diff --git a/local.bib b/local.bib
index 7f8c4b5..f06547b 100644
--- a/local.bib
+++ b/local.bib
@@ -98,6 +98,15 @@
 url = {https://trac.torproject.org/projects/tor/wiki/doc/GoAgent?action=diff&version=2&old_version=1},
 }
 
+@misc{kazakhstan-wiki,
+ author = {David Fifield and {kzblocked}},
+ title = {Kazakhstan 2016--2017},
+ month = jun,
+ year = 2017,
+ howpublished = {OONI Censorship Wiki},
+ url = {https://trac.torproject.org/projects/tor/wiki/doc/OONI/censorshipwiki/CensorshipByCountry/Kazakhstan#a20348},
+}
+
 @techreport{FifieldGilEpnerWebRTC,
 title = {Fingerprintability of {WebRTC}},
 author = {David Fifield and Mia Gil Epner},
@@ -224,7 +233,7 @@
 }
 
 @misc{obfs4,
- author = {Yawning Angel and Philipp Winter},
+ author = {{Yawning Angel} and Philipp Winter},
 title = {{obfs4} (The obfourscator)},
 url = {https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/doc/obfs4-spec.txt},
 year = {2014},
@@ -406,6 +415,7 @@
 title = {Measuring and circumventing {Internet} censorship},
 school = {Karlstad University},
 year = {2014},
+ url = {https://nymity.ch/papers/pdf/winter2014b.pdf},
 }
 
 @techreport{LovecruftDeValence2017a,
@@ -463,12 +473,20 @@
 
 @misc{tor-trac-17473,
 author = {David Fifield and Georg Koppen and Klaus Layer},
- title = {Update the meek-amazon fingerprint to B9E7141C594AF25699E0079C1F0146F409495296},
+ title = {Update the meek-amazon fingerprint to B9E7{}141C{}594A{}F256{}99E0{}079C{}1F01{}46F4{}0949{}5296},
 month = oct,
 year = 2015,
 url = {https://bugs.torproject.org/17473},
 }
 
+@misc{tor-trac-20495,
+ author = {David Fifield and Georg Koppen},
+ title = {Unexplained drop in meek users, 2016-10-19 to 2016-11-10},
+ month = oct,
+ year = 2016,
+ url = {https://bugs.torproject.org/20495},
+}
+
 @techreport{tor-tr-2012-10-001,
 author = {Karsten Loesing},
 title = {Counting daily bridge users},
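Review bot: The `{}` groups spliced into the relay fingerprint in the new `title` line of the `tor-trac-17473` hunk do not give TeX anywhere to break the line: a break needs glue, a penalty or a discretionary, an empty group supplies none, and hyphenation patterns never split a run of hex digits, so the 40-character identifier still comes out as one unbreakable word (the groups only suppress kerning). If the aim is to let the fingerprint wrap, something like `B9E7\allowbreak 141C\allowbreak 594A...` is what actually creates break points; if the aim is something else, an ignored field such as `internal-note = {title carries the bridge's 40-hex-digit fingerprint as a single token}` would keep a later cleanup from stripping or "fixing" the groups. Either way the digits must stay exactly as in the ticket title, since readers compare them against the relay's published fingerprint.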
@@ -576,6 +594,7 @@
 }
 
 @misc{tor-dev-meek-azure-persistent,
+ author = {David Fifield},
 title = {Big performance improvement for meek-azure},
 month = apr,
 year = 2015,
@@ -609,6 +628,33 @@
 url = {https://lists.torproject.org/pipermail/tor-talk/2015-August/038780.html},
 }
 
+@misc{tor-dev-cyberoam,
+ author = {Justin},
+ title = {Pluggable Transports and {DPI}},
+ month = may,
+ year = 2016,
+ howpublished = {tor-dev mailing list},
+ url = {https://lists.torproject.org/pipermail/tor-talk/2016-May/040898.html},
+}
+
+@misc{tor-dev-gaeuploader,
+ author = {Katherine Li},
+ title = {{GAEuploader}},
+ month = jan,
+ year = 2017,
+ howpublished = {tor-dev mailing list},
+ url = {https://lists.torproject.org/pipermail/tor-dev/2017-January/011812.html},
+}
+
+@misc{tor-dev-meek-azure-run-out,
+ author = {David Fifield},
+ title = {meek-azure funding has run out},
+ month = jan,
+ year = 2017,
+ howpublished = {tor-dev mailing list},
+ url = {https://lists.torproject.org/pipermail/tor-project/2017-January/000881.html},
+}
+
 @misc{google-cloud-service-terms-20150326000133,
 author = {{Google Cloud Platform}},
 title = {Service Specific Terms},
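Review bot: `howpublished = {tor-dev mailing list}` contradicts the archive path in the `url` line for two of the three entries added in the `@@ -609` hunk: `tor-dev-cyberoam` points into `pipermail/tor-talk/2016-May/` and `tor-dev-meek-azure-run-out` into `pipermail/tor-project/2017-January/`, so only `tor-dev-gaeuploader` is actually a tor-dev post. The removed line in the thesis.tex hunk further down cites the same tor-talk URL for the Cyberoam report, which suggests the URLs are the correct half and the values should read `howpublished = {tor-talk mailing list}` and `howpublished = {tor-project mailing list}` respectively. The `tor-dev-` prefix in those two citation keys misleads in the same way; if they are renamed, every `\cite` in thesis.tex has to follow. The bare `author = {Justin}` parses as a surname-only name, which is the most BibTeX can do for a mononym, but it is worth confirming that rendering is intended.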
@@ -625,3 +671,77 @@
 howpublished = {FireEye Threat Research Blog},
 url = {https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html},
 }
+
+@article{Morin1996Rover,
+ author = {Rich Morin},
+ title = {The Limits of Control},
+ journal = {Unix Review Magazine},
+ month = jun,
+ year = 1996,
+ url = {http://cfcl.com/rdm/Pubs/tin/P/199606.shtml},
+}
+
+% https://www.youtube.com/watch?v=Ldzr0bfGtHc
+@misc{DunwoodyCarrDerbyCon2016,
+ author = {Matthew Dunwoody and Nick Carr},
+ title = {No Easy Breach},
+ month = sep,
+ year = 2016,
+ howpublished = {DerbyCon},
+ url = {https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016},
+}
+
+@misc{LiGAEuploader,
+ author = {Katherine Li},
+ title = {{GAEuploader}},
+ url = {https://github.com/katherinelitor/GAEuploader},
+}
+
+@misc{traffic-obf-cyberoam,
+ author = {David Fifield},
+ title = {{Cyberoam} firewall blocks meek by {TLS} signature},
+ month = may,
+ year = 2016,
+ howpublished = {Network Traffic Obfuscation mailing list},
+ url = {https://groups.google.com/d/topic/traffic-obf/BpFSCVgi5rs},
+}
+
+@misc{traffic-obf-fortiguard,
+ author = {David Fifield},
+ title = {{FortiGuard} firewall blocks meek by {TLS} signature},
+ month = jul,
+ year = 2016,
+ howpublished = {Network Traffic Obfuscation mailing list},
+ url = {https://groups.google.com/d/topic/traffic-obf/fwAN-WWz2Bk},
+}
+
+@misc{traffic-obf-meek-decrease-orbot,
+ author = {David Fifield and Adam Fisk and Nathan Freitas and Percy Wegmann},
+ title = {meek seems blocked in {China} since 2016-10-19},
+ month = oct,
+ year = 2016,
+ howpublished = {Network Traffic Obfuscation mailing list},
+ url = {https://groups.google.com/d/topic/traffic-obf/CSJLt3t-_OI},
+}
+
+@misc{traffic-obf-allot,
+ author = {David Fifield and Vinicius Fortuna and Philipp Winter and Eric Wustrow},
+ title = {{Allot Communications}},
+ month = jan,
+ year = 2017,
+ howpublished = {Network Traffic Obfuscation mailing list},
+ url = {https://groups.google.com/d/topic/traffic-obf/yzxlLpFyXLI},
+}
+
+@misc{xx-net,
+ title = {{XX-Net}},
+ url = {https://github.com/XX-net/XX-Net},
+}
+
+@misc{tor-metrics-userstats-bridge-combined-br,
+ author = {{Tor Metrics}},
+ title = {Bridge users by transport from {Brazil}},
+ month = oct,
+ year = 2017,
+ url = {https://metrics.torproject.org/userstats-bridge-combined.html?start=2016-06-01&end=2017-10-01&country=br},
+}
diff --git a/thesis.tex b/thesis.tex
index 35b6d91..ce2a97a 100644
--- a/thesis.tex
+++ b/thesis.tex
@@ -215,6 +215,7 @@ Here are some examples of forms of censorship that are in scope:
 \item blocking keywords in URLs
 \item dissecting network layers (``deep packet inspection'')
 \item statistical and probabilistic traffic classification
+\item connection speed throttling
 \item active measures by censors to discover the use of circumvention
 \end{itemize}
 Other forms of censorship that are \emph{not} in scope include:
@@ -318,6 +319,16 @@ I prefer to think of it in terms of costs. eavesdropper's dilemma~\cite{eavesdroppersdilemma} (as an example of having an empty sphere of visibility?)
+reach exceeds grasp
+The sphere of influence is a subset of the sphere of visibility.
+It is usual,
+when evaluating circumvention designs,
+to assume (conservatively)
+that the sphere of influence and sphere of visibility are equal:
+wherever the censor can observe, it can act.
+But there are real-world cases where the censor
+might observe traffic it would rather block,
+and yet lack the ability to stop it.
 Ignoring the Great Firewall of China~\cite{Clayton2006a}: detection succeeds but not blocking. Flakiness of firewalls, etc.
@@ -492,7 +503,7 @@ Freedom House Freedom on the Net anonymizer, dialectizer sites HTML rewriting proxies
-(BIFSO article predicting failure of censorship, leading to CGIProxy?)
+(BIFSO article predicting failure of censorship, leading to CGIProxy?)~\cite{Morin1996Rover}
 changing dns servers
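Review bot: `LiGAEuploader` and `xx-net` are the only new entries in the `@@ -625` hunk with no date at all, and `xx-net` has no author either, while every other web citation here carries `month`/`year`; a repository changes over time, so the reader needs at least an access date, e.g. `note = {Accessed YYYY-MM-DD}` (placeholder date), or a URL pinned to a specific commit. The `% https://www.youtube.com/...` line before `DunwoodyCarrDerbyCon2016` survives only because BibTeX ignores text outside entries (`%` is not a comment character); an ignored field inside the entry, e.g. `video = {https://www.youtube.com/watch?v=Ldzr0bfGtHc}`, keeps the pointer attached to the entry if a tool ever sorts or rewrites the file. The bare `&` in the `tor-metrics-userstats-bridge-combined-br` URL follows the existing entries (the context `url` at the top of the diff has them too), so it is safe only as long as the style wraps `url` in `\url{}`, which is worth a check against the `.bst` in use.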
@@ -1266,7 +1277,8 @@ which I coauthored with Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. \includegraphics{figures/metrics-clients-meek} \caption{ Estimated mean number of concurrent users
-of the meek pluggable transport.
+of the meek pluggable transport,
+with selected events.
 } \label{fig:metrics-clients-meek} \end{figure}
@@ -1286,6 +1298,14 @@ shows the estimated concurrent number of users of meek over its entire existence. The counts come from Tor Metrics~\cite{tor-tr-2012-10-001}.
+\begin{itemize}
+\item First release of Orbot that had meek?
+\item Funding/grant timespans
+\item cost table
+\end{itemize}
+
+\subsection*{2013: Precursors; prototypes}
+
 The prehistory of meek begins in 2013 with flash proxy. Flash proxy clients need a secure way to register their address to a central facilitator, in order that flash proxies can connect back to them.
@@ -1353,7 +1373,7 @@ I started working on a version that strictly serialized request--response pairs, which architecture meek still uses today.
-\subsection{2014}
+\subsection*{2014: Development; collaboration; deployment}
 According to the Git revision history, I started working on the source code of meek proper on January 26, 2014.
@@ -1501,7 +1521,7 @@ At that time, the other transports available were obfs3, FTE, ScrambleSuit, and flash proxy.
-\subsection{2015}
+\subsection*{2015: Growth; restraints; outages}
 Through the first part of 2015, the estimated number of simultaneous users continued to grow, reaching about 2,000,
@@ -1628,7 +1648,7 @@ through the network intermediary in a special HTTP header, which fixed the per-country counts from then on.
-\subsection{2016}
+\subsection*{2016: Taking off the reins; misuse; blocking efforts}
 In mid-January 2016 the Tor Project asked me to raise the rate limits on the meek bridges, in anticipation
@@ -1657,7 +1677,7 @@ causing it to become unblocked. I am aware of no similar incidents before or since. The next surprise was on May~13, 2016.
-meek's App Engine backend stopped working and I got a notice saying:
+meek's App Engine backend stopped working and I got a notice:
 \begin{quote} We've recently detected some activity on your Google Cloud Platform/API Project ID meek-reflect that appears to violate our Terms of Service. Please take a moment to review the Google Cloud Platform Terms of Service or the applicable Terms of Service for the specific Google API you are using.
@@ -1691,41 +1711,170 @@ Matthew Dunwoody presented observations to that effect in a FireEye blog post~\cite{fireeye-apt29_domain_frontin} in March 2017. He and Nick Carr had presented those findings at DerbyCon -in September 2016, but I was not aware of them until the blog post. +in September 2016~\cite{DunwoodyCarrDerbyCon2016}, +but I was not aware of them until the blog post. Malware would install a backdoor that operated over a Tor onion service, and used meek for camouflage. -TLS fingerprinting -Cyberoam May 2016 \url{https://groups.google.com/d/topic/traffic-obf/BpFSCVgi5rs} \url{https://lists.torproject.org/pipermail/tor-talk/2016-May/040898.html} -FortiGuard July 2016 \url{https://groups.google.com/d/topic/traffic-obf/fwAN-WWz2Bk} -Kazakhstan < Dec 2016 \url{https://trac.torproject.org/projects/tor/ticket/20348#comment:142} - -Brazil - - -\bigskip - - -Cert reload by Yawning Angel, -Let's Encrypt\index{Let's Encrypt} support based on a patch by George Tankersley. - - -GAEuploader - -Funding sources - -% ||2015-12-25 || || ||meek ||Established an unthrottled bridge [https://atlas.torproject.org/#details/C20658946DD706A7A2181159A1A04CD838570D04 C20658946DD706A7A2181159A1A04CD838570D04] for people who set up their own meek CDN configuration. || || -% ||2016-07-21 ||2017-03-03 ||br ||meek ||Sustained increase in meek users in Brazil. Locals believe that they are not actual users, rather bots or something like that. End date coincides with shutdown of meek-azure before migration. ||[https://metrics.torproject.org/userstats-bridge-combined.html?start=2016-06-01&end=2017-04-01&country=br graph] || -% ||2016-10-19 ||2016-11-10 || ||meek ||Large decrease in meek users, perhaps caused by problems in Orbot 15.0.2 BETA 1 that were fixed in Orbot 15.2.0 RC8. 
||[https://bugs.torproject.org/20495 ticket] [https://lists.torproject.org/pipermail/tor-project/2016-October/000764.html initial email] [https://lists.torproject.org/pipermail/tor-project/2016-November/000778.html followup email] [https://groups.google.com/d/msg/traffic-obf/CSJLt3t-_OI/FnAqWqquAwAJ Orbot mail] || -% ||2016-11-22 || || ||meek ||Decreased the rate limit on the meek-amazon bridge to 2.0 MB/s, from 3.0 MB/s. || || -% ||2017-01-09 || || ||meek ||Decreased the rate limit on the meek-azure bridge to 2.0 MB/s, from 3.0 MB/s. || || -% ||2017-03-03 17:32:00 || || ||meek ||Stopped the meek-azure CDN endpoint az668014.vo.msecnd.net. ||[https://lists.torproject.org/pipermail/tor-project/2017-March/000981.html mailing list post] || -% ||2017-03-03 17:34:00 || || ||meek ||Stopped the meek-azure CDN endpoint az786092.vo.msecnd.net. ||[https://lists.torproject.org/pipermail/tor-project/2017-March/000981.html mailing list post] || -% ||2017-03-03 17:36:00 || || ||meek ||Stopped the (unused) meek-azure CDN endpoint meek-reflect.azureedge.net. ||[https://lists.torproject.org/pipermail/tor-project/2017-March/000981.html mailing list post] || -% ||2017-03-07 18:32:11 || || ||meek scramblesuit ||Tor Browser 6.5.1 is released, containing the new meek-azure CDN configuration, and removing the last remaining scramblesuit bridge. ||[https://blog.torproject.org/blog/tor-browser-651-released blog post] [https://bugs.torproject.org/21342 meek ticket] [https://bugs.torproject.org/21536 scramblesuit ticket] || -% ||2017-03-22 || || ||meek ||Orbot 15.4.0 beta-2 multi is released, containing the new meek-azure CDN configuration. ||[https://lists.mayfirst.org/pipermail/guardian-dev/2017-March/005220.html mailing list post] [https://github.com/n8fr8/orbot/commit/6496cb11d61e0e42c48569c9eae303e0cd625e85 commit] || -% ||2017-06-20 00:09:50 ||2017-06-20 00:32:21 || ||meek ||Outage of meek-azure bridge. 
||[https://lists.torproject.org/pipermail/tor-project/2017-June/001209.html start] [https://lists.torproject.org/pipermail/tor-project/2017-June/001209.html end] || -% ||2017-07-29 07:19:00 ||2017-08-17 03:32:00 || ||meek ||Outage of meek-amazon bridge, caused by an expired certificate. ||[https://atlas.torproject.org/#details/F4AD82B2032EDEF6C02C5A529C42CFAFE516564D Atlas] [https://crt.sh/?id=130970041 expired certificate] [https://crt.sh/?id=192217077 new certificate] || +The year 2016 brought the first reports of efforts to block meek. +These efforts all had in common that they used TLS fingerprinting +in conjunction with SNI inspection. +In May, a Tor user reported that Cyberoam\index{Cyberoam firewall}, +a firewall company, had released an update that enabled detection and blocking +of meek, among other Tor pluggable transports~\cite{tor-dev-cyberoam}. +Through experiments we determined that the firewall +was detecting meek whenever it saw a combination of two features: +a specific client TLS fingerprint, +and an SNI containing any of our three front domains: +\nolinkurl{www.google.com}, \nolinkurl{a0.awsstatic.com}, +or \nolinkurl{ajax.aspnetcdn.com}~\cite{traffic-obf-cyberoam}. +We verified that changing either the TLS fingerprint +or the front domain was sufficient to escape detection. +Requiring both features to be present was a clever move +by the firewall to limit collateral damage: +it did not block those domains for all clients, +but only the subset having a particular TLS fingerprint. +I admit that I had not considered the possibility +of using TLS and SNI together to make a more precise classifier. +We had known since the beginning of the possibility of TLS fingerprinting, +which is why we spent the time to implement browser-based TLS camouflage. 
+And there was no error in the camouflage: +even an ordinary Firefox~38 +(the base for Tor Browser, and what meek camouflaged itself as) +was blocked by the firewall when accessing one of the three front domains. +However, Firefox~38 was by that time a year old. +I found a source saying that it made up only 0.38\% +of desktop browsers, compared to 10.69\% for the then-latest Firefox~45~\cite{traffic-obf-cyberoam}. +My guess is that the firewall makers considered the small amount +of collateral blocking of Firefox~38 users to be acceptable. + +In July I received a report of similar behavior +by a FortiGuard firewall\index{FortiGuard firewall}~\cite{traffic-obf-fortiguard} +from Tor user Kanwaljeet Singh Channey. +The situation was virtually the same: +the firewall would block connections having a specific TLS fingerprint +and a specific SNI. +This time, the TLS fingerprint was that of Firefox~45 +(which by then Tor Browser had upgraded to); +and the specific SNIs were only two, omitting \nolinkurl{www.google.com}. +(This meant that meek-google would have worked, +had it not been deactivated back in May.) +As in the Cyberoam case, +changing either the TLS fingerprint or the front domain +was sufficient to get through the firewall. + +For reasons not directly related to domain fronting or meek, +I had been interested in the blocking situation in Kazakhstan, +ever since Tor Metrics reported a sudden drop of Tor users +in that country in June 2016~\cite{kazakhstan-wiki}. +I worked with an anonymous collaborator, who reported +that meek was blocked in the country since October 2016 or earlier. +According to them, changing the front domain would evade the block, +but changing the TLS fingerprint didn't help. +I did not independently confirm these reports. +Kazakhstan remains the only case of country-level meek blocking +that I am aware of. 
+ +Starting in July 2016, there was a months-long increase +in the number of meek users reported from Brazil~\cite{tor-metrics-userstats-bridge-combined-br}. +The estimated count went from around 100 to almost 5,000, +peaking in September 2016 before declining again. +During parts of this time, over half of all reported meek users +were from Brazil. +We never got to the bottom of why there should be so many +users reported from Brazil in particular. +The explanation may be some kind of anomaly; +for instance some third-party software that happened to use meek, +or a malware infection like the one that caused the shutdown +of meek-google. +The count dropped suddenly, from 1,500 almost to zero, +on March~3, 2017, which happened also to be the day +that meek-azure was shut down pending a migration to new infrastructure. +The count would remain low until rising again in June 2017. + +In September 2016, I began mentoring Katherine Li +in making her program GAEuploader~\cite{LiGAEuploader}, +which aims to simplify and automate the process of +setting up domain fronting. +The program automatically uploads the necessary code +to Google App Engine, +then outputs a bridge line ready to be pasted into Tor Browser or Orbot. +We hoped also that the code would be useful to other projects, +like XX-Net~\cite{xx-net}, +that provide documentation on the complicated process of +uploading code to App Engine. +GAEuploader had a beta release in January 2017~\cite{tor-dev-gaeuploader}; +however the effect on the number of users was not substantial. + +Between October~19 and November~10, 2016, +the number of meek users decreased globally by about a third~\cite{tor-trac-20495}. +Initially I suspected a censorship event, +but the other details didn't add up: +the numbers were depressed and later recovered +simultaneously across many countries, +including ones not known for censorship. 
+Discussion with other developers revealed the likely cause: +a botched release of Orbot that left some users unable to +use the program~\cite{traffic-obf-meek-decrease-orbot}. +Once a fixed release was available, +user numbers recovered. +An unanticipated effect of this occurrence was that +we learned that a majority of meek users +were using Orbot rather than Tor Browser. + + +\subsection*{2017: Long-term support} + +In January 2017, the grant I had been using to pay meek-azure's +bandwidth bills ran out. +Lacking the means to keep it running, I announced my intention to +shut it down~\cite{tor-dev-meek-azure-run-out}. +Shortly thereafter, Team Cymru offered to stand up +their own instances and pay the CDN fees, +and so we made plans to migrate meek-azure +to the new setup in the next releases. +For cost reasons, though, I still had to shut down +the old configuration before the new release +of Tor Browser was ready. +I shut down my configuration on March~3. +The next release of Tor Browser was on March~7, +and the next release of Orbot was on March~22: +so there was a period of days or weeks during which +meek-azure was completely non-functional for users. +It would have been better to allow the two configurations +to run concurrently for a time, +so that users of the old would be able to transparently +upgrade to the new---but in this case it wasn't possible. +Perhaps not coincidentally, the surge of users from Brazil, +which had started in July 2016, +ceased on March~3, the same day I shut down meek-azure before its migration. +Handing over control of the infrastructure was a relief to me. +I had managed to make sure the monthly bills got paid, +but it took more care and attention than I liked. +A negative side effect of the migration was that +I stopped writing monthly summaries of costs, +because I was no longer receiving bills. 
+ +Also in January 2017, I became aware of the firewall company +Allot Communications, thanks to my anonymous collaborator +in the Kazakhstan work. +Allot's marketing materials advertised support for detection +of a wide variety of circumvention protocols, +including Tor pluggable transports, Psiphon, +and various VPN services~\cite{traffic-obf-allot}. +They claimed support for ``Psiphon CDN (Meek mode)'' +going back to January 2015, +and for ``TOR (CDN meek)'' going back to April 2015. +We did not have any Allot devices to experiment with, +and I do not know how (or how well) their detectors worked. + +In June 2017, the estimated user count from Brazil +began to increase again, similarly to how it had +between July 2016 and March 2017. +Just as before, we did not find an explanation for the increase. + +Between July~29 and August~17, +meek-amazon had another outage due to an expired TLS certificate. \chapter{Building circumvention systems}