Circumventing Web Censorship Nick Feamster. An Old Problem Many governments/companies trying to limit their citizens access to information –Censorship.

Slides:



Advertisements
Similar presentations
Network Security Problems Nick Feamster
Advertisements

Filtering: Sharpening Both Sides of the Double-Edged Sword Prof. Nick Feamster Georgia Tech feamster cc.gatech.edu.
Accessibility and Trust Nick Feamster Georgia Tech.
Privacy and Anonymity Nick Feamster CS 6262 Spring 2009.
SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
Forward Error Correction Demystified Presented by Sunrise Telecom Broadband … a step ahead.
Chipping Away at Censorship with User-Generated Content Sam Burnett, Nick Feamster and Santosh Vempala.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
Csc333 Data communication & Networking Credit: 2.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
Presenting: Dafna Shahaf. Infranet: Circumventing Web Censorship and Surveillance Nick Feamster, Magdalena Balazinska, Greg Harfst, Hari Balakrishnan,
1 Caching in HTTP Representation and Management of Data on the Internet.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
In the last part of the course we make a review of selected technical problems in multimedia signal processing First problem: CONTENT SECURITY AND WATERMARKING.
Privacy on the Web Gertzman Lora Krakov Lena. Why privacy? Privacy is the number one consumer issue facing the internet. An eavesdropper (server, service.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Anonymization and Privacy Services Infranet: Circumventing Web Censorship and Surveillance, Feamster et al, Usenix Security Symposium 2002.
Web server and web browser It’s a take and give policy in between client and server through HTTP(Hyper Text Transport Protocol) Server takes a request.
J2EE Web Fundamentals Lesson 1 Introduction and Overview
© Copyright 2012 STI INNSBRUCK Tor project: Anonymity online.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Wyatt Pearsall November  HyperText Transfer Protocol.
1 TCP/IP Perversion Rares Stefan, Third Brigade Inc. SecTor 2007.
Lecture#1 on Internet. Internet Addressing IP address: pattern of 32 or 128 bits often represented in dotted decimal notation IP address: pattern of 32.
Security in Computing Chapter 12, Cryptography Explained Part 7 Summary created by Kirk Scott 1.
Bandwidth and noise. Bandwidth basically means how fast your signal can change or how fast can you send out symbols. – Symbol is something you send out.
1 Infranet: Submersible Surfing Nick Feamster Magdalena Balazinska Greg Harfst Hari Balakrishnan David Karger.
Anonymity on the Internet Presented by Randy Unger.
POSTER TEMPLATE BY: Whitewater HTTP Vulnerabilities Nick Berry, Joe Joyce, & Kevin Vaccaro. Syntax & Routing Attempt to capture.
NATs and UDP Victor Norman CS322 Spring NAPT Suppose we have a router doing NAT: half is the “public side”, IP address ; other half is.
CS1Q Computer Systems Lecture 17 Simon Gay. Lecture 17CS1Q Computer Systems - Simon Gay2 The Layered Model of Networks It is useful to think of networks.
Covert Channels Thomas Arnold CSCI 5235/Summer /12/2010.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
Information Security By:-H.M.Patel. Information security There are three aspects of information security Security service Security mechanism Security.
Johann A. Briffa Mahesh Theru Manohar Das A Robust Method For Imperceptible High- Capacity Information Hiding in Images. INTRODUCTION  The art of Hidden.
STATE MANAGEMENT.  Web Applications are based on stateless HTTP protocol which does not retain any information about user requests  The concept of state.
Introduction to Quantum Key Distribution
STEGANOGRAPHY AND DIGITAL WATERMARKING KAKATIYA INSTITUTE OF TECHNOLOGY AND SCIENCES,WARANGAL.
Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.
TCP/IP (Transmission Control Protocol / Internet Protocol)
2007cs Servers on the Web. The World-Wide Web 2007 cs CSS JS HTML Server Browser JS CSS HTML Transfer of resources using HTTP.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 22 PHILLIPA GILL - STONY BROOK U.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
CSCI-235 Micro-Computers in Science Privacy & Security.
ITP 457 Network Security Networking Technologies III IP, Subnets & NAT.
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
Skype.
Benjamin Knapic Nicholas Johnson.  “Tor is free software and an open network that helps you defend against a form of network surveillance that threatens.
By: Brett Belin. Used to be only tackled by highly trained professionals As the internet grew, more and more people became familiar with securing a network.
DNS-sly: Avoiding Censorship through Network Complexity
Ad-blocker circumvention System
Tor Internals and Hidden Services
Vocabulary Prototype: A preliminary sketch of an idea or model for something new. It’s the original drawing from which something real might be built or.
Practical Censorship Evasion Leveraging Content Delivery Networks
Web Caching? Web Caching:.
Vocabulary Prototype: A preliminary sketch of an idea or model for something new. It’s the original drawing from which something real might be built or.
Using SSL – Secure Socket Layer
0x1A Great Papers in Computer Security
How Our Customers Communicate With Us
Comodo Dome Data Protection
Presentation transcript:

Circumventing Web Censorship Nick Feamster

An Old Problem Many governments/companies trying to limit their citizens access to information –Censorship (prevent access) –Punishment (deter access) –Surveillance (spy on or monitor access) –China, Saudi Arabia, many companies

Renewed Relevance "Your abhorrent actions in China are a disgrace," said Rep. Tom Lantos, the top Democrat on the House International Relations Committee. "I simply don't understand how your corporate leadership sleeps at night."

An Old Problem Many governments/companies trying to limit their citizens access to information –Censorship (prevent access) –Punishment (deter access) –Surveillance (spy on or monitor access) –China, Saudi Arabia, many companies How can we defeat such attempts? –Circumvent censorship –Undetectably

Requirements Client deniability –Detection could be embarrassing or worse Client statistical deniability –Even suspicion could be a problem Server covertness/statistical deniability –If server detected, can be blocked –Behave identically for clients and others Communication robustness –Even without detecting, censor could scramble covert channel Performance (bandwidth, latency) Confidentiality…and covertness.

Bottom Line Easy to hide what you are getting –E.g., just use SSL or some other confidential channel And easy to get through censors –Reflection (e.g., Safeweb) But hard to hide that you are doing it! To be practical, all these problems must be solved Want both confidentiality and covertness

Circumventing Censors Censors allow certain traffic Use to construct a covert channel –Talk to normal servers –Embed requests for censored content in normal- seeming requests –Receive censored content hidden in normal-seeming responses Requester: client asking for hidden content Responder: server covertly providing it

CENSOR Block/Tamper E.g., Great Firewall of China User browser User computer Infranet Architecture Requester Std. HTTP Visible responses Hidden responses Visible requests Hidden requests Infranet comm. tunnel Responder Uncensored Web site Ubiquitously deployed! Censored Web site cnn.com GET cnn.com Tunnel is covert in both directions Tunnel is confidential in both directions

Problems to Be Solved Hiding transmission of downstream content –How does the client transmit requests Upstream –Sending requests covertly to responder

Upstream Requests: More challenging No random content bits that can be fiddled to send messages to responder –Munging HTTP or TCP header fields problematic Solution: let browsing pattern itself be the message Suppose web page has k links. –GET on i th link signifies symbol i to requester –Result: log 2 (k) message bits from link click Can be automated To prevent censor from seeing message, encrypt with responder key

Goals Deniability: requester generates standard http GETs to allowed web sites –Fact of GETs isnt itself proof of wrongdoing –Known rule for translating GETs to message, but message is encrypted, so no evidence Statistical deniability –Encrypting message produces random string –Sent via series of random GETs –Problem: normal user browsing not random Some links rare Conditional dependence of browsing on past browsing

Upstream: Paranoid Mode Settle for one message bit per GET –Odd/even links on page –Or generalize to mod k for some small k User has many link choices for each bit –Can choose one that is reasonable –Incorporate error correcting code in case no reasonable next link sends correct bit Drawback: user must be directly involved in sending each message bit –Very low bandwidth vs time spent

Problems to Be Solved Hiding transmission of downstream content –How does the client transmit requests Upstream –Sending requests covertly to responder

Downstream Communication: Easier Responder is a normal web server, serving images (among other things) Encrypt data using a session key Embed in unimportant, random bits of images –Hide it, e.g., in high-order color bits steganography –Tamper-resistant watermarking Encrypted data looks random---only requester can tell it isnt (and decrypt)

Goals Analysis Client looks innocent Server less so –Any one image seems innocent –Same image with different random bits in each is suspicious –Evasion: webcams, banner ads, etc. Performance: ~1 KB/small image (variable)

Blocking Techniques Answer 1: not our problem –Leave it to watermarking research to figure out non- erasable watermarks Answer 2: semantic embeddings –Use position of objects in document –Prevents erasure because might be ruining content Answer 3: embed data in broadcast signals –Voice of America –Satellite broadcast TV channel What if censor erases high-order bits of the image?

Higher Performance Idea: Arithmetic coding of hidden requests –If request i has probability p i, then entropy of request distribution is – p i log p i –Arithmetic coding encodes request i using log p i bits –Result: expected request size equals entropy –Optimal Problem: Requester doesnt know probability distribution of hidden requests –Doesnt have info needed for encoding

Solution: Range-Mapping Responder serves many requesters –Uses past requests to build C, distribution of hidden requests –Sends to requester on easy downstream path Requester uses C to build arithmetic code and send encoded request Use visible GETs (clicks) as symbols that are sent (not bits) From its own server access logs, responder knows that different clicks have different conditional probabilities

Toy Example Suppose possible hidden requests fewer than links on page Responder sends dictionary: –link 1 means –link 2 means –Assigns common requests to common GETs Requester GETs link matching intended request One GET sends full (possibly huge) request Problem: in general, possible requests –Cant send a dictionary for all

Generalize: Twenty Questions Order all hidden request strings lexicographically Identify split string such that –Strings up to split have total probability 0.5 –Strings after split have total probability 0.5 Responder sends split string Requester sends 0/1 as desired request precedes/follows split string Recurse on half of distribution selected Result: requester sends O(entropy) bits

Range-Mapping in Pictures If each page has k links, each request transmits lg( k ) bits Expected # of visible requests to modulate a hidden request = ceil[H( C ) / lg ( k )] + 2

Problems and Next Steps Responders can be discovered and blocked –The discovery problem: allowing clients to discover responders ahead of censors All clients need not fetch content from the origin. Instead: –Some clients obtain content from origin (e.g., via responder, USB key, etc.) –CDN behind firewall distributes content to rest of clients –General idea: separation of upstream/downstream

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.