r13703@catbus: nickm | 2007-07-12 11:41:38 -0400
[tor.git] / doc / design-paper / blocking.tex
bloba6da81b959bd84abbb8fbe2d39de4fc9056585d9
1 \documentclass{llncs}
3 \usepackage{url}
4 \usepackage{amsmath}
5 \usepackage{epsfig}
7 \setlength{\textwidth}{6.0in}
8 \setlength{\textheight}{8.5in}
9 \setlength{\topmargin}{.5cm}
10 \setlength{\oddsidemargin}{1cm}
11 \setlength{\evensidemargin}{1cm}
13 \newenvironment{tightlist}{\begin{list}{$\bullet$}{
14 \setlength{\itemsep}{0mm}
15 \setlength{\parsep}{0mm}
16 % \setlength{\labelsep}{0mm}
17 % \setlength{\labelwidth}{0mm}
18 % \setlength{\topsep}{0mm}
19 }}{\end{list}}
21 \begin{document}
23 \title{Design of a blocking-resistant anonymity system\\DRAFT}
25 %\author{Roger Dingledine\inst{1} \and Nick Mathewson\inst{1}}
26 \author{Roger Dingledine \and Nick Mathewson}
27 \institute{The Free Haven Project\\
28 \email{\{arma,nickm\}@freehaven.net}}
30 \maketitle
31 \pagestyle{plain}
33 \begin{abstract}
35 Internet censorship is on the rise as websites around the world are
36 increasingly blocked by government-level firewalls. Although popular
37 anonymizing networks like Tor were originally designed to keep attackers from
38 tracing people's activities, many people are also using them to evade local
39 censorship. But if the censor simply denies access to the Tor network
40 itself, blocked users can no longer benefit from the security Tor offers.
42 Here we describe a design that builds upon the current Tor network
43 to provide an anonymizing network that resists blocking
44 by government-level attackers.
46 \end{abstract}
48 \section{Introduction and Goals}
50 Anonymizing networks like Tor~\cite{tor-design} bounce traffic around a
51 network of encrypting relays. Unlike encryption, which hides only {\it what}
52 is said, these networks also aim to hide who is communicating with whom, which
53 users are using which websites, and similar relations. These systems have a
54 broad range of users, including ordinary citizens who want to avoid being
55 profiled for targeted advertisements, corporations who don't want to reveal
56 information to their competitors, and law enforcement and government
57 intelligence agencies who need to do operations on the Internet without being
58 noticed.
60 Historical anonymity research has focused on an
61 attacker who monitors the user (call her Alice) and tries to discover her
62 activities, yet lets her reach any piece of the network. In more modern
63 threat models such as Tor's, the adversary is allowed to perform active
64 attacks such as modifying communications to trick Alice
65 into revealing her destination, or intercepting some connections
66 to run a man-in-the-middle attack. But these systems still assume that
67 Alice can eventually reach the anonymizing network.
69 An increasing number of users are using the Tor software
70 less for its anonymity properties than for its censorship
71 resistance properties---if they use Tor to access Internet sites like
72 Wikipedia
73 and Blogspot, they are no longer affected by local censorship
74 and firewall rules. In fact, an informal user study
75 %(described in Appendix~\ref{app:geoip})
76 showed China as the third largest user base
77 for Tor clients, with perhaps ten thousand people accessing the Tor
78 network from China each day.
80 The current Tor design is easy to block if the attacker controls Alice's
81 connection to the Tor network---by blocking the directory authorities,
82 by blocking all the server IP addresses in the directory, or by filtering
83 based on the fingerprint of the Tor TLS handshake. Here we describe an
84 extended design that builds upon the current Tor network to provide an
85 anonymizing
86 network that resists censorship as well as anonymity-breaking attacks.
87 In section~\ref{sec:adversary} we discuss our threat model---that is,
88 the assumptions we make about our adversary. Section~\ref{sec:current-tor}
89 describes the components of the current Tor design and how they can be
90 leveraged for a new blocking-resistant design. Section~\ref{sec:related}
91 explains the features and drawbacks of the currently deployed solutions.
92 In sections~\ref{sec:bridges} through~\ref{sec:discovery}, we explore the
93 components of our designs in detail. Section~\ref{sec:security} considers
94 security implications and Section~\ref{sec:reachability} presents other
95 issues with maintaining connectivity and sustainability for the design.
96 Section~\ref{sec:future} speculates about future more complex designs,
97 and finally Section~\ref{sec:conclusion} summarizes our next steps and
98 recommendations.
100 % The other motivation is for places where we're concerned they will
101 % try to enumerate a list of Tor users. So even if they're not blocking
102 % the Tor network, it may be smart to not be visible as connecting to it.
104 %And adding more different classes of users and goals to the Tor network
105 %improves the anonymity for all Tor users~\cite{econymics,usability:weis2006}.
107 % Adding use classes for countering blocking as well as anonymity has
108 % benefits too. Should add something about how providing undetected
109 % access to Tor would facilitate people talking to, e.g., govt. authorities
110 % about threats to public safety etc. in an environment where Tor use
111 % is not otherwise widespread and would make one stand out.
113 \section{Adversary assumptions}
114 \label{sec:adversary}
116 To design an effective anti-censorship tool, we need a good model for the
117 goals and resources of the censors we are evading. Otherwise, we risk
118 spending our effort on keeping the adversaries from doing things they have no
119 interest in doing, and thwarting techniques they do not use.
120 The history of blocking-resistance designs is littered with conflicting
121 assumptions about what adversaries to expect and what problems are
122 in the critical path to a solution. Here we describe our best
123 understanding of the current situation around the world.
125 In the traditional security style, we aim to defeat a strong
126 attacker---if we can defend against this attacker, we inherit protection
127 against weaker attackers as well. After all, we want a general design
128 that will work for citizens of China, Thailand, and other censored
129 countries; for
130 whistleblowers in firewalled corporate networks; and for people in
131 unanticipated oppressive situations. In fact, by designing with
132 a variety of adversaries in mind, we can take advantage of the fact that
133 adversaries will be in different stages of the arms race at each location,
134 so a server blocked in one locale can still be useful in others.
136 We assume that the attackers' goals are somewhat complex.
137 \begin{tightlist}
138 \item The attacker would like to restrict the flow of certain kinds of
139 information, particularly when this information is seen as embarrassing to
140 those in power (such as information about rights violations or corruption),
141 or when it enables or encourages others to oppose them effectively (such as
142 information about opposition movements or sites that are used to organize
143 protests).
144 \item As a second-order effect, censors aim to chill citizens' behavior by
145 creating an impression that their online activities are monitored.
146 \item In some cases, censors make a token attempt to block a few sites for
147 obscenity, blasphemy, and so on, but their efforts here are mainly for
148 show. In other cases, they really do try hard to block such content.
149 \item Complete blocking (where nobody at all can ever download censored
150 content) is not a
151 goal. Attackers typically recognize that perfect censorship is not only
152 impossible, but unnecessary: if ``undesirable'' information is known only
153 to a small few, further censoring efforts can be focused elsewhere.
154 \item Similarly, the censors are not attempting to shut down or block {\it
155 every} anti-censorship tool---merely the tools that are popular and
156 effective (because these tools impede the censors' information restriction
157 goals) and those tools that are highly visible (thus making the censors
158 look ineffectual to their citizens and their bosses).
159 \item Reprisal against {\it most} passive consumers of {\it most} kinds of
160 blocked information is also not a goal, given the broadness of most
161 censorship regimes. This seems borne out by fact.\footnote{So far in places
162 like China, the authorities mainly go after people who publish materials
163 and coordinate organized movements~\cite{mackinnon-personal}.
164 If they find that a
165 user happens to be reading a site that should be blocked, the typical
166 response is simply to block the site. Of course, even with an encrypted
167 connection, the adversary may be able to distinguish readers from
168 publishers by observing whether Alice is mostly downloading bytes or mostly
169 uploading them---we discuss this issue more in
170 Section~\ref{subsec:upload-padding}.}
171 \item Producers and distributors of targeted information are in much
172 greater danger than consumers; the attacker would like to not only block
173 their work, but identify them for reprisal.
174 \item The censors (or their governments) would like to have a working, useful
175 Internet. There are economic, political, and social factors that prevent
176 them from ``censoring'' the Internet by outlawing it entirely, or by
177 blocking access to all but a tiny list of sites.
178 Nevertheless, the censors {\it are} willing to block innocuous content
179 (like the bulk of a newspaper's reporting) in order to censor other content
180 distributed through the same channels (like that newspaper's coverage of
181 the censored country).
182 \end{tightlist}
184 We assume there are three main technical network attacks in use by censors
185 currently~\cite{clayton:pet2006}:
187 \begin{tightlist}
188 \item Block a destination or type of traffic by automatically searching for
189 certain strings or patterns in TCP packets. Offending packets can be
190 dropped, or can trigger a response like closing the
191 connection.
192 \item Block a destination by listing its IP address at a
193 firewall or other routing control point.
194 \item Intercept DNS requests and give bogus responses for certain
195 destination hostnames.
196 \end{tightlist}
198 We assume the network firewall has limited CPU and memory per
199 connection~\cite{clayton:pet2006}. Against an adversary who could carefully
200 examine the contents of every packet and correlate the packets in every
201 stream on the network, we would need some stronger mechanism such as
202 steganography, which introduces its own
203 problems~\cite{active-wardens,tcpstego}. But we make a ``weak
204 steganography'' assumption here: to remain unblocked, it is necessary to
205 remain unobservable only by computational resources on par with a modern
206 router, firewall, proxy, or IDS.
208 We assume that while various different regimes can coordinate and share
209 notes, there will be a time lag between one attacker learning how to overcome
210 a facet of our design and other attackers picking it up. (The most common
211 vector of transmission seems to be commercial providers of censorship tools:
212 once a provider adds a feature to meet one country's needs or requests, the
213 feature is available to all of the provider's customers.) Conversely, we
214 assume that insider attacks become a higher risk only after the early stages
215 of network development, once the system has reached a certain level of
216 success and visibility.
218 We do not assume that government-level attackers are always uniform
219 across the country. For example, users of different ISPs in China
220 experience different censorship policies and mechanisms.
221 %there is no single centralized place in China
222 %that coordinates its specific censorship decisions and steps.
224 We assume that the attacker may be able to use political and economic
225 resources to secure the cooperation of extraterritorial or multinational
226 corporations and entities in investigating information sources.
227 For example, the censors can threaten the service providers of
228 troublesome blogs with economic reprisals if they do not reveal the
229 authors' identities.
231 We assume that our users have control over their hardware and
232 software---they don't have any spyware installed, there are no
233 cameras watching their screens, etc. Unfortunately, in many situations
234 these threats are real~\cite{zuckerman-threatmodels}; yet
235 software-based security systems like ours are poorly equipped to handle
236 a user who is entirely observed and controlled by the adversary. See
237 Section~\ref{subsec:cafes-and-livecds} for more discussion of what little
238 we can do about this issue.
240 Similarly, we assume that the user will be able to fetch a genuine
241 version of Tor, rather than one supplied by the adversary; see
242 Section~\ref{subsec:trust-chain} for discussion on helping the user
243 confirm that he has a genuine version and that he can connect to the
244 real Tor network.
246 \section{Adapting the current Tor design to anti-censorship}
247 \label{sec:current-tor}
249 Tor is popular and sees a lot of use---it's the largest anonymity
250 network of its kind, and has
251 attracted more than 800 volunteer-operated routers from around the
252 world. Tor protects each user by routing their traffic through a multiply
253 encrypted ``circuit'' built of a few randomly selected servers, each of which
254 can remove only a single layer of encryption. Each server sees only the step
255 before it and the step after it in the circuit, and so no single server can
256 learn the connection between a user and her chosen communication partners.
257 In this section, we examine some of the reasons why Tor has become popular,
258 with particular emphasis to how we can take advantage of these properties
259 for a blocking-resistance design.
261 Tor aims to provide three security properties:
262 \begin{tightlist}
263 \item 1. A local network attacker can't learn, or influence, your
264 destination.
265 \item 2. No single router in the Tor network can link you to your
266 destination.
267 \item 3. The destination, or somebody watching the destination,
268 can't learn your location.
269 \end{tightlist}
271 For blocking-resistance, we care most clearly about the first
272 property. But as the arms race progresses, the second property
273 will become important---for example, to discourage an adversary
274 from volunteering a relay in order to learn that Alice is reading
275 or posting to certain websites. The third property helps keep users safe from
276 collaborating websites: consider websites and other Internet services
277 that have been pressured
278 recently into revealing the identity of bloggers
279 %~\cite{arrested-bloggers}
280 or treating clients differently depending on their network
281 location~\cite{goodell-syverson06}.
282 %~\cite{google-geolocation}.
284 The Tor design provides other features as well that are not typically
285 present in manual or ad hoc circumvention techniques.
287 First, Tor has a well-analyzed and well-understood way to distribute
288 information about servers.
289 Tor directory authorities automatically aggregate, test,
290 and publish signed summaries of the available Tor routers. Tor clients
291 can fetch these summaries to learn which routers are available and
292 which routers are suitable for their needs. Directory information is cached
293 throughout the Tor network, so once clients have bootstrapped they never
294 need to interact with the authorities directly. (To tolerate a minority
295 of compromised directory authorities, we use a threshold trust scheme---
296 see Section~\ref{subsec:trust-chain} for details.)
298 Second, the list of directory authorities is not hard-wired.
299 Clients use the default authorities if no others are specified,
300 but it's easy to start a separate (or even overlapping) Tor network just
301 by running a different set of authorities and convincing users to prefer
302 a modified client. For example, we could launch a distinct Tor network
303 inside China; some users could even use an aggregate network made up of
304 both the main network and the China network. (But we should not be too
305 quick to create other Tor networks---part of Tor's anonymity comes from
306 users behaving like other users, and there are many unsolved anonymity
307 questions if different users know about different pieces of the network.)
309 Third, in addition to automatically learning from the chosen directories
310 which Tor routers are available and working, Tor takes care of building
311 paths through the network and rebuilding them as needed. So the user
312 never has to know how paths are chosen, never has to manually pick
313 working proxies, and so on. More generally, at its core the Tor protocol
314 is simply a tool that can build paths given a set of routers. Tor is
315 quite flexible about how it learns about the routers and how it chooses
316 the paths. Harvard's Blossom project~\cite{blossom-thesis} makes this
317 flexibility more concrete: Blossom makes use of Tor not for its security
318 properties but for its reachability properties. It runs a separate set
319 of directory authorities, its own set of Tor routers (called the Blossom
320 network), and uses Tor's flexible path-building to let users view Internet
321 resources from any point in the Blossom network.
323 Fourth, Tor separates the role of \emph{internal relay} from the
324 role of \emph{exit relay}. That is, some volunteers choose just to relay
325 traffic between Tor users and Tor routers, and others choose to also allow
326 connections to external Internet resources. Because we don't force all
327 volunteers to play both roles, we end up with more relays. This increased
328 diversity in turn is what gives Tor its security: the more options the
329 user has for her first hop, and the more options she has for her last hop,
330 the less likely it is that a given attacker will be watching both ends
331 of her circuit~\cite{tor-design}. As a bonus, because our design attracts
332 more internal relays that want to help out but don't want to deal with
333 being an exit relay, we end up providing more options for the first
334 hop---the one most critical to being able to reach the Tor network.
336 Fifth, Tor is sustainable. Zero-Knowledge Systems offered the commercial
337 but now defunct Freedom Network~\cite{freedom21-security}, a design with
338 security comparable to Tor's, but its funding model relied on collecting
339 money from users to pay relay operators. Modern commercial proxy systems
340 similarly
341 need to keep collecting money to support their infrastructure. On the
342 other hand, Tor has built a self-sustaining community of volunteers who
343 donate their time and resources. This community trust is rooted in Tor's
344 open design: we tell the world exactly how Tor works, and we provide all
345 the source code. Users can decide for themselves, or pay any security
346 expert to decide, whether it is safe to use. Further, Tor's modularity
347 as described above, along with its open license, mean that its impact
348 will continue to grow.
350 Sixth, Tor has an established user base of hundreds of
351 thousands of people from around the world. This diversity of
352 users contributes to sustainability as above: Tor is used by
353 ordinary citizens, activists, corporations, law enforcement, and
354 even government and military users,
355 %\footnote{\url{http://tor.eff.org/overview}}
356 and they can
357 only achieve their security goals by blending together in the same
358 network~\cite{econymics,usability:weis2006}. This user base also provides
359 something else: hundreds of thousands of different and often-changing
360 addresses that we can leverage for our blocking-resistance design.
362 Finally and perhaps most importantly, Tor provides anonymity and prevents any
363 single server from linking users to their communication partners. Despite
364 initial appearances, {\it distributed-trust anonymity is critical for
365 anti-censorship efforts}. If any single server can expose dissident bloggers
366 or compile a list of users' behavior, the censors can profitably compromise
367 that server's operator, perhaps by applying economic pressure to their
368 employers,
369 breaking into their computer, pressuring their family (if they have relatives
370 in the censored area), or so on. Furthermore, in designs where any relay can
371 expose its users, the censors can spread suspicion that they are running some
372 of the relays and use this belief to chill use of the network.
374 We discuss and adapt these components further in
375 Section~\ref{sec:bridges}. But first we examine the strengths and
376 weaknesses of other blocking-resistance approaches, so we can expand
377 our repertoire of building blocks and ideas.
379 \section{Current proxy solutions}
380 \label{sec:related}
382 Relay-based blocking-resistance schemes generally have two main
383 components: a relay component and a discovery component. The relay part
384 encompasses the process of establishing a connection, sending traffic
385 back and forth, and so on---everything that's done once the user knows
386 where she's going to connect. Discovery is the step before that: the
387 process of finding one or more usable relays.
389 For example, we can divide the pieces of Tor in the previous section
390 into the process of building paths and sending
391 traffic over them (relay) and the process of learning from the directory
392 servers about what routers are available (discovery). With this distinction
393 in mind, we now examine several categories of relay-based schemes.
395 \subsection{Centrally-controlled shared proxies}
397 Existing commercial anonymity solutions (like Anonymizer.com) are based
398 on a set of single-hop proxies. In these systems, each user connects to
399 a single proxy, which then relays traffic between the user and her
400 destination. These public proxy
401 systems are typically characterized by two features: they control and
402 operate the proxies centrally, and many different users get assigned
403 to each proxy.
405 In terms of the relay component, single proxies provide weak security
406 compared to systems that distribute trust over multiple relays, since a
407 compromised proxy can trivially observe all of its users' actions, and
408 an eavesdropper only needs to watch a single proxy to perform timing
409 correlation attacks against all its users' traffic and thus learn where
410 everyone is connecting. Worse, all users
411 need to trust the proxy company to have good security itself as well as
412 to not reveal user activities.
414 On the other hand, single-hop proxies are easier to deploy, and they
415 can provide better performance than distributed-trust designs like Tor,
416 since traffic only goes through one relay. They're also more convenient
417 from the user's perspective---since users entirely trust the proxy,
418 they can just use their web browser directly.
420 Whether public proxy schemes are more or less scalable than Tor is
421 still up for debate: commercial anonymity systems can use some of their
422 revenue to provision more bandwidth as they grow, whereas volunteer-based
423 anonymity systems can attract thousands of fast relays to spread the load.
425 The discovery piece can take several forms. Most commercial anonymous
426 proxies have one or a handful of commonly known websites, and their users
427 log in to those websites and relay their traffic through them. When
428 these websites get blocked (generally soon after the company becomes
429 popular), if the company cares about users in the blocked areas, they
430 start renting lots of disparate IP addresses and rotating through them
431 as they get blocked. They notify their users of new addresses (by email,
432 for example). It's an arms race, since attackers can sign up to receive the
433 email too, but operators have one nice trick available to them: because they
434 have a list of paying subscribers, they can notify certain subscribers
435 about updates earlier than others.
437 Access control systems on the proxy let them provide service only to
438 users with certain characteristics, such as paying customers or people
439 from certain IP address ranges.
441 Discovery in the face of a government-level firewall is a complex and
442 unsolved
443 topic, and we're stuck in this same arms race ourselves; we explore it
444 in more detail in Section~\ref{sec:discovery}. But first we examine the
445 other end of the spectrum---getting volunteers to run the proxies,
446 and telling only a few people about each proxy.
448 \subsection{Independent personal proxies}
450 Personal proxies such as Circumventor~\cite{circumventor} and
451 CGIProxy~\cite{cgiproxy} use the same technology as the public ones as
452 far as the relay component goes, but they use a different strategy for
453 discovery. Rather than managing a few centralized proxies and constantly
454 getting new addresses for them as the old addresses are blocked, they
455 aim to have a large number of entirely independent proxies, each managing
456 its own (much smaller) set of users.
458 As the Circumventor site explains, ``You don't
459 actually install the Circumventor \emph{on} the computer that is blocked
460 from accessing Web sites. You, or a friend of yours, has to install the
461 Circumventor on some \emph{other} machine which is not censored.''
463 This tactic has great advantages in terms of blocking-resistance---recall
464 our assumption in Section~\ref{sec:adversary} that the attention
465 a system attracts from the attacker is proportional to its number of
466 users and level of publicity. If each proxy only has a few users, and
467 there is no central list of proxies, most of them will never get noticed by
468 the censors.
470 On the other hand, there's a huge scalability question that so far has
471 prevented these schemes from being widely useful: how does the fellow
472 in China find a person in Ohio who will run a Circumventor for him? In
473 some cases he may know and trust some people on the outside, but in many
474 cases he's just out of luck. Just as hard, how does a new volunteer in
475 Ohio find a person in China who needs it?
477 % another key feature of a proxy run by your uncle is that you
478 % self-censor, so you're unlikely to bring abuse complaints onto
479 % your uncle. self-censoring clearly has a downside too, though.
481 This challenge leads to a hybrid design---centrally-distributed
482 personal proxies---which we will investigate in more detail in
483 Section~\ref{sec:discovery}.
485 \subsection{Open proxies}
487 Yet another currently used approach to bypassing firewalls is to locate
488 open and misconfigured proxies on the Internet. A quick Google search
489 for ``open proxy list'' yields a wide variety of freely available lists
490 of HTTP, HTTPS, and SOCKS proxies. Many small companies have sprung up
491 providing more refined lists to paying customers.
493 There are some downsides to using these open proxies though. First,
494 the proxies are of widely varying quality in terms of bandwidth and
495 stability, and many of them are entirely unreachable. Second, unlike
496 networks of volunteers like Tor, the legality of routing traffic through
497 these proxies is questionable: it's widely believed that most of them
498 don't realize what they're offering, and probably wouldn't allow it if
499 they realized. Third, in many cases the connection to the proxy is
500 unencrypted, so firewalls that filter based on keywords in IP packets
501 will not be hindered. Fourth, in many countries (including China), the
502 firewall authorities hunt for open proxies as well, to preemptively
503 block them. And last, many users are suspicious that some
504 open proxies are a little \emph{too} convenient: are they run by the
505 adversary, in which case they get to monitor all the user's requests
506 just as single-hop proxies can?
508 A distributed-trust design like Tor resolves each of these issues for
509 the relay component, but a constantly changing set of thousands of open
510 relays is clearly a useful idea for a discovery component. For example,
511 users might be able to make use of these proxies to bootstrap their
512 first introduction into the Tor network.
514 \subsection{Blocking resistance and JAP}
516 K\"{o}psell and Hilling's Blocking Resistance
517 design~\cite{koepsell:wpes2004} is probably
518 the closest related work, and is the starting point for the design in this
519 paper. In this design, the JAP anonymity system~\cite{web-mix} is used
520 as a base instead of Tor. Volunteers operate a large number of access
521 points that relay traffic to the core JAP
522 network, which in turn anonymizes users' traffic. The software to run these
523 relays is, as in our design, included in the JAP client software and enabled
524 only when the user decides to enable it. Discovery is handled with a
525 CAPTCHA-based mechanism; users prove that they aren't an automated process,
526 and are given the address of an access point. (The problem of a determined
527 attacker with enough manpower to launch many requests and enumerate all the
528 access points is not considered in depth.) There is also some suggestion
529 that information about access points could spread through existing social
530 networks.
532 \subsection{Infranet}
534 The Infranet design~\cite{infranet} uses one-hop relays to deliver web
535 content, but disguises its communications as ordinary HTTP traffic. Requests
536 are split into multiple requests for URLs on the relay, which then encodes
537 its responses in the content it returns. The relay needs to be an actual
538 website with plausible content and a number of URLs which the user might want
539 to access---if the Infranet software produced its own cover content, it would
540 be far easier for censors to identify. To keep the censors from noticing
541 that cover content changes depending on what data is embedded, Infranet needs
542 the cover content to have an innocuous reason for changing frequently: the
543 paper recommends watermarked images and webcams.
545 The attacker and relay operators in Infranet's threat model are significantly
546 different than in ours. Unlike our attacker, Infranet's censor can't be
547 bypassed with encrypted traffic (presumably because the censor blocks
548 encrypted traffic, or at least considers it suspicious), and has more
549 computational resources to devote to each connection than ours (so it can
550 notice subtle patterns over time). Unlike our bridge operators, Infranet's
551 operators (and users) have more bandwidth to spare; the overhead in typical
552 steganography schemes is far higher than Tor's.
554 The Infranet design does not include a discovery element. Discovery,
555 however, is a critical point: if whatever mechanism allows users to learn
556 about relays also allows the censor to do so, he can trivially discover and
557 block their addresses, even if the steganography would prevent mere traffic
558 observation from revealing the relays' addresses.
560 \subsection{RST-evasion and other packet-level tricks}
562 In their analysis of China's firewall's content-based blocking, Clayton,
563 Murdoch and Watson discovered that rather than blocking all packets in a TCP
564 streams once a forbidden word was noticed, the firewall was simply forging
565 RST packets to make the communicating parties believe that the connection was
566 closed~\cite{clayton:pet2006}. They proposed altering operating systems
567 to ignore forged RST packets. This approach might work in some cases, but
568 in practice it appears that many firewalls start filtering by IP address
569 once a sufficient number of RST packets have been sent.
571 Other packet-level responses to filtering include splitting
572 sensitive words across multiple TCP packets, so that the censors'
573 firewalls can't notice them without performing expensive stream
574 reconstruction~\cite{ptacek98insertion}. This technique relies on the
575 same insight as our weak steganography assumption.
577 \subsection{Internal caching networks}
579 Freenet~\cite{freenet-pets00} is an anonymous peer-to-peer data store.
580 Analyzing Freenet's security can be difficult, as its design is in flux as
581 new discovery and routing mechanisms are proposed, and no complete
582 specification has (to our knowledge) been written. Freenet servers relay
583 requests for specific content (indexed by a digest of the content)
584 ``toward'' the server that hosts it, and then cache the content as it
585 follows the same path back to
586 the requesting user. If Freenet's routing mechanism is successful in
587 allowing nodes to learn about each other and route correctly even as some
588 node-to-node links are blocked by firewalls, then users inside censored areas
589 can ask a local Freenet server for a piece of content, and get an answer
590 without having to connect out of the country at all. Of course, operators of
591 servers inside the censored area can still be targeted, and the addresses of
592 external servers can still be blocked.
594 \subsection{Skype}
596 The popular Skype voice-over-IP software uses multiple techniques to tolerate
597 restrictive networks, some of which allow it to continue operating in the
598 presence of censorship. By switching ports and using encryption, Skype
599 attempts to resist trivial blocking and content filtering. Even if no
600 encryption were used, it would still be expensive to scan all voice
601 traffic for sensitive words. Also, most current keyloggers are unable to
602 store voice traffic. Nevertheless, Skype can still be blocked, especially at
603 its central login server.
604 %*sjmurdoch* "we consider the login server to be the only central component in
605 %the Skype p2p network."
606 %*sjmurdoch* http://www1.cs.columbia.edu/~salman/publications/skype1_4.pdf
607 %-> *sjmurdoch* ok. what is the login server's role?
608 %-> *sjmurdoch* and do you need to reach it directly to use skype?
609 %*sjmurdoch* It checks the username and password
610 %*sjmurdoch* It is necessary in the current implementation, but I don't know if
611 %it is a fundemental limitation of the architecture
613 \subsection{Tor itself}
615 And last, we include Tor itself in the list of current solutions
616 to firewalls. Tens of thousands of people use Tor from countries that
617 routinely filter their Internet. Tor's website has been blocked in most
618 of them. But why hasn't the Tor network been blocked yet?
620 We have several theories. The first is the most straightforward: tens of
621 thousands of people are simply too few to matter. It may help that Tor is
622 perceived to be for experts only, and thus not worth attention yet. The
623 more subtle variant on this theory is that we've positioned Tor in the
624 public eye as a tool for retaining civil liberties in more free countries,
625 so perhaps blocking authorities don't view it as a threat. (We revisit
626 this idea when we consider whether and how to publicize a Tor variant
627 that improves blocking-resistance---see Section~\ref{subsec:publicity}
628 for more discussion.)
630 The broader explanation is that the maintenance of most government-level
631 filters is aimed at stopping widespread information flow and appearing to be
632 in control, not by the impossible goal of blocking all possible ways to bypass
633 censorship. Censors realize that there will always
634 be ways for a few people to get around the firewall, and as long as Tor
635 has not publically threatened their control, they see no urgent need to
636 block it yet.
638 We should recognize that we're \emph{already} in the arms race. These
639 constraints can give us insight into the priorities and capabilities of
640 our various attackers.
642 \section{The relay component of our blocking-resistant design}
643 \label{sec:bridges}
645 Section~\ref{sec:current-tor} describes many reasons why Tor is
646 well-suited as a building block in our context, but several changes will
647 allow the design to resist blocking better. The most critical changes are
648 to get more relay addresses, and to distribute them to users differently.
650 %We need to address three problems:
651 %- adapting the relay component of Tor so it resists blocking better.
652 %- Discovery.
653 %- Tor's network fingerprint.
655 %Here we describe the new pieces we need to add to the current Tor design.
657 \subsection{Bridge relays}
659 Today, Tor servers operate on less than a thousand distinct IP addresses;
660 an adversary
661 could enumerate and block them all with little trouble. To provide a
662 means of ingress to the network, we need a larger set of entry points, most
663 of which an adversary won't be able to enumerate easily. Fortunately, we
664 have such a set: the Tor users.
666 Hundreds of thousands of people around the world use Tor. We can leverage
667 our already self-selected user base to produce a list of thousands of
668 frequently-changing IP addresses. Specifically, we can give them a little
669 button in the GUI that says ``Tor for Freedom'', and users who click
670 the button will turn into \emph{bridge relays} (or just \emph{bridges}
671 for short). They can rate limit relayed connections to 10 KB/s (almost
672 nothing for a broadband user in a free country, but plenty for a user
673 who otherwise has no access at all), and since they are just relaying
674 bytes back and forth between blocked users and the main Tor network, they
675 won't need to make any external connections to Internet sites. Because
676 of this separation of roles, and because we're making use of software
677 that the volunteers have already installed for their own use, we expect
678 our scheme to attract and maintain more volunteers than previous schemes.
680 As usual, there are new anonymity and security implications from running a
681 bridge relay, particularly from letting people relay traffic through your
682 Tor client; but we leave this discussion for Section~\ref{sec:security}.
684 %...need to outline instructions for a Tor config that will publish
685 %to an alternate directory authority, and for controller commands
686 %that will do this cleanly.
688 \subsection{The bridge directory authority}
690 How do the bridge relays advertise their existence to the world? We
691 introduce a second new component of the design: a specialized directory
692 authority that aggregates and tracks bridges. Bridge relays periodically
693 publish server descriptors (summaries of their keys, locations, etc,
694 signed by their long-term identity key), just like the relays in the
695 ``main'' Tor network, but in this case they publish them only to the
696 bridge directory authorities.
698 The main difference between bridge authorities and the directory
699 authorities for the main Tor network is that the main authorities provide
700 a list of every known relay, but the bridge authorities only give
701 out a server descriptor if you already know its identity key. That is,
702 you can keep up-to-date on a bridge's location and other information
703 once you know about it, but you can't just grab a list of all the bridges.
705 The identity key, IP address, and directory port for each bridge
706 authority ship by default with the Tor software, so the bridge relays
707 can be confident they're publishing to the right location, and the
708 blocked users can establish an encrypted authenticated channel. See
709 Section~\ref{subsec:trust-chain} for more discussion of the public key
710 infrastructure and trust chain.
712 Bridges use Tor to publish their descriptors privately and securely,
713 so even an attacker monitoring the bridge directory authority's network
714 can't make a list of all the addresses contacting the authority.
715 Bridges may publish to only a subset of the
716 authorities, to limit the potential impact of an authority compromise.
719 %\subsection{A simple matter of engineering}
721 %Although we've described bridges and bridge authorities in simple terms
722 %above, some design modifications and features are needed in the Tor
723 %codebase to add them. We describe the four main changes here.
725 %Firstly, we need to get smarter about rate limiting:
726 %Bandwidth classes
728 %Secondly, while users can in fact configure which directory authorities
729 %they use, we need to add a new type of directory authority and teach
730 %bridges to fetch directory information from the main authorities while
731 %publishing server descriptors to the bridge authorities. We're most of
732 %the way there, since we can already specify attributes for directory
733 %authorities:
734 %add a separate flag named ``blocking''.
736 %Thirdly, need to build paths using bridges as the first
737 %hop. One more hole in the non-clique assumption.
739 %Lastly, since bridge authorities don't answer full network statuses,
740 %we need to add a new way for users to learn the current status for a
741 %single relay or a small set of relays---to answer such questions as
742 %``is it running?'' or ``is it behaving correctly?'' We describe in
743 %Section~\ref{subsec:enclave-dirs} a way for the bridge authority to
744 %publish this information without resorting to signing each answer
745 %individually.
747 \subsection{Putting them together}
748 \label{subsec:relay-together}
750 If a blocked user knows the identity keys of a set of bridge relays, and
751 he has correct address information for at least one of them, he can use
752 that one to make a secure connection to the bridge authority and update
753 his knowledge about the other bridge relays. He can also use it to make
754 secure connections to the main Tor network and directory servers, so he
755 can build circuits and connect to the rest of the Internet. All of these
756 updates happen in the background: from the blocked user's perspective,
757 he just accesses the Internet via his Tor client like always.
759 So now we've reduced the problem from how to circumvent the firewall
760 for all transactions (and how to know that the pages you get have not
761 been modified by the local attacker) to how to learn about a working
762 bridge relay.
764 There's another catch though. We need to make sure that the network
765 traffic we generate by simply connecting to a bridge relay doesn't stand
766 out too much.
768 %The following section describes ways to bootstrap knowledge of your first
769 %bridge relay, and ways to maintain connectivity once you know a few
770 %bridge relays.
772 % (See Section~\ref{subsec:first-bridge} for a discussion
773 %of exactly what information is sufficient to characterize a bridge relay.)
777 \section{Hiding Tor's network fingerprint}
778 \label{sec:network-fingerprint}
779 \label{subsec:enclave-dirs}
781 Currently, Tor uses two protocols for its network communications. The
782 main protocol uses TLS for encrypted and authenticated communication
783 between Tor instances. The second protocol is standard HTTP, used for
784 fetching directory information. All Tor servers listen on their ``ORPort''
785 for TLS connections, and some of them opt to listen on their ``DirPort''
786 as well, to serve directory information. Tor servers choose whatever port
787 numbers they like; the server descriptor they publish to the directory
788 tells users where to connect.
790 One format for communicating address information about a bridge relay is
791 its IP address and DirPort. From there, the user can ask the bridge's
792 directory cache for an up-to-date copy of its server descriptor, and
793 learn its current circuit keys, its ORPort, and so on.
795 However, connecting directly to the directory cache involves a plaintext
796 HTTP request. A censor could create a network fingerprint (known as a
797 \emph{signature} in the intrusion detection field) for the request
798 and/or its response, thus preventing these connections. To resolve this
799 vulnerability, we've modified the Tor protocol so that users can connect
800 to the directory cache via the main Tor port---they establish a TLS
801 connection with the bridge as normal, and then send a special ``begindir''
802 relay command to establish an internal connection to its directory cache.
804 Therefore a better way to summarize a bridge's address is by its IP
805 address and ORPort, so all communications between the client and the
806 bridge will use ordinary TLS. But there are other details that need
807 more investigation.
809 What port should bridges pick for their ORPort? We currently recommend
810 that they listen on port 443 (the default HTTPS port) if they want to
811 be most useful, because clients behind standard firewalls will have
812 the best chance to reach them. Is this the best choice in all cases,
813 or should we encourage some fraction of them pick random ports, or other
814 ports commonly permitted through firewalls like 53 (DNS) or 110
815 (POP)? Or perhaps we should use other ports where TLS traffic is
816 expected, like 993 (IMAPS) or 995 (POP3S). We need more research on our
817 potential users, and their current and anticipated firewall restrictions.
819 Furthermore, we need to look at the specifics of Tor's TLS handshake.
820 Right now Tor uses some predictable strings in its TLS handshakes. For
821 example, it sets the X.509 organizationName field to ``Tor'', and it puts
822 the Tor server's nickname in the certificate's commonName field. We
823 should tweak the handshake protocol so it doesn't rely on any unusual details
824 in the certificate, yet it remains secure; the certificate itself
825 should be made to resemble an ordinary HTTPS certificate. We should also try
826 to make our advertised cipher-suites closer to what an ordinary web server
827 would support.
829 Tor's TLS handshake uses two-certificate chains: one certificate
830 contains the self-signed identity key for
831 the router, and the second contains a current TLS key, signed by the
832 identity key. We use these to authenticate that we're talking to the right
833 router, and to limit the impact of TLS-key exposure. Most (though far from
834 all) consumer-oriented HTTPS services provide only a single certificate.
835 These extra certificates may help identify Tor's TLS handshake; instead,
836 bridges should consider using only a single TLS key certificate signed by
837 their identity key, and providing the full value of the identity key in an
838 early handshake cell. More significantly, Tor currently has all clients
839 present certificates, so that clients are harder to distinguish from servers.
840 But in a blocking-resistance environment, clients should not present
841 certificates at all.
843 Last, what if the adversary starts observing the network traffic even
844 more closely? Even if our TLS handshake looks innocent, our traffic timing
845 and volume still look different than a user making a secure web connection
846 to his bank. The same techniques used in the growing trend to build tools
847 to recognize encrypted Bittorrent traffic
848 %~\cite{bt-traffic-shaping}
849 could be used to identify Tor communication and recognize bridge
850 relays. Rather than trying to look like encrypted web traffic, we may be
851 better off trying to blend with some other encrypted network protocol. The
852 first step is to compare typical network behavior for a Tor client to
853 typical network behavior for various other protocols. This statistical
854 cat-and-mouse game is made more complex by the fact that Tor transports a
855 variety of protocols, and we'll want to automatically handle web browsing
856 differently from, say, instant messaging.
858 % Tor cells are 512 bytes each. So TLS records will be roughly
859 % multiples of this size? How bad is this? -RD
860 % Look at ``Inferring the Source of Encrypted HTTP Connections''
861 % by Marc Liberatore and Brian Neil Levine (CCS 2006)
862 % They substantially flesh out the numbers for the web fingerprinting
863 % attack. -PS
864 % Yes, but I meant detecting the fingerprint of Tor traffic itself, not
865 % learning what websites we're going to. I wouldn't be surprised to
866 % learn that these are related problems, but it's not obvious to me. -RD
868 \subsection{Identity keys as part of addressing information}
869 \label{subsec:id-address}
871 We have described a way for the blocked user to bootstrap into the
872 network once he knows the IP address and ORPort of a bridge. What about
873 local spoofing attacks? That is, since we never learned an identity
874 key fingerprint for the bridge, a local attacker could intercept our
875 connection and pretend to be the bridge we had in mind. It turns out
876 that giving false information isn't that bad---since the Tor client
877 ships with trusted keys for the bridge directory authority and the Tor
878 network directory authorities, the user can learn whether he's being
879 given a real connection to the bridge authorities or not. (After all,
880 if the adversary intercepts every connection the user makes and gives
881 him a bad connection each time, there's nothing we can do.)
883 What about anonymity-breaking attacks from observing traffic, if the
884 blocked user doesn't start out knowing the identity key of his intended
885 bridge? The vulnerabilities aren't so bad in this case either---the
886 adversary could do similar attacks just by monitoring the network
887 traffic.
888 % cue paper by steven and george
890 Once the Tor client has fetched the bridge's server descriptor, it should
891 remember the identity key fingerprint for that bridge relay. Thus if
892 the bridge relay moves to a new IP address, the client can query the
893 bridge directory authority to look up a fresh server descriptor using
894 this fingerprint.
896 So we've shown that it's \emph{possible} to bootstrap into the network
897 just by learning the IP address and ORPort of a bridge, but are there
898 situations where it's more convenient or more secure to learn the bridge's
899 identity fingerprint as well as instead, while bootstrapping? We keep
900 that question in mind as we next investigate bootstrapping and discovery.
902 \section{Discovering working bridge relays}
903 \label{sec:discovery}
905 Tor's modular design means that we can develop a better relay component
906 independently of developing the discovery component. This modularity's
907 great promise is that we can pick any discovery approach we like; but the
908 unfortunate fact is that we have no magic bullet for discovery. We're
909 in the same arms race as all the other designs we described in
910 Section~\ref{sec:related}.
912 In this section we describe a variety of approaches to adding discovery
913 components for our design.
915 \subsection{Bootstrapping: finding your first bridge.}
916 \label{subsec:first-bridge}
918 In Section~\ref{subsec:relay-together}, we showed that a user who knows
919 a working bridge address can use it to reach the bridge authority and
920 to stay connected to the Tor network. But how do new users reach the
921 bridge authority in the first place? After all, the bridge authority
922 will be one of the first addresses that a censor blocks.
924 First, we should recognize that most government firewalls are not
925 perfect. That is, they may allow connections to Google cache or some
926 open proxy servers, or they let file-sharing traffic, Skype, instant
927 messaging, or World-of-Warcraft connections through. Different users will
928 have different mechanisms for bypassing the firewall initially. Second,
929 we should remember that most people don't operate in a vacuum; users will
930 hopefully know other people who are in other situations or have other
931 resources available. In the rest of this section we develop a toolkit
932 of different options and mechanisms, so that we can enable users in a
933 diverse set of contexts to bootstrap into the system.
935 (For users who can't use any of these techniques, hopefully they know
936 a friend who can---for example, perhaps the friend already knows some
937 bridge relay addresses. If they can't get around it at all, then we
938 can't help them---they should go meet more people or learn more about
939 the technology running the firewall in their area.)
941 By deploying all the schemes in the toolkit at once, we let bridges and
942 blocked users employ the discovery approach that is most appropriate
943 for their situation.
945 \subsection{Independent bridges, no central discovery}
947 The first design is simply to have no centralized discovery component at
948 all. Volunteers run bridges, and we assume they have some blocked users
949 in mind and communicate their address information to them out-of-band
950 (for example, through Gmail). This design allows for small personal
951 bridges that have only one or a handful of users in mind, but it can
952 also support an entire community of users. For example, Citizen Lab's
953 upcoming Psiphon single-hop proxy tool~\cite{psiphon} plans to use this
954 \emph{social network} approach as its discovery component.
956 There are several ways to do bootstrapping in this design. In the simple
957 case, the operator of the bridge informs each chosen user about his
958 bridge's address information and/or keys. A different approach involves
959 blocked users introducing new blocked users to the bridges they know.
960 That is, somebody in the blocked area can pass along a bridge's address to
961 somebody else they trust. This scheme brings in appealing but complex game
962 theoretic properties: the blocked user making the decision has an incentive
963 only to delegate to trustworthy people, since an adversary who learns
964 the bridge's address and filters it makes it unavailable for both of them.
965 Also, delegating known bridges to members of your social network can be
966 dangerous: an the adversary who can learn who knows which bridges may
967 be able to reconstruct the social network.
969 Note that a central set of bridge directory authorities can still be
970 compatible with a decentralized discovery process. That is, how users
971 first learn about bridges is entirely up to the bridges, but the process
972 of fetching up-to-date descriptors for them can still proceed as described
973 in Section~\ref{sec:bridges}. Of course, creating a central place that
974 knows about all the bridges may not be smart, especially if every other
975 piece of the system is decentralized. Further, if a user only knows
976 about one bridge and he loses track of it, it may be quite a hassle to
977 reach the bridge authority. We address these concerns next.
979 \subsection{Families of bridges, no central discovery}
981 Because the blocked users are running our software too, we have many
982 opportunities to improve usability or robustness. Our second design builds
983 on the first by encouraging volunteers to run several bridges at once
984 (or coordinate with other bridge volunteers), such that some
985 of the bridges are likely to be available at any given time.
987 The blocked user's Tor client would periodically fetch an updated set of
988 recommended bridges from any of the working bridges. Now the client can
989 learn new additions to the bridge pool, and can expire abandoned bridges
990 or bridges that the adversary has blocked, without the user ever needing
991 to care. To simplify maintenance of the community's bridge pool, each
992 community could run its own bridge directory authority---reachable via
993 the available bridges, and also mirrored at each bridge.
995 \subsection{Public bridges with central discovery}
997 What about people who want to volunteer as bridges but don't know any
998 suitable blocked users? What about people who are blocked but don't
999 know anybody on the outside? Here we describe how to make use of these
1000 \emph{public bridges} in a way that still makes it hard for the attacker
1001 to learn all of them.
1003 The basic idea is to divide public bridges into a set of pools based on
1004 identity key. Each pool corresponds to a \emph{distribution strategy}:
1005 an approach to distributing its bridge addresses to users. Each strategy
1006 is designed to exercise a different scarce resource or property of
1007 the user.
1009 How do we divide bridges between these strategy pools such that they're
1010 evenly distributed and the allocation is hard to influence or predict,
1011 but also in a way that's amenable to creating more strategies later
1012 on without reshuffling all the pools? We assign a given bridge
1013 to a strategy pool by hashing the bridge's identity key along with a
1014 secret that only the bridge authority knows: the first $n$ bits of this
1015 hash dictate the strategy pool number, where $n$ is a parameter that
1016 describes how many strategy pools we want at this point. We choose $n=3$
1017 to start, so we divide bridges between 8 pools; but as we later invent
1018 new distribution strategies, we can increment $n$ to split the 8 into
1019 16. Since a bridge can't predict the next bit in its hash, it can't
1020 anticipate which identity key will correspond to a certain new pool
1021 when the pools are split. Further, since the bridge authority doesn't
1022 provide any feedback to the bridge about which strategy pool it's in,
1023 an adversary who signs up bridges with the goal of filling a certain
1024 pool~\cite{casc-rep} will be hindered.
1026 % This algorithm is not ideal. When we split pools, each existing
1027 % pool is cut in half, where half the bridges remain with the
1028 % old distribution policy, and half will be under what the new one
1029 % is. So the new distribution policy inherits a bunch of blocked
1030 % bridges if the old policy was too loose, or a bunch of unblocked
1031 % bridges if its policy was still secure. -RD
1033 % I think it should be more chordlike.
1034 % Bridges are allocated to wherever on the ring which is divided
1035 % into arcs (buckets).
1036 % If a bucket gets too full, you can just split it.
1037 % More on this below. -PFS
1039 The first distribution strategy (used for the first pool) publishes bridge
1040 addresses in a time-release fashion. The bridge authority divides the
1041 available bridges into partitions, and each partition is deterministically
1042 available only in certain time windows. That is, over the course of a
1043 given time slot (say, an hour), each requester is given a random bridge
1044 from within that partition. When the next time slot arrives, a new set
1045 of bridges from the pool are available for discovery. Thus some bridge
1046 address is always available when a new
1047 user arrives, but to learn about all bridges the attacker needs to fetch
1048 all new addresses at every new time slot. By varying the length of the
1049 time slots, we can make it harder for the attacker to guess when to check
1050 back. We expect these bridges will be the first to be blocked, but they'll
1051 help the system bootstrap until they \emph{do} get blocked. Further,
1052 remember that we're dealing with different blocking regimes around the
1053 world that will progress at different rates---so this pool will still
1054 be useful to some users even as the arms races progress.
1056 The second distribution strategy publishes bridge addresses based on the IP
1057 address of the requesting user. Specifically, the bridge authority will
1058 divide the available bridges in the pool into a bunch of partitions
1059 (as in the first distribution scheme), hash the requester's IP address
1060 with a secret of its own (as in the above allocation scheme for creating
1061 pools), and give the requester a random bridge from the appropriate
1062 partition. To raise the bar, we should discard the last octet of the
1063 IP address before inputting it to the hash function, so an attacker
1064 who only controls a single ``/24'' network only counts as one user. A
1065 large attacker like China will still be able to control many addresses,
1066 but the hassle of establishing connections from each network (or spoofing
1067 TCP connections) may still slow them down. Similarly, as a special case,
1068 we should treat IP addresses that are Tor exit nodes as all being on
1069 the same network.
1071 The third strategy combines the time-based and location-based
1072 strategies to further constrain and rate-limit the available bridge
1073 addresses. Specifically, the bridge address provided in a given time
1074 slot to a given network location is deterministic within the partition,
1075 rather than chosen randomly each time from the partition. Thus, repeated
1076 requests during that time slot from a given network are given the same
1077 bridge address as the first request.
1079 The fourth strategy is based on Circumventor's discovery strategy.
1080 The Circumventor project, realizing that its adoption will remain limited
1081 if it has no central coordination mechanism, has started a mailing list to
1082 distribute new proxy addresses every few days. From experimentation it
1083 seems they have concluded that sending updates every three or four days
1084 is sufficient to stay ahead of the current attackers.
1086 The fifth strategy provides an alternative approach to a mailing list:
1087 users provide an email address and receive an automated response
1088 listing an available bridge address. We could limit one response per
1089 email address. To further rate limit queries, we could require a CAPTCHA
1090 solution
1091 %~\cite{captcha}
1092 in each case too. In fact, we wouldn't need to
1093 implement the CAPTCHA on our side: if we only deliver bridge addresses
1094 to Yahoo or GMail addresses, we can leverage the rate-limiting schemes
1095 that other parties already impose for account creation.
1097 The sixth strategy ties in the social network design with public
1098 bridges and a reputation system. We pick some seeds---trusted people in
1099 blocked areas---and give them each a few dozen bridge addresses and a few
1100 \emph{delegation tokens}. We run a website next to the bridge authority,
1101 where users can log in (they connect via Tor, and they don't need to
1102 provide actual identities, just persistent pseudonyms). Users can delegate
1103 trust to other people they know by giving them a token, which can be
1104 exchanged for a new account on the website. Accounts in ``good standing''
1105 then accrue new bridge addresses and new tokens. As usual, reputation
1106 schemes bring in a host of new complexities~\cite{rep-anon}: how do we
1107 decide that an account is in good standing? We could tie reputation
1108 to whether the bridges they're told about have been blocked---see
1109 Section~\ref{subsec:geoip} below for initial thoughts on how to discover
1110 whether bridges have been blocked. We could track reputation between
1111 accounts (if you delegate to somebody who screws up, it impacts you too),
1112 or we could use blinded delegation tokens~\cite{chaum-blind} to prevent
1113 the website from mapping the seeds' social network. We put off deeper
1114 discussion of the social network reputation strategy for future work.
1116 Pools seven and eight are held in reserve, in case our currently deployed
1117 tricks all fail at once and the adversary blocks all those bridges---so
1118 we can adapt and move to new approaches quickly, and have some bridges
1119 immediately available for the new schemes. New strategies might be based
1120 on some other scarce resource, such as relaying traffic for others or
1121 other proof of energy spent. (We might also worry about the incentives
1122 for bridges that sign up and get allocated to the reserve pools: will they
1123 be unhappy that they're not being used? But this is a transient problem:
1124 if Tor users are bridges by default, nobody will mind not being used yet.
1125 See also Section~\ref{subsec:incentives}.)
1127 %Is it useful to load balance which bridges are handed out? The above
1128 %pool concept makes some bridges wildly popular and others less so.
1129 %But I guess that's the point.
1131 \subsection{Public bridges with coordinated discovery}
1133 We presented the above discovery strategies in the context of a single
1134 bridge directory authority, but in practice we will want to distribute the
1135 operations over several bridge authorities---a single point of failure
1136 or attack is a bad move. The first answer is to run several independent
1137 bridge directory authorities, and bridges gravitate to one based on
1138 their identity key. The better answer would be some federation of bridge
1139 authorities that work together to provide redundancy but don't introduce
1140 new security issues. We could even imagine designs where the bridge
1141 authorities have encrypted versions of the bridge's server descriptors,
1142 and the users learn a decryption key that they keep private when they
1143 first hear about the bridge---this way the bridge authorities would not
1144 be able to learn the IP address of the bridges.
1146 We leave this design question for future work.
1148 \subsection{Assessing whether bridges are useful}
1150 Learning whether a bridge is useful is important in the bridge authority's
1151 decision to include it in responses to blocked users. For example, if
1152 we end up with a list of thousands of bridges and only a few dozen of
1153 them are reachable right now, most blocked users will not end up knowing
1154 about working bridges.
1156 There are three components for assessing how useful a bridge is. First,
1157 is it reachable from the public Internet? Second, what proportion of
1158 the time is it available? Third, is it blocked in certain jurisdictions?
1160 The first component can be tested just as we test reachability of
1161 ordinary Tor servers. Specifically, the bridges do a self-test---connect
1162 to themselves via the Tor network---before they are willing to
1163 publish their descriptor, to make sure they're not obviously broken or
1164 misconfigured. Once the bridges publish, the bridge authority also tests
1165 reachability to make sure they're not confused or outright lying.
1167 The second component can be measured and tracked by the bridge authority.
1168 By doing periodic reachability tests, we can get a sense of how often the
1169 bridge is available. More complex tests will involve bandwidth-intensive
1170 checks to force the bridge to commit resources in order to be counted as
1171 available. We need to evaluate how the relationship of uptime percentage
1172 should weigh into our choice of which bridges to advertise. We leave
1173 this to future work.
1175 The third component is perhaps the trickiest: with many different
1176 adversaries out there, how do we keep track of which adversaries have
1177 blocked which bridges, and how do we learn about new blocks as they
1178 occur? We examine this problem next.
1180 \subsection{How do we know if a bridge relay has been blocked?}
1181 \label{subsec:geoip}
1183 There are two main mechanisms for testing whether bridges are reachable
1184 from inside each blocked area: active testing via users, and passive
1185 testing via bridges.
1187 In the case of active testing, certain users inside each area
1188 sign up as testing relays. The bridge authorities can then use a
1189 Blossom-like~\cite{blossom-thesis} system to build circuits through them
1190 to each bridge and see if it can establish the connection. But how do
1191 we pick the users? If we ask random users to do the testing (or if we
1192 solicit volunteers from the users), the adversary should sign up so he
1193 can enumerate the bridges we test. Indeed, even if we hand-select our
1194 testers, the adversary might still discover their location and monitor
1195 their network activity to learn bridge addresses.
1197 Another answer is not to measure directly, but rather let the bridges
1198 report whether they're being used.
1199 %If they periodically report to their
1200 %bridge directory authority how much use they're seeing, perhaps the
1201 %authority can make smart decisions from there.
1202 Specifically, bridges should install a GeoIP database such as the public
1203 IP-To-Country list~\cite{ip-to-country}, and then periodically report to the
1204 bridge authorities which countries they're seeing use from. This data
1205 would help us track which countries are making use of the bridge design,
1206 and can also let us learn about new steps the adversary has taken in
1207 the arms race. (The compressed GeoIP database is only several hundred
1208 kilobytes, and we could even automate the update process by serving it
1209 from the bridge authorities.)
1210 More analysis of this passive reachability
1211 testing design is needed to resolve its many edge cases: for example,
1212 if a bridge stops seeing use from a certain area, does that mean the
1213 bridge is blocked or does that mean those users are asleep?
1215 There are many more problems with the general concept of detecting whether
1216 bridges are blocked. First, different zones of the Internet are blocked
1217 in different ways, and the actual firewall jurisdictions do not match
1218 country borders. Our bridge scheme could help us map out the topology
1219 of the censored Internet, but this is a huge task. More generally,
1220 if a bridge relay isn't reachable, is that because of a network block
1221 somewhere, because of a problem at the bridge relay, or just a temporary
1222 outage somewhere in between? And last, an attacker could poison our
1223 bridge database by signing up already-blocked bridges. In this case,
1224 if we're stingy giving out bridge addresses, users in that country won't
1225 learn working bridges.
1227 All of these issues are made more complex when we try to integrate this
1228 testing into our social network reputation system above.
1229 Since in that case we punish or reward users based on whether bridges
1230 get blocked, the adversary has new attacks to trick or bog down the
1231 reputation tracking. Indeed, the bridge authority doesn't even know
1232 what zone the blocked user is in, so do we blame him for any possible
1233 censored zone, or what?
1235 Clearly more analysis is required. The eventual solution will probably
1236 involve a combination of passive measurement via GeoIP and active
1237 measurement from trusted testers. More generally, we can use the passive
1238 feedback mechanism to track usage of the bridge network as a whole---which
1239 would let us respond to attacks and adapt the design, and it would also
1240 let the general public track the progress of the project.
1242 %Worry: the adversary could choose not to block bridges but just record
1243 %connections to them. So be it, I guess.
1245 \subsection{Advantages of deploying all solutions at once}
1247 For once, we're not in the position of the defender: we don't have to
1248 defend against every possible filtering scheme; we just have to defend
1249 against at least one. On the flip side, the attacker is forced to guess
1250 how to allocate his resources to defend against each of these discovery
1251 strategies. So by deploying all of our strategies at once, we not only
1252 increase our chances of finding one that the adversary has difficulty
1253 blocking, but we actually make \emph{all} of the strategies more robust
1254 in the face of an adversary with limited resources.
1256 %\subsection{Remaining unsorted notes}
1258 %In the first subsection we describe how to find a first bridge.
1260 %Going to be an arms race. Need a bag of tricks. Hard to say
1261 %which ones will work. Don't spend them all at once.
1263 %Some techniques are sufficient to get us an IP address and a port,
1264 %and others can get us IP:port:key. Lay out some plausible options
1265 %for how users can bootstrap into learning their first bridge.
1267 %\section{The account / reputation system}
1268 %\section{Social networks with directory-side support}
1269 %\label{sec:accounts}
1271 %One answer is to measure based on whether the bridge addresses
1272 %we give it end up blocked. But how do we decide if they get blocked?
1274 %Perhaps each bridge should be known by a single bridge directory
1275 %authority. This makes it easier to trace which users have learned about
1276 %it, so easier to blame or reward. It also makes things more brittle,
1277 %since loss of that authority means its bridges aren't advertised until
1278 %they switch, and means its bridge users are sad too.
1279 %(Need a slick hash algorithm that will map our identity key to a
1280 %bridge authority, in a way that's sticky even when we add bridge
1281 %directory authorities, but isn't sticky when our authority goes
1282 %away. Does this exist?)
1284 %\subsection{Discovery based on social networks}
1286 %A token that can be exchanged at the bridge authority (assuming you
1287 %can reach it) for a new bridge address.
1289 %The account server runs as a Tor controller for the bridge authority.
1291 %Users can establish reputations, perhaps based on social network
1292 %connectivity, perhaps based on not getting their bridge relays blocked,
1294 %Probably the most critical lesson learned in past work on reputation
1295 %systems in privacy-oriented environments~\cite{rep-anon} is the need for
1296 %verifiable transactions. That is, the entity computing and advertising
1297 %reputations for participants needs to actually learn in a convincing
1298 %way that a given transaction was successful or unsuccessful.
1300 %(Lesson from designing reputation systems~\cite{rep-anon}: easy to
1301 %reward good behavior, hard to punish bad behavior.
1303 \section{Security considerations}
1304 \label{sec:security}
1306 \subsection{Possession of Tor in oppressed areas}
1308 Many people speculate that installing and using a Tor client in areas with
1309 particularly extreme firewalls is a high risk---and the risk increases
1310 as the firewall gets more restrictive. This notion certain has merit, but
1311 there's
1312 a counter pressure as well: as the firewall gets more restrictive, more
1313 ordinary people behind it end up using Tor for more mainstream activities,
1314 such as learning
1315 about Wall Street prices or looking at pictures of women's ankles. So
1316 as the restrictive firewall pushes up the number of Tor users, the
1317 ``typical'' Tor user becomes more mainstream, and therefore mere
1318 use or possession of the Tor software is not so surprising.
1320 It's hard to say which of these pressures will ultimately win out,
1321 but we should keep both sides of the issue in mind.
1323 %Nick, want to rewrite/elaborate on this section?
1325 \subsection{Observers can tell who is publishing and who is reading}
1326 \label{subsec:upload-padding}
1328 Tor encrypts traffic on the local network, and it obscures the eventual
1329 destination of the communication, but it doesn't do much to obscure the
1330 traffic volume. In particular, a user publishing a home video will have a
1331 different network fingerprint than a user reading an online news article.
1332 Based on our assumption in Section~\ref{sec:adversary} that users who
1333 publish material are in more danger, should we work to improve Tor's
1334 security in this situation?
1336 In the general case this is an extremely challenging task:
1337 effective \emph{end-to-end traffic confirmation attacks}
1338 are known where the adversary observes the origin and the
1339 destination of traffic and confirms that they are part of the
1340 same communication~\cite{danezis:pet2004,e2e-traffic}. Related are
1341 \emph{website fingerprinting attacks}, where the adversary downloads
1342 a few hundred popular websites, makes a set of "fingerprints" for each
1343 site, and then observes the target Tor client's traffic to look for
1344 a match~\cite{pet05-bissias,defensive-dropping}. But can we do better
1345 against a limited adversary who just does coarse-grained sweeps looking
1346 for unusually prolific publishers?
1348 One answer is for bridge users to automatically send bursts of padding
1349 traffic periodically. (This traffic can be implemented in terms of
1350 long-range drop cells, which are already part of the Tor specification.)
1351 Of course, convincingly simulating an actual human publishing interesting
1352 content is a difficult arms race, but it may be worthwhile to at least
1353 start the race. More research remains.
1355 \subsection{Anonymity effects from acting as a bridge relay}
1357 Against some attacks, relaying traffic for others can improve
1358 anonymity. The simplest example is an attacker who owns a small number
1359 of Tor servers. He will see a connection from the bridge, but he won't
1360 be able to know whether the connection originated there or was relayed
1361 from somebody else. More generally, the mere uncertainty of whether the
1362 traffic originated from that user may be helpful.
1364 There are some cases where it doesn't seem to help: if an attacker can
1365 watch all of the bridge's incoming and outgoing traffic, then it's easy
1366 to learn which connections were relayed and which started there. (In this
1367 case he still doesn't know the final destinations unless he is watching
1368 them too, but in this case bridges are no better off than if they were
1369 an ordinary client.)
1371 There are also some potential downsides to running a bridge. First, while
1372 we try to make it hard to enumerate all bridges, it's still possible to
1373 learn about some of them, and for some people just the fact that they're
1374 running one might signal to an attacker that they place a higher value
1375 on their anonymity. Second, there are some more esoteric attacks on Tor
1376 relays that are not as well-understood or well-tested---for example, an
1377 attacker may be able to ``observe'' whether the bridge is sending traffic
1378 even if he can't actually watch its network, by relaying traffic through
1379 it and noticing changes in traffic timing~\cite{attack-tor-oak05}. On
1380 the other hand, it may be that limiting the bandwidth the bridge is
1381 willing to relay will allow this sort of attacker to determine if it's
1382 being used as a bridge but not easily learn whether it is adding traffic
1383 of its own.
1385 We also need to examine how entry guards fit in. Entry guards
1386 (a small set of nodes that are always used for the first
1387 step in a circuit) help protect against certain attacks
1388 where the attacker runs a few Tor servers and waits for
1389 the user to choose these servers as the beginning and end of her
1390 circuit\footnote{\url{http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ\#EntryGuards}}.
1391 If the blocked user doesn't use the bridge's entry guards, then the bridge
1392 doesn't gain as much cover benefit. On the other hand, what design changes
1393 are needed for the blocked user to use the bridge's entry guards without
1394 learning what they are (this seems hard), and even if we solve that,
1395 do they then need to use the guards' guards and so on down the line?
1397 It is an open research question whether the benefits of running a bridge
1398 outweigh the risks. A lot of the decision rests on which attacks the
1399 users are most worried about. For most users, we don't think running a
1400 bridge relay will be that damaging, and it could help quite a bit.
1402 \subsection{Trusting local hardware: Internet cafes and LiveCDs}
1403 \label{subsec:cafes-and-livecds}
1405 Assuming that users have their own trusted hardware is not
1406 always reasonable.
1408 For Internet cafe Windows computers that let you attach your own USB key,
1409 a USB-based Tor image would be smart. There's Torpark, and hopefully
1410 there will be more thoroughly analyzed and trustworthy options down the
1411 road. Worries remain about hardware or software keyloggers and other
1412 spyware, as well as and physical surveillance.
1414 If the system lets you boot from a CD or from a USB key, you can gain
1415 a bit more security by bringing a privacy LiveCD with you. (This
1416 approach isn't foolproof either of course, since hardware
1417 keyloggers and physical surveillance are still a worry).
1419 In fact, LiveCDs are also useful if it's your own hardware, since it's
1420 easier to avoid leaving private data and logs scattered around the
1421 system.
1423 %\subsection{Forward compatibility and retiring bridge authorities}
1425 %Eventually we'll want to change the identity key and/or location
1426 %of a bridge authority. How do we do this mostly cleanly?
1428 \subsection{The trust chain}
1429 \label{subsec:trust-chain}
1431 Tor's ``public key infrastructure'' provides a chain of trust to
1432 let users verify that they're actually talking to the right servers.
1433 There are four pieces to this trust chain.
1435 First, when Tor clients are establishing circuits, at each step
1436 they demand that the next Tor server in the path prove knowledge of
1437 its private key~\cite{tor-design}. This step prevents the first node
1438 in the path from just spoofing the rest of the path. Second, the
1439 Tor directory authorities provide a signed list of servers along with
1440 their public keys---so unless the adversary can control a threshold
1441 of directory authorities, he can't trick the Tor client into using other
1442 Tor servers. Third, the location and keys of the directory authorities,
1443 in turn, is hard-coded in the Tor source code---so as long as the user
1444 got a genuine version of Tor, he can know that he is using the genuine
1445 Tor network. And last, the source code and other packages are signed
1446 with the GPG keys of the Tor developers, so users can confirm that they
1447 did in fact download a genuine version of Tor.
1449 In the case of blocked users contacting bridges and bridge directory
1450 authorities, the same logic applies in parallel: the blocked users fetch
1451 information from both the bridge authorities and the directory authorities
1452 for the `main' Tor network, and they combine this information locally.
1454 How can a user in an oppressed country know that he has the correct
1455 key fingerprints for the developers? As with other security systems, it
1456 ultimately comes down to human interaction. The keys are signed by dozens
1457 of people around the world, and we have to hope that our users have met
1458 enough people in the PGP web of trust
1459 %~\cite{pgp-wot}
1460 that they can learn
1461 the correct keys. For users that aren't connected to the global security
1462 community, though, this question remains a critical weakness.
1464 %\subsection{Security through obscurity: publishing our design}
1466 %Many other schemes like dynaweb use the typical arms race strategy of
1467 %not publishing their plans. Our goal here is to produce a design---a
1468 %framework---that can be public and still secure. Where's the tradeoff?
1470 %\section{Performance improvements}
1471 %\label{sec:performance}
1473 %\subsection{Fetch server descriptors just-in-time}
1475 %I guess we should encourage most places to do this, so blocked
1476 %users don't stand out.
1479 %network-status and directory optimizations. caching better. partitioning
1480 %issues?
1482 \section{Maintaining reachability}
1483 \label{sec:reachability}
1485 \subsection{How many bridge relays should you know about?}
1487 The strategies described in Section~\ref{sec:discovery} talked about
1488 learning one bridge address at a time. But if most bridges are ordinary
1489 Tor users on cable modem or DSL connection, many of them will disappear
1490 and/or move periodically. How many bridge relays should a blocked user
1491 know about so that she is likely to have at least one reachable at any
1492 given point? This is already a challenging problem if we only consider
1493 natural churn: the best approach is to see what bridges we attract in
1494 reality and measure their churn. We may also need to factor in a parameter
1495 for how quickly bridges get discovered and blocked by the attacker;
1496 we leave this for future work after we have more deployment experience.
1498 A related question is: if the bridge relays change IP addresses
1499 periodically, how often does the blocked user need to fetch updates in
1500 order to keep from being cut out of the loop?
1502 Once we have more experience and intuition, we should explore technical
1503 solutions to this problem too. For example, if the discovery strategies
1504 give out $k$ bridge addresses rather than a single bridge address, perhaps
1505 we can improve robustness from the user perspective without significantly
1506 aiding the adversary. Rather than giving out a new random subset of $k$
1507 addresses at each point, we could bind them together into \emph{bridge
1508 families}, so all users that learn about one member of the bridge family
1509 are told about the rest as well.
1511 This scheme may also help defend against attacks to map the set of
1512 bridges. That is, if all blocked users learn a random subset of bridges,
1513 the attacker should learn about a few bridges, monitor the country-level
1514 firewall for connections to them, then watch those users to see what
1515 other bridges they use, and repeat. By segmenting the bridge address
1516 space, we can limit the exposure of other users.
1518 \subsection{Cablemodem users don't usually provide important websites}
1519 \label{subsec:block-cable}
1521 Another attacker we might be concerned about is that the attacker could
1522 just block all DSL and cablemodem network addresses, on the theory that
1523 they don't run any important services anyway. If most of our bridges
1524 are on these networks, this attack could really hurt.
1526 The first answer is to aim to get volunteers both from traditionally
1527 ``consumer'' networks and also from traditionally ``producer'' networks.
1528 Since bridges don't need to be Tor exit nodes, as we improve our usability
1529 it seems quite feasible to get a lot of websites helping out.
1531 The second answer (not as practical) would be to encourage more use of
1532 consumer networks for popular and useful Internet services.
1533 %(But P2P exists;
1534 %minor websites exist; gaming exists; IM exists; ...)
1536 A related attack we might worry about is based on large countries putting
1537 economic pressure on companies that want to expand their business. For
1538 example, what happens if Verizon wants to sell services in China, and
1539 China pressures Verizon to discourage its users in the free world from
1540 running bridges?
1542 \subsection{Scanning resistance: making bridges more subtle}
1544 If it's trivial to verify that a given address is operating as a bridge,
1545 and most bridges run on a predictable port, then it's conceivable our
1546 attacker could scan the whole Internet looking for bridges. (In fact,
1547 he can just concentrate on scanning likely networks like cablemodem
1548 and DSL services---see Section~\ref{subsec:block-cable} above for
1549 related attacks.) It would be nice to slow down this attack. It would
1550 be even nicer to make it hard to learn whether we're a bridge without
1551 first knowing some secret. We call this general property \emph{scanning
1552 resistance}, and it goes along with normalizing Tor's TLS handshake and
1553 network fingerprint.
1555 We could provide a password to the blocked user, and she (or her Tor
1556 client) provides a nonced hash of this password when she connects. We'd
1557 need to give her an ID key for the bridge too (in addition to the IP
1558 address and port---see Section~\ref{subsec:id-address}), and wait to
1559 present the password until we've finished the TLS handshake, else it
1560 would look unusual. If Alice can authenticate the bridge before she
1561 tries to send her password, we can resist an adversary who pretends
1562 to be the bridge and launches a man-in-the-middle attack to learn the
1563 password. But even if she can't, we still resist against widespread
1564 scanning.
1566 How should the bridge behave if accessed without the correct
1567 authorization? Perhaps it should act like an unconfigured HTTPS server
1568 (``welcome to the default Apache page''), or maybe it should mirror
1569 and act like common websites, or websites randomly chosen from Google.
1571 We might assume that the attacker can recognize HTTPS connections that
1572 use self-signed certificates. (This process would be resource-intensive
1573 but not out of the realm of possibility.) But even in this case, many
1574 popular websites around the Internet use self-signed or just plain broken
1575 SSL certificates.
1577 %to unknown servers. It can then attempt to connect to them and block
1578 %connections to servers that seem suspicious. It may be that password
1579 %protected web sites will not be suspicious in general, in which case
1580 %that may be the easiest way to give controlled access to the bridge.
1581 %If such sites that have no other overt features are automatically
1582 %blocked when detected, then we may need to be more subtle.
1583 %Possibilities include serving an innocuous web page if a TLS encrypted
1584 %request is received without the authorization needed to access the Tor
1585 %network and only responding to a requested access to the Tor network
1586 %of proper authentication is given. If an unauthenticated request to
1587 %access the Tor network is sent, the bridge should respond as if
1588 %it has received a message it does not understand (as would be the
1589 %case were it not a bridge).
1591 \subsection{How to motivate people to run bridge relays}
1592 \label{subsec:incentives}
1594 One of the traditional ways to get people to run software that benefits
1595 others is to give them motivation to install it themselves. An often
1596 suggested approach is to install it as a stunning screensaver so everybody
1597 will be pleased to run it. We take a similar approach here, by leveraging
1598 the fact that these users are already interested in protecting their
1599 own Internet traffic, so they will install and run the software.
1601 Eventually, we may be able to make all Tor users become bridges if they
1602 pass their self-reachability tests---the software and installers need
1603 more work on usability first, but we're making progress.
1605 In the mean time, we can make a snazzy network graph with
1606 Vidalia\footnote{\url{http://vidalia-project.net/}} that
1607 emphasizes the connections the bridge user is currently relaying.
1608 %(Minor
1609 %anonymity implications, but hey.) (In many cases there won't be much
1610 %activity, so this may backfire. Or it may be better suited to full-fledged
1611 %Tor servers.)
1613 % Also consider everybody-a-server. Many of the scalability questions
1614 % are easier when you're talking about making everybody a bridge.
1616 %\subsection{What if the clients can't install software?}
1618 %[this section should probably move to the related work section,
1619 %or just disappear entirely.]
1621 %Bridge users without Tor software
1623 %Bridge relays could always open their socks proxy. This is bad though,
1624 %first
1625 %because bridges learn the bridge users' destinations, and second because
1626 %we've learned that open socks proxies tend to attract abusive users who
1627 %have no idea they're using Tor.
1629 %Bridges could require passwords in the socks handshake (not supported
1630 %by most software including Firefox). Or they could run web proxies
1631 %that require authentication and then pass the requests into Tor. This
1632 %approach is probably a good way to help bootstrap the Psiphon network,
1633 %if one of its barriers to deployment is a lack of volunteers willing
1634 %to exit directly to websites. But it clearly drops some of the nice
1635 %anonymity and security features Tor provides.
1637 %A hybrid approach where the user gets his anonymity from Tor but his
1638 %software-less use from a web proxy running on a trusted machine on the
1639 %free side.
1641 \subsection{Publicity attracts attention}
1642 \label{subsec:publicity}
1644 Many people working on this field want to publicize the existence
1645 and extent of censorship concurrently with the deployment of their
1646 circumvention software. The easy reason for this two-pronged push is
1647 to attract volunteers for running proxies in their systems; but in many
1648 cases their main goal is not to focus on actually allowing individuals
1649 to circumvent the firewall, but rather to educate the world about the
1650 censorship. The media also tries to do its part by broadcasting the
1651 existence of each new circumvention system.
1653 But at the same time, this publicity attracts the attention of the
1654 censors. We can slow down the arms race by not attracting as much
1655 attention, and just spreading by word of mouth. If our goal is to
1656 establish a solid social network of bridges and bridge users before
1657 the adversary gets involved, does this extra attention work to our
1658 disadvantage?
1660 \subsection{The Tor website: how to get the software}
1662 One of the first censoring attacks against a system like ours is to
1663 block the website and make the software itself hard to find. Our system
1664 should work well once the user is running an authentic
1665 copy of Tor and has found a working bridge, but to get to that point
1666 we rely on their individual skills and ingenuity.
1668 Right now, most countries that block access to Tor block only the main
1669 website and leave mirrors and the network itself untouched.
1670 Falling back on word-of-mouth is always a good last resort, but we should
1671 also take steps to make sure it's relatively easy for users to get a copy,
1672 such as publicizing the mirrors more and making copies available through
1673 other media. We might also mirror the latest version of the software on
1674 each bridge, so users who hear about an honest bridge can get a good
1675 copy.
1676 See Section~\ref{subsec:first-bridge} for more discussion.
1678 \section{Future designs}
1679 \label{sec:future}
1681 \subsection{Bridges inside the blocked network too}
1683 Assuming actually crossing the firewall is the risky part of the
1684 operation, can we have some bridge relays inside the blocked area too,
1685 and more established users can use them as relays so they don't need to
1686 communicate over the firewall directly at all? A simple example here is
1687 to make new blocked users into internal bridges also---so they sign up
1688 on the bridge authority as part of doing their query, and we give out
1689 their addresses
1690 rather than (or along with) the external bridge addresses. This design
1691 is a lot trickier because it brings in the complexity of whether the
1692 internal bridges will remain available, can maintain reachability with
1693 the outside world, etc.
1695 More complex future designs involve operating a separate Tor network
1696 inside the blocked area, and using \emph{hidden service bridges}---bridges
1697 that can be accessed by users of the internal Tor network but whose
1698 addresses are not published or findable, even by these users---to get
1699 from inside the firewall to the rest of the Internet. But this design
1700 requires directory authorities to run inside the blocked area too,
1701 and they would be a fine target to take down the network.
1703 % Hidden services as bridge directory authorities.
1705 \section{Next Steps}
1706 \label{sec:conclusion}
1708 Technical solutions won't solve the whole censorship problem. After all,
1709 the firewalls in places like China are \emph{socially} very
1710 successful, even if technologies and tricks exist to get around them.
1711 However, having a strong technical solution is still necessary as one
1712 important piece of the puzzle.
1714 In this paper, we have shown that Tor provides a great set of building
1715 blocks to start from. The next steps are to deploy prototype bridges and
1716 bridge authorities, implement some of the proposed discovery strategies,
1717 and then observe the system in operation and get more intuition about
1718 the actual requirements and adversaries we're up against.
1720 \bibliographystyle{plain} \bibliography{tor-design}
1722 %\appendix
1724 %\section{Counting Tor users by country}
1725 %\label{app:geoip}
1727 \end{document}
1729 ship geoip db to bridges. they look up users who tls to them in the db,
1730 and upload a signed list of countries and number-of-users each day. the
1731 bridge authority aggregates them and publishes stats.
1733 bridge relays have buddies
1734 they ask a user to test the reachability of their buddy.
1735 leaks O(1) bridges, but not O(n).
1737 we should not be blockable by ordinary cisco censorship features.
1738 that is, if they want to block our new design, they will need to
1739 add a feature to block exactly this.
1740 strategically speaking, this may come in handy.
1742 Bridges come in clumps of 4 or 8 or whatever. If you know one bridge
1743 in a clump, the authority will tell you the rest. Now bridges can
1744 ask users to test reachability of their buddies.
1746 Giving out clumps helps with dynamic IP addresses too. Whether it
1747 should be 4 or 8 depends on our churn.
1749 the account server. let's call it a database, it doesn't have to
1750 be a thing that human interacts with.
1752 so how do we reward people for being good?
1754 \subsubsection{Public Bridges with Coordinated Discovery}
1756 ****Pretty much this whole subsubsection will probably need to be
1757 deferred until ``later'' and moved to after end document, but I'm leaving
1758 it here for now in case useful.******
1760 Rather than be entirely centralized, we can have a coordinated
1761 collection of bridge authorities, analogous to how Tor network
1762 directory authorities now work.
1764 Key components
1765 ``Authorities'' will distribute caches of what they know to overlapping
1766 collections of nodes so that no one node is owned by one authority.
1767 Also so that it is impossible to DoS info maintained by one authority
1768 simply by making requests to it.
1770 Where a bridge gets assigned is not predictable by the bridge?
1772 If authorities don't know the IP addresses of the bridges they
1773 are responsible for, they can't abuse that info (or be attacked for
1774 having it). But, they also can't, e.g., control being sent massive
1775 lists of nodes that were never good. This raises another question.
1776 We generally decry use of IP address for location, etc. but we
1777 need to do that to limit the introduction of functional but useless
1778 IP addresses because, e.g., they are in China and the adversary
1779 owns massive chunks of the IP space there.
1781 We don't want an arbitrary someone to be able to contact the
1782 authorities and say an IP address is bad because it would be easy
1783 for an adversary to take down all the suspicious bridges
1784 even if they provide good cover websites, etc. Only the bridge
1785 itself and/or the directory authority can declare a bridge blocked
1786 from somewhere.
1789 9. Bridge directories must not simply be a handful of nodes that
1790 provide the list of bridges. They must flood or otherwise distribute
1791 information out to other Tor nodes as mirrors. That way it becomes
1792 difficult for censors to flood the bridge directory servers with
1793 requests, effectively denying access for others. But, there's lots of
1794 churn and a much larger size than Tor directories. We are forced to
1795 handle the directory scaling problem here much sooner than for the
1796 network in general. Authorities can pass their bridge directories
1797 (and policy info) to some moderate number of unidentified Tor nodes.
1798 Anyone contacting one of those nodes can get bridge info. the nodes
1799 must remain somewhat synched to prevent the adversary from abusing,
1800 e.g., a timed release policy or the distribution to those nodes must
1801 be resilient even if they are not coordinating.
1803 I think some kind of DHT like scheme would work here. A Tor node is
1804 assigned a chunk of the directory. Lookups in the directory should be
1805 via hashes of keys (fingerprints) and that should determine the Tor
1806 nodes responsible. Ordinary directories can publish lists of Tor nodes
1807 responsible for fingerprint ranges. Clients looking to update info on
1808 some bridge will make a Tor connection to one of the nodes responsible
1809 for that address. Instead of shutting down a circuit after getting
1810 info on one address, extend it to another that is responsible for that
1811 address (the node from which you are extending knows you are doing so
1812 anyway). Keep going. This way you can amortize the Tor connection.
1814 10. We need some way to give new identity keys out to those who need
1815 them without letting those get immediately blocked by authorities. One
1816 way is to give a fingerprint that gets you more fingerprints, as
1817 already described. These are meted out/updated periodically but allow
1818 us to keep track of which sources are compromised: if a distribution
1819 fingerprint repeatedly leads to quickly blocked bridges, it should be
1820 suspect, dropped, etc. Since we're using hashes, there shouldn't be a
1821 correlation with bridge directory mirrors, bridges, portions of the
1822 network observed, etc. It should just be that the authorities know
1823 about that key that leads to new addresses.
1825 This last point is very much like the issues in the valet nodes paper,
1826 which is essentially about blocking resistance wrt exiting the Tor network,
1827 while this paper is concerned with blocking the entering to the Tor network.
1828 In fact the tickets used to connect to the IPo (Introduction Point),
1829 could serve as an example, except that instead of authorizing
1830 a connection to the Hidden Service, it's authorizing the downloading
1831 of more fingerprints.
1833 Also, the fingerprints can follow the hash(q + '1' + cookie) scheme of
1834 that paper (where q = hash(PK + salt) gave the q.onion address). This
1835 allows us to control and track which fingerprint was causing problems.
1837 Note that, unlike many settings, the reputation problem should not be
1838 hard here. If a bridge says it is blocked, then it might as well be.
1839 If an adversary can say that the bridge is blocked wrt
1840 $\mathit{censor}_i$, then it might as well be, since
1841 $\mathit{censor}_i$ can presumably then block that bridge if it so
1842 chooses.
1844 11. How much damage can the adversary do by running nodes in the Tor
1845 network and watching for bridge nodes connecting to it? (This is
1846 analogous to an Introduction Point watching for Valet Nodes connecting
1847 to it.) What percentage of the network do you need to own to do how
1848 much damage. Here the entry-guard design comes in helpfully. So we
1849 need to have bridges use entry-guards, but (cf. 3 above) not use
1850 bridges as entry-guards. Here's a serious tradeoff (again akin to the
1851 ratio of valets to IPos) the more bridges/client the worse the
1852 anonymity of that client. The fewer bridges/client the worse the
1853 blocking resistance of that client.