MassBrowser: Unblocking the Web for the Masses, By the Masses Milad Nasr∗, Hadi Zolfaghari,∗ and Amir Houmansadr University of Massachusetts Amherst fmilad,[email protected] Project Website: https://massbrowser.cs.umass.edu/ Abstract 1 Introduction Existing censorship circumvention systems fail to of- The Internet plays a crucial role in today's social fer reliable circumvention without sacrificing their and political movements by facilitating the free cir- users' QoS, or undertaking high costs of opera- culation of speech, information, and ideas; democ- tion. We design a new circumvention system, called racy and human rights throughout the world crit- MassBrowser, with the objective of addressing such ically depend on preserving and bolstering the In- practical weaknesses of existing designs. Our sys- ternet's openness. Consequently, repressive regimes, tem is based on a new design principle, called \the totalitarian governments, and corrupt corporations separation of properties," that states that circum- regulate, monitor, and restrict the access to the In- vention systems should be tailored for circumven- ternet, which is broadly known as Internet censor- tion as opposed to offering additional properties like ship. The techniques commonly used to enforce cen- anonymity. We combine various state-of-the-art cir- sorship include IP address blocking, DNS hijacking, cumvention techniques to make MassBrowser signif- and TCP content filtering [14, 38, 40, 60] to block icantly resistant to blocking, while keeping its cost access to certain destinations or to prevent certain of operation small ($0.001 per censored client per forms of content from being transmitted. To en- month). sure compliance and to detect undercover politi- cal/social activists, repressive regimes additionally We have built and deployed MassBrowser as a fully utilize advanced networking tools, including deep operational system with end-user software for regu- packet inspection (DPI), to prevent the use of the lar Internet users (currently in beta release mode). censorship circumvention technologies by their citi- A key part of MassBrowser's design is using non- zens [35, 36, 57, 77]. censored Internet users to run volunteer proxies to To restore the openness of the Internet, researchers help censored users. We perform the first user study have designed and deployed an arsenal of tools [10, on the willingness of typical Internet users in helping 14, 15, 31, 32, 41, 46, 50, 61, 72, 74, 80] that help users circumvention operators. We have used the findings bypass censorship. Such tools, known as circumven- of our user study in the design of MassBrowser to tion systems, deploy a variety of techniques ranging encourage wide adoption by volunteers; particularly, from IP indirection to onion routing to traffic obfus- our GUI software offers high transparency, control, cation [38, 60]. and safety to the volunteers. Key shortcomings of existing systems: Unfor- tunately, existing circumvention systems suffer from ∗The first two authors made equal contribution. one or all of the following weaknesses: (1) Easily 1 blocked: A majority of in-the-wild circumvention sys- and be able to communicate through blocked social tems, including Tor, Lantern, Psiphon, and VPNs, networks, but for the majority of the censored users work by setting up proxy servers outside the censor- properties like anonymity are not a concern. This ship regions, which relay traffic for censored users. is evident by the fact that \public" VPNs, \pub- Unfortunately, the proxies are implemented in a way lic" HTTP proxies, and centralized circumvention that are easily blockable by the censors, e.g., due to systems like Lantern [39] and Psiphon [53] are the using a small set of IP addresses that can get enu- most popular among censored users in China and merated and blacklisted by the censors [57,59,75,77]. Iran [66, 67] (when compared to privacy-preserving (2) Costly to operate: To resist proxy blocking by the alternatives like Tor) despite the fact that they pro- censors, recent circumvention systems have started vide no anonymity or browsing privacy [27]. to deploy proxies on shared-IP platforms such as The SoP principle enables us to optimize the per- CDNs [44], App Engines [25], and Cloud Storage formance of a circumvention system around blocking services [9], a technique broadly referred to as do- resistance, and to offer features like anonymity and main fronting [19]. This mechanism, however, is pro- browsing privacy as options to the users (possibly by hibitively expensive [45] to be used at large scale. degrading the QoS). We will demonstrate how bas- (3) Poor QoS: Proxy-based circumvention systems ing our design on SoP enables us to overcome the like Tor and its variants [32, 43, 65] suffer from low circumvention shortcomings discussed above. Note quality of service (e.g., very high latencies and low that while systems like VPNs and HTTP proxies do bandwidths). This is primarily due to the imbalance not aim for anonymity/privacy, they do not leverage between the bandwidth demand from censored users the SoP principle in optimizing censorship resilience, versus the bandwidth available by the proxies (e.g., which is the key approach taken in this work. Tor's ≈ 6500 relays need to proxy traffic for around two million daily users [58], while some users lever- The MassBrowser System: We have designed age Tor for bandwidth-extensive applications like Bit- and implemented a new circumvention system, called Torrent. (4) Hard to deploy: Modern circumvention MassBrowser, that aims at addressing the weaknesses systems proposed in the academia are impractical to of prior designs being based on the SoP principle. be used at large scale due to various reasons. For That is, MassBrowser aims at offering reliable block- instance, decoy routing systems [31, 37, 80] require ing resistance while providing practical QoS and low wide adoption by Internet ISPs, and tunneling sys- operational costs. MassBrowser is a volunteer-run tems [32, 34, 43, 65] can be disabled by third-party proxy-based system: it leverages normal Internet service providers they use for tunneling. users with access to the free Internet, which we call Buddies, to proxy censored web traffic for censored Our approach: In this paper, we present a new cir- users, i.e., Clients. The key to the resilience and QoS cumvention system that aims at addressing the short- of any volunteer-based circumvention system like ours comings of existing circumvention solutions. We base is to have a balanced ratio of proxying capacity to our system on a design principle not employed by ex- circumvention bandwidth demand. Towards this, we isting circumvention systems. Our principle, which leverage the SoP principle to (1) optimize the proxy- we call the separation of properties (SoP) prin- ing load on Buddies by using CacheBrowsing [29] and ciple, states that the key feature targeted by an ef- other selective proxying mechanisms introduced later, fective circumvention system should be blocking re- and, (2) encourage volunteer participation by giv- sistance, and other features such as anonymity and ing Buddies full control and transparency over what browsing privacy should be left as optional to the they proxy. A central component of MassBrowser is users. The SoP principle is based on the real-world a hard-to-block Operator service that oversees and observation [11, 20, 27, 66, 67] that the majority of enforces MassBrowser's key functionalities, particu- censored users are solely interested in blocking resis- larly, by strategically matching Clients to Buddies tance, e.g., to be able to access blocked news articles based on the preferences of Buddies and the demands 2 from Clients. teers to whitelist the categories of websites they are The following summarizes the intuitions behind willing to proxy, and the bandwidth they are willing MassBrowser's properties, which will be extensively to devote. discussed throughout the paper: QoS and Cost: Privacy Guarantees: For normal clients, Mass- MassBrowser combines several techniques including Browser provides the same level of privacy as public CacheBrowsing [29], selective proxying, and Domain VPNs/proxies and centralized systems like Lantern Fronting [19] to optimize the QoS of circumven- and Psiphon. Therefore, a Buddy can infer the Inter- tion connections while minimizing its operational net destinations of its clients, as well as their commu- costs. As shown in Section 8.2, we estimate the total nication contents for non-HTTPS destinations (fortu- cost of deploying MassBrowser to be no more than nately, major content providers such as news and so- $0.001 per active client per month. Blocking re- cial networking services offer HTTPS). On the other sistance: MassBrowser's selective proxying not only hand, a MassBrowser client can optionally compro- optimizes QoS, but is also aimed at attracting a larger mise her QoS for stronger privacy properties. Specif- pool of Buddies by providing them full control and ically, our implementation of MassBrowser supports transparency over what they proxy (we support this connecting through Tor for users who need anonymity claim by performing a user survey). Blocking Mass- in addition to blocking resistance (at the expense of a Browser's Buddies causes censors collateral damage degraded QoS). This will tunnel a Client's Tor traf- as the Buddies are normal Internet users who fre- fic through a Buddy who has opted to serve as a quently change network locations and connect from Tor bridge. Therefore, MassBrowser's Buddy soft- behind NAT. (i.e., to block a NATed Buddy, the cen- ware can be used as a pluggable transport [52] by sors will need to block the Buddy's subnet) To make Tor bridges. We evaluate MassBrowser's cost of oper- an analogy, blocking MassBrowser Buddies is equiva- ation when used as a Tor pluggable transport, show- lent to blocking (the impractically expensive) domain ing that it is drastically cheaper than meek [44], while fronted proxies. We also use state-of-the-art circum- both offering similar blocking resistance properties vention techniques to protect MassBrowser's Opera- (both meek and MassBrowser aim at increasing the tor against blocking.