Censorship workarounds

Censorship is the suppression of speech or other public communication which may be considered objectionable, harmful, sensitive, politically incorrect or inconvenient as determined by a government, media outlet or other controlling body, whether that be enforced or coerced.

And more and more, surveillance and censorship go hand in hand.

Censorship


Overview of blocking types

Table made from How to effectively argue against Internet Censorship ideas

| Blocking type | Over-blocking probability | Under-blocking probability | Required resources | List handling cost | Circumvention | Employs DPI |
|---|---|---|---|---|---|---|
| DNS-based blocking | high | medium | small | medium | very easy | no |
| IP address-based blocking | high | medium | small | medium | medium | no |
| URL-based blocking | low | high | medium | high | medium | yes |
| Dynamic blocking | high | high | very high | low | medium | yes |
| Hash-based blocking | low | high | very high | high | medium | yes |
| Hybrid solutions | low | high | medium | high | medium | yes |

Censorship circumvention


Descriptions of circumvention methods below are from How to effectively argue against Internet Censorship ideas

DNS swapping

Custom DNS server settings can be used to easily circumvent DNS-based blocking. This requires almost no technical prowess and can be done by anybody. There are a number of publicly available DNS servers that can be used for this purpose. There is no way to easily block the use of this method without deploying censorship methods other than pure DNS-blocking.
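How DNS-based blocking shows up on the wire, and why a different resolver sidesteps it, as an added example that is not part of the original page: it parses raw DNS responses and compares the default resolver's answer with an alternative resolver's. The function names, the sample responses and the block-page address are assumptions constructed for illustration.

```python
import struct

def build_response(qname, rcode, addrs):
    """Build a DNS response to an A query (used only to construct samples)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes(map(int, a.split("."))) for a in addrs)
    return header + question + rrs

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg):
    """Return (rcode, sorted IPv4 answers) from a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4    # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    return flags & 0x000F, sorted(addrs)

def compare(default_resp, alt_resp, block_page_ips=frozenset()):
    """Classify the default resolver's answer against an alternative resolver's."""
    rc_d, a_d = parse_a_records(default_resp)
    rc_a, a_a = parse_a_records(alt_resp)
    if rc_d == 3 and rc_a == 0 and a_a:
        return "nxdomain-on-default-only"
    if set(a_d) & set(block_page_ips):
        return "redirected-to-block-page"
    return "consistent" if a_d == a_a else "differs"

# Constructed samples; addresses are from documentation ranges.
ISP_NXDOMAIN = build_response("example.org", 3, [])
ISP_REDIRECT = build_response("example.org", 0, ["192.0.2.1"])
ALTERNATIVE = build_response("example.org", 0, ["203.0.113.7"])
```

A plain "differs" result is not proof of blocking, since CDNs routinely return different addresses to different resolvers.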


Proxy Servers

Proxy servers, especially anonymous ones, located outside the area where a censorship solution is deployed can be used quite easily to circumvent any blocking method; users can modify their operating system or browser settings, or install browser additions that make using this circumvention method trivial. It is possible to block the proxy servers themselves (via IP-blocking, keyword blocking, etc.); however, it is infeasible to block them all, as they are easy to set up.


VPN

Virtual Private Networks (including “poor man’s VPNs” like SSH tunnels) require more technical skills and a (usually commercial) VPN service (or SSH server) outside the area with blocking deployed. Blocking all VPN/SSH traffic is possible, but requires deep packet inspection. More on VPN, DNS leaks and chaining VPNs here.

Tor and Darknets

Tor, or The Onion Router, is a very effective (if a bit slow) circumvention method. It is quite easy to set up — users can simply download the Tor Browser Bundle and use it to access the Internet. Due to the way it works it is nigh-impossible to block Tor traffic (as it looks just like vanilla HTTPS traffic), to the point that it is known to allow access to the uncensored Internet to those living in areas with the most aggressive Internet censorship policies — namely China, North Korea and Iran.

None of the censorship solutions is able to block content on darknets — virtual networks accessible anonymously only via specialised software (for instance Tor, I2P, FreeNet), and guaranteeing high resilience to censorship through the technical composition of the networks themselves. Because darknets are practically impossible to block entirely and do not allow any content blocking within them, they are effectively the ultimate circumvention methods. The main downside to using darknets is their lower bandwidth, but that is rapidly improving.

Update Nov 2014: All circumvention methods attract the attention of “authorities”, and there seems to be some sort of spying arms race; hence at some point they become a target for mass surveillance, as Tor seems to be.

TLS/SSL

While not necessarily a circumvention tool, TLS/SSL defeats any censorship method that relies on deep packet inspection, as the contents of data-streams are encrypted and readable only to the client machine and the host it is communicating with — and hence unavailable to the filtering equipment.

TLS/SSL provides end-to-end encrypted, secure communication; initially used mainly by banking and e-commerce sites, it is now employed by an ever-rising number of websites, including social networks. Accessing websites with ‘https://’ instead of ‘http://’ makes use of TLS/SSL; it is, however, also used to provide a secure layer of communication for many other tools and protocols (for instance, e-mail clients or some VoIP solutions).

Once a DPI-based censorship solution is deployed, affected users and services will gradually and naturally gravitate to this simple yet very effective solution. This means that any DPI-based censorship scheme must handle TLS/SSL communication. This can only be done in two ways:

  • block it altogether;
  • perform a man-in-the-middle (or MITM) attack on encrypted data-streams.

Blocking is not hard (TLS/SSL communication streams are quite easy to filter out). However, as TLS/SSL is a valid, legal and oft-used way for legitimate businesses, especially banks, to provide security for their users, this is not a viable solution, as it will cause outrage among users, security researchers and financial companies (or, indeed, all companies relying on TLS/SSL for their security needs).
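What the filtering equipment in this section can and cannot read from the first bytes a client sends, as an added example that is not part of the original page. The names `dpi_view`, `sample_client_hello` and `url_rule_matches` and both sample messages are constructed for illustration. It also shows one caveat: unless Encrypted Client Hello is in use, the TLS ClientHello carries the server name (SNI) in cleartext, so the host stays visible even though the URL path does not.

```python
import struct

def sample_client_hello(host):
    """Construct a minimal TLS ClientHello record carrying an SNI extension."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni          # extension type 0
    body = (b"\x03\x03" + bytes(32) + b"\x00"              # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"            # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_from_client_hello(rec):
    """Walk the ClientHello fields and return the server name, or None."""
    off = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    off += 1 + rec[off]                  # session id
    off += 2 + int.from_bytes(rec[off:off + 2], "big")   # cipher suites
    off += 1 + rec[off]                  # compression methods
    end = off + 2 + int.from_bytes(rec[off:off + 2], "big")
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[off:off + 4])
        if etype == 0:                   # server_name: list len, type, name len, name
            nlen = int.from_bytes(rec[off + 7:off + 9], "big")
            return rec[off + 9:off + 9 + nlen].decode()
        off += 4 + elen
    return None

def dpi_view(first_bytes):
    """Return the fields an on-path filter can read from a client's first bytes."""
    if first_bytes[:2] == b"\x16\x03" and first_bytes[5:6] == b"\x01":
        return {"proto": "tls", "host": sni_from_client_hello(first_bytes), "path": None}
    head = first_bytes.split(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    path = head[0].split(" ", 2)[1]
    host = next((h.split(":", 1)[1].strip() for h in head[1:]
                 if h.lower().startswith("host:")), None)
    return {"proto": "http", "host": host, "path": path}

def url_rule_matches(view, host, path_prefix):
    """A URL-based rule needs both host and path; the path is absent under TLS."""
    return view["host"] == host and (view["path"] or "").startswith(path_prefix)

# Constructed samples: the same page requested over HTTP and over TLS.
HTTP_REQ = b"GET /banned/page HTTP/1.1\r\nHost: news.example.org\r\n\r\n"
TLS_HELLO = sample_client_hello("news.example.org")
```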

