Practical Censorship Evasion Leveraging Content Delivery Networks
Authors: Hadi Zolfaghari, Amir Houmansadr
Presented By: Hanzhi Wang

Censorship
- Censorship – preventing access to certain websites and content
- Political reasons

Outline: Background, Censorship Methods, CDN Browsing, Current Vulnerabilities, CDNReaper, Criticisms, Conclusion

Censorship Methods
- IP Address blocking
- DNS Interference
- Deep-Packet Inspection (DPI)
- Three methods used to accomplish this

IP Address Blocking
- ip: 198.35.26.96, host: wikipedia.org
- A blacklist of IP addresses; all requests with a destination matching the blacklist are dropped

DNS Interference Blocking
- query: allowed.com, answer: 93.184.216.34
- query: blocked.com, answer: no
- Interfering with DNS resolution using a MITM
- Allowed domains are resolved as usual
- DNS queries for forbidden domains are dropped or have an invalid answer returned
- This and IP blocking are packet filter firewalls

Deep-Packet Inspection (DPI)
- GET /image.jpg
- Block requests and responses based on content
- Application layer firewall
- Can block individual parts of a site

CDN Browsing
- Technique to circumvent censorship methods
- Makes use of Content Delivery Network (CDN) hosting providers
- Host censored content amongst uncensored content
- Blocking would incur collateral damage
- A way to get around censorship
- CDNs host content of multiple tenants at the same location
- Block all or nothing

Circumventing Censorship Methods
- IP Blocking
  - Content hosted on CDNs share a set of IP addresses
  - IP based blocking would cause collateral blockage for uncensored content
- DNS Interference
  - Connect directly using edge server IPs
- Deep-Packet Inspection (DPI)
  - Use HTTPS
- IP blocks cause collateral damage
- CDNs have fixed set of edge server IPs
- Skip DNS resolution entirely
- HTTPS prevents inspection of traffic contents

Flaws In Existing CDN Browsing Systems
- Study of CacheBrowser, the first CDN browsing system
- Information leakages may compromise circumvention techniques
  - HTTPS destination leakage
  - Domain-based website fingerprinting
- CDN browsing (as-is) not a perfect solution
- Authors found vulnerabilities within CacheBrowser
- Information is leaked which may allow censors to identify source/destination of traffic, i.e. can identify that traffic is destined for a certain site

HTTPS Destination Leakage
- How CDNs deploy HTTPS:
  - CDN Domain Certificates (e.g. *.akamaihd.net)
  - Subject Alternative Name (SAN) Certificates
  - Server Name Indication (SNI)
  - Dedicated IP Addresses
- 4 different ways CDNs can provide HTTPS
- SAN certs have domain name in cert
- SNI used to indicate which tenant’s cert should be returned
- IP address used to identify associated website
- Vulnerable to DPI blocking

Domain Based Fingerprinting
- Websites embed objects from other domains
- Can fingerprint websites based on how many packets they receive from other domains
- Authors created fingerprinting tool
  - Tested on top 100 sites blocked in China and Iran
  - 99.1% accuracy
  - 10μs / classification
- DPI filters may be able to do this fingerprinting
- Websites have objects (CSS, JS libs)
- Each site has different objects, different amount of content loaded from each external site
- E.g. chart
- Tool created to show viability and potential accuracy

CDNReaper
- New CDN browsing system
- Fixes identified vulnerabilities
  - HTTPS destination leakage
  - Domain based fingerprinting
- Authors created new CDN browser
- Aims to fix aforementioned vulnerabilities

Preventing HTTPS Destination Leakage
- CDN-specific solutions
  - Send request to arbitrary edge server, get wildcard certificate
  - Contact dedicated IP of another CDN tenant
  - Remove or replace SNI entry
- Few ways to prevent HTTPS dest leakage
- CDNs implement HTTPS in different ways, require different approaches
- Some CDNs will return a wildcard cert when sending to arbitrary edge (i.e. instead of the edge the CDN would normally direct request to)
- For dedicated IPs, send to the dedicated IP of another tenant
- Some CDNs allow empty or mismatched SNI fields
- Depends on the CDN, CDN specific settings

Preventing Domain Based Fingerprinting
- Scrambler
  - Inject decoy requests
  - Drop unnecessary requests (e.g. advertisements)
- Scrambler ‘evens out’ number of requests to each site
- Also drops requests not vital to the content of the page, similar to adblock
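
Domain-based fingerprinting and the scrambler idea from the two slides above, as an added example (not the authors' fingerprinting tool or CDNReaper's scrambler). All sites, domains and packet counts are constructed, the nearest-profile classifier is a stand-in, and padding every domain to one fixed target is a simplifying assumption.

```python
import math

# Constructed fingerprints: packets received per embedded domain on a page load.
PROFILES = {
    "site-a.example": {"cdn1.example": 120, "fonts.example": 14, "ads.example": 40},
    "site-b.example": {"cdn1.example": 35, "video.example": 300, "ads.example": 38},
    "site-c.example": {"cdn2.example": 80, "fonts.example": 15},
}
# Constructed later visits (counts vary a little from load to load).
VISITS = {
    "site-a.example": {"cdn1.example": 112, "fonts.example": 16, "ads.example": 43},
    "site-b.example": {"cdn1.example": 31, "video.example": 322, "ads.example": 35},
    "site-c.example": {"cdn2.example": 86, "fonts.example": 13},
}
AD_DOMAINS = {"ads.example"}  # hypothetical "unnecessary request" list

def distance(a, b):
    """Euclidean distance between two per-domain packet-count vectors."""
    return math.sqrt(sum((a.get(d, 0) - b.get(d, 0)) ** 2 for d in set(a) | set(b)))

def classify(observed, profiles):
    """Nearest-profile match on per-domain packet counts."""
    return min(profiles, key=lambda site: distance(observed, profiles[site]))

def scramble(counts, domains, target):
    """Drop ad domains, then pad every remaining domain up to `target` with decoys."""
    return {d: max(counts.get(d, 0), target) for d in sorted(domains) if d not in AD_DOMAINS}

def evaluate():
    """Return (visits identified unscrambled, scrambled vectors, decoy packets added)."""
    domains = {d for p in PROFILES.values() for d in p}
    target = max(max(v.values()) for v in VISITS.values())
    plain_hits = sum(classify(v, PROFILES) == s for s, v in VISITS.items())
    scrambled = [scramble(v, domains, target) for v in VISITS.values()]
    decoys = sum(sum(sc.values()) - sum(n for d, n in v.items() if d not in AD_DOMAINS)
                 for sc, v in zip(scrambled, VISITS.values()))
    return plain_hits, scrambled, decoys

if __name__ == "__main__":
    hits, scrambled, decoys = evaluate()
    print(hits, "of", len(VISITS), "visits identified without scrambling")
    print("identical after scrambling:", all(s == scrambled[0] for s in scrambled))
    print("decoy packets added:", decoys)
```

The decoy count makes the bandwidth cost of evening out the per-domain counts visible next to the loss of classifier signal.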

Reach of CDN Browsing
- Top 10,000 websites analysed to determine CDN browsing readiness
- Top 10,000 by Alexa rank
- Some class 1 and 2 – ready for CDN browsing
- Majority are class 4 (partial CDN)

Supporting Partial CDN Websites
- Content Wrappers
  - Lightweight HTML page which embeds CDN hosted content
  - Created manually for each website
- Dynamic Mirroring
  - Mirrors non-CDN content dynamically as requested
  - Similar to domain fronting
- Content wrappers used where interesting content is CDN hosted
- Can only serve static content
- Dynamic mirroring creates CDN hosted mirrors of content as requested
- Domain fronting (only for non-CDN content)

Criticisms – Negative
- Only looked at CacheBrowser
- Fingerprinting – “99.1% accuracy”
  - Only for top 100 blocked sites
  - False positive / false negative rate?
- Focused only on China and Iran
- No discussion on DPI censorship methods used in practice
- Solution to HTTPS destination leakage relies on current implementations by CDNs

Criticisms – Positive
- Comprehensive solution to identified CDN browsing weaknesses
- Provides suggestions for making websites more accessible
- Analysis of performance and costs – practicality of solution
- Created tools to assist with CDN browsing

Conclusion
- CDN browsing circumvents censorship methods
- CDNReaper created to resolve vulnerabilities in existing CDN browsers
- Analysis of CDN browsing readiness of websites
- Tools created to help make sites CDN browsable

Thank you
Questions?