China vs. Tor - The Arms Race
14 Aug 2018Since the inception of information controls, governments have been working to limit access to the open Internet. This happens through a variety of methods, such as throttling, changing website content, or completely blocking access to a service. So developers reacted by creating novel ways to circumvent these controls, and thus the arms race was born.
One of the most prevalent examples of this race is between China and the Tor network, a network designed to keep users both secure and anonymous. Due to the implementation of Tor, users can circumvent information controls as their traffic is redirected to a more open country. For example, a user in Iran may want to access a local news website in the United States, but the Iran government blocks this news website. If the user hops on the Tor network, he can have his traffic redirected through the United States thus that he then gains access to look at this news site.
This means that users in China can circumvent government blocks to access services such as Twitter and Facebook. This may seem pointless when China has similar clones such as Weibo, but it’s important to note that these Chinese services are heavily monitored and controlled; user posts can be automatically deleted for mentioning the wrong person, or criticizing a government policy. Thus, activists and other citizens can communicate and organize through other services by using the Tor network.
So over time, the Chinese government and the Tor Project have been taking turns making changes to protocols, software, and information controls. Eventually, China implemented deep packet inspection (DPI), in which they “look inside” user traffic to determine if Tor is being used, and appropriately block the server being used. In this way, users lost the ability entirely to access the Tor network.
Then along came pluggable transports: plugins for Tor that allow users to connect to the Tor network by modifying traffic. For example, a pluggable transport can make user traffic look like Skype video chat traffic, which the firewall allows. The most-used in China today is meek, which uses a technique known as domain fronting to route user traffic through another server before connecting to the Tor network.
However, there are some issues with meek. It is expensive to maintain, requiring many resources and presenting bottlenecks for user bandwidth; this can result in meek being very slow for users, and requiring more resources as the number of users increases.
The most important issue at hand is that domain fronting is being collectively blocked by cloud providers. Meek utilized Amazon, Google, and Microsoft cloud services in order to operate. Amazon decided to disable the domain fronting capability, with Google following suit. Microsoft has stated that they will disable the capability, but have not done so yet. However, the threat is still there, and when Microsoft does invetiably disable domain fronting, meek will no longer work. This will leave thousands of users without access to the Tor network; among these are activists, users wanting to connect with foreign families, or ordinary people wanting deserved privacy from their government.
So what is the solution? Right now, there is none. We can develop a new method that is incredibly difficult for China to block, such as through domain fronting, or we can make it harder for China to obtain (and subsequently block) the addresses of machines within the Tor network. Both of these are difficult problems, and not enough resources are being directed towards them. We need to develop a solution to the problem preemptively, before meek stops working, so that the solution can be properly rolled out and be widely available on release.
You can read more about this issue and obtain a more technical overview in my recent FOCI 2018 paper.