Contents :
Thwarting Web Censorship with Untrusted Messenger Discovery

Nick Feamster, Magdalena Balazinska, Winston Wang, Hari Balakrishnan, and David Karger
MIT Laboratory for Computer Science
200 Technology Square, Cambridge, MA 02139
{feamster, mbalazin, wwww, hari, karger}@lcs.mit.edu

Abstract. All existing anti-censorship systems for the Web rely on proxies to grant clients access to censored information. Therefore, they face the proxy discovery problem: how can clients discover the proxies without having the censor discover and block these proxies? To avoid widespread discovery and blocking, proxies must not be widely published and should be discovered in-band. In this paper, we present a proxy discovery mechanism called keyspace hopping that meets this goal. Similar in spirit to frequency hopping in wireless networks, keyspace hopping ensures that each client discovers only a small fraction of the total number of proxies. However, requiring clients to independently discover proxies from a large set makes it practically impossible to verify the trustworthiness of every proxy and creates the possibility of having untrusted proxies. To address this, we propose separating the proxy into two distinct components: the messenger, which the client discovers using keyspace hopping and which simply acts as a gateway to the Internet, and the portal, whose identity is widely published and whose responsibility it is to interpret and serve the client's requests for censored content. We show how this separation, as well as in-band proxy discovery, can be applied to a variety of anti-censorship systems.

1 Introduction

Many political regimes and corporations actively restrict or monitor their employees' or citizens' access to information on the Web. Many systems try to circumvent these censorship efforts by using cooperative proxies. Anonymizer [1] is one of the oldest such systems.
Peekabooty [15], Safeweb [11], and Zero Knowledge's WebSecure [13] use an SSL-encrypted channel to communicate requests to proxies outside of the censored domain, which then return the censored content over this encrypted channel. In Infranet [3], clients communicate with cooperating proxies by constructing a covert and confidential channel within an HTTP request and response stream, without engendering the suspicion that a visibly encrypted channel might raise.

These systems require a client within the censored domain to discover and communicate with a cooperating proxy outside of the domain, as shown in Figure 1. Each of these systems assumes that a censor blocks access to a Web server based on its identity (i.e., IP address or DNS name) and that the censor allows access to any host that does not appear to be delivering objectionable content. Thus, the livelihood of these systems depends on the existence of proxies that the censor does not know about.

Fig. 1. Current censorship circumvention schemes rely on access to trusted proxies that serve clients' requests for censored content.

Fig. 2. Forwarding a message and decoding that request can be decomposed into two separate operations.

All proxy-based censorship avoidance systems face the troubling proxy discovery problem. To gain access to censored content, clients must have access to cooperating proxies. However, if the censor can operate under the guise of a legitimate client, it can discover these proxies and block access to them. For example, China's firewall previously blocked access to the Safeweb proxy. An effective proxy discovery technique must allow a client to easily discover a few participating proxies but make it extremely difficult for a censor to discover all of these proxies. Any reasonable solution to the problem must defend against both out-of-band discovery techniques (e.g., actively scanning or watching traffic patterns) and in-band ones (e.g., where the censor itself becomes a client).

To achieve these goals, a proxy-based censorship avoidance system should have the following characteristics:

- The system should have a large number of proxies. A system with no more than a few proxies is useless once those proxies are blocked. A system with more proxies makes it more difficult for a censor to block all of them.
- Clients must discover proxies independently of one another. If every client discovers the same few proxies, a censor could block access to these popular proxies and render the system useless.
- The client must incur some cost to discover a proxy. Because the censor can assume the identity (i.e., IP address) of any client behind its firewall, it is relatively easy for a censor to operate a large number of clients solely to discover proxies. As such, discovering a proxy should require a non-trivial investment of resources, such as solving a client puzzle [6].
- Brute-force scanning techniques must not expose proxies. A censor may suspect that a host is a proxy and try to verify this in some fashion (e.g., by acting as a client and seeing if it acts as a proxy, etc.). Thus, to an arbitrary end-host, a proxy should look innocuous.

We propose a proxy discovery technique called keyspace hopping that limits in-band discovery of proxies by ensuring that no client knows more than a small random subset of the total set of proxies. The technique also prevents out-of-band discovery by distributing client requests across the set of proxies and ensuring that each cooperating end-host only assumes the role of a proxy for a small set of clients at any given time.

Lecture Notes in Computer Science

The requirement that clients discover proxies independently implies that clients will utilize arbitrary proxies that they may not trust.
This introduces a fundamental tradeoff: while having a large number of independently discoverable proxies makes the system more robust to being blocked, it also makes it increasingly difficult to ensure that all proxies are trustworthy. An ideal proxy discovery system should be resistant to blocking and ensure that the client only exposes its requests for censored content to trusted parties. We propose a solution that achieves this goal by recognizing that the proxy actually serves two functions: providing access to content outside the firewall and serving requests for that content. Our solution, summarized in Figure 2, employs a large number of untrusted messengers, which carry information to and from the uncensored Internet without understanding that information, and a smaller number of portals, which a client trusts to faithfully serve requests for censored content without exposing its identity.

2 Proxy Discovery using Keyspace Hopping

Proxy-based anti-censorship systems must enable clients to discover proxies without enabling the censor to discover and block access to all of the proxies. Existing systems assume that there is some way to enable this discovery, but the problem has no obvious solution when the censor can become a client. Because of this possibility, no single client (or small group of clients) should ever discover all proxies. Proxies must come into existence more quickly than the censor can block them, and proxy discovery must be based on some client-specific property, like IP address, to raise the cost of impersonating many clients.

In this section, we explore the design space for proxy discovery and describe our proposed mechanism, called keyspace hopping, that controls the rate at which any one client can discover proxies. In this section, we assume that the censor cannot operate a proxy, except for our analysis of in-band discovery in Section 2.3. We discuss how to completely relax this assumption in Section 3.
2.1 Design Considerations for Proxy Discovery

Anti-censorship systems should ensure that almost every client can always contact at least one proxy, even if the censor is able to block some of these proxies. The set of proxies should be difficult enough to discover that the only reasonable response by the censor would be to block access to the entire Internet.

A censor can discover proxies in two ways: in-band, by acting as a client of the anti-censorship system itself and discovering proxies in the same manner as any other client, and out-of-band, by actively scanning Internet hosts to determine whether any of them behaves like a proxy (we have previously explained the importance of maintaining proxy covertness for this reason [3]). Additionally, a censor can notice traffic anomalies that expose a proxy or a client, such as a sudden increase in traffic to a particular Web site or a group of clients that have very similar browsing patterns. Table 1 summarizes these discovery techniques and the corresponding design considerations.

| Technique | Description | Design principles |
|---|---|---|
| In-band | Censor becomes a client and attempts to discover proxies in the same way a client would. | Use client-specific properties for proxy discovery. Ensure no client can discover more than a small set of all proxies at any time. |
| Out-of-band | Censor uses traffic anomalies or active scanning techniques to discover proxies. | Distribute clients evenly among available proxies. Ensure a host only acts as a proxy for a small subset of clients at any time. |

Table 1. A censor can discover and block proxies using either in-band or out-of-band discovery.

Limiting In-Band Discovery

If we assume that a censor can become a client, the censor can use the same discovery mechanisms that a client uses to discover proxies. Thus, the set of proxies that any one client can discover should be small and relatively independent from the sets that other clients discover.
This client-specificity implies that clients should discover proxies through some in-band mechanism (note that this is a departure from our previous thoughts about proxy discovery [3]). To slow in-band discovery, we impose the following constraints: the proxies that any client discovers should be a function of some characteristic that is 1) reasonably specific to that client, 2) not easily modified, and 3) requires significant resources to compute. Two obvious characteristics of a client that satisfy the first two constraints are the client's IP address and subnet. Unfortunately, a censor that operates a firewall can easily assume an IP address or subnet behind that firewall. Hence, we must also require some significant investment of resources per client, such as client puzzles [6], that makes it reasonably expensive for one entity to assume many different identities.

Fig. 3. In keyspace hopping, clients and proxies agree on which proxy forwards which client's request. Each client discovers a unique set of proxies.

Limiting Out-of-Band Discovery

A censor might try to discover proxies using out-of-band discovery techniques. For example, all Web servers that run an Infranet responder might behave in a similar fashion (e.g., providing slower than normal Web response times, etc.). Alternatively, if many clients send requests to a single proxy within a small time period, a censor might notice a large increase in the number of connections to a host that does not ordinarily receive much traffic. It should be reasonably difficult for a censor to discover all proxies using these types of out-of-band discovery techniques.
To make out-of-band discovery more difficult, a host should only act as a proxy for a certain subset of clients at any time. This prevents one proxy from attracting traffic from an abnormally large number of clients. More importantly, it prevents a host from always appearing as a proxy to all clients, thus making it less likely that an out-of-band probe from an arbitrary host will expose the proxy. Furthermore, the set of clients that a proxy serves should change over time. This makes proxy discovery more difficult for the censor because the censor does not know which hosts are acting as proxies for which clients.

2.2 Keyspace Hopping

We apply the design principles from Section 2.1 to our proxy discovery system, called keyspace hopping because of its similarities to frequency hopping [9]. Frequency hopping is used in wireless communication; the basic idea is to modulate a signal on a carrier frequency that changes pseudorandomly over time. Wireless communication uses frequency hopping to resist jamming, since an adversary must either saturate the entire frequency band with noise or track the frequency hopper's choice of carriers.

We propose a similar idea, with the exception that the censor is attempting to jam communication channels by preventing a client from reaching any proxies. At any given time, a certain proxy (or set of proxies) agrees to serve requests for a client, and the client forwards its requests to that proxy, as shown in Figure 3. To block a client's communication with its proxies, the censor must block communication with all of the client's proxies.

Keyspace hopping must solve several problems. The first problem is proxy assignment: what is the appropriate mechanism for assigning clients to proxies? Next, clients must perform lookup: how do clients discover the IP addresses of their proxies while preventing the censor from performing arbitrary lookups to discover all proxies? Finally, the system must have a bootstrapping phase: how
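
An added sketch, not the paper's algorithm: the text above states the design constraints (assignment tied to the client's IP address, a per-identity puzzle, a small subset that changes over time) but not the mapping itself, so the keyed hash, epoch counter, pool size and puzzle difficulty below are assumptions. It models how much of the proxy pool a censor learns by posing as many clients, and what each identity costs.

```python
import hashlib, hmac, ipaddress

# All values below are constructed for illustration.
PROXIES = [f"proxy-{n:03d}.example" for n in range(200)]  # total proxy pool
SECRET = b"constructed-secret"  # assumption: held by the system, unknown to the censor
PER_CLIENT = 3                  # proxies one client identity can learn per epoch
PUZZLE_BITS = 12                # puzzle difficulty: required leading zero bits

def check_puzzle(client_ip, epoch, nonce):
    """True if nonce solves the puzzle bound to this client and epoch."""
    digest = hashlib.sha256(f"{client_ip}|{epoch}|{nonce}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - PUZZLE_BITS) == 0

def solve_puzzle(client_ip, epoch):
    """Client-side cost: brute-force search, about 2**PUZZLE_BITS hashes."""
    nonce = 0
    while not check_puzzle(client_ip, epoch, nonce):
        nonce += 1
    return nonce

def assigned_proxies(client_ip, epoch, nonce):
    """Proxy subset for (client IP, epoch); empty unless the puzzle is solved."""
    if not check_puzzle(client_ip, epoch, nonce):
        return []
    ip = int(ipaddress.ip_address(client_ip))
    chosen, counter = [], 0
    while len(chosen) < PER_CLIENT:
        msg = f"{ip}|{epoch}|{counter}".encode()
        mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
        proxy = PROXIES[int.from_bytes(mac[:8], "big") % len(PROXIES)]
        if proxy not in chosen:  # skip repeats so the subset has PER_CLIENT members
            chosen.append(proxy)
        counter += 1
    return chosen

def censor_coverage(n_identities, epoch):
    """Fraction of the pool learned by a censor posing as n_identities clients."""
    seen = set()
    base = ipaddress.ip_address("10.0.0.0")
    for i in range(n_identities):
        ip = str(base + i)
        seen.update(assigned_proxies(ip, epoch, solve_puzzle(ip, epoch)))
    return len(seen) / len(PROXIES)

if __name__ == "__main__":
    for n in (1, 10, 50):
        print(n, "identities ->", censor_coverage(n, epoch=0))
```

Coverage grows with the number of identities the censor assumes, and each identity costs one puzzle solution, which is the tradeoff the in-band constraints are meant to control.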
- File Type : .pdf
- Page size : 185 x 240
- Length : 16 pages
- File Size: 204 kb
- Virus Tested : No
- Verified : 2013-04-08
- Source: freehaven.net