Privacy Enhancing Technologies Symposium
July 11, 2013
Research paper (20 pages)
Use services that make HTTP requests to carry data between a censored user and a circumvention bridge.
A censor is able to blacklist IP addresses, and is reluctant to cause “collateral damage” by censoring services that have non-circumvention uses.
There is an online scanning service (OSS) outside the firewall, able to make HTTP requests to a circumvention proxy and the client.
The relay acts as a web server. The client asks an OSS to scan a URL on the relay.
“Dear OSS, please retrieve
http://relay.com/?data=UGxlYXNlIG5vdGUgdGhhdCB0aGlzIGRvY3VtZW50IGlzIHByb3ZpZGVkIGluIG9yZGVyIHRvIGRvY3VtZW50CkRlYmlhbidzIGhpc3RvcnkuICBXaGlsZSB0aGUgZ2VuZXJhbCBpZGVhcyBzdGlsbCBhcHBseSBzb21lIGRldGFpbHMKY2hhbmdlZC4KCgoqKioqKioqKioqKioqKioqKioqKgpBcHBlbmRpeApUaGUgRGViaWFuIE1hbmlmZXN0bwoqKioqKioqKioqKioqKioqKioqKgoKCgkJCVRoZSBEZWJpYW4gTGludXggTWFuaWZlc3RvCgoJCQlXcml0dGVuIGJ5ICBJYW4gQS4gTXVyZG9jawoJCQkgICAgIFJldmlzZWQgMDEvMDYvOTQKCgpXaGF0IGlzIERlYmlhbiBMaW51eD8KPT09PT09PT09PT09PT09.”
Both client and relay act as web servers. The client’s first request embeds a return address. The relay’s response contains a redirect back to the client.
The client’s response to the redirected request is another redirect back to the relay. And so on.
OSSes (with few exceptions) stop following redirects after a while. The client needs to kick off a new scan (and chain of redirects) after the previous one is exhausted.
The client needs to poll to see if the relay has anything new to send.
HTTP/1.0 301 Moved Permanently Location: URL
<frameset><frame src="URL"></frameset>
<meta http-equiv="refresh" content="0; url='URL'">
<body onload="document.form.submit();">

| OSS | # of HTTP redirects | # of meta-refresh |
|---|---|---|
| AdSense | 5 | 5 | 
| Dr.Web | ∞ | 0 | 
| GoMo | 15 | ∞ | 
| goo.gl | 15 | 30 | 
| NoVirusThanks | 10 | 0 | 
| PDFmyURL | ∞ | ∞ | 
| VirusTotal | 5/20 | 0/≈150 | 
| vURL | 20 | 0 | 
| W3C | 7 | 0 | 
| Chromium | 20 | ∞ | 
| Firefox | 20 | ∞ | 
| Internet Explorer | 120 | ∞ | 
| Safari | 16 | ∞ | 

| OSS | capacity of HTTP redirects | capacity of meta-refresh |
|---|---|---|
| AdSense | 2047 | 2047 | 
| Dr.Web | 8181 | 0 | 
| GoMo | ∞ | ∞ | 
| goo.gl | 2047 | 2047 | 
| NoVirusThanks | ≈128000 | 0 | 
| PDFmyURL | ∞ | ∞ | 
| VirusTotal | 2047 | 0/∞ | 
| vURL | ≈128000 | 0 | 
| W3C | 8181 | 0 | 
| Chromium | ≈262144 | ∞ | 
| Firefox | ∞ | ∞ | 
| Internet Explorer | ∞ | ∞ | 
| Safari | ∞* | ∞* | 

| OSS | bytes / s |
|---|---|
| AdSense | 500 | 
| Dr.Web | 20,000 | 
| GoMo | 22,000 | 
| goo.gl | 350 | 
| NoVirusThanks | 21,000 | 
| PDFmyURL | 220,000 | 
| VirusTotal | 1,000 | 
| vURL | 250 | 
| W3C | 4,600 | 
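
The redirect chain and the per-OSS limits above, as an added example (not code from the paper or the flash proxy project): a network-free Python model in which client and relay answer every request with a redirect, and the OSS stops after a fixed number of redirects and refuses over-long URLs. The host names, the `off`/`ack`/`data` parameter names and the fixed (rather than embedded) return address are assumptions made for the illustration; the offsets and acknowledgements let the client start a new scan without losing or duplicating the chunk carried by the last, unfollowed redirect.

```python
import base64
from urllib.parse import urlsplit, parse_qs

class Endpoint:
    """Client or relay: a web server that answers every request with a redirect."""
    def __init__(self, peer, outbox, url_cap):
        self.peer, self.out, self.cap = peer, outbox, url_cap
        self.inbox, self.acked = bytearray(), 0   # bytes received / bytes the peer confirmed

    def _url(self, data):
        # 'off', 'ack' and 'data' are hypothetical parameter names.
        return f"{self.peer}?off={self.acked}&ack={len(self.inbox)}&data={data}"

    def next_url(self):
        # Largest chunk whose base64 form keeps the whole URL within the OSS limit.
        n = max(0, (self.cap - len(self._url(""))) // 4 * 3)
        chunk = self.out[self.acked:self.acked + n]
        return self._url(base64.urlsafe_b64encode(chunk).decode())

    def handle(self, url):
        q = parse_qs(urlsplit(url).query, keep_blank_values=True)
        self.acked = max(self.acked, int(q["ack"][0]))
        if int(q["off"][0]) == len(self.inbox):    # ignore a chunk we already have
            self.inbox += base64.urlsafe_b64decode(q["data"][0])
        return self.next_url()                     # goes out as the Location header

def oss_scan(start_url, hosts, max_redirects, url_cap):
    """Model of an OSS: fetch start_url, then follow at most max_redirects redirects."""
    url, fetched = start_url, 0
    while fetched <= max_redirects and len(url) <= url_cap:
        url = hosts[urlsplit(url).netloc].handle(url)
        fetched += 1
    return fetched    # the last Location returned is never fetched, so its chunk is lost

def transfer(up, down, max_redirects, url_cap):
    """Move `up` client->relay and `down` relay->client; return (scans, relay_got, client_got)."""
    if max_redirects < 1 or url_cap < 64:
        raise ValueError("OSS follows too few redirects or URLs are too short")
    client = Endpoint("http://relay.example/", up, url_cap)    # assumed host names
    relay = Endpoint("http://client.example/", down, url_cap)
    hosts = {"client.example": client, "relay.example": relay}
    scans = 0
    while client.acked < len(up) or len(client.inbox) < len(down):
        oss_scan(client.next_url(), hosts, max_redirects, url_cap)  # client asks for a new scan
        scans += 1
    return scans, bytes(relay.inbox), bytes(client.inbox)

if __name__ == "__main__":
    # Constructed payloads; 5 redirects and 2047 bytes are the AdSense row of the tables.
    print(transfer(bytes(range(256)) * 40, b"reply " * 500, 5, 2047)[0], "scans")
```
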
http://relay.com/91a37a20/6fe7703b/123/50/?&data=UGxlYXNlIG5vdGUgdGhh...
flashproxy-reg-url, manual rendezvous for flash proxy.
flashproxy-reg-appspot, rendezvous using a static OSS we control, hidden behind https://www.google.com/.