aboutsummaryrefslogtreecommitdiff
path: root/doc/design-paper
diff options
context:
space:
mode:
Diffstat (limited to 'doc/design-paper')
-rw-r--r--doc/design-paper/blocking.tex92
1 files changed, 76 insertions, 16 deletions
diff --git a/doc/design-paper/blocking.tex b/doc/design-paper/blocking.tex
index 754b45368..39bd84cd5 100644
--- a/doc/design-paper/blocking.tex
+++ b/doc/design-paper/blocking.tex
@@ -438,28 +438,88 @@ relays is clearly a useful idea for a discovery component. For example,
users might be able to make use of these proxies to bootstrap their
first introduction into the Tor network.
-\subsection{JAP}
-
-Stefan's WPES paper~\cite{koepsell:wpes2004} is probably the closest
-related work, and is
-the starting point for the design in this paper.
-
-\subsection{steganography}
-
-infranet
-
-\subsection{break your sensitive strings into multiple tcp packets;
-ignore RSTs}
+\subsection{Blocking resistance and JAP}
+
+K\"{o}psell's Blocking Resistance design~\cite{koepsell:wpes2004} is probably
+the closest related work, and is the starting point for the design in this
+paper. In this design, the JAP anonymity system is used as a base instead of
+Tor. Volunteers operate a large number of access points to the core JAP
+network, which in turn anonymizes users' traffic. The software to run these
+relays is, as in our design, included in the JAP client software and enabled
+only when the user decides to enable it. Discovery is handled with a
+CAPTCHA-based mechanism; users prove that they aren't an automated process,
+and are given the address of an access point. (The problem of a determined
+attacker with enough manpower to launch many requests and enumerate all the
+access points is not considered in depth.) There is also some suggestion
+that information about access points could spread through existing social
+networks.
+
+\subsection{Infranet}
+
+The Infranet design~\cite{infranet} uses one-hop relays to deliver web
+content, but disguises its communications as ordinary HTTP traffic. Requests
+are split into multiple requests for URLs on the relay, which then encodes
+its responses in the content it returns. The relay needs to be an actual
+website with plausible content and a number of URLs which the user might want
+to access---if the Infranet software produced its own cover content, it would
+be far easier for censors to identify. To keep the censors from noticing
+that cover content changes depending on what data is embedded, Infranet needs
+the cover content to have an innocuous reason for changing frequently: the
+paper recommends watermarked images and webcams.
+
+The attacker and relay operators in Infranet's threat model are significantly
+different than in ours. Unlike our attacker, Infranet's censor can't be
+bypassed with encrypted traffic (presumably because the censor blocks
+encrypted traffic, or at least considers it suspicious), and has more
+computational resources to devote to each connection than ours (so it can
+notice subtle patterns over time). Unlike our bridge operators, Infranet's
+operators (and users) have more bandwidth to spare; the overhead in typical
+steganography schemes is far higher than Tor's.
+
+The Infranet design does not include a discovery element. Discovery,
+however, is a critical point: if whatever mechanism allows users to learn
+about relays also allows the censor to do so, he can trivially discover and
+block their addresses, even if the steganography would prevent mere traffic
+observation from revealing the relays' addresses.
+
+\subsection{RST-evasion}
+In their analysis of China's firewall's content-based blocking, Clayton,
+Murdoch and Watson discovered that rather than blocking all packets in a TCP
+streams once a forbidden word was noticed, the firewall was simply forging
+RST packets to make the communicating parties believe that the connection was
+closed~\cite{clayton:pet2006}. Two mechanisms were proposed: altering
+operating systems to ignore forged RST packets, and ensuring that sensitive
+words are split across multiple TCP packets so that the censors' firewalls
+can't notice them without performing expensive stream reconstruction. The
+later technique relies on the same insight as our weak steganography
+assumption.
\subsection{Internal caching networks}
-Freenet is deployed inside China and caches outside content.
+Freenet~\cite{freenet-pets00} is an anonymous peer-to-peer data store.
+Analyzing Freenet's security can be difficult, as its design is in flux as
+new discovery and routing mechanisms are proposed, and no complete
+specification has (to our knowledge) been written. Freenet servers relay
+requests for specific content (indexed by a digest of the content) to the
+server that hosts it, and then caches the content as it works its way back to
+the requesting user. If Freenet's routing mechanism is successful in
+allowing nodes to learn about each other and route correctly even as some
+node-to-node links are blocked by firewalls, then users inside censored areas
+can ask a local Freenet server for a piece of content, and get an answer
+without having to connect out of the country at all. Of course, operators of
+servers inside the censored area can still be targeted, and the addresses of
+external serves can still be blocked.
\subsection{Skype}
-port-hopping. encryption. voice communications not so susceptible to
-keystroke loggers (even graphical ones).
-
+The popular Skype voice-over-IP software uses multiple techniques to tolerate
+restrictive networks, some of which allow it to continue operating in the
+presence of censorship. By switching ports and using encryption, Skype
+attempts to resist trivial blocking and content filtering. Even if no
+encryption were used, it would still be quite expensive to scan all voice
+traffic for sensitive words. Also, most current keyloggers are unable to
+store voice traffic. Nevertheless, Skype can still be blocked, especially at
+it central directory service.
\subsection{Tor itself}