David Fifield
This page last updated
Threat modeling and circumvention of Internet censorship
David Fifield
A dissertation submitted in partial satisfaction of the
requirements for the degree of
Doctor of Philosophy
Computer Science
in the
Graduate Division
of the
University of California, Berkeley
Committee in charge:
Professor J.D. Tygar, Chair
Professor Deirdre Mulligan
Professor Vern Paxson
Fall 2017
Research on Internet censorship is hampered by poor models of censor behavior. Censor models guide the development of circumvention systems, so it is important to get them right. A censor model should be understood not just as a set of capabilities—such as the ability to monitor network traffic—but as a set of priorities constrained by resource limitations.
My research addresses the twin themes of modeling and circumvention. With a grounding in empirical research, I build up an abstract model of the circumvention problem and examine how to adapt it to concrete censorship challenges. I describe the results of experiments on censors that probe their strengths and weaknesses; specifically, on the subject of active probing to discover proxy servers, and on delays in their reaction to changes in circumvention. I present two circumvention designs: domain fronting, which derives its resistance to blocking from the censor’s reluctance to block other useful services; and Snowflake, based on quickly changing peer-to-peer proxy servers. I hope to change the perception that the circumvention problem is a cat-and-mouse game that affords only incremental and temporary advancements. Rather, let us state the assumptions about censor behavior atop which we build circumvention designs, and let those assumptions be based on an informed understanding of censor behavior.
- Acknowledgements
I wish to express special appreciation to those who have guided me: my advisor Doug Tygar, who helped me out of a tough spot; Vern Paxson; the other two caballeros, Sadia Afroz and Michael Tschantz; Xiao Qiang; Dan Boneh; and Steve Beaty.
I am grateful to those who offered me kindness or assistance in the course of my research: Angie Abbatecola; Barbara Goto; Nick Hopper; Lena Lau-Stewart; Heather Levien; Gordon Lyon; Deirdre Mulligan; Audrey Sillers; David Wagner; Philipp Winter, whose CensorBib is an invaluable resource; the Tor Project and the tor-dev and tor-qa mailing lists; OONI; the traffic-obf mailing list; the Open Technology Fund and the Freedom2Connect Foundation; and the SecML, BLUES, and censorship research groups at UC Berkeley. Thank you.
The opinions expressed herein are solely those of the author and do not necessarily represent any other person or organization.
- Anti-acknowledgement
My thesis is dedicated in opposition to the California State loyalty oath, a shameful relict of an un-American era.
- Availability
Source code and information related to this document are available at
Chapter 1
This is a thesis about Internet censorship. Specifically, it is about two threads of research that have occupied my attention for the past several years: gaining a better understanding of how censors work, and fielding systems that circumvent their restrictions. These two topics drive each other: better understanding leads to better circumvention systems that take into account censors’ strengths and weaknesses; and the deployment of circumvention systems affords an opportunity to observe how censors react to changing circumstances. The output of my research takes two forms: models that describe how censors behave today and how they may evolve in the future, and tools for circumvention that are sound in theory and effective in practice.
1.1 Scope
Censorship is a big topic, and even adding the “Internet” qualifier makes it hardly less so. In order to deal with the subject in detail, I must limit the scope. The subject of this work is an important special case of censorship, which I call the “border firewall.” See Figure 1.1.

A client resides within a network that is entirely controlled by a censor. Within the controlled network, the censor may observe, modify, inject, or block any communication along any link. The client’s computer, however, is trustworthy and not controlled by the censor. The censor tries to prevent some subset of the client’s communication with the wider Internet, for instance by blocking those that discuss certain topics, that are destined to certain network addresses, or that use certain protocols. The client’s goal is to evade the censor’s controls and communicate with some destination that lies outside the censor’s network; successfully doing so is called circumvention. Circumvention means somehow safely traversing a hostile network, eluding detection and blocking. The censor does not control the network outside its border; it may send messages to the outside world, but it cannot control them after they have traversed the border.
This abstract model is a good starting point, but it is not the whole story. We will have to adapt it to fit different situations, sometimes relaxing and sometimes strengthening assumptions. For example, the censor may be weaker than assumed: it may observe only the links that cross the border, not those that lie wholly inside; it may not be able to fully inspect every packet; or there may be deficiencies or dysfunctions in its detection capabilities. Or the censor may be stronger: while not fully controlling outside networks, it may perhaps exert outside influence to discourage network operators from assisting in circumvention. The client may be limited, for technical or social reasons, in the software and hardware they can use. The destination may knowingly cooperate with the client’s circumvention effort, or may not. There are many possible complications, reflecting the messiness and diversity of dealing with real censors. Adjusting the basic model to reflect real-world actors’ motivations and capabilities is the heart of threat modeling. In particular, what makes circumvention possible at all is the censor’s motivation to block only some, but not all, of the incoming and outgoing communications—this assumption will be a major focus of the next chapter.
It is not hard to see how the border firewall model relates to censorship in practice. In a common case, the censor is the government of a country, and the limits of its controlled network correspond to the country’s borders. A government typically has the power to enforce laws and control network infrastructure inside its borders, but not outside. However this is not the only case: the boundaries of censorship do not always correspond to the border of a country. Content restrictions may vary across geographic locations, even within the same country—Wright et al. [202] identified some reasons why this might be. A good model for some places is not a single unified regime, but rather several autonomous service providers, each controlling and censoring its own portion of the network, perhaps coordinating with others about what to block and perhaps not. Another important case is that of a university or corporate network, in which the only outside network access is through a single gateway router, which tries to enforce a policy on what is acceptable and what is not. These smaller networks often differ from national- or ISP-level networks in interesting ways, for instance with regard to the amount of overblocking they are willing to tolerate, or the amount of computation they can afford to spend on each communication.
Here are examples of forms of censorship that are in scope:
- blocking IP addresses
- blocking specific network protocols
- blocking DNS resolution for certain domains
- blocking keywords in URLs
- parsing application-layer data (“deep packet inspection”)
- statistical and probabilistic traffic classification
- bandwidth throttling
- active scanning to discover the use of circumvention
Some other censorship-related topics that are not in scope include:
- domain takedowns (affecting all clients globally)
- server-side blocking (servers that refuse to serve certain clients)
- forum moderation and deletion of social media posts
- anything that takes place entirely within the censor’s network and does not cross the border
- deletion-resistant publishing in the vein of the Eternity Service [10] (what Köpsell and Hillig call “censorship resistant publishing systems” [120 §1]), except insofar as access to such services may be blocked
Parts of the abstract model are deliberately left unspecified, to allow for the many variations that arise in practice. The precise nature of “blocking” can take many forms, from packet dropping, to injection of false responses, to softer forms of disruption such as bandwidth throttling. Detection does not have to be purely passive. The censor may to do work outside the context of a single connection; for example, it may compute aggregate statistics over many connections, make lists of suspected IP addresses, and defer some analysis for offline processing. The client may cooperate with other parties inside and outside the censor’s network, and indeed almost all circumvention will require the assistance of a collaborator on the outside.
It is a fair criticism that the term “Internet censorship” in the title overreaches, given that I am talking only about one specific manifestation of censorship, albeit an important one. I am sympathetic to this view, and I acknowledge that far more topics could fit under the umbrella of Internet censorship. Nevertheless, for consistency and ease of exposition, in this document I will continue to use “Internet censorship” without further qualification to mean the border firewall case.
1.2 My background
This document describes my research experience from the past five years. The next chapter, “Principles of circumvention,” is the thesis of the thesis, in which I lay out opinionated general principles of the field of circumvention. The remaining chapters are split between the topics of modeling and circumvention.
One’s point of view is colored by experience. I will therefore briefly describe the background to my research. I owe much of my experience to collaboration with the Tor Project, producers of the Tor anonymity network. whose anonymity network has been the vehicle for deployment of my circumvention systems. Although Tor was not originally intended as a circumvention system, it has grown into one thanks to pluggable transports, a modularization system for circumvention implementations. I know a lot about Tor and pluggable transports, but I have less experience (especially implementation experience) with other systems, particularly those that are developed in languages other than English. And while I have plenty of operational experience—deploying and maintaining systems with real users—I have not been in a situation where I needed to circumvent regularly, as a user.
Chapter 2
Principles of circumvention
In order to understand the challenges of circumvention, it helps to put yourself in the mindset of a censor. A censor has two high-level functions: detection and blocking. Detection is a classification problem: the censor prefers to permit some communications and deny others, and so it must have some procedure for deciding which communications fall in which category. Blocking follows detection. Once the censor detects some prohibited communication, it must take some action to stop the communication, such as terminating the connection at a network router. Censorship requires both detection and blocking. (Detection without blocking would be called surveillance, not censorship.) The flip side of this statement is that circumvention has two ways to succeed: by eluding detection, or, once detected, by somehow resisting the censor’s blocking action.
A censor is, then, essentially a traffic classifier coupled with a blocking mechanism. Though the design space is large, and many complications are possible, at its heart a censor must decide, for each communication, whether to block or allow, and then effect blocks as appropriate. Like any classifier, a censor is liable to make mistakes. When the censor fails to block something that it would have preferred to block, it is an error called a false negative; when the censor accidentally blocks something that it would have preferred to allow, it is a false positive. Techniques to avoiding detection are often called “obfuscation,” and the term is an appropriate one. It reflects not an attitude of security through obscurity; but rather a recognition that avoiding detection is about making the censor’s classification problem more difficult, and therefore more costly. Forcing the censor to trade false positives for false negatives is the core of all circumvention that is based on avoiding detection. The costs of misclassifications cannot be understood in absolute terms: they only have meaning relative to a specific censor and its resources and motivations. Understanding the relative importance that a censor assigns to classification errors—knowing what it prefers to allow and to block—is key to knowing what what kind of circumvention will be successful. Through good modeling, we can make the tradeoffs less favorable for the censor and more favorable for the circumventor.
The censor may base its classification decision on whatever criteria it finds practical. I like to divide detection techniques into two classes: detection by content and detection by address. Detection by content is based on the content or topic of the message: keyword filtering and protocol identification fall into this class. Detection by address is based on the sender or recipient of the message: IP address blacklists and DNS response tampering fall into this class. An “address” may be any kind of identifier: an IP address, a domain name, an email address. Of these two classes, my experience is that detection by address is harder to defeat. The distinction is not perfectly clear because there is no clear separation between what is content and what is an address: the layered nature of network protocols means that one layer’s address is another layer’s content. Nevertheless, I find it useful to think about detection techniques in these terms.
The censor may block the address of the destination, preventing direct access. Any communication between the client and the destination must therefore be indirect. The indirect link between client and destination is called a proxy, and it must do two things: provide an unblocked address for the client to contact; and somehow mask the contents of the channel and the eventual destination address. I will use the word “proxy” expansively to encompass any kind of intermediary, not only a single host implementing a proxy protocol such an HTTP proxy or SOCKS proxy. A VPN (virtual private network) is also a kind of proxy, as is the Tor network, as may be a specially configured network router. A proxy is anything that acts on a client’s behalf to assist in circumvention.
Proxies solve the first-order effects of censorship (detection by content and address), but they induce a second-order effect: the censor must now seek out and block proxies, in addition to the contents and addresses that are its primary targets. This is where circumvention research really begins: not with access to the destination per se, but with access to a proxy, which transitively gives access to the destination. The censor attempts to deal with detecting and blocking communication with proxies using the same tools it would for any other communication. Just as it may look for forbidden keywords in text, it may look for distinctive features of proxy protocols; just as it may block politically sensitive web sites, it may block the addresses of any proxies it can discover. The challenge for the circumventor is to use proxy addresses and proxy protocols that are difficult for the censor to detect or block.
The way of organizing censorship and circumvention techniques that I have presented is not the only one. Köpsell and Hillig [120 §4] divide detection into “content” and “circumstances”; their “circumstances” include addresses and also features that I consider more content-like: timing, data transfer characteristics, and protocols. Winter [198 §1.1] divides circumvention into three problems: bootstrapping, endpoint blocking, and traffic obfuscation. Endpoint blocking and traffic obfuscation correspond to my detection by address and detection by content; bootstrapping is the challenge of getting a copy of circumvention software and discovering initial proxy addresses. I tend to fold bootstrapping in with address-based detection; see Section 2.3. Khattak, Elahi, et al. break detection into four aspects [113 §2.4]: destinations, content, flow properties, and protocol semantics. I think of their “content,” “flow properties,” and “protocol semantics” as all fitting under the heading of content. My split between address and content mostly corresponds to Tschantz et al.’s “setup” and “usage” [182 §V] and Khattak, Elahi, et al.’s “communication establishment” and “conversation” [113 §3.1]. What I call “detection” and “blocking,” Khattak, Elahi, et al. call “fingerprinting” and “direct censorship” [113 §2.3], and Tschantz et al. call “detection” and “action” [182 §II].
A major difficulty in developing circumvention systems is that however much you model and try to predict the reactions of a censor, real-world testing is expensive. If you really want to test a design against a censor, not only must you write and deploy an implementation, integrate it with client-facing software like web browsers, and work out details of its distribution—you must also attract enough users to merit a censor’s attention. Any system, even a fundamentally broken one, will work to circumvent most censors, as long as it is used only by one or only a few clients. The true test arises only after the system has begun to scale and the censor to fight back. This phenomenon may have contributed to the unfortunate characterization of censorship and circumvention as a cat-and-mouse game: deploying a flawed circumvention system, watching it become more popular and then get blocked, then starting over again with another similarly flawed system. In my opinion, the cat-and-mouse game is not inevitable, but is a consequence of inadequate understanding of censors. It is possible to develop systems that resist blocking—not absolutely, but quantifiably, in terms of costs to the censor—even after they have become popular.
2.1 Collateral damage
What prevents the censor from shutting down all connectivity within its network, trivially preventing the client from reaching any destination? The answer is that the censor derives benefits from allowing network connectivity, other than the communications which it wants to censor. Or to put it another way: the censor incurs a cost when it overblocks: accidentally blocks something it would have preferred to allow. Because it wants to block some things and allow others, the censor is forced to run as a classifier. In order to avoid harm to itself, the censor permits some measure of circumvention traffic.
The cost of false positives is of so central importance to circumvention that researchers have a special term for it: collateral damage. The term is a bit unfortunate, evoking as it does negative connotations from other contexts. It helps to focus more on the “collateral” than the “damage”: collateral damage is any cost experienced by the censor as a result of incidental blocking done in the course of censorship. It must trade its desire to block forbidden communications against its desire to avoid harm to itself, balance underblocking with overblocking. Ideally, we force the censor into a dilemma: unable to distinguish between circumvention and other traffic, it must choose either to allow circumvention along with everything else, or else block everything and suffer maximum collateral damage. It is not necessary to reach this ideal fully before circumvention becomes possible. Better obfuscation drives up the censor’s error rate and therefore the cost of any blocking. Ideally, the potential “damage” is never realized, because the censor sees the cost as being too great.
Collateral damage, being an abstract “cost,” can take many forms. It may come in the form of civil discontent, as people try to access web sites and get annoyed with the government when unable to do so. It may be reduced productivity, as workers are unable to access resources they need to to their job. This is the usual explanation offered for why the Great Firewall of China has never blocked GitHub for for more than a few days, despite GitHub’s being used to host and distribute circumvention software: GitHub is so deeply integrated into software development, that programmers cannot get work done when it is blocked.
Collateral damage, as with other aspects of censorship, cannot be understood in isolation, but only in relation to a particular censor. Suppose that blocking one web site results in the collateral blocking of a hundred more. Is that a large amount of collateral damage? It depends. Are those other sites likely to be visited by clients in the censor’s network? Are they in the local language? Do professionals and officials rely on them to get their job done? Is someone in the censorship bureau likely to get fired as a result of their blocking? If the answers to these question is yes, then yes, the collateral damage is likely to be high. But if not, then the censor could take or leave those hundred sites—it doesn’t matter. Collateral damage is not just any harm that results from censorship, it is harm that is felt by the censor.
Censors may take actions to reduce collateral damage while still blocking most of what they intend to. (Another way to think of it is: reducing false positives without increasing false negatives.) For example, Winter and Lindskog [199], observed that the Great Firewall preferred to block individual ports, entire IP addresses, probably in a bid to reduce collateral damage. Local circumstances may serve to reduce collateral damage: for example if a domestic replacement exists for a foreign service, the censor may block the foreign service more easily.
The censor’s reluctance to cause collateral damage is what makes circumvention possible in general. (There are some exceptions, discussed in the next section, where the censor can detect but for some reason cannot block.) To deploy a circumvention system is to make a bet: that the censor cannot field a classifier that adequately distinguishes the traffic of the circumvention system from other traffic which, if blocked, would result in collateral damage. Even steganographic circumvention channels that mimic some other protocol ultimately derive their blocking resistance from the potential of collateral damage. For example, a protocol that imitates HTTP can be blocked by blocking HTTP—the question then is whether the censor can afford to block HTTP. And that’s in the best case, assuming that the circumvention protocol has no “tell” that enables the censor to distinguish it from the cover protocol it is trying to imitate. Indistinguishability is a necessary but not sufficient condition for blocking resistance: that which you are trying to be indistinguishable from must also have sufficient collateral damage. It’s no use to have a perfect steganographic imitation of a protocol that the censor doesn’t mind blocking.
In my opinion, collateral damage provides a more productive way to think about the behavior of censors than do alternatives. It takes into account different censors’ differing resources and motivations, and so is more useful for generic modeling. Moreover, it gets to the heart of what makes traffic resistant to blocking. There are other ways of characterizing censorship resistance. Many authors—Burnett et al. [25], and Jones et al. Jones2014a, for instance—call the essential element “deniability,” meaning that a client can plausibly claim to have been doing something other than circumventing when confronted with a log of their network activity. Khattak, Elahi, et al. [113 §4] consider “deniability” separately from “unblockability.” Houmansadr et al. [103, 104, 105] used the term “unobservability,” which I feel fails to capture the censor’s essential function of distinguishing, not only observation. Brubaker et al. [23] used the term “entanglement,” which I found enlightening. What they call entanglement I think of as indistinguishability—keeping in mind that that which you are trying to be indistinguishable from must be valued by the censor. Collateral damage provides a way to make statements about censorship resistance quantifiable, at least in a loose sense. Rather than saying, “the censor cannot block X,” or even, “the censor is unwilling to block X,” it is better to say “in order to block X, the censor would have to do Y,” where Y is some action bearing a cost for the censor. A statement like this makes it clear that some censors may be able to afford the cost of blocking and others may not; there is no “unblockability” in absolute terms. Now, actually quantifying the value of Y is a task in itself, by no means a trivial one. A challenge for future work in this field is to assign actual numbers (e.g., in dollars) to the costs borne by censors. If a circumvention system becomes blocked, it may simply mean that the circumventor overestimated the collateral damage or underestimated the censor’s capacity to absorb it.
We have observed that the risk of collateral damage is what prevents the censor from shutting down the network completely—and yet, censors do occasionally enact shutdowns or daily “curfews.” Shutdowns are costly—West [191] looked at 81 shutdowns in 19 countries in 2015 and 2016, and estimated that they collectively cost $2.4 billion in losses to gross domestic product. Deloitte [40] estimated that shutdowns cost millions of dollars per day per 10 million population, the amount depending on a country’s level of connectivity. This does not necessarily contradict the theory of collateral damage. It is just that, in some cases, a censor reckons that the benefits of a shutdown outweigh the costs. As always, the outcome depends on the specific censor: censors that don’t benefit as much from the Internet don’t have as much to lose by blocking it. The fact that shutdowns are limited in duration shows that even censors that can afford to a shutdown cannot afford to keep it up forever.
Complicating everything is the fact that censors are not bound to act rationally. Like any other large, complex entity, a censor is prone to err, to act impetuously, to make decisions that cause more harm than good. The imposition of censorship in the first place, I suggest, is exactly such an irrational action, retarding progress at the greater societal level.
2.2 Content obfuscation strategies
There are two general strategies to counter content-based detection. The first is to mimic some content that the censor allows, like HTTP or email. The second is to randomize the content, making it dissimilar to anything that the censor specifically blocks.
Tschantz et al. [182] call these two strategies “steganography” and “polymorphism” respectively. It is not a strict categorization—any real system will incorporate a bit of both. The two strategies reflect they reflect differing conceptions of censors. Steganography works against a “whitelisting” or “default-deny” censor, one that permits only a set of specifically enumerated protocols and blocks all others. Polymorphism, on the other hand, fails against a whitelisting censor, but works against a “blacklisting” or “default-allow” censor, one that blocks a set of specifically enumerated protocols and allows all others.
This is not to say that steganography is strictly superior to polymorphism—there are tradeoffs in both directions. Effective mimicry can be difficult to achieve, and in any case its effectiveness can only be judged against a censor’s sensitivity to collateral damage. Whitelisting, by its nature, tends to cause more collateral damage than blacklisting. And just as obfuscation protocols are not purely steganographic or polymorphic, real censors are not purely whitelisting or blacklisting. Houmansadr et al. [103] exhibited weaknesses in “parrot” circumvention systems that imperfectly mimic a cover protocol. Mimicking a protocol in every detail, down to its error behavior, is difficult, and any inconsistency is a potential feature that a censor may exploit. Wang et al. [186] found that some of the proposed attacks against parrot systems would be impractical due to high false-positive rates, but offered other attacks designed for efficiency and low false positives. Geddes et al. [95] showed that even perfect imitation may leave vulnerabilities due to mismatches between the cover protocol and the carried protocol. For instance, randomly dropping packets may disrupt circumvention more than normal use of the cover protocol. It’s worth noting, though, that apart from active probing and perhaps entropy measurement, most of the attacks proposed in academic research have not been used by censors in practice.
Some systematizations (for example those of Brubaker et al. [23 §6]; Wang et al. [186 §2]; and Khattak, Elahi, et al. [113 §6.1]) further subdivide steganographic systems into those based on mimicry (attempting to replicate the behavior of a cover protocol) and tunneling (sending through a genuine implementation of the cover protocol). I do not find the distinction very useful, except when discussing concrete implementation choices. To me, there is no clear division: there are various degrees of fidelity in imitation, and tunneling only tends to offer higher fidelity than does mimicry.
I will list some circumvention systems that represent the steganographic strategy. Infranet [62], way back in 2002, built a covert channel within HTTP, encoding upstream data as crafted requests and downstream data as steganographic images. StegoTorus [190] uses custom encoders to make traffic resemble common HTTP file types, such as PDF, JavaScript, and Flash. SkypeMorph [139] mimics a Skype video call. FreeWave [105] modulates a data stream into an acoustic signal and transmits it over VoIP. Format-transforming encryption, or FTE [58], force traffic to conform to a user-specified syntax: if you can describe it, you can imitate it. Despite receiving much research attention, steganographic systems have not been as used in practice as polymorphic ones. Of the listed systems, only FTE has seen substantial deployment.
There are many examples of the randomized, polymorphic strategy. An important subclass of these comprises the so-called look-like-nothing systems that encrypt a stream without any plaintext header or framing information, so that it appears to be a uniformly random byte sequence. A pioneering design was the obfuscated-openssh of Bruce Leidl [122], which aimed to hide the plaintext packet metadata in the SSH protocol. obfuscated-openssh worked, in essence, by first sending an encryption key, and then sending ciphertext encrypted with that key. The encryption of the obfuscation layer was an additional layer, independent of SSH’s ordinary encryption. A censor could, in principle, passively detect and deobfuscate the protocol by recovering the key and using it to decrypt the rest of the stream. obfuscated-openssh could optionally incorporate a pre-shared password into the key derivation function, which would protect against this attack. Dust [195], similarly randomized bytes (at least in its v1 version—later versions permitted fitting to distributions other than uniform). It was not susceptible to passive deobfuscation because it required an out-of-band key exchange to happen before each session. Shadowsocks [170] is a lightweight encryption layer atop a simple proxy protocol.
There is a line of successive look-like-nothing protocols—obfs2, obfs3, ScrambleSuit, and obfs4—which I like because they illustrate the mutual advances of censors and circumventors over several years. obfs2 [110], which debuted in 2012 in response to blocking in Iran [43], uses very simple obfuscation inspired by obfuscated-openssh: it is essentially equivalent to sending an encryption key, then the rest of the stream encrypted with that key. obfs2 is detectable, with no false negatives and negligible false positives, by even a passive censor who knows how it works; and it is vulnerable to active probing attacks, where the censor speculatively connects to servers to see what protocols they use. However, it sufficed against the keyword- and pattern-based censors of its era. obfs3 [111]—first available in 2013 but not really released to users until 2014 [152]—was designed to fix the passive detectability of its predecessor. obfs3 employs a Diffie–Hellman key exchange that prevents easy passive detection, but it can still be subverted by an active man in the middle, and remains vulnerable to active probing. (The Great Firewall of China had begun active-probing for obfs2 by January 2013, and for obfs3 by August 2013—see Table 4.2.) ScrambleSuit [200], first available to users in 2014 [29], arose in response to the active-probing of obfs3. Its innovations were the use of an out-of-band secret to authenticate clients, and traffic shaping techniques to perturb the underlying stream’s statistical properties. When a client connects to a ScrambleSuit proxy, it must demonstrate knowledge of the out-of-band secret before the proxy will respond, which prevents active probing. obfs4 [206], first available in 2014 [154], is an incremental advancement on ScrambleSuit that uses more efficient cryptography, and additionally authenticates the key exchange to prevent active man-in-the-middle attacks.
There is an advantage in designing polymorphic protocols, as opposed to steganographic ones, which is that every proxy can potentially have its own characteristics. ScrambleSuit and obfs4, in addition to randomizing packet contents, also shape packet sizes and timing to fit random distributions. Crucially, the chosen distributions are consistent within each proxy, but vary across proxies. That means that even if a censor is able to build a profile for a particular proxy, it is not necessarily useful for detecting other instances.
2.3 Address blocking resistance strategies
The first-order solution for reaching a destination whose address is blocked is to instead route through a proxy. But a single, static proxy is not much better than direct access, for circumvention purposes—a censor can block the proxy just as easily as it can block the destination. Circumvention systems must come up with ways of addressing this problem.
There are two reasons why resistance to blocking by address is challenging. The first is due to the nature of network routing: the client must, somehow, encode the address of the destination into the messages it sends. The second is the insider attack: legitimate clients must have some way to discover the addresses of proxies. By pretending to be a legitimate client, the censor can learn those addresses in the same way.
Compared to content obfuscation, there are relatively few strategies for resistance to blocking by address. They are basically five:
- sharing private proxies among only a few clients
- having a large population of secret proxies and distributing them carefully
- having a very large population of proxies and treating them as disposable
- proxying through a service with high collateral damage
- address spoofing
The simplest proxy infrastructure is no infrastructure at all: require every client to set up and maintain a proxy for their own personal use, or for a few of their friends. As long as the use of any single address remains low, it may escape the censor’s notice [49 §4.2]. The problem with this strategy, of course, is usability and scalability. If it were easy for everyone to set up their own proxy on an unblocked address, they would do it, and blocking by address would not be a concern. The challenge is making such techniques general so they are usable by more than experts. uProxy [184] is now working on just that: automating the process of setting up a proxy on a server.
What Köpsell and Hillig call the “many access points” model [120 §5.2] has been adopted in some form by many circumvention systems. In this model, there are many proxies in operation. They may be full-fledged general-purpose proxies, or only simple forwarders to a more capable proxy. They may be operated by volunteers or coordinated centrally. In any case, the success of the system hinges on being able to sustain a population of proxies, and distribute information about them to legitimate users, without revealing too many to the censor. Both of these considerations pose challenges.
Tor’s blocking resistance design [49], based on secret proxies called “bridges,” was of this kind. Volunteers run bridges, which report themselves to a central database called BridgeDB [181]. Clients contact BridgeDB through some unblocked out-of-band channel (HTTPS, email, or word of mouth) in order to learn bridge addresses. The BridgeDB server takes steps to prevent the easy enumeration of its database [124]. Each request returns only a small set of bridges, and repeated requests by the same client return the same small set (keyed by a hash of the client’s IP address prefix or email address). Requests through the HTTPS interface require the client to solve a captcha, and email requests are honored only from the domains of email providers that are known to limit the rate of account creation. The population of bridges is partitioned into “pools”—one pool for HTTPS distribution, one for email, and so on—so that if an adversary manages to enumerate one of the pools, it does not affect the bridges of the others. But even these defenses may not be enough. Despite public appeals for volunteers to run bridges (for example Dingledine’s initial call in 2007 [44]), there have never been more than a few thousand of them, and Dingledine reported in 2011 that the Great Firewall of China managed to enumerate both the HTTPS and email pools [45 §1, 46 §1].
Tor relies on BridgeDB to provide address blocking resistance for all its transports that otherwise have only content obfuscation. And that is a great strength of such a system. It enables, to some extent, content obfuscation to be developed independently, and rely on an existing generic proxy distribution mechanism in order to produce an overall working system. There is a whole line of research, in fact, on the question of how best to distribute information about an existing population of proxies, which is known as the “proxy distribution problem” or “proxy discovery problem.” Proposals such as Proximax [134], rBridge [188], and Salmon [54] aim to make proxy distribution robust by tracking the reputation of clients and the unblocked lifetimes of proxies.
A way to make proxy distribution more robust against censors (but at the same time less usable by clients) is to “poison” the set of proxy addresses with the addresses of important servers, the blocking of which would result in high collateral damage. VPN Gate employed this idea [144 §4.2], mixing into the their public proxy list the addresses of root DNS servers and Windows Update servers.
Apart from “in-band” discovery of bridges via subversion of a proxy distribution system, one must also worry about “out-of-band” discovery, for example by mass scanning [46 §6, 49 §9.3]. Durumeric et al. found about 80% of existing (unobfuscated) Tor bridges [57 §4.4] by scanning all of IPv4 on a handful of common bridge ports. Matic et al. had similar results in 2017 [133 §V.D], using public search engines in lieu of active scanning. The best solution to the scanning problem is to do as ScrambleSuit [200], obfs4 [206], and Shadowsocks [170] do, and associate with each proxy a secret, without which a scanner cannot initiate a connection. Scanning for bridges is closely related to active probing, the topic of Chapter 4.
Another way of achieving address blocking resistance is to treat proxies as temporary and disposable, rather than permanent and valuable. This is the idea underlying flash proxy [84] and Snowflake (Chapter 7). Most proxy distribution strategies are designed around proxies lasting at least on the order days. In contrast, disposable proxies may last only minutes or hours. Setting up a Tor bridge or even something lighter-weight like a SOCKS proxy still requires installing some software on a server somewhere. The proxies of flash proxy and Snowflake have a low set-up and tear-down cost: you can run one just by visiting a web page. These designs do not need a sophisticated proxy distribution strategy as long as the rate of proxy creation is kept higher than the censor’s rate of discovery.
The logic behind diffusing many proxies widely is that a censor would have to block large swaths of the Internet in order to effectively block them. However, it also makes sense to take the opposite tack: have just one or a few proxies, but choose them to have high enough collateral damage that the censor does not dare block them. Refraction networking [160] puts proxy capability into network routers—in the middle of paths, rather than at the end. Clients cryptographically tag certain flows in a way that is invisible to the censor but detectable to a refraction-capable router, which redirects from its apparent destination to some other, covert destination. In order to prevent circumvention, the censor has to induce routes that avoid the special routers [168], which is costly [106]. Domain fronting [89] has similar properties. Rather than a router, it uses another kind of network intermediary: a content delivery network. Using properties of HTTPS, a client may request one site while appearing (to the censor) to request another. Domain fronting is the topic of Chapter 6. The big advantage of this general strategy is that the proxies do not need to be kept secret from the censor.
The final strategy for address blocking resistance is address spoofing. The notable design in this category is CensorSpoofer [187]. A CensorSpoofer client never communicates directly with a proxy. It sends upstream data through a low-bandwidth, indirect channel such as email or instant messaging, and downstream data through a simulated VoIP conversation, spoofed to appear as if it were coming from some unrelated dummy IP address. The asymmetric design is feasible because of the nature of web browsing: typical clients send much less than they receive. The client never even needs to know the actual address of the proxy, meaning that CensorSpoofer has high resistance to insider attack: even running the same software as a legitimate client, the censor does not learn enough information to effect a block. The idea of address spoofing goes back farther; as early as 2001, TriangleBoy [167] employed lighter-weight intermediate proxies that simply forwarded client requests to a long-lived proxy at a static, easily blockable address. In the downstream direction, the long-lived proxy would, rather than route back through the intermediate proxy, only spoof its responses to look as if they came from proxy. TriangleBoy did not match CensorSpoofer’s resistance to insider attack, because clients still needed to find and communicate directly with a proxy, so the whole system basically reduced to the proxy discovery problem, despite the use of address spoofing.
2.4 Spheres of influence and visibility
It is usual to assume, conservatively, that whatever the censor can detect, it also can block; that is, to ignore blocking per se and focus only on the detection problem. We know from experience, however, that there are cases in practice where a censor’s reach exceeds its grasp: where it is able to detect circumvention but for some reason cannot block it. It may be useful to consider this possibility when modeling. Khattak, Elahi, et al. [113] express it nicely by subdividing the censor’s network into a sphere of influence within which the censor has active control, and a potentially larger sphere of visibility within which the censor may only observe, but not act.
A landmark example of this kind of thinking is the 2006 research on “Ignoring the Great Firewall of China” by Clayton et al. [31]. They found that the firewall would block connections by injecting phony TCP RST packets (which cause the connection to be torn down) or SYN/ACK packets (which cause the connection to become unsynchronized), and that simply ignoring the anomalous packets rendered blocking ineffective. (Why did the censor choose to inject its own packets, rather than drop those of the client or server? The answer is probably that injection is technically easier to achieve, highlighting a limit on the censor’s power.) One can think of this ignoring as shrinking the censor’s sphere of influence: it can still technically act within this sphere, but not in a way that actually achieves blocking. Additionally, intensive measurements revealed many failures to block, and blocking rates that changed over time, suggesting that even when the firewall intends a policy of blocking, it does not always succeed.
Another fascinating example of “look, but don’t touch” communication is the “filecasting” technique used by Toosheh [142], a file distribution service based on satellite television broadcasts. Clients tune their satellite receivers to a certain channel and record the broadcast to a USB flash drive. Later, they run a program on the recording that decodes the information and extracts a bundle of files. The system is unidirectional: clients can only receive the files that the operators choose to provide. The censor can easily see that Toosheh is in use—it’s a broadcast, after all—but cannot identify users, or block the signal in any way short of continuous radio jamming or tearing down satellite dishes.
There are parallels between the study of Internet censorship and that of network intrusion detection. One is that a censor’s detector may be implemented as a network intrusion detection system or monitor, a device “on the side” of a communication link that receives a copy of the packets that flow over the link, but that, unlike a router, is not responsible for forwarding the packets onward. Another parallel is that censors are susceptible to the same kinds of evasion and obfuscation attacks that affect network monitors more generally. In 1998, Ptacek and Newsham [158] and Paxson [149 §5.3] outlined various attacks against network intrusion detection systems—such as manipulating the IP time-to-live field or sending overlapping IP fragments—that cause a monitor either to accept what the receiver will reject, or reject what the receiver will accept. A basic problem is that a monitor’s position in the middle of the network does not enable it to predict exactly how each packet will be interpreted by the endpoints. Cronin et al. [36] posit that the monitor’s conflicting goals of sensitivity (recording all that is relevant) and selectivity (recording only what is relevant) give rise to an unavoidable “eavesdropper’s dilemma.”
Monitor evasion techniques can be used to reduce a censor’s sphere of visibility—remove certain traffic features from its consideration. Crandall et al. [33] in 2007 suggested using IP fragmentation to prevent keyword matching. In 2008 and 2009, Park and Crandall [148] explicitly characterized the Great Firewall as a network intrusion detection system and found that a lack of TCP reassembly allowed evading keyword matching. Winter and Lindskog [199] found that the Great Firewall still did not do TCP segment reassembly in 2012. They released a tool, brdgrd [196], that by manipulating the TCP window size, prevented the censor’s scanners from receiving a full response in the first packet, thereby foiling active probing. Anderson [9] gave technical information on the implementation of the Great Firewall as it existed in 2012, and observed that it is implemented as an “on-the-side” monitor. Khattak et al. [114] applied a wide array of evasion experiments to the Great Firewall in 2013, identifying classes of working evasions and estimating the cost to counteract them. Wang et al. [189] did further evasion experiments against the Great Firewall a few years later, finding that the firewall had evolved to prevent some previous evasion techniques, and discovering new ones.
2.5 Early censorship and circumvention
Internet censorship and circumvention began to rise to importance in the mid-1990s, coinciding with the popularization of the World Wide Web. Even before national-level censorship by governments became an issue, researchers investigated the blocking policies of personal firewall products—those intended, for example, for parents to install on the family computer. Meeks and McCullagh [138] reported in 1996 on the secret blocking lists of several programs. Bennett Haselton and Peacefire [100] found many cases of programs blocking more than they claimed, including web sites related to politics and health.
Governments were not far behind in building legal and technical structures to control the flow of information on the web, in some cases adapting the same technology originally developed for personal firewalls. The term “Great Firewall of China” first appeared in an article in Wired [15] in 1997. In the wake of the first signs of blocking by ISPs, people were thinking about how to bypass filters. The circumvention systems of that era were largely HTML-rewriting web proxies: essentially a form on a web page into which a client would enter a URL. The server would fetch the desired page on behalf of the client, and before returning the response, rewrite all the links and external references in the page to make them relative to the proxy. CGIProxy [131], SafeWeb [132], Circumventor [99], and the first version of Psiphon [28] were all of this kind.
These systems were effective against their censors of their day—at least with respect to the blocking of destinations. They had the major advantage of requiring no special client-side software other than a web browser. The difficulty they faced was second-order blocking as censors discovered and blocked the proxies themselves. Circumvention designers deployed some countermeasures; for example Circumventor had a mailing list [49 §7.4] which would send out fresh proxy addresses every few days. A 1996 article by Rich Morin [140] presented a prototype HTML-rewriting proxy called Rover, which eventually became CGIProxy. The article predicted the failure of censorship based on URL or IP address, as long as a significant fraction of web servers ran such proxies. That vision has not come to pass. Accumulating a sufficient number of proxies and communicating their addresses securely to clients—in short, the proxy distribution problem—turned out not to follow automatically, but to be a major sub-problem of its own.
Threat models had to evolve along with censor capabilities. The first censors would be considered weak by today’s standards, mostly easy to circumvent by simple countermeasures, such as tweaking a protocol or using an alternative DNS server. (We see the same progression play out again when countries first begin to experiment with censorship, such as in Turkey in 2014, where alternative DNS servers briefly sufficed to circumvent a block of Twitter [35].) Not only censors were changing—the world around them was changing as well. In field of circumvention, which is so heavily affected by concerns about collateral damage, the milieu in which censors operate is as important as the censors themselves. A good example of this is the paper on Infranet, the first academic circumvention design I am aware of. Its authors argued, not unreasonably for 2001, that TLS would not suffice as a cover protocol [62 §3.2], because the relatively few TLS-using services at that time could all be blocked without much harm. Certainly the circumstances are different today—domain fronting and all refraction networking schemes require the censor to permit TLS. As long as circumvention remains relevant, it will have to change along with changing times, just as censors do.
Chapter 3
Understanding censors
The main tool we have to build relevant threat models is the study of censors. The study of censors is complicated by difficulty of access: censors are not forthcoming about their methods. Researchers are obligated to treat censors as a black box, drawing inferences about their internal workings from their externally visible characteristics. The easiest thing to learn is the censor’s what—the destinations and contents that are blocked. Somewhat harder is the investigation into where and how, the specific technical mechanisms used to effect censorship and where they are deployed in the network. Most difficult to infer is the why, the motivations and goals that underlie an apparatus of censorship.
From past measurement studies we may draw a few general conclusions. Censors change over time, and not always in the direction of more restrictions. Censorship differs greatly across countries, not only in subject but in mechanism and motivation. However it is reasonable to assume a basic set of capabilities that many censors have in common:
- blocking of specific IP addresses and ports
- control of default DNS servers
- blocking DNS queries
- injection of false DNS responses
- injection of TCP RSTs
- keyword filtering in unencrypted contents
- application protocol parsing (“deep packet inspection”)
- participation in a circumvention system as a client
- scanning to discover proxies
- throttling connections
- temporary total shutdowns
Not all censors will be able—or motivated—to do all of these. As the amount of traffic to be handled increases, in-path attacks such as throttling become relatively more expensive. Whether a particular act of censorship even makes sense will depend on a local cost–benefit analysis, a weighing of the expected gains against the potential collateral damage. Some censors may be able to tolerate a brief total shutdown, while for others the importance of Internet connectivity is too great for such a blunt instrument.
The Great Firewall of China (GFW), because of its unparalleled technical sophistication, is tempting to use as a model adversary. There has indeed been more research focused on China than any other country. But the GFW is in many ways an outlier, and not representative of other censors. A worldwide view is needed.
Building accurate models of censor behavior is not only needed for the purpose of circumvention. It also has implications for ethical measurement [108 §2, 202 §5]. For example, a common way to test for censorship is to ask volunteers to run software that connects to potentially censored destinations and records the results. This potentially puts volunteers at risk. Suppose the software accesses a destination that violates local law. Could the volunteer be held liable for the access? Quantifying the degree of risk depends on modeling how a censor will react to a given stimulus [32 §2.2].
3.1 Censorship measurement studies
A large part of research on censorship is composed of studies of censor behavior in the wild. In this section I summarize past studies, which, taken together, present a picture of censor behavior in general. They are based on those in an evaluation study done by me and others in 2016 [182 §IV.A]. The studies are diverse and there are many possible ways to categorize them. Here, I have divided them into one-time experiments and generic measurement platforms.
One-shot studies
One of the earliest technical studies of censorship occurred in a place you might not expect, the German state of North Rhein-Westphalia. Dornseif [52] tested ISPs’ implementation of a controversial legal order to block web sites circa 2002. While there were many possible ways to implement the block, none were trivial to implement, nor free of overblocking side effects. The most popular implementation used DNS tampering, which is returning (or injecting) false responses to DNS requests for the blocked sites. An in-depth survey of DNS tampering found a variety of implementations, some blocking more and some blocking less than required by the order. This time period seems to mark the beginning of censorship by DNS tampering in general; Dong [51] reported it in China in late 2002.
Zittrain and Edelman [208] used open proxies to experimentally analyze censorship in China in late 2002. They tested around 200,000 web sites and found around 19,000 of them to be blocked. There were multiple methods of censorship: web server IP address blocking, DNS server IP address blocking, DNS poisoning, and keyword filtering.
Clayton [30] in 2006 studied a “hybrid” blocking system, CleanFeed by the British ISP BT, that aimed for a better balance of costs and benefits: a “fast path” IP address and port matcher acted as a prefilter for the “slow path,” a full HTTP proxy. The system, in use since 2004, was designed to block access to any of a secret list of web sites. The system was vulnerable to a number of evasions, such a using a proxy, using an alternate IP address or port, and obfuscating URLs. The two-level nature of the blocking system unintentionally made it an oracle that could reveal the IP addresses of sites in the secret blocking list.
In 2006, Clayton, Murdoch, and Watson [31] further studied the technical aspects of the Great Firewall of China. They relied on an observation that the firewall was symmetric, treating incoming and outgoing traffic equally. By sending web requests from outside the firewall to a web server inside, they could provoke the same blocking behavior that someone on the inside would see. They sent HTTP requests containing forbidden keywords that caused the firewall to inject RST packets towards both the client and server. Simply ignoring RST packets (on both ends) rendered the blocking mostly ineffective. The injected packets had inconsistent TTLs and other anomalies that enabled their identification. Rudimentary countermeasures, such as splitting keywords across packets, were also effective in avoiding blocking. The authors brought up an important point that would become a major theme of future censorship modeling: censors are forced to trade blocking effectiveness against performance. In order to cope with high load at a reasonable costs, censors may employ the “on-path” architecture of a network monitor or intrusion detection system; i.e., one that can passively monitor and inject packets, but cannot delay or drop them.
Contemporaneous studies of the Great Firewall by Wolfgarten [201] and Tokachu [175] found cases of DNS tampering, search engine filtering, and RST injection caused by keyword detection. In 2007, Lowe, Winters, and Marcus [125] did detailed experiments on DNS tampering in China. They tested about 1,600 recursive DNS servers in China against a list of about 950 likely-censored domains. For about 400 domains, responses came back with bogus IP addresses, chosen from a set of about 20 distinct IP addresses. Eight of the bogus addresses were used more than the others: a whois lookup placed them in Australia, Canada, China, Hong Kong, and the U.S. By manipulating the IP time-to-live field, the authors found that the false responses were injected by an intermediate router, evidenced by the fact that the authentic response would be received as well, only later. A more comprehensive survey [12] of DNS tampering occurred in 2014, giving remarkable insight into the internal structure of the censorship machines. DNS injection happened only at border routers. IP ID and TTL analysis showed that each node was a cluster of several hundred processes that collectively injected censored responses. They found 174 bogus IP addresses, more than previously documented, and extracted a blacklist of about 15,000 keywords.
The Great Firewall, because of its unusual sophistication, has been an enduring object of study. Part of what makes it interesting is its many blocking modalities, both active and passive, proactive and reactive. The ConceptDoppler project of Crandall et al. [33] measured keyword filtering by the Great Firewall and showed how to discover new keywords automatically by latent semantic analysis, using the Chinese-language Wikipedia as a corpus. They found limited statefulness in the firewall: sending a naked HTTP request without a preceding SYN resulted in no blocking. In 2008 and 2009, Park and Crandall [148] further tested keyword filtering of HTTP responses. Injecting RST packets into responses is more difficult than doing the same to requests, because of the greater uncertainty in predicting TCP sequence numbers once a session is well underway. In fact, RST injection into responses was hit or miss, succeeding only 51% of the time, with some, apparently diurnal, variation. They also found inconsistencies in the statefulness of the firewall. Two of ten injection servers would react to a naked HTTP request; that it, one sent outside of an established TCP connection. The remaining eight of ten required an established TCP connection. Xu et al. [204] continued the theme of keyword filtering in 2011, with the goal of discovering where filters are located at the IP and autonomous system levels. Most filtering is done at border networks (autonomous systems with at least one peer outside China). In their measurements, the firewall was fully stateful: blocking was never triggered by an HTTP request outside an established TCP connection. Much filtering occurred at smaller regional providers, rather than on the network backbone. Anderson [9] gave a detailed description of the design of the Great Firewall in 2012. He described IP address blocking by null routing, RST injection, and DNS poisoning, and documented cases of collateral damage affecting clients inside and outside China.
Dainotti et al. [37] reported on the total Internet shutdowns that took place in Egypt and Libya in the early months of 2011. They used multiple measurements to document the outages as they occurred. During the shutdowns, they measured a drop in scanning traffic (mainly from the Conficker botnet). By comparing these different measurements, they showed that the shutdown in Libya was accomplished in more than one way, both by altering network routes and by firewalls dropping packets.
Winter and Lindskog [199], and later Ensafi et al. [60] did a formal investigation into active probing, a reported capability of the Great Firewall since around October 2011. They focused on the firewall’s probing of Tor and its most common pluggable transports.
Anderson [6] documented network throttling in Iran, which occurred over two major periods between 2011 and 2012. Throttling degrades network access without totally blocking it, and is harder to detect than blocking. Academic institutions were affected by throttling, but less so than other networks. Aryan et al. [14] tested censorship in Iran during the two months before the June 2013 presidential election. They found multiple blocking methods: HTTP request keyword filtering, DNS tampering, and throttling. The most usual method was HTTP request filtering; DNS tampering (directing to a blackhole IP address) affected only the three domains,, and SSH connections were throttled down to about 15% of the link capacity, while randomized protocols were throttled almost down to zero, 60 seconds into a connection’s lifetime. Throttling seemed to be achieved by dropping packets, which causes TCP to slow down.
Khattak et al. [114] evaluated the Great Firewall from the perspective that it works like an intrusion detection system or network monitor, and applied existing techniques for evading a monitor to the problem of circumvention. They looked particularly for ways to evade detection that are expensive for the censor to remedy. They found that the firewall was stateful, but only in the client-to-server direction. The firewall was vulnerable to a variety of TCP- and HTTP-based evasion techniques, such as overlapping fragments, TTL-limited packets, and URL encodings.
Nabi [141] investigated web censorship in Pakistan in 2013, using a publicly available list of banned web sites. Over half of the sites on the list were blocked by DNS tampering; less than 2% were additionally blocked by HTTP filtering (an injected redirect before April 2013, or a static block page after that). They conducted a small survey to find the most commonly used circumvention methods; the most common was public VPNs, at 45% of respondents. Khattak et al. [115] looked at two censorship events that took place in Pakistan in 2011 and 2012. Their analysis is special because unlike most studies of censorship, theirs uses traffic traces taken directly from an ISP. They observe that users quickly switched to TLS-based circumvention following a block of YouTube. The blocks had side effects beyond a loss of connectivity: the ISP had to deal with more ciphertext than before, and users turned to alternatives for the blocked sites. Their survey found that the most common method of circumvention was VPNs. Aceto and Pescapè [2] revisited Pakistan in 2016. Their analysis of six months of active measurements in five ISPs showed that blocking techniques differed across ISPs; some used DNS poisoning and others used HTTP filtering. They did their own survey of commonly used circumvention technologies, and again the winner was VPNs with 51% of respondents.
Ensafi et al. [61] employed an intriguing technique to measure censorship from many locations in China—a “hybrid idle scan.” The hybrid idle scan allows one to test TCP connectivity between two Internet hosts, without needing to control either one. They selected roughly uniformly geographically distributed sites in China from which to measure connectivity to Tor relays, Tor directory authorities, and the web servers of popular Chinese web sites. There were frequent failures of the firewall resulting in temporary connectivity, typically occurring in bursts of hours.
In 2015, Marczak et al. [129] investigated an innovation in the capabilities of the border routers of China, an attack tool dubbed the Great Cannon. The cannon was responsible for denial-of-service attacks on Amazon CloudFront and GitHub. The unwitting participants in the attack were web browsers located outside of China, who began their attack when the cannon injected malicious JavaScript into certain HTTP responses originating inside of China. The new attack tool was noteworthy because it demonstrated previously unseen in-path behavior, such as packet dropping.
A major aspect of censor modeling is that many censors use commercial firewall hardware. Dalek et al. [39], Dalek et al. [38], and Marquis-Boire et al. [130] documented the use of commercial firewalls made by Blue Coat, McAfee, and Netsweeper in a number of countries. Chaabane et al. [27] analyzed 600 GB of leaked logs from Blue Coat proxies that were being used for censorship in Syria. The logs cover 9 days in July and August 2011, and contain an entry for every HTTP request. The authors of the study found evidence of IP address blocking, DNS blocking, and HTTP request keyword blocking; and also evidence of users circumventing censorship by downloading circumvention software or using cache feature of Google search. All subdomains of .il, the top-level domain for Israel, were blocked, as were many IP address ranges in Israel. Blocked URL keywords included “proxy”, which resulted in collateral damage to the Google Toolbar and the Facebook like button because they included the string “proxy” in HTTP requests. Tor was only lightly censored: only one of several proxies blocked it, and only sporadically.
Generic measurement platforms
For a decade, the OpenNet Initiative produced reports on Internet filtering and surveillance in dozens of countries, until it ceased operation in 2014. For example, their 2005 report on Internet filtering in China [146] studied the problem from many perspectives, political, technical, and legal. They tested the extent of filtering of web sites, search engines, blogs, and email. They found a number of blocked web sites, some related to news and politics, and some on sensitive subjects such as Tibet and Taiwan. In some cases, entire domains were blocked; in others, only specific URLs within the domain were blocked. There were cases of overblocking: apparently inadvertently blocked sites that happened to share an IP address or URL keyword with an intentionally blocked site. The firewall terminated connections by injecting a TCP RST packet, then injecting a zero-sized TCP window, which would prevent any communication with the same server for a short time. Using technical tricks, the authors inferred that Chinese search engines indexed blocked sites (perhaps having a special exemption from the general firewall policy), but did not return them in search results [147]. Censorship of blogs included keyword blocking by domestic blogging services, and blocking of external domains such as [145]. Email filtering was done by the email providers themselves, not by an independent network firewall. Email providers seemed to implement their filtering rules independently and inconsistently: messages were blocked by some providers and not others.
Sfakianakis et al. [169] built CensMon, a system for testing web censorship using PlanetLab, a distributed network research platform. They ran the system for 14 days in 2011 across 33 countries, testing about 5,000 unique URLs. They found 193 blocked domain–country pairs, 176 of them in China. CensMon was not run on a continuing basis. Verkamp and Gupta [185] did a separate study in 11 countries, using a combination of PlanetLab nodes and the computers of volunteers. Censorship techniques varied across countries; for example, some showed overt block pages and others did not.
OONI [92] and ICLab [107] are dedicated censorship measurement platforms. Razaghpanah et al. [159] provide a comparison of the two platforms. They work by running regular network measurements from the computers of volunteers or through VPNs. UBICA [3] is another system based on volunteers running probes; its authors used it to investigate several forms of censorship in Italy, Pakistan, and South Korea.
Anderson et al. [8] used RIPE Atlas a globally distributed Internet measurement network, to examine two case studies of censorship: Turkey’s ban on social media sites in March 2014 and Russia’s blocking of certain LiveJournal blogs in March 2014. Atlas allows 4 types of measurements: ping, traceroute, DNS resolution, and TLS certificate fetching. In Turkey, they found at least six shifts in policy during two weeks of site blocking. They observed an escalation in blocking in Turkey: the authorities first poisoned DNS for, then blocked the IP addresses of the Google public DNS servers, then finally blocked Twitter’s IP addresses directly. In Russia, they found ten unique bogus IP addresses used to poison DNS.
Pearce, Ensafi, et al. [150] made Augur, a scaled-up version of the hybrid idle scan of Ensafi et al. [61], designed for continuous, global measurement of disruptions of TCP connectivity. The basic tool is the ability to detect packet drops between two remote hosts; but expanding it to a global scale poses a number of technical challenges. Pearce et al.[151] built Iris, as system to measure DNS manipulation globally. Iris uses open resolvers and evaluates measurements against the detection metrics of consistency (answers from different locations should the same or similar) and independent verifiability (checking results against other sources of data like TLS certificates) in order to decide when they constitute manipulation.
3.2 The evaluation of circumvention systems
Evaluating the quality of circumvention systems is tricky, whether they are only proposed or actually deployed. The problem of evaluation is directly tied to threat modeling. Circumvention is judged according to how well it works under a given model; the evaluation is therefore meaningful only as far as the threat model reflects reality. Without grounding in reality, researchers risk running an imaginary arms race that evolves independently of the real one.
I took part, with Michael Carl Tschantz, Sadia Afroz, and Vern Paxson, in a meta-study [182] of how circumvention systems are evaluated by their authors and designers, and comparing those to empirically determined censor models. This kind of work is rather different than the direct evaluations of circumvention tools that have happened before, for example those done by the Berkman Center [162] and Freedom House [26] in 2011. Rather than testing tools against censors, we evaluated how closely aligned designers’ own models were to models derived from actual observations of censors.
This research was partly born out of frustration with some typical assumptions made in academic research on circumvention, which we felt placed undue emphasis on steganography and obfuscation of traffic streams, while not paying enough attention to the perhaps more important problems of proxy distribution and initial rendezvous between client and proxy. We wanted to help bridge the gap by laying out a research agenda to align the incentives of researchers with those of circumventors. This work was built on extensive surveys of circumvention tools, measurement studies, and known censorship events against Tor. Our survey included over 50 circumvention tools.
One outcome of the research is that that academic designs tended to be concerned with detection in the steady state after a connection is established (related to detection by content), while actually deployed systems cared more about how the connection is established initially (related to detection by address). Designers tend to misperceive the censor’s weighting of false positives and false negatives—assuming a whitelist rather than a blacklist, say. Real censors care greatly about the cost of running detection, and prefer cheap, passive, stateless solutions whenever possible. It is important to guard against these modes of detection before becoming too concerned with those that require sophisticated computation, packet flow blocking, or lots of state.
Chapter 4
Active probing
The Great Firewall of China rolled out an innovation in the identification of proxy servers around 2010: active probing of suspected proxy addresses. In active probing, the censor pretends to be a legitimate client, making its own connections to suspected addresses to see whether they speak a proxy protocol. Any addresses that are found to be proxies are added to a blacklist so that access to them will be blocked in the future. The input to the active probing subsystem, a set of suspected addresses, comes from passive observation of the content of client connections. The censor sees a client connect to a destination and tries to determine, by content inspection, what protocol is in use. When the censor’s content classifier is unsure whether the protocol is a proxy protocol, it passes the destination address to the active probing subsystem. Active prober then checks, by connecting to the destination, whether it actually is a proxy. Figure 4.1 illustrates the process.

Active probing makes good sense for the censor, whose main restriction is the risk of false-positive classifications that result in collateral damage. Any classifier based purely on passive content inspection must be very precise (have a low rate of false positives). Active probing increases precision by blocking only those servers that are determined, through active inspection, to really be proxies. The censor can get away with a mediocre content classifier—it can return a superset of the set of actual proxy connections, and active probes will weed out its false positives. A further benefit of active probing, from the censor’s point of view, is that it can run asynchronously, separate from the firewall’s other responsibilities that require a low response time.
Active probing, as I use the term in this chapter, is distinguished from other types of active scans by being reactive, driven by observation of client connections. It is distinct from proactive, wide-scale port scanning, in which a censor regularly scans likely ports across the Internet to find proxies, independent of client activity. The potential for the latter kind of scanning has been appreciated for over a decade. Dingledine and Mathewson [49 §9.3] raised scanning resistance as a consideration in the design document for Tor bridges. McLachlan and Hopper [136 §3.2] observed that the bridges’ tendency to run on a handful of popular ports would make them more discoverable in an Internet-wide scan, which they estimated would take weeks using then-current technology. Dingledine [46 §6] mentioned indiscriminate scanning as one of ten ways to discover Tor bridges—while also bringing up the possibility of reactive probing which the Great Firewall was then just beginning to use. Durumeric et al. [57 §4.4] demonstrated the effectiveness of Internet-wide scanning, targeting only two ports to discover about 80% of public Tor bridges in only a few hours, Tsyrklevich [183] and Matic et al. [133 §V.D] later showed how existing public repositories of Internet scan data could reveal bridges, without even the necessity of running one’s own scan.
The Great Firewall of China is the only censor known to employ active probing. It has increased in sophistication over time, adding support for new protocols and reducing the delay between a client’s connection and the sending of probes. The Great Firewall has the documented ability to probe the plain Tor protocol and some of its pluggable transports, as well as certain VPN protocols and certain HTTPS-based proxies. Probing takes place only seconds or minutes after a connection by a legitimate client, and the active-probing connections come from a large range of source IP addresses. The experimental results in this chapter all have to do with China.
Active probing occupies a space somewhere in the middle of the dichotomy, put forward in Chapter 2, of detection by content and detection by address. An active probing system takes suspected addresses as input and produces to-be-blocked addresses as output. But it is content-based classification that produces the list of suspected addresses in the first place. The existence of active probing is The use of active probing is, in a sense, a good sign for circumvention: it only became relevant content obfuscation had gotten better. If a censor could easily identify the use of circumvention protocols by mere passive inspection, then it would not go to the extra trouble of active probing.
Contemporary circumvention systems must be designed to resist active probing attacks. The strategy of the look-like-nothing systems ScrambleSuit [200], obfs4 [206], and Shadowsocks [126, 156] is to authenticate clients using a per-proxy password or public key; i.e., to require some additional secret information beyond just an IP address and port number. Domain fronting (Chapter 6) deals with active probing by co-locating proxies with important web services: the censor can tell that circumvention is taking place but cannot block the proxy without unacceptable collateral damage. In Snowflake (Chapter 7), proxies are web browsers running ordinary peer-to-peer protocols, authenticated using a per-connection shared secret. Even if a censor discovers one of Snowflake’s proxies, it cannot verify that the proxy is running Snowflake or something else, without having first negotiated a shared secret through Snowflake’s broker mechanism.
4.1 History of active probing research
Active probing research has mainly focused on Tor and its pluggable transports. There is also some work on Shadowsocks. Table 4.2 summarizes the research covered in this section.
Nixon notices unusual, random-looking connections from China in SSH logs [143]. | |
– | Nixon’s random-looking probes are temporarily replaced by TLS probes before changing back again [143]. |
hrimfaxi reports that Tor bridges are quickly detected by the GFW [41]. | |
Nixon publishes observations and hypotheses about the strange SSH connections [143]. | |
Wilde investigates Tor probing [48, 193, 194]. He finds two kinds of probe: “garbage” random probes and Tor-specific ones. | |
The obfs2 transport becomes available [43]. The Great Firewall is initially unable to probe for it. | |
Winter and Lindskog investigate Tor probing in detail [199]. | |
The Great Firewall begins to active-probe obfs2 [47, 60 §4.3]. The obfs3 transport becomes available [68]. | |
– | Majkowski observes TLS and garbage probes and identifies fingerprintable features of the probers [128]. |
The Great Firewall begins to active-probe obfs3 [60 Figure 8]. | |
The ScrambleSuit transport, which is resistant to active probing, becomes available [153]. | |
The obfs4 transport (resistant to active probing) becomes available [154]. | |
BreakWa11 finds an active-probing vulnerability in Shadowsocks [19, 156 §2]. | |
Ensafi et al. [60] publish results of multi-modal experiments on active probing. | |
Shadowsocks changes its protocol to better resist active probing [102]. | |
Wang et al. [189 §7.3] find that bridges that are discovered by active probing are blocked on the entire IP address, not an individual port. |
Nixon [143] published in late 2011 an analysis of suspicious connections from IP addresses in China that his servers had at that point been receiving for a year. The connections were to the SSH port, but did not follow the SSH protocol; rather they contained apparently random bytes, resulting in error messages in the log file. Nixon discovered a pattern: the random-looking “garbage” probes were preceded, at an interval of 5–20 seconds, by a legitimate SSH login from some other IP address in China. The same pattern was repeated at three other sites. Nixon supposed that the probes were triggered by legitimate SSH users, as their connections traversed the firewall; and that the random payloads were a simple form of service identification, sent only to see how the server would respond to them. For a few weeks in May and June 2011, the probes did not look random, but instead looked like TLS.
In October 2011, Tor user hrimfaxi reported that a newly set up, unpublished Tor bridge would be blocked within 10 minutes of their first being accessed from China [41]. Moving the bridge to another port on the same IP address would work temporarily, but the new address would also be blocked within another 10 minutes. Wilde systematically investigated the phenomenon in December 2011 and published an extensive analysis of active probing that was triggered by connections from inside China to outside [193, 194]. There were two kinds of probes: “garbage” random probes like those Nixon had described, and specialized Tor probes that established a TLS session and inside the session sent the Tor protocol. The garbage probes were triggered by TLS connections to port 443, and were sent immediately following the original connection. The Tor probes, in contrast, were triggered by TLS connections to any port, as long as the TLS client handshake matched that of Tor’s implementation [48]. The Tor probes were not sent immediately, but in batches of 15 minutes. The probes came from diverse IP addresses in China: 20 different /8 networks [192]. Bridges using the obfs2 transport were, at that time, neither probed nor blocked.
Winter and Lindskog revisited the question of Tor probing a few months later in 2012 [199]. They used open proxies and a server in China to reach bridges and relays in Russia, Singapore, and Sweden. The bridges and relays were configured so that ordinary users would not connect to them by accident. They confirmed Wilde’s finding that the blocking of one port did not affect other ports on the same IP address. Blocked ports became reachable again 12 hours. By simulating multiple Tor connections, they collected over 3,000 active probe samples in 17 days. During that time, there were about 72 hours which where mysteriously free of active probing. Half of the probes came from a single IP address,; the other half were almost all unique. Reverse-scanning the probes’ source IP addresses, a few minutes after the probes were received, sometimes found a live host, though usually with a different IP TTL than was used during the probing, which the authors suggested may be a sign of address spoofing by the probing infrastructure. Because probing was triggered by patterns in the TLS client handshake, they developed a server-side tool, brdgrd [196], that rewrote the TCP window so that the client’s handshake would be split across packets. The tool sufficed, at the time, to prevent active probing, but stopped working in 2013 [197 §Software].
The obfs2 pluggable transport, first available in February 2012 [43], worked against active probing for about a year. The first report of its being probing arrived in March 2013 [47]. I found evidence for an even earlier onset, in January 2013, by analyzing the logs of my web server [60 §4.3]. At about the same time, the obfs3 pluggable transport became available [68]. It was, in principle, as vulnerable to active probing as obfs2 was, but the firewall did not gain the ability to probe for it until August 2013 [60 Figure 8].
Majkowski [128] documented a change in the GFW between June and July 2013. In June, he reproduced the observations of Winter and Lindskog: pairs of TLS probes, one from and one from some other IP address. He also provided TLS fingerprints for the probers, which differed from those of ordinary Tor clients. In July, he began to see pairs of probes with apparently random contents, like the garbage probes Wilde described. The TLS fingerprints of the July probes differed from those seen earlier, but were still distinctive.
The ScrambleSuit transport, designed to be immune to active-probing attacks, first shipped with Tor Browser 4.0 in October 2014 [153]. The successor transport obfs4, similarly immune, shipped in Tor Browser 4.5 in April 2015 [154].
In August 2015, developer BreakWa11 described an active-probing vulnerability in the Shadowsocks protocol [19, 156 §2]. The flaw had to do with a lack of integrity protection, allowing a prober to introduce errors into ciphertext and watch the server’s reaction. As a stopgap, the developers deployed a protocol change that proved to have its own vulnerabilities to probing. They deployed another protocol in February 2017, adding cryptographic integrity protection and fixing the problem [102]. Despite the long window of vulnerability, I know of no evidence that the Great Firewall tried to probe for Shadowsocks servers.
Ensafi et al. (including me) [60] did the largest controlled study of active probing to date throughout early 2015. We collected data from a variety of sources: a private network of our own bridges, isolated so that only we and active probers would connect to them; induced intensive probing of a single bridge over a short time period, in the manner of Winter and Lindskog; analysis of server log files going back to 2010; and reverse-scanning active prober source IP addresses using tools such as ping, traceroute, and Nmap. Using these sources of data, we investigated many aspects of active probing, such as the types of probes the firewall was capable of sending, the probers’ source addresses, and potentially fingerprintable peculiarities of the probers’ protocol implementations. Observations from this research project appear in the remaining sections of this chapter.
Wang et al. [189 §7.3] tried connecting to bridges from 11 networks in China. They found that connections from four of the networks did not result in active probing, while connections from the other seven did. A bridge that was probed became blocked on all ports, a change from the single-port blocking that had been documented earlier.
4.2 Types of probes
Our experiments confirmed the existence of known probe types from prior research, and new types that had not been documented before. Our observations of the known probe types were consistent with previous reports, with only minor differences in some details. We found, at varying times, these kinds of probes:
- Tor
We found probing of the Tor protocol, as expected. The probes we observed in 2015, however, differed from those Wilde described in 2011, which proceeded as far as building a circuit. The ones we saw used less of the Tor protocol: after the TLS handshake they only queried the server’s version and disconnected. Also, in contrast to what Winter and Lindskog found in 2012, the probes were sent immediately after a connection, not batched to a multiple of 15 minutes.
- obfs2
The obfs2 protocol is meant to look like a random stream, but it has a weakness that makes it trivial to identify, passively and retroactively, needing only the first 20 bytes sent by the client. We turned the weakness of obfs2 to our advantage. It allowed us to distinguish obfs2 from other random-looking payloads, isolating a set of connections that could belong only to legitimate circumventors or to active probers.
- obfs3
The obfs3 protocol is also meant to look like a random stream; but unlike obfs2, it is not trivially identifiable passively. It is not possible to retroactively recognize obfs3 connections (from, say, a packet capture) with certainty: sure classification requires active participation in the protocol. In some of our experiments, we ran an obfs3 server that was able to participate in the handshake and so confirm that the protocol really was obfs3. In the passive log analysis, we labeled “obfs3” any probes that looked random but were not obfs2.
- SoftEther
We unexpectedly found evidence of probe types other than Tor-related ones. One of these was an HTTPS request:
POST /vpnsvc/connect.cgi HTTP/1.1 Connection: Keep-Alive Content-Length: 1972 Content-Type: image/jpeg GIF89a...
Both the path “/vpnsvc/connect.cgi”, and the body being a GIF image despite having a Content-Type of “image/jpeg”, are characteristic of the client handshake of the SoftEther VPN software that underlies the VPN Gate circumvention system [144].
- AppSpot
This type of probe is also an HTTPS request:
GET / HTTP/1.1 Accept-Encoding: identity Connection: close Host: Accept: */* User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36
where the ‘
’ is a number that varies. The intent of this probe seems to be the discovery of servers that are capable of domain fronting for Google services, including Google App Engine, which runs at (See Chapter 6 for more on domain fronting.) At one time, there were simple proxies running at - urllib
This probe type is new since our 2015 paper. I discovered it while re-analyzing my server logs in order to update Figure 4.3. It is a particular request that was sent over both HTTP and HTTPS:
GET / HTTP/1.1 Accept-Encoding: identity Host: Connection: close User-Agent: Python-urllib/2.7
The urllib requests are unremarkable except for having been sent from an IP address that at some other time send another kind of active probe. The User-Agent “Python-urllib/2.7” and appears many other places in my logs, not in an active probing context. I cannot guess what this probe’s purpose may be, except to observe that Nobori and Shinjo also caught a “Python-urllib” client scraping the VPN Gate server list [144 §6.3].
These probe types are not necessarily exhaustive. The purpose of the random “garbage” probes is still not known; they were not obfs2 and were too early to be obfs3, so they must have had some other purpose.

Most of our experiments were designed around exploring known Tor-related probe types: plain Tor, obfs2, and obfs3. The server log analysis, however, unexpectedly turned up the other probe types. The server log data set consisted of application-layer logs from my personal web and mail server, which was also a Tor bridge. Application-layer logs lack much of the fidelity you would normally want in a measurement experiment; they do not have precise timestamps or transport-layer headers, for example, and web server logs truncate the client’s payload at the first ‘\0’ or ‘\n’ byte. But they make up for that with time coverage. Figure 4.3 shows the history of probes received at my server since 2013 (there were no probes before that, though the logs go back to 2010). We began by searching the logs for definite probes: those that were classifiable as obfs2 or otherwise looked like random garbage. Then we looked for what else appeared in the logs for the IP addresses that had, at any time, sent a probe. In a small fraction of cases, the other logs lines appeared to be genuine HTTP requests from legitimate clients; but usually they were other probe-like payloads. We continued this process, adding new classifiers for likely probes, until reaching a fixed point with the probe types described above.
4.3 Probing infrastructure
The most striking feature of active probes is the large number of source addresses from which they are sent, or appear to be sent. The 13,089 probes received by the HTTP and HTTPS ports of my server came from 11,907 distinct IP addresses, representing 47 /8 networks and 26 autonomous systems. 96% of the addresses appeared only once. There is one extreme outlier, the address, which by itself accounted for 2% of the probes. (Even this substantial fraction stands in contrast to previous studies, where that single IP address accounted for roughly half the probes [199 §4.5.1].) Among the address ranges are ones belonging to residential ISPs.

Despite the many source addresses, the probes seems to be managed by only a few underlying processes. The evidence for this lies in shared patterns in metadata: TCP initial sequence numbers and TCP timestamps. Figure 4.4 shows clear patterns in TCP timestamps, from about six months during which we ran a full packet capture on my web server, in addition to application-layer logging.
We tried connecting back to the source address of probes. Immediately after receiving a probe, the probing IP address would be completely unresponsive to any stimulus we could think to apply. In some cases though, within an hour the address became responsive. The responsive hosts looked like what you would expect to find if you scanned such address ranges, with a variety of operating systems and open ports.
4.4 Fingerprinting the probers
A potential countermeasure against active probing is for each proxy, when it receives a connection, to somehow decide whether the connection comes from a legitimate client, or from a prober. Of course, the right way to identify legitimate clients is with cryptographic authentication, whether at the transport layer (like BridgeSPA [172]) or at the application layer (like ScrambleSuit, obfs4, and Shadowsocks). But when that is not possible, one might hope to distinguish probers by their fingerprints, idiosyncrasies in their implementation that make them stand out from ordinary clients. In the case of the Great Firewall, the source IP address does not suffice as a fingerprint because of the great diversity of source addresses the system makes use of. And in a reversal of the usual collateral damage, the source addresses include those where we might expect legitimate clients to reside. The probes do, however, exhibit certain fingerprints at the application layer. While none of the ones we found were robust enough to effectively exclude active probers, they do hint at how the probing is implemented.
The active probers have an unusual TLS fingerprint, TLSv1.0 with a peculiar list of ciphersuites. Tor probes sent only a VERSIONS cell [50 §4.1], waited for a response, then closed the connection. The format of the VERSIONS cell was that of a “v2” Tor handshake that has been superseded since 2011, though still in use by a small number of real clients. The Tor probes described by Wilde in 2011 went further into the protocol. It hints at the possibility that at one time, the active probers used a (possibly modified) Tor client, and later switched to a custom implementation.
The obfs2 probes were conformant with the protocol specification, and unremarkable except for the fact that sometimes payloads were duplicated. obfs2 clients are supposed to use fresh randomness for each connection, but a small fraction, about 0.65%, of obfs2 probes shared an identical payload with one other probe. The two probes in a pair came from different source IP addresses and arrived within a second of each other. The apparently separate probers must therefore share some state—at least a shared pseudorandom number generator.
The obfs3 protocol calls for the client to send a random amount of random bytes as padding. The active probers’ implementation of the protocol gets the probability distribution wrong, half the time sending too much padding. This feature would be difficult to exploit for detection, though, because it would rely on application-layer proxy code being able to infer TCP segment boundaries.
The SoftEther probes seem to have been based on an earlier version of the official SoftEther client software than was current at the time, differing from current version in that they lack an HTTP Host header. They also differed from the official client in that their POST request was not preceded by a GET request. The TLS fingerprint of the official client is much different from that of the probers, again hinting at a custom implementation.
The AppSpot probes have a User-Agent header that claims to be a specific version of the Chrome browser; however the rest of the header, and the TLS fingerprint are inconsistent with Chrome.
Chapter 5
Time delays in censors’ reactions
Censors’ inner workings are mysterious. To the researcher hoping to understand them they present only a hostile, black-box interface. However some of their externally visible behaviors offers hints about their internal decision making. In this chapter I describe the results of an experiment that is designed to shed light on the actions of censors; namely, a test of how quickly they react to and block a certain kind of Tor bridge.
Tor bridges are secret proxies that help clients get around censorship. The effectiveness of bridges depends on their secrecy—a censor that learns a bridge’s address can simply block its IP address. Since the beginning, the designers of Tor’s bridge system envisioned that users would learn of bridges through covert or social channels [49 §7], in order to prevent any one actor from learning about and blocking a large number of them.
But as it turns out, most users do not use bridges in the way envisioned. Rather, most users who use bridges use one of a small number of default bridges hardcoded in a configuration file within Tor Browser. (According to Matic et al. [133 §VII.C], over 90% of bridge users use a default bridge.) At a conceptual level, the notion of a “default” bridge is a contradiction: bridges are meant to be secret, not plainly listed in the source code. Any reasonable threat model would assume that default bridges are immediately blocked. And yet in practice we find that they are often not blocked, even by censors that otherwise block Tor relays. We face a paradox: why is it that censors do not take blocking steps that we find obvious? There must be some quality of censors’ internal dynamics that we do not understand adequately.
The purpose of this chapter is to begin to go beneath the surface of censorship for insight into why censors behave as they do—particularly when they behave contrary to expectations. We posit that censors, far from being unitary entities of focused purpose, are rather complex organizations composed of human and machine components, with perhaps conflicting goals; this project is a small step towards better understanding what lies under the face that censors present. The main vehicle for the exploration of this subject is the observation of default Tor bridges to find out how quickly they are blocked after they first become discoverable by a censor. I took part in this project along with Lynn Tsai and Qi Zhong; the results in this chapter are an extension of work Lynn and I published in 2016 [91]. Through active measurements of default bridges from probe sites in China, Iran, and Kazakhstan, we uncovered previously undocumented behaviors of censors that hint at how they operate at a deeper level.
It was with a similar spirit that Aase, Crandall, Díaz, Knockel, Ocaña Molinero, Saia, Wallach, and Zhu [1] looked into case studies of censorship with a focus on understanding censors’ motivation, resources, and time sensitivity. They “had assumed that censors are fully motivated to block content and the censored are fully motivated to disseminate it,” but some of their observations challenged that assumption, with varied and seemingly undirected censorship hinting at behind-the-scenes resource limitations. They describe an apparent “intern effect,” by which keyword lists seem to have been compiled by a bored and unmotivated worker, without much guidance. Knockel et al. [117] looked into censorship of keywords in Chinese mobile games, finding that censorship enforcement in that context is similarly decentralized, different from the centralized control we commonly envision when thinking about censorship.
Zhu et al. [207] studied the question of censor reaction time in a different context: deletion of posts on the Chinese microblogging service Sina Weibo. Through frequent polling, they were able to measure—down to the minute—the delay between when a user made a post and when a censor deleted it. About 90% of deletions happened within 24 hours, and 30% within 30 minutes—but there was a long tail of posts that survived several weeks before being deleted. The authors used their observations to make educated guesses about the inner workings of the censors. Posts on trending topics tended to be deleted more quickly. Posts made late at night had a longer average lifetime, seemingly reflecting workers arriving in the morning and clearing out a nightly backlog of posts. King et al. [116] examined six months’ worth of deleted posts on Chinese social networks. The pattern of deletions seemed to reveal the censor’s motivation: not to prevent criticism of the government, as might be expected, but to forestall collective public action.
Nobori and Shinjo give a timeline [144 §6.3] of circumventor and censor actions and reactions during the first month and a half of the deployment of VPN Gate in China. Within the first four days, the firewall had blocked their main proxy distribution server, and begun scraping the proxy list. When they blocked the single scraping server, the firewall began scraping from multiple other locations within a day. After VPN Gate deployed the countermeasure of mixing high-collateral-damage servers into their proxy list, the firewall stopped blocking for two days, then resumed again, with an additional check that an IP addresses really was a VPN Gate proxy before blocking it.
Wright et al. [202 §2] motivated a desire for fine-grained censorship measurement by highlighting limitations that tend to prevent a censor from begin equally effective everywhere in its controlled network. Not only resource limitations, but also administrative and logistical requirements, make it difficult to manage a system as complex as a national censorship apparatus.
There has been no prior long-term study dedicated to measuring time delays in the blocking of default bridges. There have, however, been a couple of point measurements that put bounds on what blocking delays in the past must have been. Tor Browser first shipped with default obfs2 bridges on [43]; Winter and Lindskog tested them 41 days later [199 §5.1] and found all 13 of them blocked. (The bridges then were blocked by RST injection, a different blocking technique than the timeouts we have seen more recently.) In 2015 I used public reports of blocking and non-blocking of the first batch of default obfs4 bridges to infer a blocking delay of not less than 15 and not more than 76 days [70].
As security researchers, are accustomed to making conservative assumptions when building threat models. For example, we assume that when a computer is compromised, it’s game over: the attacker will cause the worst possible outcome for the computer’s owner. But the actual effects of a compromise can vary from grave to almost benign, and it is an interesting question, what really happens and how severe it is. Similarly, it is prudent to assume while modeling that the disclosure of any secret bridge will result in its immediate blocking by every censor everywhere. But as that does not happen in practice, it is an interesting question, what really does happen, and why?
5.1 The experiment
Our experiment primarily involved frequent, active test of the reachability of default bridges from probe sites in China, Iran, and Kazakhstan (countries well known to censor the network), as well as a control site in the U.S. We used a script that, every 20 minutes, attempted to make a TCP connection to each default bridge. The script recorded, for each attempt, whether the connection was successful, the time elapsed, and any error code. The error code allows us to distinguish between different kinds of failures such as “timeout” and “connection refused.” The control site in the U.S. enables us to distinguish temporary bridge failures from actual blocking.
The script only tested whether it is possible to make a TCP connection, which is a necessary but not sufficient precondition to actually establishing a Tor circuit through the bridge. In Kazakhstan, we deployed an additional script that attempted to establish a full Tor-in-obfs4 connection, in order to better understand the different type of blocking we discovered there.
The experiment was opportunistic in nature: we ran from China, Iran, and Kazakhstan not only because they are likely suspects for Tor blocking, but because we happened to have access to a site in each from which we could run probes over some period of time. Therefore the measurements cover different dates in different countries. We began at a time when Tor was building up its stock of default bridges. We began monitoring each new bridges as it was added, coordinating with the Tor Browser developers to get advance notice of their addition when possible. Additionally we had the developers run certain more controlled experiments for us—such as adding a bridge to the source code but commenting it out—that are further detailed below.
We were only concerned with default bridges, not secret ones. Our goal was not to estimate the difficulty of the proxy discovery problem, but to better understand how censors deal with what should be an easy task. We focused on bridges using the obfs4 pluggable transport [206], which not only is the most-used transport and the one marked “recommended” in the interface, but also has properties that help in our experiment. The content obfuscation of obfs4 reduces the risk of its passive detection. More importantly, it resists active probing attacks as described in Chapter 4. We could not have done the experiment with obfs3 bridges, because whether default or not, active probing would cause them to be blocked shortly after their first use.
Bridges are identified by a nickname and a port number. The nickname is an arbitrary identifier, chosen by the bridge operator. So, for example, “ndnop3:24215” is one bridge, and “ndnop3:10527” is another on the same IP address. We pulled the list of bridges from Tor Browser and Orbot, which is the port of Tor for Android. Tor Browser and Orbot mostly shared bridges in common, though there were a few Orbot-only bridges. A list of the bridges and other destinations we measured appears in Table 5.1. Along with the fresh bridges, we tested some existing bridges for comparison purposes.
New Tor Browser default obfs4 bridges | ||
ndnop3 | : | 24215, 10527 |
ndnop5 | : | 13764 |
riemann | : | 443 |
noether | : | 443 |
Mosaddegh | : | 41835, 80, 443, 2934, 9332, 15937 |
MaBishomarim | : | 49868, 80, 443, 2413, 7920, 16488 |
GreenBelt | : | 60873, 80, 443, 5881, 7013, 12166 |
JonbesheSabz | : | 80, 1894, 4148, 4304 |
Azadi | : | 443, 4319, 6041, 16815 |
Lisbeth | : | 443 |
NX01 | : | 443 |
LeifEricson | : | 50000, 50001, 50002 |
cymrubridge31 | : | 80 |
cymrubridge33 | : | 80 |
Orbot-only default obfs4 bridges | ||
Mosaddegh | : | 1984 |
MaBishomarim | : | 1984 |
JonbesheSabz | : | 1984 |
Azadi | : | 1984 |
Already existing default bridges | ||
LeifEricson | : | 41213 (obfs4) |
fdctorbridge01 | : | 80 (FTE) |
Never-published bridges | ||
ndnop4 | : | 27668 (obfs4) |
There are four stages in the process of deploying a new default bridge. At the beginning, the bridge is secret, perhaps having been discussed on a private mailing list. Each successive stage of deployment makes the bridge more public, increasing the number of places where a censor may look to discover it. The whole process takes a few days to a few weeks, mostly depending on Tor Browser’s release schedule.
- Ticket filed
The process begins with the filing of a ticket in Tor’s public issue tracker. The ticket includes the bridge’s IP address. A censor that pays attention to the issue tracker could discover bridges as early as this stage.
- Ticket merged
After review, the ticket is merged and the new bridge is added to the source code of Tor Browser. From there it will begin to be included in nightly builds. A censor that reads the bridge configuration file from the source code repository, or downloads nightly builds, could discover bridges at this stage.
- Testing release
Just prior to a public release, Tor Browser developers send candidate builds to a public mailing list to solicit quality assurance testing. A censor that follows testing releases would find ready-made executables with embedded bridges at this stage. Occasionally the developers skip the testing period, such as in the case of an urgent security release.
- Public relase
After testing, the releases are made public and announced on the Tor Blog. A censor could learn of bridges at this stage by reading the blog and downloading executables. This is also the stage at which the new bridges begin to have an appreciable number of users. There are two release tracks of Tor Browser: stable and alpha. Alpha releases are distinguished by an ‘a’ in their version number, for example 6.5a4. According to Tor Metrics [180], stable downloads outnumber alpha downloads by a factor of about 30 to 1.
We advised operators to configure their bridges so that they would not become public except via the four stages described above. Specifically, we made sure the bridges did not appear in BridgeDB [181], the online database of secret bridges, and that the bridges did not expose any transports other than obfs4. We wanted to ensure that any blocking of bridges could only be the result of their status as default bridges, and not a side effect of some other detection system.
5.2 Results from China
We had access to probe sites in China for just over a year, from December 2015 to January 2017. Due to the difficulty of getting access to hosts in China, we used four different IP addresses (all in the same autonomous system) at different points in time. The times during which we had control of each IP address partially overlap, but there is a 21-day gap in the measurements during August 2016.
Our observations in China turned up several interesting behaviors of the censor. Throughout this section, refer to Figure 5.2, which shows the timeline of reachability of every bridge, in context with dates related to tickets and releases. Circled references in the text (ⓐ, ⓑ, etc.) refer to marked points in the figure. A “batch” is a set of Tor Browser releases that all contained the same default bridges.

The most significant single event—covered in detail in Section 5.2.7—was a change in the censor’s detection and blocking strategy in October 2016. Before that date, blocking was port-specific and happened only after the “public release” stage. After, bridges began to be blocked on all ports simultaneously, and were blocked soon after the “ticket merged” stage. We believe that this change reflects a shift in how the censor discovered bridges, a shift from running the finished software to see what addresses it accesses, to extracting the addresses from source code. More details and evidence appear in the following subsections.
5.2.1 Per-port blocking
In the first few release batches, the censor blocked individual ports, not an entire IP address. For example, see point ⓐ in Figure 5.2: after ndnop3:24215 was blocked, we opened ndnop3:10527 on the same IP address. The alternate port remained reachable until it, too, was blocked in the next release batch. We used this technique of rotating ports in several release batches.
Per-port blocking is also evident in the continued reachability of non-bridge ports. For example, many of the bridges had an SSH port open, in addition to their obfs4 ports. After riemann:443 (obfs4) was blocked (point ⓒ in Figure 5.2), riemann:22 (SSH) remained reachable for a further nine months, until it was finally blocked at point ⓜ. Per-port blocking would give way to whole-IP blocking in October 2016.
5.2.2 Blocking only after public release
In the first six batches, blocking occurred only after public release—despite the fact that the censor could potentially have learned about and blocked the bridges in an earlier stage. In the 5.5.5/6.0a5/6.0 batch, the censor even seems to have missed the 5.5.5 and 6.0a5 releases (point ⓔ in Figure 5.2), only blocking after the 6.0 release, 36 days later. This observation hints that, before October 2016 anyway, the censor was somehow extracting bridge addresses from the release packages themselves. In subsections 5.2.3 and 5.2.6 we present more evidence that supports the hypothesis that the censor extracted bridge addresses only from public releases, not reacting at any earlier phase.
An evident change in blocking technique occurred around October 2016 with the 6.0.6/6.5a4 batch, when for the first time bridge were blocked before a public or testing release was available. The changed technique is the subject of Section 5.2.7.
5.2.3 Simultaneous blocking of all bridges in a batch
The first five blocking incidents were single events: when a batch contained more than one bridge, all were blocked at the same time; that is, within one of our 20-minute probing periods. These incidents appear as crisp vertical columns of blocking icons in Figure 5.2, for example at point ⓒ. This fact supports the idea that the censor discovered bridges by examining released executables directly, and did not, for example, detect bridges one by one by examining network traffic.
The 6.0.5/6.5a3 batch is an exception to the pattern of simultaneous blocking. In that batch, one bridge (LeifEricson:50000) was already blocked, three were blocked simultaneously as in the previous batches, but two others (GreenBelt:5881 and Azadi:4319) were temporarily unscathed. At the time, GreenBelt:5881 was experiencing a temporary outage—which could explain why it was not blocked—but Azadi:4319 was operational. This specific case is discussed further in Section 5.2.6.
5.2.4 Variable delays before blocking
During the time when the censor was blocking bridges simultaneously after a public release, we found no pattern in the length of time between the release and the blocking event. The blocking events did not seem to occur after a fixed length of time, nor did they occur on the same day of the week or at the same time of day. The delays were 7, 2, 18, 10, 35, and 6 days after a batch’s first public release—up to 57 days after the filing of the first ticket. Recall from Section 4.3 that the firewall was even at that time capable of detecting and blocking secret bridges within minutes. Delays of days or weeks stand out in contrast.
- .il (top-level domain of Israel), ¶87
- (Kazakh VPN node), ¶198
- 200 (HTTP status code), Figure 6.3, Figure 7.2
- (active prober), ¶106, ¶108, ¶128
- 404 (HTTP status code), ¶228
-, ¶255
- Aase, Nicholas, ¶141
- Abbatecola, Angie, ¶4
- Aben, Emile, ¶80
- Accept (HTTP header), ¶121
- Accept-Encoding (HTTP header), ¶121, ¶124
- Aceto, Giuseppe, ¶84
- ACK, ¶59
active probing, ¶39, ¶43, ¶62, ¶69, ¶81, ¶97, Figure 4.1, ¶98–103, Table 4.2, ¶104–126, Figure 4.3, ¶127, ¶128, Figure 4.3, ¶129–136, ¶150, ¶203
- proactive versus reactive, ¶99
- see also port scanning
- address spoofing, ¶48, ¶57, ¶106
- address, detection/blocking by, see detection/blocking by address
- Afroz, Sadia, ¶3, ¶26, ¶38, ¶73, ¶94
- Ahmad, Tahir, ¶84
-, ¶255
- Akella, Aditya, ¶39, ¶40, ¶218, ¶246
- Allot Communications, ¶262
Amazon CloudFront, ¶86, Table 6.5, ¶232, ¶240, ¶241
- see also meek-amazon
- An, Anne, ¶225
- Anderson, Collin, ¶82, ¶91
- Anderson, Daniel, ¶62
- Anderson, Philip D., ¶62, ¶83
Android, ¶151, ¶190
- see also Orbot
- Anonymous, ¶257
- answer (Snowflake), Figure 7.1, ¶275, ¶276, ¶279, Figure 7.2
- App Engine, see Google App Engine
- Appelbaum, Jacob, ¶224
-, ¶122
- see also Google App Engine
- APT29, see Cozy Bear
-, ¶294
- arms race, ¶93
- Aryan, Homa, ¶82
- Aryan, Simurgh, ¶82
- AS, see autonomous system
- Athanasopoulos, Elias, ¶89
- Augur, ¶92
- Australia, ¶78
authentication, ¶42, ¶43, ¶56, ¶102, ¶131, ¶228
- see also integrity
autonomous system, ¶79, ¶128, ¶158
- AS 203087, ¶198
- Awan, M. Faheem, ¶84
- Azadi (Tor bridge), Table 5.1, Figure 5.2, ¶166, ¶172–174, ¶181–183, ¶186, Figure 5.3
- Azure, see Microsoft Azure
- Balakrishnan, Hari, ¶41, ¶281
- Balazinska, Magdalena, ¶41, ¶281
- Barr, Alistair, ¶239
- Barr, Earl, ¶62, ¶79
- Beaty, Steve, ¶3
- blacklist, ¶23, ¶38, ¶39, ¶76, ¶78, ¶96, ¶97, Figure 4.1
- Blaze, Matt, ¶61
- block page, ¶84, ¶89
- blocking
- blogs, ¶88, ¶91, ¶156, ¶235
- Blue Coat, ¶87
- BLUES research group, ¶4
- Boe, Bryce, ¶214
- Boneh, Dan, ¶3
- border firewall, ¶9, Figure 1.1, ¶10–12
- Borisov, Nikita, ¶34
- botnet, ¶80, ¶254
- Botta, Alessio, ¶84
- Brazil, ¶258, ¶261, ¶263
- brdgrd, ¶62, ¶106
- BreakWa11, Table 4.2, ¶110
- Breault, Arlo, ¶224, ¶228, ¶270
- bridge, see Tor bridge
- bridge configuration file, ¶139, ¶154, ¶173, ¶174, ¶177, ¶180, ¶182, ¶184, ¶190, ¶194
- BridgeDB, ¶51, ¶52, ¶157, ¶194
- BridgeSPA, ¶131
- broker (Snowflake), ¶102, Figure 7.1, ¶272, ¶275, ¶279, Figure 7.2, ¶287
- Brown, Ian, ¶12, ¶144
- Brubaker, Chad, ¶34, ¶39, ¶40
- BT, ¶76
- Burnett, Sam, ¶34
- Byrd, Michael, ¶62, ¶79
- Caballero, Juan, ¶54, ¶99, ¶139
- Caesar, Matthew, ¶34
- California State loyalty oath, ¶6
- Canada, ¶78
- Cao, Yue, ¶62, Table 4.2, ¶112, ¶187
- captcha, ¶51
- Carr, Nick, ¶254
- cat-and-mouse game, ¶27
- CC0, ¶230
- CDN, ¶203, ¶210–214, ¶219, Figure 6.2, ¶228, ¶239, ¶243, ¶249, ¶261
- CensMon, ¶89
- censor, ¶10
- CensorBib, ¶4, ¶294
- CensorSpoofer, ¶57
certificate, ¶91, ¶92, ¶205, Figure 6.1, ¶209, ¶245, ¶290, ¶292
- see also common name (X.509); TLS
- CGIProxy, ¶64, ¶65
- Chaabane, Abdelberi, ¶87
- Chang, Lan, ¶234
- Channey, Kanwaljeet Singh, ¶256
- Chen, Terence, ¶87
- Chiesa, Marco, ¶80
China, ¶71, ¶74, ¶75, ¶78, ¶85, ¶86, ¶88, ¶89, ¶100, Table 4.2, ¶104–106, ¶112, ¶140–143, ¶147, ¶149, ¶158, ¶159, Figure 5.2, ¶160–194, ¶196, ¶199, ¶225, ¶232, ¶239, ¶264
- see also Great Firewall of China
- Chinese language, ¶79, ¶218, ¶246
- Chrome web browser, ¶121, ¶136, ¶230, ¶291
- ciphersuite, see TLS ciphersuite
- circumvention, ¶10
- Circumventor, ¶64, ¶65
- Cirripede, ¶215
- Claffy, Kimberly C., ¶80
classification, ¶14, ¶21–23, ¶28, ¶33, ¶97, ¶98, ¶116, ¶218, ¶246, ¶255
- see also detection; false positive; false negative
- Clayton, Richard, ¶59, ¶76, ¶77, ¶187
- CleanFeed, ¶76
- client, ¶10
- Cloudflare, ¶228, ¶239
- CloudFront, see Amazon CloudFront
- CloudTransport, ¶216
- collateral damage, ¶28–36, ¶48, ¶53, ¶56, ¶66, ¶70, ¶87, ¶98, ¶102, ¶131, ¶143, ¶203, Figure 6.1, ¶210, ¶212, ¶213, ¶215, ¶232, ¶255
- “collateral freedom”, ¶225, ¶239
- command and control, ¶254
- common name (X.509), ¶205, Figure 6.1, ¶292
- ConceptDoppler, ¶79
- Conficker, ¶80
- Connection (HTTP header), ¶118, ¶121, ¶124
- content delivery network, see CDN
- content, detection/blocking by, see detection/blocking by content
- Content-Length (HTTP header), ¶118, Figure 6.3
- Content-Type (HTTP header), ¶118, ¶119
- Cozy Bear, ¶254
- Crandall, Jedidiah R., ¶62, ¶79, ¶85, ¶92, ¶141, ¶142
- Creative Commons, ¶230
- Crete-Nishihata, Masashi, ¶87, ¶141
- Cristofaro, Emiliano De, ¶87
- Cronin, Eric, ¶61
- CS261N (network security course), ¶229
- Cunche, Mathieu, ¶87
- CurveBall, ¶215
- Cyberoam, ¶255, ¶256
- cymrubridge31 (Tor bridge), Table 5.1, Figure 5.4, Figure 5.5, ¶200
- cymrubridge33 (Tor bridge), Table 5.1, Figure 5.4, Figure 5.5, ¶200
- Dainotti, Alberto, ¶80
- Dalek, Jakub, ¶86, ¶87
- dead-parrot attacks, ¶39, ¶291
- decoy routing, see refraction networking
- deep packet inspection, ¶14, ¶69
- default bridge, see Tor bridge, default
- Deibert, Ronald, ¶86, ¶87
- Deloitte, ¶35
- deniability, ¶34
- denial of service, ¶86, ¶239
- DerbyCon, ¶254
- destination, ¶10
- detection, ¶22, ¶218
- Diffie–Hellman key exchange, ¶43
- Dingledine, Roger, ¶51, ¶99
- distinguishability, ¶29, ¶33, ¶34, ¶115, ¶131, ¶203, ¶221, ¶284, ¶289, ¶292
- DNS, ¶53, ¶66, ¶69, ¶75, ¶87, ¶91, ¶92, ¶205
domain fronting, ¶56, ¶66, ¶102, ¶122, ¶203–208, Figure 6.1, ¶209–219, Figure 6.2, ¶220, Figure 6.3, ¶221–223, Figure 6.4, Table 6.5, ¶224–264, ¶280
- costs of, ¶211, Table 6.5, ¶280
- in Snowflake rendezvous, Figure 7.1, ¶279, Figure 7.2
- see also front domain; meek
- Domain Name System, see DNS
- Dong, Bill, ¶74
- Dornseif, Maximillian, ¶74
- Dou, Eva, ¶239
- DPI, see deep packet inspection
DTLS, ¶289, ¶292
- fingerprinting, ¶293
- see also TLS
- DTLS-SRTP, ¶289
- Dunwoody, Matthew, ¶254
- Durumeric, Zakir, ¶54, ¶99
- Dust, ¶42
- Dyer, Kevin P., ¶39, ¶40, ¶218, ¶246
- Díaz, Álvaro, ¶141
- East, Rich, ¶62, ¶79
- eavesdropper’s dilemma, ¶61
- Edelman, Benjamin G., ¶75
- edge server, ¶210, ¶213, ¶249
- Egypt, ¶80, ¶248
- Elahi, Tariq, ¶26, ¶34, ¶40, ¶58
- email, ¶23, ¶37, ¶51, ¶57, ¶88, ¶127, ¶224, ¶225
- encryption, ¶42, ¶43, ¶69, ¶206, Figure 6.1, ¶209, ¶210, ¶214–216, ¶267, ¶278, ¶289
- end-to-middle proxying, see refraction networking
- English language, ¶20
- Ensafi, Roya, ¶81, ¶85, ¶86, ¶92, Table 4.2, ¶111, ¶187
- entanglement, ¶34
entropy, ¶39, ¶218, ¶246
- see also Kullback–Leibler divergence
- Eternity Service, ¶16
- ethics, ¶72
- Facebook, ¶82
- false negative, ¶22, ¶22, ¶29, ¶32, ¶43, ¶218
false positive, ¶22, ¶22, ¶28, ¶29, ¶32, ¶39, ¶43, ¶88, ¶98, ¶218, ¶246
- see also collateral damage
- Fang, Binxing, ¶218, ¶246
- fdctorbridge01 (Tor bridge), Table 5.1, Figure 5.2, Figure 5.3
- Feamster, Nick, ¶34, ¶41, ¶81, ¶92, Table 4.2, ¶111, ¶187, ¶281
- Fifield, David, ¶26, ¶38, ¶73, ¶81, ¶86, ¶94, Table 4.2, ¶111, ¶140, ¶187, ¶217, ¶234, ¶238, ¶285
- Filastò, Arturo, ¶90
- file descriptor limit, ¶201
- filecasting, ¶60
fingerprinting, ¶111, ¶131–136
- see also TLS/DTLS fingerprinting
- Firefox web browser, ¶230, ¶255, ¶256
- flash proxy, ¶55, ¶224, ¶225, ¶235, ¶236, ¶266, ¶268, ¶279
- format-transforming encryption, see FTE
- FortiGuard, ¶256
- forum moderation, ¶16, ¶142
- fragmentation, ¶61, ¶62, ¶77, ¶83, ¶106
- Freedom2Connect Foundation, ¶4
- FreeWave, ¶41
- Friedman, Arik, ¶87
- front domain, ¶203, Figure 6.1, ¶210, ¶255–257
- FTE, ¶41, Table 5.1, ¶236
- GAEuploader, ¶259
- garbage probes, Table 4.2, ¶104, ¶105, ¶108, ¶126, ¶127
- Geddes, John, ¶39
- geolocation, ¶247
- Germany, ¶74
- GET (HTTP method), ¶121, ¶124, ¶135, Figure 7.2
- GFW, see Great Firewall of China
- Gil Epner, Mia, ¶270, ¶285
- Gill, Phillipa, ¶87, ¶90
- Git, ¶228
- GitHub, ¶30, ¶86
- GoAgent, ¶214, ¶225
-, ¶198
- Goldberg, Ian, ¶26, ¶34, ¶40, ¶58
- Google, ¶87, ¶122, ¶169, ¶232, ¶233, ¶241, ¶242, ¶244, ¶254, ¶292
- Goto, Barbara, ¶4
- Great Cannon, ¶86, ¶239
- Great Firewall of China, ¶30, ¶32, ¶43, ¶51, ¶59, ¶62, ¶64, ¶71, ¶77–79, ¶81, ¶83, ¶97, ¶99, ¶100, Table 4.2, ¶107, ¶110, Figure 4.3, ¶131, ¶143, ¶168, ¶180, ¶186, ¶187, ¶221, ¶232, ¶249
- GreatFire, ¶239
- GreenBelt (Tor bridge), Table 5.1, Figure 5.2, ¶166, ¶170, ¶172, ¶173, ¶185, Figure 5.3, Figure 5.4, Figure 5.5, ¶200
- Guo, Li, ¶218, ¶246
- Gupta, Minaxi, ¶89
- Halderman, J. Alex, ¶54, ¶79, ¶82, ¶99
- Han, Serene, ¶270
- Harfst, Greg, ¶41
- Haselton, Bennett, ¶63, ¶87
- Hillig, Ulf, ¶16, ¶26, ¶50, ¶214
- Hong Kong, ¶78
- Hopper, Nicholas, ¶4, ¶39, ¶99
- Host (HTTP header), ¶121, ¶124, ¶135, ¶207–210, ¶215, Figure 6.2, Figure 6.3, ¶239
- Houmansadr, Amir, ¶34, ¶39, ¶40
- hrimfaxi, Table 4.2, ¶105
- HTML-rewriting proxy, ¶64, ¶65, ¶224
- HTTP, ¶33, ¶37, ¶41, ¶77, ¶79, ¶82–84, ¶86, ¶87, ¶118, ¶121, ¶123, Figure 4.3, ¶127, ¶128, ¶207, Figure 6.1, ¶209, ¶210, ¶219, ¶220, Figure 6.3, ¶224, ¶225, ¶227, ¶231, ¶240, ¶247, ¶279, Figure 7.2
- HTTPS, ¶51, ¶56, ¶100, ¶118, ¶120, ¶123, Figure 4.3, ¶128, ¶203, ¶204, ¶211, ¶212, ¶214, ¶216, ¶221, ¶232
- hybrid idle scan, ¶85
- Hynes, Rod, ¶217, ¶238
- ICE, ¶269, ¶288
- ICLab, ¶90
- idle scan, see hybrid idle scan
- indistinguishability, see distinguishability
- Infranet, ¶41, ¶66
- injection, see packet injection
- insider attack, ¶46, ¶57, ¶69
- instant messaging, ¶57, ¶287
integrity, ¶110, ¶278
- see also authentication
- Interactive Connectivity Establishment, see ICE
- intern effect, ¶141
- Internet Archive, ¶294
- “Internet censorship”, ¶18
- Internet service provider, see ISP
- intrusion detection, ¶61, ¶62, ¶77, ¶83
- Ioannidis, Sotiris, ¶89
- Iran, ¶43, ¶82, ¶140, ¶147, ¶149, ¶195, Figure 5.3, ¶196, ¶197
- Iris, ¶92
- ISP, ¶12, ¶64, ¶74, ¶76, ¶128
- Israel, ¶87
- Italy, ¶90
- JavaScript, ¶41, ¶86, ¶266
- Javed, Mobin, ¶62, ¶83, ¶84
- JonbesheSabz (Tor bridge), Table 5.1, Figure 5.2, ¶171, ¶185, Figure 5.3
- Jones, Ben, ¶92
- Kaafar, Mohamed Ali, ¶87
- Kadianakis, George, ¶227
- Karger, David, ¶41, ¶281
- Kazakhstan, ¶140, ¶147–149, ¶197, ¶198, Figure 5.4, Figure 5.5, ¶199–202, ¶257, ¶262
keyword filtering, ¶23, ¶25, ¶43, ¶62, ¶69, ¶75, ¶77–79, ¶82, ¶87, ¶88, ¶141, ¶232
- see also blocking by content
- Khattak, Sheharbano, ¶26, ¶34, ¶40, ¶58, ¶62, ¶83, ¶84
- Khayam, Syed Ali, ¶84
- King, Gary, ¶142
- Knockel, Jeffrey, ¶141
- Krishnamurthy, Srikanth V., ¶62, Table 4.2, ¶112, ¶187
- Kullback–Leibler divergence, ¶218, ¶246
- Köpsell, Stefan, ¶16, ¶26, ¶50, ¶214
- Lan, Chang, ¶217, ¶229, ¶230, ¶238
- Lantern, ¶217, ¶231, ¶233, ¶239
- Lau-Stewart, Lena, ¶4
- Lawrence Berkeley National Laboratory, ¶293
- Leidl, Bruce, ¶42
- LeifEricson (Tor bridge), Table 5.1, Figure 5.2, ¶166, ¶172, ¶176, ¶177, ¶179, ¶188, ¶189, Figure 5.3, ¶199
- Levien, Heather, ¶4
- Li, Anke, ¶90
- Li, Frank, ¶92
- Li, Katherine, ¶259
- Libya, ¶80
- Lindskog, Stefan, ¶32, ¶62, ¶81, Table 4.2, ¶106, ¶108, ¶111, ¶114, ¶145, ¶187
- Lisbeth (Tor bridge), Table 5.1, Figure 5.2, ¶177, ¶179, ¶180, Figure 5.4, Figure 5.5, ¶200
- LiveJournal, ¶91
- look-like-nothing transport, ¶42, ¶43, ¶82, ¶102, ¶115, ¶116
- Lowe, Graham, ¶78
- Lyon, Gordon, ¶4
- MaBishomarim (Tor bridge), Table 5.1, Figure 5.2, ¶171, ¶185, Figure 5.3
- Majkowski, Marek, Table 4.2, ¶108
- man in the middle, ¶43
- Mao, Z. Morley, ¶79
- Marcus, Michael L., ¶78
- Marczak, Bill, ¶86
- Marquis-Boire, Morgan, ¶87
- Mathewson, Nick, ¶99
- Matic, Srdjan, ¶54, ¶99, ¶139
- McAfee, ¶87
- McCullagh, Declan B., ¶63
- McKune, Sarah, ¶86, ¶87
- McLachlan, Jon, ¶99
- meek, ¶212, ¶217–219, Figure 6.2, ¶220, Figure 6.3, ¶221–223, Figure 6.4, Table 6.5, ¶224–264, ¶283
- meeker, ¶227
- Meeks, Brock N., ¶63
microblogging, ¶142
- see also Twitter; Sina Weibo
- Microsoft, ¶241
- MITM, see man in the middle
- modeling, ¶11, ¶12, ¶17, ¶19, ¶22, ¶27, ¶34, ¶67, ¶72, ¶77, ¶146
- Mohajeri Moghaddam, Hooman, ¶270
- Morin, Rich, ¶65
- Mosaddegh (Tor bridge), Table 5.1, Figure 5.2, ¶170, ¶171, ¶186, Figure 5.3, Figure 5.4, Figure 5.5, ¶200
- Mueen, Abdullah, ¶85, ¶92
- Mulligan, Deirdre, ¶4
- Murdoch, Steven J., ¶26, ¶34, ¶40, ¶58, ¶59, ¶77, ¶187
- Nabi, Zubair, ¶84
- NAT, ¶266, ¶267, ¶282, ¶288
- National Congress (Communist Party of China), ¶264
- ndnop3 (Tor bridge), ¶151, Table 5.1, Figure 5.2, ¶161, ¶168, Figure 5.3, Figure 5.4, Figure 5.5, ¶201
- ndnop4 (Tor bridge), Table 5.1, Figure 5.2, ¶194, Figure 5.3
- ndnop5 (Tor bridge), Table 5.1, Figure 5.2, Figure 5.3, Figure 5.4, Figure 5.5, ¶201
- NDSS, see Network and Distributed System Security Symposium
- Netsweeper, ¶87
- network address translation, see NAT
- Network and Distributed System Security Symposium, ¶234
- network intrusion detection system, see intrusion detection
- network monitor, ¶61, ¶62, ¶77, ¶83
- Newsham, Timothy N., ¶61
- Nguyen, Giang T. K., ¶34
- nickname, see Tor bridge, nicknames
- NIDS, see intrusion detection
- Nithyanand, Rishab, ¶90
- Nixon, Leif, Table 4.2, ¶104
- Nmap, ¶111
- Nobori, Daiyuu, ¶143
- noether (Tor bridge), Table 5.1, Figure 5.2, Figure 5.3
- Noman, Helmi, ¶87
- North Rhein-Westphalia, ¶74
- NX01 (Tor bridge), Table 5.1, Figure 5.2, ¶177, ¶179, ¶184, Figure 5.4, Figure 5.5, ¶200
- obfs2, ¶43, Table 4.2, ¶105, ¶107, ¶115, ¶116, ¶126, Figure 4.3, ¶127, ¶133, ¶145, ¶266
- obfs3, ¶43, Table 4.2, ¶107, ¶116, ¶126, Figure 4.3, ¶127, ¶134, ¶150, ¶236, ¶266
- obfs4, ¶43, ¶54, ¶102, Table 4.2, ¶109, ¶131, ¶145, ¶148, ¶150, Table 5.1, ¶157, ¶162, ¶186, ¶188, ¶200, ¶222
- obfuscated-openssh, ¶42
- Ocaña Molinero, Jorge, ¶141
- offer (Snowflake), Figure 7.1, ¶275, ¶276, ¶279, Figure 7.2
- onion service, ¶254
- OONI, ¶4, ¶90
- open proxy, ¶75, ¶106
- Open Technology Fund, ¶4
- OpenITP, ¶231
- OpenNet Initiative, ¶88
- OpenSSH, see obfuscated-openssh
- OpenTokRTC, ¶292
- Orbot, ¶151, Table 5.1, ¶185, ¶190–192, ¶237, ¶259–261
- origin server, ¶210
- overblocking, see false positive
- packet dropping, ¶17, ¶39, ¶59, ¶77, ¶80, ¶82, ¶86
- packet injection, ¶17, ¶59, ¶69, ¶74, ¶77–79, ¶86, ¶88, ¶145
- packet size and timing, ¶26, ¶43, ¶44, ¶217, ¶218, ¶234, ¶246
- Pakistan, ¶84, ¶90
- Pan, Jennifer, ¶142
- Park, Jong Chun, ¶62, ¶79
- Paxson, Vern, ¶3, ¶26, ¶38, ¶61, ¶62, ¶73, ¶81, ¶83, ¶84, ¶86, ¶92, ¶94, Table 4.2, ¶111, ¶187, ¶217, ¶229, ¶234, ¶238
- Peacefire, ¶63
- Pearce, Paul, ¶92
- Pescapè, Antonio, ¶80, ¶84
- PETS, see Privacy Enhancing Technologies Symposium
- Phipps, David, ¶142
- PHP, ¶228
- ping, ¶111
- PlanetLab, ¶89
pluggable transports, ¶20, ¶81, ¶100, ¶103, ¶150, ¶199, ¶219, ¶231, ¶247, ¶248, ¶255, ¶262, ¶266
- see also flash proxy; FTE; meek; obfs2; obfs3; obfs4; ScrambleSuit; Snowflake
- polymorphism, ¶38, ¶42–44
port scanning, ¶54, ¶69, ¶99, ¶130
- see also active probing; hybrid idle scan
- POST (HTTP method), ¶118, ¶135, ¶219, ¶220, Figure 6.3, Figure 7.2
- precision, see false positive
- Pridgen, Adam, ¶142
- Privacy Enhancing Technologies Symposium, ¶238
- Proximax, ¶52
- proxy, ¶24
- proxy discovery, ¶150
- proxy distribution, ¶48, ¶52, ¶57, ¶65, ¶95, ¶213, ¶268
- Psiphon, ¶64, ¶217, ¶233, ¶238, ¶262
- Ptacek, Thomas H., ¶61
- public domain, ¶230
- Python, ¶124
- radio jamming, ¶60
- randomization, ¶37, ¶42, ¶44, ¶82, ¶133, ¶134
- rate limiting, ¶241, ¶248
- Razaghpanah, Abbas, ¶90
- rBridge, ¶52
- recall, see false negative
- refraction networking, ¶56, ¶66, ¶215
- relative entropy, see Kullback–Leibler divergence
- rendezvous, ¶95, ¶225
- reset, see RST
- Rey, Arn, ¶86
- Riedl, Thomas, ¶34
- riemann (Tor bridge), Table 5.1, Figure 5.2, ¶162, ¶168, ¶186, Figure 5.3
- RIPE Atlas, ¶91
- Ristenpart, Thomas, ¶39, ¶40, ¶218, ¶246
- Roberts, Margaret E., ¶142
- Robinson, David, ¶225
- Rover, ¶65
- RST, ¶59, ¶69, ¶77–79, ¶88, ¶145
- Ruan, Lotus, ¶141
- Russia, ¶91, ¶106
- Russo, Michele, ¶80
- SafeWeb, ¶64
- Saia, Jared, ¶141
- Salmon, ¶52
- satellite television, ¶60
- Schuchard, Max, ¶39
- Scott, Will, ¶90
- Scott-Railton, John, ¶86
- ScrambleSuit, ¶43, ¶54, ¶102, Table 4.2, ¶109, ¶131, ¶236
- SDES, ¶289
- SecML research group, ¶4
- Secure Sockets Layer, see TLS
- security through obscurity, ¶22
- Senft, Adam, ¶87
- Server Name Indication, see SNI
- Sfakianakis, Andreas, ¶89
- Shadowsocks, ¶42, ¶54, ¶102, ¶103, Table 4.2, ¶110, ¶131
- Sharefest, ¶292
- Sherr, Micah, ¶61
- Shi, Jinqiao, ¶218, ¶246
- Shinjo, Yasushi, ¶143
- Shmatikov, Vitaly, ¶34, ¶39, ¶40
- Shrimpton, Thomas, ¶39, ¶40, ¶218, ¶246
- shutdowns, ¶28, ¶35, ¶69, ¶70, ¶80
- Sillers, Audrey, ¶4
- Simon, Laurent, ¶26, ¶34, ¶40, ¶58
- Sina Weibo, ¶142
- Singapore, ¶106
- Singer, Andrew, ¶34
- Skype, ¶41
- SkypeMorph, ¶41
- SNI, ¶205, ¶209, ¶214, Figure 6.2, ¶239, ¶255, ¶256
- Snowflake, ¶55, ¶102, ¶265–270, Figure 7.1, ¶271–279, Figure 7.2, ¶280–293
- social media, ¶16, ¶66, ¶91, ¶142
- SOCKS, ¶24, ¶55
- SoftEther VPN, ¶119, ¶135
- SOFTWARE (STUN attribute), ¶288
- Song, Chengyu, ¶62, Table 4.2, ¶112, ¶187
- source code, ¶7
- South Korea, ¶90
- Souza, Tulio de, ¶12, ¶144
- sphere of influence/visibility, ¶58–62
- spoofing, see address spoofing
- Squarcella, Claudio, ¶80
- SRTP, ¶289
- SSH, ¶42, ¶82, Table 4.2, ¶104, Table 5.1, ¶162, ¶186, ¶188
- SSL, see TLS
- steganography, ¶33, ¶38–41, ¶44, ¶95
- StegoTorus, ¶41
- STUN, ¶288, ¶292
- Swanson, Colleen M., ¶26, ¶34, ¶40, ¶58
- Sweden, ¶106
- SYN, ¶59, ¶79
- Syria, ¶87
- Taiwan, ¶88
- Tan, Qingfeng, ¶218, ¶246
- TCP, ¶59, ¶69, ¶79, ¶82, ¶83, ¶85, ¶88, ¶92, ¶134, ¶147, ¶148, Figure 5.2, ¶197, Figure 5.4, Figure 5.5, ¶199, ¶200, ¶227, ¶240, ¶266
- Team Cymru, ¶261
- television, ¶60
- Telex, ¶215
- terms of service, ¶242, ¶251, ¶254
- threat modeling, see modeling
- throttling, ¶14, ¶17, ¶69, ¶70, ¶82
- Tibet, ¶88
- time to live, see TTL
- TLS, ¶66, Table 4.2, ¶104, ¶105, ¶108, ¶114, ¶132, ¶205, Figure 6.1, ¶209, ¶210, ¶215, ¶240, ¶245, ¶255, ¶290
- Tokachu, ¶78
- Toosheh, ¶60
Tor, ¶20, ¶85, ¶108, ¶132, ¶173, ¶190, ¶217, ¶221, ¶222, ¶231, ¶233, ¶235, ¶247, ¶248, ¶262, ¶273
- Blog, ¶156
- bootstrapping, Figure 5.5, ¶200, ¶201
- bridge, ¶51, ¶54, ¶99, Table 4.2, ¶105, ¶127, ¶138, ¶219, Figure 6.2, ¶228, ¶235, ¶236, ¶240, ¶241, ¶247, ¶273
- Browser, ¶109, ¶145, ¶149, ¶151, Table 5.1, ¶152, ¶154, ¶173, ¶190, ¶192, ¶194, ¶222, ¶230, ¶232, ¶235–237, ¶245, ¶255, ¶256, ¶259–261, ¶270
- circuit, ¶114, ¶148, Figure 5.5, ¶200, ¶273
- directory authorities, ¶85, ¶196
- Metrics, ¶156, ¶197, Figure 6.4, ¶247, ¶257
- onion service, ¶254
- Project, ¶4, ¶20, ¶149, ¶153, ¶248
- protocol, ¶81, ¶87, ¶100, ¶103, Table 4.2, ¶105, ¶114, Figure 4.3, ¶127, ¶132, ¶149, ¶199
- tor-dev mailing list, ¶4, ¶228
- tor-qa mailing list, ¶4, ¶155
- traceroute, ¶111
- traffic-obf mailing list, ¶4
- TriangleBoy, ¶57
- Troncoso, Carmela, ¶54, ¶99, ¶139
- Tsai, Lynn, ¶140
- Tschantz, Michael Carl, ¶3, ¶26, ¶38, ¶73, ¶94
- Tsyrklevich, Vladislav, ¶99
- TTL, ¶61, ¶77, ¶78, ¶83, ¶106
- tunneling, ¶40, ¶212, ¶231, ¶267, ¶278
- Turkey, ¶66, ¶91
- TURN, ¶288
- Twitter, ¶66, ¶91
- Tygar, J.D., ¶3
- type I error, see false positive
- type II error, see false negative
- U.S., see United States of America
- UBICA, ¶90
- UDP, ¶267
- unblockability, ¶34, ¶213
- United Kingdom, ¶76
- United States of America, ¶6, ¶78, ¶147, ¶172, ¶201, ¶214, ¶247
- University of California, Berkeley, ¶4
- unobservability, ¶34
- untrusted messenger delivery, ¶281
- uProxy, ¶49, ¶268
- URL, ¶14, ¶64, ¶76, ¶89, ¶268, ¶294
- urllib, ¶125
- usability, ¶49, ¶53, ¶266
- User-Agent (HTTP header), ¶121, ¶124, ¶136
- Uzmi, Zartash Afzal, ¶84
- Vempala, Santosh, ¶34
- Verkamp, John-Paul, ¶89
- VERSIONS (Tor cell), ¶132
- Ververis, Vasilis, ¶90
- virtual hosting, ¶209, ¶210
- virtual private network, see VPN
- voice over IP, see VoIP
- VoIP, ¶41, ¶57
- VPN, ¶24, ¶84, ¶90, ¶100, ¶198, ¶243, ¶262
- VPN Gate, ¶53, ¶119, ¶125, ¶143
- Wagner, David, ¶4
- Wall Street Journal, ¶239
- Wallach, Dan, ¶141, ¶142
- Wang, Liang, ¶39, ¶40, ¶218, ¶246
- Wang, Winston, ¶281
- Wang, Xuebin, ¶218, ¶246
- Wang, Zhongjie, ¶62, Table 4.2, ¶112, ¶187
- Watson, Robert N. M., ¶59, ¶77, ¶187
- Weaver, Nicholas, ¶81, ¶86, ¶92, Table 4.2, ¶111, ¶187
web browser, ¶27, ¶65, ¶86, ¶102, ¶221, ¶224, ¶228, ¶255, ¶265, ¶266, ¶273, ¶281, ¶282
- see also Chrome; Firefox; Tor Browser
- WebRTC, ¶267–269, Figure 7.1, ¶272–278, ¶280, ¶282–287, ¶289, ¶291–293
- WebSocket, ¶225, ¶266, ¶267, ¶277
- Wegmann, Percy, ¶217, ¶231, ¶238
- Wei, Bingjie, ¶218, ¶246
- West, Darrell M., ¶35
- whitelist, ¶38, ¶39, ¶96, ¶214
- Wikipedia, ¶79
- Wilde, Tim, Table 4.2, ¶105, ¶106, ¶108, ¶114, ¶132
- Windows Update, ¶53
- Winter, Philipp, ¶4, ¶26, ¶32, ¶62, ¶81, ¶85, ¶91, ¶92, Table 4.2, ¶106, ¶108, ¶111, ¶114, ¶145, ¶187
- Winters, Patrick, ¶78
- Wired, ¶64
- Wolfgarten, Sebastian, ¶78
World Wide Web, ¶63
- see also HTTP; HTTPS; web browser
- Wright, Joss, ¶12, ¶144
- Wustrow, Eric, ¶54, ¶99
-, ¶224, ¶255, ¶256