wiki:org/meetings/2012SummerDevMeeting/Notes/S1CensorshipCircumvention

Session 2 - Censorship circumvention

Tor just so happens to be good at it.

Context

  • It was an accident. We were going for anonymity. We got circumvention to boot, and then we discovered that we're really good at it.
  • Many politicians have been told to care about it. That makes it important, yo'.
  • Little-t tor wants censorship detection built into BridgeDB.
  • Information analysis

Research Questions

  1. Things not exactly on Tor's radar, but some Tor people know about them:
    • Telex, for example, though it doesn't know about anonymity.
    • Can use tools in combination Tor+PT, Tor+Telex.
  1. New Tor versions could have metrics of anonymity:
    • Can an attacker find out you reside in Iran?
    • Helps us understand why people are using Tor, and in which places for which primary reasons. If we can understand specifically what a certain government/ISP is doing, we can better design pluggable transports for that userbase.
  1. Someone asked: "Does it make sense to loosen the threat model for Tor to improve performance? For example, two instead of three hops, and have a way to do measurements on path selection, and drop low latency paths."

Several people answered simultaneously: "Tor does this already."

Then someone else explained, "Tor is not slow due to geographically disparate relays - it's low-performance relay. Paper at conference that was totally wrong. Suggested local relays for better performance. Based on bad assumptions - assuming what works in some locations for some people works for all.

  1. Does censorship circumvention require anonymity?
    • Tor's stated goal is not necessarily to hide that one is using Tor
    • Could we use pluggable transports to hide that? Is it possible to create the philosopher's stone of pluggable transports, an HTTP PT?
    • Even bridges are shifting to obfuscation.
  1. Would be great if we had threat models to pick from, i.e. writing a paper based on this model or that.
    • Could use TRIKE - threat modeling framework. Crazy twenty page uber-formalized threat model. By Elleanor.

Reputation?

Does the Tor Project name evoke the idea of censorship circumvention?

Tor allows folks to use Facebook where they couldn't before - at that point anonymity becomes a secondary issue to users.

Devs only use "anonymity" in discussions with researchers. [RST] Wait, wut? That's not the only group I talk about anonymity with...

Focus on censorship circumvention started when mail from China started rolling in. Then anti-blocking paper followed, then bridges.

Tor is becoming umbrella company for a number of projects.

Tor Project rushed into censorship detection and circumvention projects like OONI and Obfsproxy.

Precise plan includes making sure Tor works from everywhere. But does that mean Tor needs to address every censorship tech?

Should another researcher have to also do the work to reverse-engineer Skype to create the same transport for another program? Let's instead design an API-like inferface for future versions of Tor such that anyone can include Tor functionality, and make our transports agnostic so anyone can use them without Tor. One of the greatest wrongs is forcing another hacker to reinvent the wheel.

Concerns over PTs

Tor developed Obfsproxy. Others wanted (and tried, in some cases) to use it in their threat models, i.e. using it to hide/encrypt traffic, but not understanding that Obfsproxy is trivially fingerprintable and decryptable. Those projects may not have understood that things often do not work out of context.

That relates to branding issue - some trust Tor because they're a big name.

Tor exercises control over Tor trademark - only allows others to use Tor name after project evaluation.

Internews, for example, didn't understand modularity in software design. Tor then deployed obfsproxy for users in Iran. Then Internews wanted to deploy obfsproxy in all their projects.

  1. The "Pluggable" Half
    1. Preference to have PT that has a TLS layer on top of existing TLS layers, making it's security properties independent of the application-layer it wraps.
    2. There will be a PT-specific discussion tomorrow.
  2. The "Transport" Half
    1. Has anyone looked at PTs in more abstract way?
      • A lot of people are focusing on PT metrics to compare them to each other.
      • Steven Murdoch has written a paper on this topic, but, because it's in the submission phase for conferences, it isn't public yet.

Quis custodiet ipsos custodes?

Ideally we should understand DPI boxes to understand what it is difficult for them to read.

Two groups, Team Cymru and <some person>, are currently evaluating censorship boxes, so what is Tor doing evaluating DPI boxes?

We could establish a "relationship" with devs at companies which produce DPI devices, like that of virus writers and virus scanners. There's not much need for this when people on our side go around owning them and extracting their private RSA keys...but sure, yeah, corporate espionage for gits and shiggles, why not?

Alice: "Someone at Bluecoat likes Tor, but no time to go drinking with this person."

Bob: "Is part of Tor's mandate to spy on box manufacturers?"

Eve: "But Tor could befriend the befrienders."

Bob: "Does Tor need a team of folks who have these conversations?"

Eve: "How much heat does success at cracking censorship bring?"

Alice: "We should have someone handle censorship events in real time to learn more."

Last modified 6 years ago Last modified on Jul 12, 2012, 12:39:16 AM