[Cryptography] CacheBrowser plug-in routes around Chinese Great Firewall
Henry Baker
hbaker1 at pipeline.com
Sat Dec 5 10:57:44 EST 2015
FYI --
Between the nation-state attacks on certificate authorities and DNS servers, the web is barely holding on; I can just hear Scotty saying "Captain, we can't hold out much longer...".
It's interesting that *everything* seems to be moving into the browser: individual browsers now build their own chains of trust, because they can't/don't trust their own OS's to do this; certificate pinning places the browser vendors themselves as the root of trust; TorBrowser incorporates the whole Tor system, and now "CacheBrowser", which handles all of its own DNS lookup to bypass Chinese poisoned DNS servers.
CacheBrowser takes advantage of the Tor-like mixing behavior already present in existing commercial CDN's. All of the content is readily available from thousands of CDN "edge servers"; blocking all of them effectively blocks *most all* traffic, period, since most all traffic comes from CDN's these days, resulting in too-massive collateral damage, while blocking any small number of them achieves nothing, because there are thousands of other edge servers with exactly the same content.
It's interesting that with content providers moving to ubiquitous encrypted HTTPS, bogus certs and poisoned DNS servers are about the only ways left for nation-states to attack web traffic on a wholesale basis.
It's also interesting that CacheBrowser has to utilize a low-bandwidth covert channel to perform its own DNS lookups, and then cache them locally to provide for reasonable performance. This works so long as major content providers--e.g., news organizations--don't change their CDN's very often.
But if you want to build a non-browser application for the web -- e.g., for the Internet-of-Things -- you're going to be out of luck, because you're going to have to develop your own certificate authority workarounds and DNS workarounds, because the browsers have taken on those responsibilities.
http://www.theregister.co.uk/2015/12/03/kazakhstan_to_maninthemiddle_all_internet_traffic/
"Kazakhstan may be about to intercept and decrypt its citizens' internet traffic by ordering them to install rogue security certificates."
http://www.technologyreview.com/news/543711/browser-plug-in-punches-an-unfixable-hole-in-chinas-great-firewall/
Browser Plug-in Punches an Unfixable Hole in China's Great Firewall
By exploiting the plumbing of the Web, researchers have created a new way around online censorship that governments could struggle to shut down.
By Tom Simonite on November 20, 2015
It could soon be a lot easier to access blocked news sites and even the social network Facebook from inside China thanks to a simple browser plug-in developed by researchers at the University of Massachusetts, Amherst.
https://people.cs.umass.edu/~amir/papers/CacheBrowser.pdf
The Chinese government's Great Firewall blocks many foreign websites, such as news sources and social networks. The best-established tools to evade that kind of censorship, such as the anonymity network Tor or encrypted VPN connections, can make browsing slow and are actively targeted by the government.
Tests of the new browser plug-in, called CacheBrowser, from inside China show that it provides "an effective solution that doesn't slow browsing so much," says Amir Houmansadr, an assistant professor at UMass Amherst.
http://www.cachebrowser.info/#/
https://github.com/CacheBrowser/cachebrowser
For sites that use encryption, censors in China or elsewhere can't easily shut down the tool without also preventing access to thousands of popular websites that aren't censored, he says. "They'll have to block thousands or millions of other webpages," says Houmansadr. "This advances the arms race in censorship resistance."
Houmansadr built CacheBrowser with John Holowczak, until recently an undergraduate at UMass Amherst. Working versions of the plug-in for the Chrome and Firefox browsers are available but aren't straightforward to install. Work is underway to change that and to provide better documentation. Available data suggests that CacheBrowser should work for over 80 percent of the sites that China blocks among the world's 1,000 most popular, including Facebook and Bloomberg. Houmansadr expects that proportion to grow as the feature of the Web's plumbing it relies on becomes more common.
The most established tools for avoiding Web censorship rely on computers located outside a country that censors the Web. Those computers must access pages on your behalf and relay the data back. Tor does that using a network of computers offered up by volunteers around the globe. Using a VPN connection has a computer pull all its traffic through a particular computer rented out for that purpose.
CacheBrowser instead exploits a mechanism used by companies to make their pages load faster to allow a computer to sidestep the censors and access the pages it wants directly.
Censorship systems like China's mostly rely on blocking computers from accessing the Web addresses and IP addresses, which identify specific servers, of blacklisted sites. But when you visit a popular website, your computer is usually directed to download it from the servers of a content delivery network, a company such as Akamai that website operators pay to store copies of their data on many servers around the world so people can access it faster. Use of content delivery networks is very common among major sites and growing; Cisco expects a majority of all Internet traffic to pass through them within a few years.
http://www.cisco.com/c/en/us/solutions/collateral/service-provider/ip-ngn-ip-next-generation-network/white_paper_c11-481360.html
Censors tend to leave content delivery networks alone because their servers host many different sites, most of which they don't want to block, says Houmansadr. CacheBrowser works by going directly to content delivery network servers to download pages when you type in a Web address, using a lookup table of websites and their content delivery networks.
Charlie Smith, a pseudonym, who works with the nonprofit GreatFire.org, which tracks China's censorship, says that using content delivery networks that way is "an excellent strategy" that could help people resist a recent strengthening of China's control of the Web.
"We have seen a huge crackdown on circumvention tools," he says. "Many Internet users in China are scrambling to find new ways to get around censorship. The more working circumvention solutions there are, the better it is for everybody." GreatFire.org uses the free pass that content delivery networks get from China's censors to make censor-proof copies of certain static webpages, in a project called Collateral Freedom. CacheBrowser makes it possible to access a much broader selection of pages, including interactive pages (such as services that require you to log in).
https://en.greatfire.org/blog/2014/jan/collateral-freedom-faq
Houmansadr hopes to see his tool start helping people in China and elsewhere, and also that some publishers will consider making more use of content delivery networks to make their content more difficult to censor.
Houmansadr is also wondering how authorities in China might respond. If they start blocking content delivery networks, China could be cut off from much of the Web. When the country's censors temporarily blocked a content delivery network owned by Verizon in 2014, it became impossible to access thousands of websites, including that of Hong Kong-based bank HSBC.
https://en.greatfire.org/blog/2014/nov/china-just-blocked-thousands-websites
Smith of GreatFire says he doesn't think that tactic will be used again, suggesting CacheBrowser could be here to stay. "Cutting [content delivery networks] off would create severe negative economic consequences for China," he says.
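The mechanism the post and the article describe (a client-side lookup table of sites and their CDNs, local caching of the result, and a direct TLS connection to an edge server that still validates the certificate against the real hostname) can be illustrated offline. The following is an added example, not code from the cryptography list post or from the CacheBrowser project; every hostname, CDN name and address in it is constructed (the IPs are taken from the RFC 5737 documentation ranges), and the table format is an assumption made for the illustration.

```python
# Added example (not from the list post or the CacheBrowser project): a
# CacheBrowser-style resolver that keeps its own table of which CDN fronts a
# hostname plus that CDN's known edge addresses. A DNS answer is accepted only
# if it lands inside the CDN's edge prefixes; anything else is treated as a
# poisoned answer and replaced with an edge from the table. All names and
# addresses below are constructed (RFC 5737 documentation ranges).
import ipaddress
import socket
import ssl
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed lookup table: hostname -> CDN that fronts it.
SITE_TO_CDN = {
    "news.example": "cdn-a",
    "social.example": "cdn-b",
}

# Constructed per-CDN data: the prefixes edge servers live in, and a few
# known edges the client can contact directly when DNS cannot be trusted.
CDN_EDGE_PREFIXES = {
    "cdn-a": ["198.51.100.0/24"],
    "cdn-b": ["203.0.113.0/24"],
}
CDN_EDGES = {
    "cdn-a": ["198.51.100.10", "198.51.100.11"],
    "cdn-b": ["203.0.113.20"],
}


@dataclass
class CacheEntry:
    address: str
    expires: float


class CdnResolver:
    """Resolves a hostname to a CDN edge address without trusting DNS."""

    def __init__(self, ttl: float = 3600.0):
        self.ttl = ttl
        self.cache: Dict[str, CacheEntry] = {}

    def answer_is_plausible(self, hostname: str, address: str) -> bool:
        """Accept a DNS answer only if it lies inside the edge prefixes of the
        CDN our table says serves the host; anything else is treated as
        poisoned or injected."""
        cdn = SITE_TO_CDN.get(hostname)
        if cdn is None:
            return False
        ip = ipaddress.ip_address(address)
        return any(ip in ipaddress.ip_network(p) for p in CDN_EDGE_PREFIXES[cdn])

    def resolve(self, hostname: str, dns_answer: Optional[str] = None,
                now: Optional[float] = None) -> str:
        """Return an edge address: local cache first, then a plausible DNS
        answer, then the static edge list from the table."""
        now = time.time() if now is None else now
        entry = self.cache.get(hostname)
        if entry is not None and entry.expires > now:
            return entry.address
        if dns_answer is not None and self.answer_is_plausible(hostname, dns_answer):
            chosen = dns_answer
        else:
            cdn = SITE_TO_CDN.get(hostname)
            if cdn is None:
                raise LookupError(f"no CDN mapping for {hostname}")
            chosen = CDN_EDGES[cdn][0]
        self.cache[hostname] = CacheEntry(chosen, now + self.ttl)
        return chosen


def build_request(hostname: str, path: str = "/") -> str:
    """The TCP connection goes to the edge IP, but the Host header (and the
    TLS SNI set in open_edge_tls) still name the site actually wanted."""
    return f"GET {path} HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n"


def open_edge_tls(edge_ip: str, hostname: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect to the edge by IP while validating the certificate against the
    real hostname, so a rogue 'edge' cannot impersonate the site. Does real
    network I/O and is not exercised by the offline demo."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((edge_ip, 443), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=hostname)


def demo() -> Dict[str, str]:
    """Offline walk-through with a constructed poisoned DNS answer."""
    r = CdnResolver(ttl=60.0)
    results = {}
    # Poisoned answer (192.0.2.1 is outside cdn-a's prefixes): rejected.
    results["poisoned"] = r.resolve("news.example", dns_answer="192.0.2.1", now=0.0)
    # Cache hit inside the TTL: the edge chosen above is reused, DNS ignored.
    results["cached"] = r.resolve("news.example", dns_answer="198.51.100.11", now=30.0)
    # Cache expired: a plausible answer inside cdn-a's prefix is accepted.
    results["fresh"] = r.resolve("news.example", dns_answer="198.51.100.11", now=100.0)
    return results


if __name__ == "__main__":
    for label, edge in demo().items():
        print(f"{label:9s} -> {edge}")
    print(build_request("news.example", "/index.html"))
```

The point to take from `open_edge_tls` is that bypassing DNS does not weaken certificate validation: `server_hostname` is the site's real name, so the edge must present a certificate valid for that name, and the cache only ever shortcuts name resolution, not trust.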