Scott Eric Wustrow Google Allison McDonald University of Colorado Boulder Benjamin VanderSloot University of Michigan Rod Hynes Michalis Kallitsis David G. Robinson Adam Kruger Merit Network Upturn Psiphon Steve Schultze Nikita Borisov J. Alex Halderman Georgetown University Law University of Illinois University of Michigan Center ABSTRACT network operators, who provide censorship circumvention In this talk, we will report initial results from the world’s functionality for any connection that passes through their net- first ISP-scale field trial of a refraction networking system. works. To accomplish this, clients make HTTPS connections Refraction networking is a next-generation censorship cir- to sites that they can reach, where such connections traverse cumvention approach that locates proxy functionality in the a participating network. The participating network operator middle of the network, at participating ISPs or other network recognizes a steganographic signal from the client and ap- operators. We built a high-performance implementation of pends the user’s requested data to the encrypted connection the TapDance refraction networking scheme and deployed it response. From the perspective of the censor, these connec- on four ISP uplinks with an aggregate bandwidth of 100 Gbps. tions are indistinguishable from normal TLS connections to Over one week of operation, our deployment served more sites the censor has not blocked. To block the refraction con- than 50,000 real users. The experience demonstrates that nections, the censor would need to block all connections that TapDance can be practically realized at ISP scale with good traverse a participating network.
    [Show full text]
  • Threat Modeling and Circumvention of Internet Censorship by David Fifield
    Threat modeling and circumvention of Internet censorship By David Fifield A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley Committee in charge: Professor J.D. Tygar, Chair Professor Deirdre Mulligan Professor Vern Paxson Fall 2017 1 Abstract Threat modeling and circumvention of Internet censorship by David Fifield Doctor of Philosophy in Computer Science University of California, Berkeley Professor J.D. Tygar, Chair Research on Internet censorship is hampered by poor models of censor behavior. Censor models guide the development of circumvention systems, so it is important to get them right. A censor model should be understood not just as a set of capabilities|such as the ability to monitor network traffic—but as a set of priorities constrained by resource limitations. My research addresses the twin themes of modeling and circumvention. With a grounding in empirical research, I build up an abstract model of the circumvention problem and examine how to adapt it to concrete censorship challenges. I describe the results of experiments on censors that probe their strengths and weaknesses; specifically, on the subject of active probing to discover proxy servers, and on delays in their reaction to changes in circumvention. I present two circumvention designs: domain fronting, which derives its resistance to blocking from the censor's reluctance to block other useful services; and Snowflake, based on quickly changing peer-to-peer proxy servers. I hope to change the perception that the circumvention problem is a cat-and-mouse game that affords only incremental and temporary advancements.
    [Show full text]
  • Let's Encrypt: 30,229 Jan, 2018 | Let's Encrypt: 18,326 Jan, 2016 | Let's Encrypt: 330 Feb, 2017 | Let's Encrypt: 8,199
    Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web Josh Aas∗ Richard Barnes∗ Benton Case Let’s Encrypt Cisco Stanford University Zakir Durumeric Peter Eckersley∗ Alan Flores-López Stanford University Electronic Frontier Foundation Stanford University J. Alex Halderman∗† Jacob Hoffman-Andrews∗ James Kasten∗ University of Michigan Electronic Frontier Foundation University of Michigan Eric Rescorla∗ Seth Schoen∗ Brad Warren∗ Mozilla Electronic Frontier Foundation Electronic Frontier Foundation ABSTRACT 1 INTRODUCTION Let’s Encrypt is a free, open, and automated HTTPS certificate au- HTTPS [78] is the cryptographic foundation of the Web, providing thority (CA) created to advance HTTPS adoption to the entire Web. an encrypted and authenticated form of HTTP over the TLS trans- Since its launch in late 2015, Let’s Encrypt has grown to become the port [79]. When HTTPS was introduced by Netscape twenty-five world’s largest HTTPS CA, accounting for more currently valid cer- years ago [51], the primary use cases were protecting financial tificates than all other browser-trusted CAs combined. By January transactions and login credentials, but users today face a growing 2019, it had issued over 538 million certificates for 223 million do- range of threats from hostile networks—including mass surveil- main names. We describe how we built Let’s Encrypt, including the lance and censorship by governments [99, 106], consumer profiling architecture of the CA software system (Boulder) and the structure and ad injection by ISPs [30, 95], and insertion of malicious code of the organization that operates it (ISRG), and we discuss lessons by network devices [68]—which make HTTPS important for prac- learned from the experience.
    [Show full text]
  • Enhancing System Transparency, Trust, and Privacy with Internet Measurement
    Enhancing System Transparency, Trust, and Privacy with Internet Measurement by Benjamin VanderSloot A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Computer Science and Engineering) in the University of Michigan 2020 Doctoral Committee: Professor J. Alex Halderman, Chair Assistant Professor Roya Ensafi Research Professor Peter Honeyman Assistant Professor Baris Kasikci Professor Kentaro Toyama Benjamin VanderSloot [email protected] ORCID iD: 0000-0001-6528-3927 © Benjamin VanderSloot 2020 ACKNOWLEDGEMENTS First and foremost, I thank my wife-to-be, Alexandra. Without her unwavering love and support, this dissertation would have remained unfinished. Without her help, the ideas here would not be as strong. Without her, I would not be here. Thanks are also due to my advisor, J. Alex Halderman, for giving me the independence and support I needed to find myself. I also thank Peter Honeyman for sharing his experience freely, both with history lessons and mentorship. Thank you Roya Ensafi, for watching out for me since we met. Thank you Baris Kasikci and Kentaro Toyama, for helping me out the door, in spite of the ongoing pandemic. I owe a great debt to my parents, Craig and Teresa VanderSloot, for raising me so well. No doubt the lessons about perseverance and hard work were put to good use. Your pride has been fuel to my fire for a very long time now. I also owe so much to my sister, Christine Kirbitz, for being the best example a little brother could hope for. I always had a great path to follow and an ear to share my problems with.
    [Show full text]
  • Style Counsel: Seeing the (Random) Forest for the Trees in Adversarial Code Stylometry∗
    Style Counsel: Seeing the (Random) Forest for the Trees in Adversarial Code Stylometry∗ Christopher McKnight Ian Goldberg Magnet Forensics University of Waterloo [email protected] [email protected] ABSTRACT worm based on an examination of the reverse-engineered code [17], The results of recent experiments have suggested that code stylom- casting style analysis as a forensic technique. etry can successfully identify the author of short programs from This technique, however, may be used to chill speech for soft- among hundreds of candidates with up to 98% precision. This poten- ware developers. There are several cases of developers being treated tial ability to discern the programmer of a code sample from a large as individuals of suspicion, intimidated by authorities and/or co- group of possible authors could have concerning consequences for erced into removing their software from the Internet. In the US, the open-source community at large, particularly those contrib- Nadim Kobeissi, the Canadian creator of Cryptocat (an online se- utors that may wish to remain anonymous. Recent international cure messaging application) was stopped, searched, and questioned events have suggested the developers of certain anti-censorship by Department of Homeland Security officials on four separate oc- and anti-surveillance tools are being targeted by their governments casions in 2012 about Cryptocat and the algorithms it employs [16]. and forced to delete their repositories or face prosecution. In November 2014, Chinese developer Xu Dong was arrested, pri- In light of this threat to the freedom and privacy of individual marily for political tweets, but also because he allegedly “committed programmers around the world, we devised a tool, Style Counsel, to crimes of developing software to help Chinese Internet users scale aid programmers in obfuscating their inherent style and imitating the Great Fire Wall of China” [4] in relation to proxy software he another, overt, author’s style in order to protect their anonymity wrote.
    [Show full text]
  • How to Download Torrent Anonymously How to Download Torrent Anonymously
    how to download torrent anonymously How to download torrent anonymously. Completing the CAPTCHA proves you are a human and gives you temporary access to the web property. What can I do to prevent this in the future? If you are on a personal connection, like at home, you can run an anti-virus scan on your device to make sure it is not infected with malware. If you are at an office or shared network, you can ask the network administrator to run a scan across the network looking for misconfigured or infected devices. Another way to prevent getting this page in the future is to use Privacy Pass. You may need to download version 2.0 now from the Chrome Web Store. Cloudflare Ray ID: 66b6c3aaaba884c8 • Your IP : 188.246.226.140 • Performance & security by Cloudflare. Download Torrents Anonymously: 6 Safe And Easy Ways. Who doesn’t want to know how to download torrents anonymously? The thing is, in order to download torrents anonymously you don’t need to have a lot of technical know-how. All you need to download torrents anonymously is some grit and a computer with an internet connection. The technology world never remains the same. In fact, new development and discoveries come to the surface of this industry every day. They also come into the attention of online users every year. Moreover, this allows us to do much more than we could do in the past, in faster and easier ways. A highly relevant aspect to mention at this stage is that: Now we can also download torrents anonymously from best torrent sites.
    [Show full text]
  • World-Wide Web Proxies
    World-Wide Web Proxies Ari Luotonen, CERN Kevin Altis, Intel April 1994 Abstract 1.0 Introduction A WWW proxy server, proxy for short, provides access to The primary use of proxies is to allow access to the Web the Web for people on closed subnets who can only access from within a firewall (Fig. 1). A proxy is a special HTTP the Internet through a firewall machine. The hypertext [HTTP] server that typically runs on a firewall machine. server developed at CERN, cern_httpd, is capable of run- The proxy waits for a request from inside the firewall, for- ning as a proxy, providing seamless external access to wards the request to the remote server outside the firewall, HTTP, Gopher, WAIS and FTP. reads the response and then sends it back to the client. cern_httpd has had gateway features for a long time, but In the usual case, the same proxy is used by all the clients only this spring they were extended to support all the within a given subnet. This makes it possible for the proxy methods in the HTTP protocol used by WWW clients. Cli- to do efficient caching of documents that are requested by ents don’t lose any functionality by going through a proxy, a number of clients. except special processing they may have done for non- native Web protocols such as Gopher and FTP. The ability to cache documents also makes proxies attrac- tive to those not inside a firewall. Setting up a proxy server A brand new feature is caching performed by the proxy, is easy, and the most popular Web client programs already resulting in shorter response times after the first document have proxy support built in.
    [Show full text]
  • Colorado College Is Hiring!
    Colorado College is hiring! Early Childhood Teacher (multiple positions available) - Children’s Center Under minimal supervision while in the classroom provide nurturing early care and educational experience to benefit the children and families of the CC Community. Design and implement age-appropriate individualized curriculum to foster growth and development socially, emotionally, physically and cognitively for each child. Be flexible, adaptive, reliable, and a confidential resource for families in an assigned classroom (infant, toddler or pre-school). Full position description: https://employment.coloradocollege.edu/postings/4697 OC (on call) Educational Assistant- Children’s Center Hours may vary Monday through Friday between 7:30 and 5:30 up to 1000 hours per fiscal year. Under general supervision, assists with providing on-site early childhood education and supervision for infants, toddlers and preschool children when teachers are sick and/or on vacation, teacher daily breaks, teacher daily planning times, daily kitchen duties, and working in the afterschool care program. Full position description: https://employment.coloradocollege.edu/postings/4607 Counselor (Occasional) Provide professional mental health services to the students of Colorado College. Positions Type: On Call Full position description: https://employment.coloradocollege.edu/postings/4746 Driver/Automotive Technician Performs maintenance and repair of college vehicles and maintenance equipment; drives fleet vehicles, including highway buses. Position Type: Full-time
    [Show full text]
  • Product End User License Agreement
    End User License Agreement If you have another valid, signed agreement with Licensor or a Licensor authorized reseller which applies to the specific products or services you are downloading, accessing, or otherwise receiving, that other agreement controls; otherwise, by using, downloading, installing, copying, or accessing Software, Maintenance, or Consulting Services, or by clicking on "I accept" on or adjacent to the screen where these Master Terms may be displayed, you hereby agree to be bound by and accept these Master Terms. These Master Terms also apply to any Maintenance or Consulting Services you later acquire from Licensor relating to the Software. You may place orders under these Master Terms by submitting separate Order Form(s). Capitalized terms used in the Agreement and not otherwise defined herein are defined at https://terms.tibco.com/posts/845635-definitions. 1. Applicability. These Master Terms represent one component of the Agreement for Licensor's products, services, and partner programs and apply to the commercial arrangements between Licensor and Customer (or Partner) listed below. Additional terms referenced below shall apply. a. Products: i. Subscription, Perpetual, or Term license Software ii. Cloud Service (Subject to the Cloud Service Terms found at https://terms.tibco.com/?types%5B%5D=post&feed=recent#cloud-services) iii. Equipment (Subject to the Equipment Terms found at https://terms.tibco.com/?types%5B%5D=post&feed=recent#equipment-terms) b. Services: i. Maintenance (Subject to the Maintenance terms found at https://terms.tibco.com/?types%5B%5D=post&feed=recent#october-maintenance) ii. Consulting Services (Subject to the Consulting terms found at https://terms.tibco.com/?types%5B%5D=post&feed=recent#supplemental-terms) iii.
    [Show full text]