The Tor Project is a free network run by volunteers that hides users’ locations and usage from surveillance and traffic analysis. Essentially, it provides online anonymity to anybody who wants it.
Tor users can send email and instant messages, surf websites, and post content online without anyone knowing who or where they are. Consequently, it is widely acknowledged as an important tool for freedom of expression.
That’s clearly a worry for authoritarian regimes that want to control and limit their citizens’ access to the outside world. The biggest and most powerful of these is China, and the government there operates a firewall that denies its citizens online access to the outside world.
It’s no surprise then that the Great Firewall of China, as it is called, actively blocks access to the Tor network. So an interesting question is how this censorship works and how it might be circumvented.
Today, Philipp Winter and Stefan Lindskog at Karlstad University in Sweden provide an answer.
These guys have conducted a comprehensive analysis of the way the Great Firewall of China blocks Tor and how these measures might be sidestepped.
First, a bit of background about Tor. Let’s imagine a fictional user called Alice. To use the Tor network, Alice must first download the free software package, which she runs on her computer.
This software encrypts Alice’s online communication and sends it to a Tor server called an entry relay, which then directs it randomly through a network of Tor relays operated by volunteers around the world. Anybody receiving information from Alice can trace the message back only to the last Tor server.
Also, since the Internet addresses of the sender and receiver are encrypted while they are in the network, an eavesdropper cannot tell who sent a message or where it is going.
The obvious way for China to prevent access to Tor is to block access from inside the country to the entry relays. That’s easy because the entry relays are publicly listed, and, indeed, the Great Firewall of China does exactly this.
However, in anticipation of this tactic, the Tor network always operates a number of entry relays without publishing their details. These are much harder to block and can easily be changed.
The trouble is that the Great Firewall of China seems to have found a way to detect and block these secret relays as well.
Now Winter and Lindskog think they’ve worked out how this is done. The trick has been to set up their own secret relay and to try to connect to it from inside China (building on previous work by Tim Wilde at Team Cymru).
The Tor software that Alice runs must connect with any Tor relay it contacts using a special handshake protocol. This protocol contains unique sequences of code.
Winter and Lindskog say the firewall uses deep packet inspection to look for this code in any outgoing communications. If it finds it, it assumes a potential Tor connection. It then attempts to make its own connection. If that works, the firewall then blocks future access to this IP address.
Impressively, Winter and Lindskog have worked out the details of how the deep packet inspection does this.
Even more impressively, these guys have used Google’s reverse DNS lookup service to work out who seems to be behind this censorship. The evidence points strongly to two of China’s largest telecom companies: China Telecom and China Unicom.
Both of these organisations are government-owned and clearly well placed to operate a firewall on this scale.
So what to do? With their newfound knowledge of how the Great Firewall of China works, Winter and Lindskog suggest a number of strategies that Tor users could exploit to beat it.
One idea is packet fragmentation: dividing up the packets to confuse the deep packet inspection system so that it cannot easily find and block secret relays.
However, that relies on all Tor users using packet fragmentation. A single Tor user who connects to a secret relay in the conventional way will give it away, allowing the authorities to block it.
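The detect, probe and block sequence described above, and the reason fragmentation only holds if every client uses it, can be modelled in a few lines. This is an added example, not code from the paper or from Tor; the signature bytes, the relay address and the stubbed probe are all constructed placeholders.

```python
"""Toy model of the detect / probe / block loop (constructed data throughout)."""

# Constructed stand-in for the handshake byte sequence; the article does not
# give the real bytes, and none are used here.
SIGNATURE = b"EXAMPLE-HANDSHAKE-MARKER"
HELLO = b"\x16\x03" + SIGNATURE + b"\x00rest-of-hello"
BRIDGE = "192.0.2.10"          # documentation-range address, constructed


def fragment(payload: bytes, size: int) -> list[bytes]:
    """Split one payload into segments of at most `size` bytes."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]

def per_packet_match(segments: list[bytes]) -> bool:
    """Inspector that looks at each segment in isolation."""
    return any(SIGNATURE in seg for seg in segments)

def reassembled_match(segments: list[bytes]) -> bool:
    """Inspector that rebuilds the byte stream before matching."""
    return SIGNATURE in b"".join(segments)


class Firewall:
    def __init__(self, matcher, speaks_handshake):
        self.matcher = matcher                    # DPI stage
        self.speaks_handshake = speaks_handshake  # active-probe stage (stubbed)
        self.blocked: set[str] = set()

    def observe(self, dst: str, segments: list[bytes]) -> str:
        if dst in self.blocked:
            return "dropped"
        # Flag on signature, confirm with the firewall's own connection,
        # then block future access to that address.
        if self.matcher(segments) and self.speaks_handshake(dst):
            self.blocked.add(dst)
        return "passed"


def run(matcher, flows: list[list[bytes]]) -> list[str]:
    """Send each flow to BRIDGE in order and return the per-flow outcome."""
    fw = Firewall(matcher, speaks_handshake=lambda ip: ip == BRIDGE)
    return [fw.observe(BRIDGE, segs) for segs in flows]


if __name__ == "__main__":
    frag, whole = fragment(HELLO, 8), [HELLO]
    print(run(per_packet_match, [frag, frag, frag]))    # all clients fragment
    print(run(per_packet_match, [frag, whole, frag]))   # one conventional client
    print(run(reassembled_match, [frag, frag]))         # inspector reassembles
```

The second run shows the weakness noted above: the one unfragmented connection gets the relay blocked for the fragmenting client that follows. The third shows that an inspector which reassembles the stream is not affected by fragmentation at all.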
Perhaps the most promising avenue is a tool currently being developed called Obfsproxy. This camouflages Tor traffic, making it look like something else, such as Skype traffic, for example.
China is clearly worried about this approach. The Great Firewall of China currently blocks all published relays designed to use Obfsproxy. However, Winter and Lindskog set up a private Obfsproxy relay in Sweden and successfully connected to it from inside China. “We initiated several connections to it over several hours and could always successfully establish a Tor circuit,” they say.
That seems to prove that the deep packet inspection system cannot spot private Obfsproxy relays and so looks like a promising route forward.
The main reason the Great Firewall is able to detect Tor traffic is that it is easily distinguishable from other types of Internet traffic. “It is crucial that this distinguishability is minimised,” conclude Winter and Lindskog.
There is a broader issue of course. Because Tor is an open and transparent organisation, these kinds of discussions about how best to circumvent the Chinese firewall inevitably take place in public, in full view of the Chinese authorities they are attempting to outwit.
The mere publication of Winter and Lindskog’s paper gives the Chinese authorities full view of the techniques these guys have used to reveal how the firewall works.
Security analysts and the developers behind Tor must be sorely tempted to hide their deliberations and protect their future work behind an impenetrable veil of secrecy. That must be resisted.
These kinds of open discussion may be like fighting with one hand tied behind your back. But surely such is the price of freedom.
Ref: arxiv.org/abs/1204.0447: How China Is Blocking Tor