…it may be roundly asserted that human ingenuity cannot concoct a cipher which human ingenuity cannot resolve.
This was my keynote talk for FOCI 2024.1.
Censorship and circumvention are often characterized as an “arms race” or “cat-and-mouse game”.
The global escalation of Internet censorship by nation-state actors has led to an ongoing arms race between censors and obfuscated circumvention proxies.
The arms race between Internet freedom advocates and censors has catalyzed the emergence of sophisticated blocking techniques…
Censorship circumvention is an arms race between covert communication systems and nation-state adversaries…
This has led to an ongoing arms race between adversaries and free speech activists…
The ongoing arms-race between the GFW and Tor has been extensively studied…
…a promising way forward in the cat-and-mouse game between censors and censorship resistors.
These terms, while having some basis in fact, are overly reductive—they don’t tell the whole story. Not false, but incomplete. They risk limiting the way we practitioners model problems, and how others think of the research field.
Let’s thoughtfully examine what assumptions we bring into research. Is the facet we’re studying well-characterized as an arms race? Maybe it is—or maybe it should get a more precise description.
…it may be roundly asserted that human ingenuity cannot concoct a cipher which human ingenuity cannot resolve.
Early-ish examples of cat-and-mouse games / arms races:
Announce a mirror, it gets blocked, announce a new one.
Tor TLSHistory (, predating pluggable transports)
This will read like a comedy of errors; please don’t judge our missteps too harshly.
Our unusual cipher list, and our our funny-looking certs made Tor pretty easy to profile. So we switched to an approach where we would begin by sending a list of ciphers hacked to match the list sent by Firefox…
We began generating bogus domain names and sticking them in the commonName part of the certificates.
Iran blocked Tor based on our choice of Diffie–Hellman parameters. We switched to copy the fixed DH parameters from Apache’s mod_ssl…
When we started getting detected and blocked based on our use of renegotiation, we switched to an improved handshake…
We know we’re in an arms race.
I hope to change the perception that the circumvention problem is a cat-and-mouse game that affords only incremental and temporary advancements. Rather, let us state the assumptions about censor behavior atop which we build circumvention designs, and let those assumptions be based on an informed understanding of censor behavior.
Any system, even a fundamentally broken one, will work to circumvent most censors, as long as it is used only by one or only a few clients. The true test arises only after the system has begun to scale and the censor to fight back. This phenomenon may have contributed to the unfortunate characterization of censorship and circumvention as a cat-and-mouse game: deploying a flawed circumvention system, watching it become more popular and then get blocked, then starting over again with another similarly flawed system. In my opinion, the cat-and-mouse game is not inevitable, but is a consequence of inadequate understanding of censors. It is possible to develop systems that resist blocking—not absolutely, but quantifiably, in terms of costs to the censor—even after they have become popular.
Thesis statement: Whereas existing systems that aim to hide censorship-resistant traffic from a censor decline in usefulness over time as assumptions limiting the censor’s ability to detect circumvention tools collapse with improvements to traffic analysis technologies, we can design and deploy usable Internet freedom tools that stand the test of time, despite open knowledge of their operation and use, and despite technological improvements that enhance the traffic analysis abilities of the censor.
The cipher should not require secrecy, and it should not be a problem if it falls into enemy hands.
The enemy knows the system being used.
Who is the cat and who is the mouse?
Alternatives to arms race modeling: costs and tradeoffs
This forces the censor to make a tradeoff between gaining trust in order to cause greater damage (i.e., learning more trusted bridges to block, inviting more censors to bridges, etc., depending on the constraints of the specific reputation system), and keeping bridges unblocked for longer periods of time, which is necessary to build trust.
Snowflake is blockable by any censor that is willing to block WebRTC. We would not try to argue otherwise. Indeed, we believe that the way to present a circumvention system is not to argue for its absolute unblockability, but to lay out what actions by a censor would be necessary to block it—or more to the point, what sacrifices a censor would have to make in order to block it. Advancing the state of the art of censorship circumvention consists in pushing blocking out of reach of more and more censors.
Research specifically on arms race aspects remains legitimate
We play out one iteration of this hypothetical arms race, and design a tweaked obfs protocol which we call obfs⋆.
Any reasonable threat model would assume that default bridges are immediately blocked. And yet in practice we find that they are often not blocked, even by censors that otherwise block Tor relays. We face a paradox: why is it that censors do not take blocking steps that we find obvious? There must be some quality of censors’ internal dynamics that we do not understand adequately.
Jumping out of the system
Censors are more capable, more determined, and have more resources and more human hours than any legitimate user. They can solve CAPTCHAs, purchase scarce resources, or solve proofs-of-work. But legitimate users have friends.
The goal of our work is to move censorship research in new directions that will lead to the development of stronger circumvention systems.
