internet censorship is everywhere
play

Internet censorship is everywhere Source: - PowerPoint PPT Presentation

Feb 05, 2023 •157 likes •539 views

Internet censorship is everywhere Source: https://freedomhouse.org/report/freedom-net/freedom-net-2016 Commonly censored content Unapproved news (Fake News!!111) Wikipedia (usually partially) Facebook Google (all services), YouTube

  2. Internet censorship is everywhere Source: https://freedomhouse.org/report/freedom-net/freedom-net-2016

  3. Commonly censored content ● Unapproved news (Fake News!!111) ● Wikipedia (usually partially) ● Facebook ● Google (all services), YouTube ● Twitter ● Content prohibited by state religion

  4. Censorship techniques

  5. Censorship techniques

  6. Censorship techniques

  7. Censorship techniques

  8. Decoy Routing: motivation Censors are sophisticated ● They drop connections by IP and trash Domain Name Service responses ● They (easily) detect and block open proxies ● They heuristically detect TOR traffic and then send out active probes to confirm and block Can we do something better, than cat-and- mouse game with proxies?

  9. Decoy Routing: overview Not Blocked Blocked T apDance Station

  10. Decoy Routing: overview Not Blocked Blocked T apDance Station

  11. Decoy Routing: assumption ● There are uncensored websites. It is economically and politically infeasible to block everything. ● Client can establish connection to the unblocked website and then signal their actual intent to visit another website .

  12. Decoy Routing: techniques Telex DR TapDance Slitheen Cirripede . Steganographic ClientRandom TCP ISN ClientRandom TLS ClientRandom channel Ciphertext No Inline No No No Yes No blocking Asymmetric No Yes Yes Yes No fmows Replay attack Yes No No No* Yes defense Traffjc/latency No No No No* Yes analysis defense *could and will be fixed

  13. Decoy Routing: idea Client initiates connection to Decoy Server and signals his intent to visit Covert Server. Decoy Router, located on partner ISP's premises routes client there. Decoy Decoy Server Client Router (amazon.com) Covert Server (facebook.com)

  14. Decoy Routing: TapDance Main difference of TapDance: it doesn't block the flow. Rationale: ISPs refused to deploy other Decoy Routing schemes with inline blocking. Decoy Server Client (amazon.com) Don't block the flow Duplicate traffic TapDance Covert Server Station (facebook.com)

  15. TapDance: tag In the first application data packet the client sends a hidden tag, which: ● Can only be detected and decrypted by station. ● Contains key to Client↔Decoy connection. Hidden tag Decoy Server Client (amazon.com) Don't block the flow Duplicate traffic TapDance Covert Server Station (facebook.com)

  16. TapDance: tag Problem: flow is not blocked, thus client must somehow remotely “mute” Decoy Server, so it stays quiet while Client and TapDance communicate. Solution: send incomplete HTTP request! Hidden tag Decoy Server Client (amazon.com) Don't block the flow Duplicate traffic TapDance Covert Server Station (facebook.com)

  17. TapDance: Incomplete HTTP request Simplified request: GET /octocat.jpg HTTP/1.1\r\n Host: amazon.com\r\n X-Tag: < tag > Request is incomplete(no 2 newlines in the end), Decoy Server will wait for ending, which won't come.

  18. TapDance: initial message Station uses information from tag to decrypt Client↔Decoy flow and inject messages into it. To censor it looks like Decoy Server sends those messages. Decoy Server Client (amazon.com) Hey, got your hidden message, what's up? TapDance Covert Server Station (facebook.com)

  19. TapDance: initial message Now, when connected to TapDance station, client could request what it wants. TapDance Station simply proxies the connection at this point, like any other common proxy server. Decoy Server Client (amazon.com) Hey, connect me to that Covert server! TapDance Covert Server Station (facebook.com)

  20. TapDance: initial response Station establishes connection to Covert Server and proxies the traffic. Decoy Server Client (amazon.com) TapDance Covert Server Station (facebook.com)

  21. TapDance: recap No inline blocking: all traffic from client goes to Decoy. Client voluntarily gives out encryption key for Client↔Decoy, so station can decrypt the flow and set up tunneling of Client↔Covert. Decoy Server Client (amazon.com) Don't block the flow Duplicate traffic TapDance Covert Server Station (facebook.com)

  22. TapDance: Request Format Tag's representative is then used to decrypt the payload. Payload has TLS session data, needed to decrypt the whole HTTP request and further connection.

  23. TapDance: ciphertext channel 1 0 AES AES … P 1 P 0 00 00 00 00 00 .. 47 45 54 20 2f .. C 1 C 0 64 5e 59 48 d4 .. 26 5e df 61 22 ..

  24. TapDance: ciphertext channel 1 0 AES AES … P 1 P 0 01 00 00 00 00 .. 47 45 54 20 2f .. C 1 C 0 64 5e 59 48 d4 .. 27 5e df 61 22 ..

  25. TapDance: ciphertext channel 1 0 AES AES … P 1 P 0 27 5c dc 65 27 .. 47 45 54 20 2f .. C 1 C 0 64 5e 59 48 d4 .. 01 02 03 04 05 ..

  26. TapDance: ciphertext channel 1 0 AES AES … P 1 P 0 07 0c 0c 05 07 .. 47 45 54 20 2f .. C 1 C 0 64 5e 59 48 d4 .. c1 92 43 64 f5 ..

  27. TapDance: ciphertext channel GET /octocat.jpg HTTP/1.1 \r\n Host: www.amazon.com \r\n X-T: u]DhsYGxVxEvuZE…\r\n Encrypt ...1e 91 b2 ce 94 8a 6b 3c 5e ef 97 34 f1 2e c6 e6 f9 6a 0c ff 38 70 d7 63 3c 5e cf 57 3a f0 6e...

  28. Client ● Logic is written in Golang, thus cross-platform ● Works on Android ● Many interesting challenges ● Fingerprintability ● Lack of root → inability to change tcp state

  29. References See all papers on DecoyRouting.com . To list a few: ● Eric Wustrow, Colleen Swanson, and J. Alex Halderman. " TapDance : End-to-Middle Anticensorship without Flow Blocking." USENIX Security, 2014 ● Ellard, Daniel, Christine Jones, Victoria Manfredi, W. Timothy Strayer, Bishal Thapa, Megan Van Welie, and Alden Jackson. " Rebound : Decoy routing on asymmetric routes via error messages." IEEE, 2015. ● Bocovich, Cecylia, and Ian Goldberg. " Slitheen : Perfectly Imitated Decoy Routing through Traffic Replacement." ACM SIGSAC, 2016 ● Bernstein, Daniel J., Mike Hamburg, Anna Krasnova, and Tanja Lange " Elligator : Elliptic-curve points indistinguishable from uniform random strings." ACM SIGSAC, 2013

  30. Link to slides To download the slides visit my blog: SergeyFrolov.github.io

  31. Questions? Decoy Server Client (not blocked) Don't block the flow Duplicate traffic TapDance Covert Server Station (blocked)

  32. TapDance: Request Format First application data packet, sent by client to Decoy Server, contains hidden tag. Station locates the tag by fixed offset from the end. Tag's representative is then used to decrypt the payload. Payload has TLS session data, needed to decrypt the whole HTTP request and further connection.

  33. TapDance: Incomplete HTTP request Full request is as follows: GET /anything HTTP/1.1 Host: anyhost.tld X-E: <Future extensions> X-T: <Padding><Base64 encoded tag > Request is incomplete(no 2 newlines in the end), leaving Decoy Server waiting for ending, which never comes. Subsequent traffic sent by client will have wrong TCP SEQ number(wrong according to Decoy, as he didn't see TapDance station's response), so Decoy will ignore it. X-E stands for Extensions, X-T stands for Tag.

  34. TapDance: Tag ● Elligator representative, when combined with station's private key, gets a secret, shared between client and station. ● The secret is used to encrypt/decrypt the payload. ● All fields are base64 encoded, thus take 33% more space on the wire. ● Additionally, TCP packet has 16 bytes of AES- GMAC(of TLS encryption of whole Request) in the end. ● As a result, station looks for the tag at (32+129+16)*8/6+16=252 bytes offset from the end.

  35. TapDance: Payload ● Flags are needed for future extensions. ● Master key, Server and Client Random are needed to decrypt the rest of the connection and inject Station and Covert's traffic into conversation between Client and Decoy. ● Remote connection ID allows to resume old connection.

  36. TapDance: Reverse Encryption Find plaintext for target ciphertext In order for station to be able to decrypt the tag, we have to find plaintext, which after being encrypted by user ssl lib, contains the target tag. To do that, client recovers the keystream of the cipher stream, that will be XORd with plaintext by TLS library later, and XORs desired ciphertext with that keystream. base64 encoding We cannot choose arbitrary plaintext, as we have to be in ascii range, and use base64 encoding, therefore first 2 bits of every byte are unusable. As a result, for every 8 bits of plaintext, we can only use 6.

  37. TapDance: Elligator Ultimately, Elligator is a fancy way to hide a client's public key(which is a point on a curve), such that its representation looks random, thus indistinguishable for censor.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Censored Planet Observatory Measuring Internet censorship globally, continuously, and remotely

Censored Planet Observatory Measuring Internet censorship globally, continuously, and remotely

Censored Planet Observatory Measuring Internet censorship globally, continuously, and remotely Internet Measurement Village 2020 Ram Sundara Raman June 26, 2020 Measuring Censorship is a Complex Problem! Internet censorship practices are

644 views • 52 slides
Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship Zhongjie Wang , Yue

Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship Zhongjie Wang , Yue

Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship Zhongjie Wang , Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth V Krishnamurthy University of California, Riverside 1 Internet Censorship Key technology: Deep Packet

528 views • 33 slides
Measuring Internet Censorship Maria Xynou, 10th June 2020 Internet Measurement Village 2020

Measuring Internet Censorship Maria Xynou, 10th June 2020 Internet Measurement Village 2020

Measuring Internet Censorship Maria Xynou, 10th June 2020 Internet Measurement Village 2020 Its harder to notice the blocking of less popular sites &amp; services Internet censorship often differs from network to network within a

602 views • 34 slides
Security and Internet Security Censorship Hacker Viruses Computer Literacy 1 Lecture

Security and Internet Security Censorship Hacker Viruses Computer Literacy 1 Lecture

Topics Security and Internet Security Censorship Hacker Viruses Computer Literacy 1 Lecture 24 Phishing 13/11/2008 Firewall Censorship of the Internet 2 Examples Hacking or Cracking Virus Cracking = Subverting

462 views • 6 slides
Pushback vs Censorship Fighting Internet Shutdowns in Africa BEFORE WE DIVE INTO THE SUBJECT,

Pushback vs Censorship Fighting Internet Shutdowns in Africa BEFORE WE DIVE INTO THE SUBJECT,

JULIE OWONO - JUNE 25, 2020 Pushback vs Censorship Fighting Internet Shutdowns in Africa BEFORE WE DIVE INTO THE SUBJECT, What is Internet Sans Frontires ? Its a French non-pro f it organization, and a network of local organizations in

125 views • 8 slides
Censored Planet: Measuring Internet Censorship Globally and Continuously Roya Ensafi AIMS 2018

Censored Planet: Measuring Internet Censorship Globally and Continuously Roya Ensafi AIMS 2018

Censored Planet: Measuring Internet Censorship Globally and Continuously Roya Ensafi AIMS 2018 1 Measuring Internet Censorship Globally PROBLEM: - How can we detect whether pairs of hosts around the world can talk to each other? user ?

780 views • 49 slides
The Collateral Damage of Internet Censorship by DNS Injection Anonymous

The Collateral Damage of Internet Censorship by DNS Injection Anonymous

The Collateral Damage of Internet Censorship by DNS Injection Anonymous &lt;zion.vlab@gmail.com&gt; presented by Philip Levis 1 Basic Summary Great Firewall of China injects DNS responses to restrict access to domain names This

574 views • 43 slides
Incentivizing Censorship Measurements via Circumvention Ihsan Ayyub Qazi Aqib Nisar* Zartash A.

Incentivizing Censorship Measurements via Circumvention Ihsan Ayyub Qazi Aqib Nisar* Zartash A.

Incentivizing Censorship Measurements via Circumvention Ihsan Ayyub Qazi Aqib Nisar* Zartash A. Uzmi Aqsa Kashaf** * Now at USC ** Now at CMU Internet censorship is pervasive! - Over 70 countries restrict Internet access Often due to

745 views • 39 slides
Andrs E. Azprua #imv2020 Internet Censorship, DNS poisoning and Phishing in Venezuela

Andrs E. Azprua #imv2020 Internet Censorship, DNS poisoning and Phishing in Venezuela

Andrs E. Azprua #imv2020 Internet Censorship, DNS poisoning and Phishing in Venezuela Measuring from censorship to state-sponsored attacks Andrs E. Azprua #imv2020 @VEsinFiltro VEsinFiltro.com VENEZUELAN CONTEXT Critical failure

833 views • 56 slides
Chipping Away at Censorship with User-Generated Content Sam Burnett, Nick Feamster and Santosh

Chipping Away at Censorship with User-Generated Content Sam Burnett, Nick Feamster and Santosh

Chipping Away at Censorship with User-Generated Content Sam Burnett, Nick Feamster and Santosh Vempala Internet Censorship is a Problem 12 censors 11 monitors More on the way Some censors have fastest growth in Internet usage

626 views • 43 slides
How we tried to establish a nationwide internet censorship measurement system in Ukraine

How we tried to establish a nationwide internet censorship measurement system in Ukraine

How we tried to establish a nationwide internet censorship measurement system in Ukraine Methodology Measurements are conducted by monitors using their personal mobile devices (except for Donbas and Crimea) on public WiFi access points

280 views • 12 slides
Uncovering Internet Censorship International Journalism Festival, 6 th April 2017 Arturo Filast

Uncovering Internet Censorship International Journalism Festival, 6 th April 2017 Arturo Filast

Uncovering Internet Censorship International Journalism Festival, 6 th April 2017 Arturo Filast &amp; Maria Xynou Free software project (under the Tor Project) aimed at empowering decentralized efforts in increasing transparency of Internet

452 views • 32 slides
Your state is not mine: a closer look at evading stateful internet censorship Zhongjie Wang, Yue

Your state is not mine: a closer look at evading stateful internet censorship Zhongjie Wang, Yue

Your state is not mine: a closer look at evading stateful internet censorship Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth V Krishnamurthy University of California, Riverside Background The Great Fire Wall (GFW) A

322 views • 28 slides
Fighting Censorship with TunnelBear Internet Measurement Village - July 2, 2020 Mission driven

Fighting Censorship with TunnelBear Internet Measurement Village - July 2, 2020 Mission driven

Fighting Censorship with TunnelBear Internet Measurement Village - July 2, 2020 Mission driven development We think the Internet is a much better place when everyone can browse privately, and browse the same Internet as everyone else.

234 views • 19 slides
Measuring and Circumventing Internet Censorship and Control Nick Feamster Georgia Tech

Measuring and Circumventing Internet Censorship and Control Nick Feamster Georgia Tech

Measuring and Circumventing Internet Censorship and Control Nick Feamster Georgia Tech http://www.cc.gatech.edu/~feamster/ Joint work with Sam Burnett, Santosh Vempala, Sathya Gunasekaran, Crisitan Lumezanu, Hans Klein, Wenke Lee, Phillipa

570 views • 38 slides
Censorship-Resistant Architectures Henry Tan Micah Sherr Georgetown University Georgetown

Censorship-Resistant Architectures Henry Tan Micah Sherr Georgetown University Georgetown

Censorship-Resistant Architectures Henry Tan Micah Sherr Georgetown University Georgetown University Censorship-Resistant Architectures 1 The Censorship Problem Internet censorship is a problem in certain areas of the world. In some cases,

260 views • 15 slides
Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key

Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key

Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key Management Service Client Side Encryption AWS Encryption SDK Server Side Encryption S3 Object Encryption Amazon Simple Storage Service

387 views • 22 slides
Experience of so-ware engineers using TLA+, PlusCal and TLC

Experience of so-ware engineers using TLA+, PlusCal and TLC

Experience of so-ware engineers using TLA+, PlusCal and TLC Chris Newcombe Principal Engineer, Amazon Web Services 1 Amazon Web Services 30+

588 views • 30 slides
Amazon Elastic Compute Cloud (EC2) vs. in-House HPC Platform a Cost Analysis J. Emeras, S.

Amazon Elastic Compute Cloud (EC2) vs. in-House HPC Platform a Cost Analysis J. Emeras, S.

Amazon Elastic Compute Cloud (EC2) vs. in-House HPC Platform a Cost Analysis J. Emeras, S. Varrette, P. Bouvry Parallel Computing and Optimization Group (PCOG), University of Luxembourg (UL), Luxembourg S. Varrette (PCOG Research unit)

670 views • 38 slides
Amazon AWS Yasser Ganjisaffar http://www.ics.uci.edu/~yganjisa February 2011 What is Hadoop?

Amazon AWS Yasser Ganjisaffar http://www.ics.uci.edu/~yganjisa February 2011 What is Hadoop?

MapReduce, Hadoop and Amazon AWS Yasser Ganjisaffar http://www.ics.uci.edu/~yganjisa February 2011 What is Hadoop? A software framework that supports data-intensive distributed applications. It enables applications to work with

617 views • 33 slides
Securing Serverless and Container Services Marc Schrter AWS DevOps Engineer @ globaldatanet

Securing Serverless and Container Services Marc Schrter AWS DevOps Engineer @ globaldatanet

Securing Serverless and Container Services Marc Schrter AWS DevOps Engineer @ globaldatanet Community Day 2019 Sponsors Serverless DevOps Automation Continuous Delivery Highly scalable and Infrastructure as Code fault-tolerant solutions

410 views • 40 slides
Scalable Gaussian Processes Zhenwen Dai Amazon 9 September 2019 @GPSS 2019 Zhenwen Dai (Amazon)

Scalable Gaussian Processes Zhenwen Dai Amazon 9 September 2019 @GPSS 2019 Zhenwen Dai (Amazon)

Scalable Gaussian Processes Zhenwen Dai Amazon 9 September 2019 @GPSS 2019 Zhenwen Dai (Amazon) Scalable Gaussian Processes 9 September 2019 @GPSS 2019 1 / 46 Gaussian process Input and Output Data: X = ( x 1 , . . . , x N ) y = ( y 1 ,

516 views • 47 slides
Library2Go for Kindle - Instructions Kindle Fire, Smartphone and Tablet users: You must have

Library2Go for Kindle - Instructions Kindle Fire, Smartphone and Tablet users: You must have

Library2Go for Kindle - Instructions Kindle Fire, Smartphone and Tablet users: You must have access to the Library2Go full site (not the mobile site) to access Kindle eBooks directly from your device. Click the link on the E-book help page

384 views • 24 slides
StarCluster - NumPy/SciPy Computing on Amazons Elastic Compute Cloud (EC2) Justin Riley

StarCluster - NumPy/SciPy Computing on Amazons Elastic Compute Cloud (EC2) Justin Riley

Outline Introduction Amazon EC2 Basics StarCluster Overview Conclusions StarCluster - NumPy/SciPy Computing on Amazons Elastic Compute Cloud (EC2) Justin Riley Software Tools for Academics and Researchers Office of Educational Innovation

941 views • 74 slides

More recommend