[Cryptography] CacheBrowser plug-in routes around Chinese Great Firewall

[Henry Baker]

FYI --

Between the nation-state attacks on certificate authorities and DNS servers, the web is barely holding on; I can just hear Scotty saying "Captain, we can't hold out much longer...".

It's interesting that *everything* seems to be moving into the browser: individual browsers now build their own chains of trust, because they can't/don't trust their own OS's to do this; certificate pinning places the browser vendors themselves as the root of trust; TorBrowser incorporates the whole Tor system, and now "CacheBrowser", which handles all of its own DNS lookup to bypass Chinese poisoned DNS servers.

CacheBrowser takes advantage of the Tor-like mixing behavior already present in existing commercial CDN's.  All of the content is readily available from thousands of CDN "edge servers"; blocking all of them effectively blocks *most all* traffic, period, since most all traffic comes from CDN's these days, resulting in too-massive collateral damage, while blocking any small number of them achieves nothing, because there are thousands of other edge servers with exactly the same content.

It's interesting that with content providers moving to ubiquitous encrypted HTTPS, bogus certs and poisoned DNS servers are about the only ways left for nation-states to attack web traffic on a wholesale basis.

It's also interesting that CacheBrowser has to utilize a low-bandwidth covert channel to perform its own DNS lookups, and then cache them locally to provide for reasonable performance.  This works so long as major content providers--e.g., news organizations--don't change their CDN's very often.

But if you want to build a non-browser application for the web -- e.g., for the Internet-of-Things -- you're going to be out of luck, because you're going to have to develop your own certificate authority workarounds and DNS workarounds, because the browsers have taken on those responsibilities.

http://www.theregister.co.uk/2015/12/03/kazakhstan_to_maninthemiddle_all_internet_traffic/

"Kazakhstan may be about to intercept and decrypt its citizens' internet traffic – by ordering them to install rogue security certificates."

http://www.technologyreview.com/news/543711/browser-plug-in-punches-an-unfixable-hole-in-chinas-great-firewall/

Browser Plug-in Punches an Unfixable Hole in China’s Great Firewall

By exploiting the plumbing of the Web, researchers have created a new way around online censorship that governments could struggle to shut down.

By Tom Simonite on November 20, 2015

It could soon be a lot easier to access blocked news sites and even the social network Facebook from inside China thanks to a simple browser plug-in developed by researchers at the University of Massachusetts, Amherst.

https://people.cs.umass.edu/~amir/papers/CacheBrowser.pdf

The Chinese government’s “Great Firewall” blocks many foreign websites, such as news sources and social networks.  The best-established tools to evade that kind of censorship, such as the anonymity network Tor or encrypted VPN connections, can make browsing slow and are actively targeted by the government.

Tests of the new browser plug-in, called CacheBrowser, from inside China show that it provides an effective solution that doesn’t slow browsing so much, says Amir Houmansadr, an assistant professor at UMass Amherst.

http://www.cachebrowser.info/#/

https://github.com/CacheBrowser/cachebrowser

For sites that use encryption, censors in China or elsewhere can’t easily shut down the tool without also preventing access to thousands of popular websites that aren’t censored, he says. “They’ll have to block thousands or millions of other webpages,” says Houmansadr. “This advances the arms race in censorship resistance.”

Houmansadr built CacheBrowser with John Holowczak, until recently an undergraduate at Umass Amherst. Working versions of the plug-in for the Chrome and Firefox browsers are available but aren’t straightforward to install. Work is underway to change that and to provide better documentation. Available data suggests that CacheBrowser should work for over 80 percent of the sites that China blocks among the world’s 1,000 most popular, including Facebook and Bloomberg. Houmansadr expects that proportion to grow as the feature of the Web’s plumbing it relies on becomes more common.

The most established tools for avoiding Web censorship rely on computers located outside a country that censors the Web. Those computers must access pages on your behalf and relay the data back. Tor does that using a network of computers offered up by volunteers around the globe. Using a VPN connection has a computer pull all its traffic through a particular computer rented out for that purpose.

CacheBrowser instead exploits a mechanism used by companies to make their pages load faster to allow a computer to sidestep the censors and access the pages it wants directly.

Censorship systems like China’s mostly rely on blocking computers from accessing the Web addresses and IP addresses, which identify specific servers, of blacklisted sites. But when you visit a popular website, your computer is usually directed to download it from the servers of a content delivery network, a company such as Akamai that website operators pay to store copies of their data on many servers around the world so people can access it faster. Use of content delivery networks is very common among major sites and growing; Cisco expects a majority of all Internet traffic to pass through them within a few years.

http://www.cisco.com/c/en/us/solutions/collateral/service-provider/ip-ngn-ip-next-generation-network/white_paper_c11-481360.html

Censors tend to leave content delivery networks alone because their servers host many different sites, most of which they don’t want to block, says Houmansadr. CacheBrowser works by going directly to content delivery network servers to download pages when you type in a Web address, using a lookup table of websites and their content delivery networks.

Charlie Smith – a pseudonym – who works with the nonprofit GreatFire.org, which tracks China’s censorship, says that using content delivery networks that way is an “excellent strategy” that could help people resist a recent strengthening of China’s control of the Web.

“We have seen a huge crackdown on circumvention tools,” he says. “Many Internet users in China are scrambling to find new ways to get around censorship. The more working circumvention solutions there are, the better it is for everybody.” GreatFire.org uses the free pass that content delivery networks get from China’s censors to make censor-proof copies of certain static webpages, in a project called Collateral Freedom. CacheBrowser makes it possible to access a much broader selection of pages, including interactive pages (such as services that require you to log in).

https://en.greatfire.org/blog/2014/jan/collateral-freedom-faq

Houmansadr hopes to see his tool start helping people in China and elsewhere, and also that some publishers will consider making more use of content delivery networks to make their content more difficult to censor.

Houmansadr is also wondering how authorities in China might respond. If they start blocking content delivery networks, China could be cut off from much of the Web. When the country’s censors temporarily blocked a content delivery network owned by Verizon in 2014, it became impossible to access thousands of websites, including that of Hong Kong-based bank HSBC.

https://en.greatfire.org/blog/2014/nov/china-just-blocked-thousands-websites

Smith of GreatFire says he doesn’t think that tactic will be used again, suggesting CacheBrowser could be here to stay. “Cutting [content delivery networks] off would create severe negative economic consequences for China,” he says.