Practical Censorship Evasion Leveraging Content Delivery Networks Hadi Zolfaghari Amir Houmansadr University of Massachusetts Amherst University of Massachusetts Amherst [email protected] [email protected] ABSTRACT censorship by refraining from DNS lookups for the censored CDNBrowsing is a promising approach recently proposed for content. Second, censors will refrain from IP blocking the censorship circumvention. CDNBrowsing relies on the fact CDN edge servers that host censored webpages since this will that blocking content hosted on public CDNs can poten- block all the other (potentially many) non-forbidden web- tially cause the censors collateral damage due to disrupting pages hosted on those edge servers as well. Finally, the use benign content publishers. In this work, we identify vari- of encryption by the hosting CDN providers (e.g., through ous low-cost attacks against CDNBrowsing, demonstrating HTTPS) can bypass DPI-based censorship mechanisms like that the design of practically unobservable CDNBrowsing keyword and URL filtering. systems is significantly more challenging than what thought In this paper, we show that despite being a promising new previously. We particularly devise unique website finger- direction for censorship circumvention, designing practical printing attacks against CDNBrowsing traffic, and discover CDNBrowsing systems is significantly more challenging than various forms of information leakage in HTTPS that can be previously suggested [21]. We demonstrate the possibility used to block the previously proposed CDNBrowsing sys- of various low-cost identification attacks tailored to CDN- tem. Motivated by the attacks, we design and implement Browsing, and demonstrate that the attacks can effectively a new CDNBrowsing system called CDNReaper, which de- detect and block CacheBrowser, the first CDNBrowsing sys- feats the discovered attacks. tem proposed by Holowczak et al. [21]. Specifically, our thor- By design, a CDNBrowsing system can browse only par- ough analysis of in-the-wild CDN systems shows that their ticular types of webpages due to its proxy-less design. We deployments of the HTTPS protocol leaks the identity of the perform a comprehensive measurement to classify popular websites being served to the clients, therefore, allowing the Internet websites based on their browsability by CDNBrowsing censors to block an unprotected CDNBrowsing system like systems. To further increase the reach of CDNBrowsing, we CacheBrowser. Additionally, we introduce a unique form devise several mechanisms that enable CDNBrowsing sys- of website fingerprinting attack against CDNBrowsing traf- tems to browse a larger extent of Internet webpages, partic- fic, and show its significantly high accuracy against Cache- ularly partial-CDN webpages. Browser with processing overheads two orders of magnitude lower than traditional website fingerprinting techniques [39]. We conclude that an effective CDNBrowsing system should 1. INTRODUCTION be tailored to every single CDN system it tries to leverage for Internet censorship continues to remain the biggest threat circumvention, as opposed to CacheBrowser's one-size-fits- to the Internet freedom across the globe [7,8, 25]. A re- all solution; this is due to the diversity of CDN deployments cent promising approach for censorship circumvention [21], as shown in our analysis. which we call CDNBrowsing, relies on the collateral damage To that end, we design and deploy a new CDNBrowsing of disrupting ubiquitous content delivery networks (CDN). system called CDNReaper that protects against the discov- In this approach, censored clients obtain a forbidden Inter- ered attacks. CDNReaper takes into account the specific net webpage that is hosted on a CDN network by connect- deployment of HTTPS by each real-world CDN system, and ing to some arbitrary edge server of the hosting CDN sys- implements CDN-aware mechanisms that remove the leaked tem|as opposed to obtaining it from the optimal CDN edge information about (forbidden) CDN destinations browsed by server identified through DNS resolution. This mechanism CDNReaper. Also, CDNReaper defeats the CDNBrowsing- is aimed at defeating the main censorship mechanisms as specific website fingerprinting attacks by making modifica- follows: First, CDNBrowsing clients bypass any DNS-based tions to the web objects requested by the censored clients. We have implemented CDNReaper as a fully functional, end- Permission to make digital or hard copies of all or part of this work for personal or user system. classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation By design, a CDNBrowsing system can only browse par- on the first page. Copyrights for components of this work owned by others than the ticular censored webpages, e.g., those hosted on specific CDN author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or systems. We perform the first comprehensive analysis on the republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. reach of CDNBrowsing systems by inspecting the top 10,000 CCS’16, October 24 - 28, 2016, Vienna, Austria Alexa websites and classifying them into various categories c 2016 Copyright held by the owner/author(s). Publication rights licensed to ACM. based on their readiness to be browsed by CDNBrowsing ISBN 978-1-4503-4139-4/16/10. $15.00 systems. To further expand the reach of CDNBrowsing, we DOI: http://dx.doi.org/10.1145/2976749.2978365 devise several mechanisms that enable CDNBrowsing sys- ufactured and sold by competing multinational technology tems to browse a larger scope of Internet webpages. In par- companies. Even the most advanced, state-of-the-art cir- ticular, we implement mechanisms to enable CDNBrowsing cumvention systems designed in the academia, such as Tor of partial-CDN websites, i.e., those with only some of their pluggable transports [16, 19, 31, 38, 40], are thwarted [20, 22, main content hosted on CDN, which constitute a large frac- 37] by competent state-level censors. tion of Internet webpages based on our study. For instance, some video streaming or Internet TV websites host their 2.2 CDNBrowsing Circumvention multimedia content on CDN networks, but not their front- CDNBrowsing is a new approach for censorship circum- page HTML. We particularly introduce content wrappers vention, recently proposed by Holowczak et al. [21] as a sys- and dynamic mirrors to enable CDNBrowsing of partial- tem called CacheBrowser. CDNBrowsing is based on the CDN websites, and demonstrate their feasibility for popular observation that webpages hosted on typical CDN platforms partial-CDN webpages like bbc.co.uk and tumblr.com. We share the same set of IP addresses. Therefore, to block a for- show that these mechanisms come with very small overheads bidden webpage hosted on a CDN system, the censors will compared to fully CDNBrowsable webpages. We also inves- not be able to use IP filtering since it will also block all the tigate how CDNReaper can be used for browsing websites (potentially many) non-forbidden webpages that are served hosted on private CDN networks, such as YouTube. through the same set of shared IP addresses. The censors, In summary, we make the following main contributions: however, may be able to use DNS interference to block • We identify various low-cost attacks tailored for CDN- access to specific forbidden CDN-hosted webpages. Fortu- Browsing systems, and demonstrate their effectiveness nately, such DNS interference can be easily circumvented: against CacheBrowser [21]. Particularly, we devise as Holowczak et al. show, typical CDN-hosted webpages can a CDNBrowsing-specific website fingerprinting attack be obtained from arbitrary CDN edge servers. Therefore, a that is two orders of magnitude faster than the state- censored client can ignore the DNS resolution stage (which of-the-art fingerprinting system of Wang et al. [39], is anyways interfered with by the censors) and directly re- despite its higher accuracy. quest the forbidden CDN website from some arbitrary CDN • We have designed and deployed an advanced CDN- edge server that the client already knows. Ignoring the DNS Browsing system called CDNReaper. Our system is resolution state by a CDNBrowsing client can potentially designed to defeat the CDNBrowsing-specific attacks degrade the QoS performance of the (otherwise censored) we discovered. We have implemented CDNReaper as a CDNBrowsing connection compared to regular connections fully functional system with Chrome and Firefox plug- (since DNS resolution is meant to identify the optimal CDN ins. We have also designed an advanced bootstrapper IP address), however, Holowczak et al. show that the per- for CDNReaper. Our bootstrapper is designed as a formance is still superior to that of traditional circumven- CDNBrowsable service itself, therefore it is highly un- tion systems like Tor. Finally, the use of encryption in blockable. HTTPS connections is meant to prevent the censors from • Through comprehensive evaluations, we classify the deep-packet inspection of HTTPS CDN content, there- top 10,000 Alexa websites into six categories based on fore, rendering URL/keyword filtering infeasible their readiness to be browsed through CDNBrowsing. • We have devised several mechanisms to extend the 2.3 Advantages of CDNBrowsing reach of CDNBrowsing. Particularly, we introduce CDNBrowsing is a new paradigm