forked from amiiigh/mbwebsite
-
Notifications
You must be signed in to change notification settings - Fork 0
/
technical.html
83 lines (77 loc) · 8.32 KB
/
technical.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
<!DOCTYPE html>
<html>
<head>
<title>MassBrowser</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<script src="https://kit.fontawesome.com/fe0b14f795.js" crossorigin="anonymous"></script>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<link rel="apple-touch-icon" sizes="180x180" href="https://massbrowser.cs.umass.edu/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="https://massbrowser.cs.umass.edu/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="https://massbrowser.cs.umass.edu/favicon-16x16.png">
<link href="https://fonts.googleapis.com/css?family=Rajdhani|Roboto&display=swap" rel="stylesheet">
<link rel="manifest" href="https://massbrowser.cs.umass.edu/site.webmanifest">
<link rel="stylesheet" href="./assets/css/styles.css">
</head>
<body>
<div class="des-container">
<div class="section-text">
<h4>TL;DR Technical Description</h4>
<p>
Censorship circumvention tools traditionally work by relaying the user's traffic through proxy servers outside of the censoring region. The proxy servers have open access to the Internet and are able to retrieve the requested pages on behalf of the user. Unfortunately, this simple scheme has two downsides.
</p><ul>
<li> <strong>Proxy servers can be blocked by the censors.</strong> Since proxy servers have defined public IP addresses, censors can block access to the proxies by applying IP filtering at their border gateways. Even if the proxy IP addresses are not publicly announced, censors can gain access to the IP addresses by imitating censored users.</li>
<li> <strong> Maintaining proxy servers.</strong> Circumvention systems must have enough infrastructure to handle the bandwidth of all its users. The number of users using circumvention systems is relatively high, considering entire nations such as China and Iran have censored access to the Internet. This imposes extremely high costs for maintaining proxy servers for the circumvention system providers.</li>
</ul>
<p></p>
<p>
To provide a robust and cost-effective solution, we have designed MassBrowser. MassBrowser uses a number of different techniques to provide censorship circumvention which is hard to block by the censors, not too expensive to maintain and delivers performance comparable to that of traditional circumvention systems.
</p>
<h3 id="volunteer-relays"> Volunteer Relays </h3>
<p>
Instead of relying solely on publicly hosted proxy servers, MassBrowser utilizes <em>volunteers</em> which we call <strong>MassBuddys</strong>. Volunteers are users residing outside the censored regions who are willing to help censored users gain open access to the Internet by allowing them to proxy their traffic through their devices. In concept, volunteer relays are very similar to traditional proxies, however they have two beneficial properties
</p><ol>
<li>No single entity is responsible for providing all the necessary bandwidth needed to support censored users</li>
<li>Volunteers may have changing and non-public IP addresses, making it more difficult for censors to block them using traditional methods</li>
</ol>
Volunteer-based systems are not a new concept. The largest anonymity system in use today, i.e., <a href="https://www.torproject.org/">Tor</a>, is run by volunteers. To answer to possible concerns volunteers may have, the MassBuddy client provides the volunteer with a range of options for limiting the bandwidth usage and even choosing websites they wish to allow.
<p></p>
<p>
Blocking volunteers is more difficult for censors than traditional public proxies, however it is far from perfect and censors may still block volunteer relays. A typical approach against censors used in many circumvention systems is to avoid announcing all available proxies (or volunteer relays) to the users. Similarly, in MassBrowser each client will only have access to a small number of all available relays. This way, even if the censors mimic benign users, they will only every be able to block a small portion of all available relays.
</p>
<p>
</p>
<h3>Backup Proxies and Domain Fronting</h3>
<p>
In the <a href="https://massbrowser.cs.umass.edu/#volunteer-relays">Volunteer Relays</a> section we mentioned that each censored user will only have access to a small subset of all available volunteer relays. However, if the censors manage to block all the relays a particular user has access to, the user will be stuck with blocked relays and will be unable to use the system. The user cannot be assigned another non-blocked relay, since the censors would take advantage and start blocking more relays.
</p>
<p>
To mitigate this problem, the MassBrowser network has a number of public backup proxies which will be assigned to users if all the users available relays have been blocked. Of course, if we simply use a traditional proxy there is nothing keeping the censors from blocking those as well. Instead, we use a recently proposed technique called <strong>Domain Fronting</strong> to keep the proxies from being blocked.
</p>
<p>
<strong>Domain Fronting</strong> is a technique in which the proxy server is hosted behind a Content Delivery Network (CDN) and is accessed through the CDNs IP addresses in a way which avoids any unencrypted mentioning of the desired service (i.e. the proxy server). In order to block this proxy server, the censors would have to block access to any website hosted on that CDN which is a highly undesirable. You can learn more about Domain Fronting through the original paper linked below.
</p><ul>
<li><a href="http://www.icir.org/vern/papers/meek-PETS-2015.pdf">Blocking-resistant communication
through domain fronting, Proceedings on Privacy Enhancing Technologies 2015</a></li>
</ul>
<p></p>
<p>
You might be thinking this seems great, why not make a circumvention system based solely on Domain Fronting? While Domain Fronting does make a very robust system against censors blocking proxies, it still requires a high maintenance cost. In fact, there already is a widely used Domain Fronting based system, named <a href="https://trac.torproject.org/projects/tor/wiki/doc/meek">meek</a>, deployed as a Pluggable Transport for Tor. In its approximately three years of operation, the total cost for operating meek's servers have reached over $50,000.
</p>
<h3>CDNBrowsing</h3>
<p>
<strong>CDNBrowsing</strong> is another recent technique in censorship circumvention which takes advantage of CDNs. Unlike Domain Fronting in which we access a proxy hosted behind a CDN, <strong>CDNBrowsing</strong> is used to directly access website content from CDNs without revealing to the censors what content is being accessed. You can read more about how CDNBrowsing works in the papers linked below.
</p><ul>
<li><a href="https://people.cs.umass.edu/~amir/papers/CacheBrowser.pdf">CacheBrowser: Bypassing Chinese Censorship without Proxies using Cached Content, ACM CCS 2015</a></li>
<li><a href="https://people.cs.umass.edu/~amir/papers/CDNReaper.pdf">Practical Censorship Evasion Leveraging Content Delivery Networks, ACM CCS 2016</a></li>
</ul>
<p></p>
<p>
CDNBrowsing can be used with virtually no extra cost as it accesses content directly without needing any hosted proxies. Similar to Domain Fronting, it is also unblockable by the censors. It's main disadvantage however is that it can only retrieve CDN hosted content. So on its own it is only suitable for websites which are completely hosted on CDNs. Even though many websites do satisfy this requirement, as of now the majority of websites only have their media content (e.g. images, videos,...) hosted on CDNs leaving their HTML pages inaccessible to CDNBrowsing systems.
</p>
<p>
While limited on its own, CDNBrowsing can prove to be hugely beneficial when used in conjunction with the other methods described above. Images, videos and other CDN hosted content are actually the bulk of most websites. Using CDNBrowsing techniques, MassBrowser obtains any CDN hosted content directly from CDN edge servers without going through any proxies or volunteer relays. This reduces the traffic load on volunteer relays, allowing them to serve more censored users with the same amount of used bandwidth, and also reduces the traffic on our backup proxy servers.
</p>
</div>
</div>
</body>
</html>