An increasing number of countries implement Internet censorship at different levels and for a variety of reasons. Consequently, there is an ongoing arms race in which censorship resistance schemes (CRS) seek to enable unfettered user access to Internet resources while censors come up with new ways to restrict access. In particular, the link between the censored client and the entry point to the CRS has been a censorship flash point, and consequently the focus of circumvention tools. To foster interoperability and speed up development, Tor introduced Pluggable Transports — a framework to flexibly implement schemes that transform traffic flows between the Tor client and the bridge such that a censor fails to block them. Dozens of tools and proposals for pluggable transports have emerged over the last few years, each addressing specific censorship scenarios. As a result, the area has become too complex to discern the big picture.
Our recent report takes away some of this complexity by presenting a model of censor capabilities and an evaluation stack that offers a layered approach to evaluating pluggable transports. We survey 34 existing pluggable transports and highlight that they are too inflexible to share features for broader defensive coverage. This evaluation has led to a new design for Pluggable Transports – the Tweakable Transport: a tool for efficiently building and evaluating a wide range of Pluggable Transports so as to increase the difficulty and cost of reliably censoring the communication channel.
Link Obfuscation and Pluggable Transports
While blocking can take place at any point(s) in the network, the link between the censored client and the entry point to the CRS has been a frequent target (the corresponding circumvention being termed link obfuscation). It is relatively easy for a censor to block information while it is in transit, given that the censor is typically a powerful nation-state adversary that controls network infrastructure within the censored region. A CRS is effectively the composition of multiple components, each designed to defend against a set of attacker capabilities, either by itself or in combination with other components. A design trend in the development of CRSs is to separate out the modules which handle link obfuscation, while the rest of the system can choose from a range of implementations, from a simple proxy to a full-blown anonymity system. This kind of separation simplifies some of the complexity inherent in link obfuscation schemes, which must defend against the full range of blocking techniques available to censors. Also, as no single scheme has proved resistant to all potential adversaries, an arms race has developed in which link obfuscation techniques evolve dramatically faster than the other modules of a CRS. Finally, link obfuscation is a relatively new area, so it is unclear which design decisions are optimal.
The concept of link obfuscation is embodied by Pluggable Transports, the de facto API for link obfuscation schemes to integrate with a CRS. This API specifies a layered framework in which application layer messages on the sender are passed to an intermediate pluggable transport layer, which obfuscates the data in some way before passing it on to the network. On the receiver, data flows in the reverse direction and is deobfuscated. A modular approach like this simplifies implementations while factoring out redundant components. Originally this API was designed for use with Tor, but it has since been generalised, and now there is a wide variety of pluggable transport providers as well as a growing number of pluggable transport consumers in addition to Tor, with Lantern and Psiphon now able to make use of pluggable transports.
Seeing the forest for the trees
Despite the inherent complexity of link obfuscation/pluggable transports and the breadth of work in this area, there is no principled way to evaluate individual systems and compare them against each other. We recently carried out a study where we mapped 34 link obfuscation schemes to a comprehensive model of a censor’s blocking capabilities, and benchmarked the circumvention capabilities of these schemes using an abstract link obfuscation model. We note that there is a tendency for tools to cluster around resistance against either address-based blocking or content-based blocking. In reality, effective circumvention has to accommodate both “transform this byte stream to obfuscate censorable information” (content-based blocking) as well as “whom to connect to with the obfuscated traffic” (address-based blocking).
The Way Forward: Tweakable Pluggable Transports
Although the pluggable transport architecture serves as a unified framework for “plugging in” a link obfuscation scheme to a CRS, we note that most link obfuscation schemes themselves have been designed as monolithic systems that are hard to modify and extend. Such a design is at odds with the requirements of a CRS: speed of development is particularly important for censorship resistance because there is no one approach which is optimally efficient and resistant to all censorship mechanisms (temporal agility). A study of network traces collected at an ISP in Pakistan indicates that the country initially blocked YouTube through DNS redirection and HTTP 302 redirection to a block page in September 2012 [1]. A year later, HTTP redirection was replaced by the absence of any HTTP response (for example, by injecting a TCP reset after observing an HTTP request for a blocked host). Moreover, the exact mechanism through which censorship is enforced varies across different countries [2] and requires link obfuscation schemes tailored to the given location (spatial agility). To address these limitations, we present Tweakable Pluggable Transport (TPT) — a stacked architecture that represents link obfuscation schemes as a series of components, with each component defending against one or more attacks, either by itself or in conjunction with other components. This approach assists the design process by providing a set of patterns to follow, and a methodology for evaluating the censorship resistance features which are offered.
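To make the stacked architecture concrete, here is an added illustration (not code from the report or from any real pluggable transport) that composes two components, one resisting length fingerprinting and one resisting content inspection, into a single stack that a sender applies in order and a receiver peels in reverse. The pre-shared key, the 64-byte block size and the HMAC-based keystream are assumptions of the illustration, not part of the TPT design.

```python
import hashlib, hmac, os, struct

class LengthPadding:
    """Resists length fingerprinting: pads every message to a multiple of
    `block` bytes; a 2-byte big-endian header records the real length."""
    def __init__(self, block=64):
        self.block = block
    def wrap(self, data):  # messages of at most 65535 bytes
        framed = struct.pack(">H", len(data)) + data
        return framed + os.urandom((-len(framed)) % self.block)
    def unwrap(self, data):
        (n,) = struct.unpack(">H", data[:2])
        return data[2:2 + n]

class KeystreamObfuscation:
    """Resists content inspection: XORs with an HMAC-SHA256 counter keystream
    under a fresh 16-byte nonce per message. Toy stand-in for a real
    transport's cipher: it hides bytes but offers no integrity protection."""
    def __init__(self, key):
        self.key = key
    def _xor(self, nonce, data):
        ks = b"".join(hmac.new(self.key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
        return bytes(a ^ b for a, b in zip(data, ks))
    def wrap(self, data):
        nonce = os.urandom(16)
        return nonce + self._xor(nonce, data)
    def unwrap(self, data):
        return self._xor(data[:16], data[16:])

class TweakableStack:
    """Sender applies the layers in order; the receiver peels them in reverse."""
    def __init__(self, layers):
        self.layers = layers
    def send(self, data):
        for layer in self.layers:
            data = layer.wrap(data)
        return data
    def receive(self, data):
        for layer in reversed(self.layers):
            data = layer.unwrap(data)
        return data

def demo(msg):
    """Round-trips msg through a two-layer stack: (roundtrip_ok, wire_len, content_hidden)."""
    stack = TweakableStack([LengthPadding(64), KeystreamObfuscation(b"constructed-psk")])  # constructed key
    wire = stack.send(msg)
    return stack.receive(wire) == msg, len(wire), msg not in wire
```

Swapping the order of the layers, or adding a third component, changes only the list passed to TweakableStack; each component defends against one censor capability and knows nothing about the others.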
Our full report can be found on arXiv.
[1] Sheharbano Khattak, Mobin Javed, Syed Ali Khayam, Zartash Afzal Uzmi and Vern Paxson. A Look at the Consequences of Internet Censorship Through an ISP Lens, in the proceedings of the 14th ACM SIGCOMM conference on Internet measurement (IMC ’14).
[2] Ronald J. Deibert, John G. Palfrey, Rafal Rohozinski and Jonathan Zittrain (Editors). Access Denied: The Practice and Policy of Global Internet Filtering (Cambridge: MIT Press, 2008).