Anticensorship in the Network Infrastructure
Eric Wustrow
University of Michigan
Background | Internet Censorship
[Map legend: Pervasive censorship; Substantial censorship; Selective censorship; Changing situation; Little or no censorship]
Threat Model
Censor
… controls client’s network, but not external network
… blocks according to a blacklist
… allows HTTPS connections to non-blocked sites
Telex | Overview
Prototype | Test Deployment
Single Telex Station on lab-scale “ISP” at Michigan
Hosted sites
• NotBlocked.telex.cc: unobjectionable content
• Blocked.telex.cc: simulated censored site only reachable via Telex
Inline Blocking
Asymmetric flows
Telex v2: Passive tap
New architecture -- passive ISP tap
[Diagram: message sequence between Client, ISP Proxy and Server; labels as recovered:]
TLS Handshake
Plaintext: “GET / HTTP/1.1\r\nX-Ignore: \x81\x28\x66 …”
Ciphertext: “\x95\x1f\x6b\x27\xe2 … Tag: \xc8\x3f\x22 …”
ACK [seq=Y, ack=X]
Plaintext: “PROXY OK” [seq=Y, ack=X, len=M]
ACK [seq=X, ack=Y+M]
ack != Y?
Plaintext: “GET http://blocked.com/ …” [seq=X, ack=Y+M]
Plaintext: “HTTP/1.1 200 OK … <html> ….”
New architecture -- passive ISP tap
• Pros
  – No inline blocking required, only passive tap
  – Works with asymmetric flows (client -> server)
• Cons
  – Censor can use active attacks
    • (though we can use “active defenses”)
Anticensorship in the Network Infrastructure
• Future work
  – Looking for ISPs willing to help
    • Technical feedback
    • Prototype deployment
  – Strategies for optimal deployment
  – Improving traffic analysis defense
Anticensorship in the Network Infrastructure
https://telex.cc
Eric Wustrow, Colleen M. Swanson, Scott Wolchok, Ian Goldberg, J. Alex Halderman