
How Russia is trying to block Tor

Formal metadata

Title
How Russia is trying to block Tor
Series title
Number of parts
85
Author
License
CC Attribution 3.0 Unported:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unaltered or altered form, for any legal purpose, provided that you credit the author/rights holder in the manner they specify.
Identifiers
Publisher
Publication year
Language

Content metadata

Subject area
Genre
Abstract
In December 2021, some ISPs in Russia started blocking Tor's website, along with protocol-level (DPI) and network-level (IP address) blocking to try to make it harder for people in Russia to reach the Tor network. Some months later, we're now at a steady-state where they are trying to find new IP addresses to block and we're rotating IP addresses to keep up. In this talk I'll walk through what steps the Russian censors have taken, and how we reverse engineered their attempts and changed our strategies and our software. Then we'll discuss where the arms race goes from here, what new techniques the anti-censorship world needs if we're going to stay ahead of future attacks, and what it means for the world that more and more countries are turning to network-level blocking as the solution to their political problems.
Transcript: English (auto-generated)
Okay, hi, I'm Roger and I'm going to talk today about Russia and censorship and Tor. I've got way too much to say and a lot of different topics, so I'll try to give everybody something interesting and fun that they haven't thought about before. So we earlier asked how many people have heard of Tor; that sounds great. How many people here have heard of Tor bridges or pluggable transports or the censorship side? Awesome. Okay, I see some hands yes and some hands no. So I'm going to go through a little bit of what Tor is, how Tor works. I'm going to try to go through that quickly, and from there the same intro to Tor and censorship, and then we'll talk more about the Russia side of things and what that means for the rest of the world.

Okay, so Tor is a non-profit organization. We're a 501(c)(3). We provide Tor Browser as software a lot of people use to be safe on the internet. We're also a community of activists and developers and users and relay operators all around the world. How many people here run Tor relays or bridges or Snowflakes? I see a few hands, but not as many as there should be. So think about, while I'm talking about this, think about running relays to help out other people. So we also have some number of users, maybe two million daily users, maybe eight million daily users, and we're part of a much broader ecosystem of internet freedom, anonymity research, censorship resistance, free software. So there's a broad history of what the Tor organization has done over the years. Happy to talk more about that afterwards.

So how do you actually build one of these? What is Tor for? So we've got Alice over here. She wants to browse the web to some website, Bob. Where can the attacker be? What sort of threat model are we worried about? One answer is maybe the attacker's watching Alice, maybe they're watching the Starbucks connection or they are the local Tunisian ISP, or maybe they're watching some pieces of the backbone internet, maybe they're AT&T or Verizon or Deutsche Telekom or the NSA, or maybe they're watching Bob, maybe they're watching WikiLeaks to learn what users are connecting to them and who's trying to learn things. Or maybe the adversary is Bob, maybe it's CNN.com and they want to know who their users are so they can advertise to them better. And one of the other important pieces: anonymity is not encryption. You should use encryption. Encryption is good, but even when you're using encryption, somebody watching your network traffic learns who you're talking to, when you're talking to them, how much you're talking, and that traffic metadata is what all the agencies and organizations use to try to attack things these days. So we've got creepy NSA dude. How many people here recognize creepy NSA dude? I'm hoping this is the correct audience. Okay, quite a few hands. I did this talk like a couple weeks ago to a different crowd and they're like, who is that? So we should all remember statements from the NSA like "we kill people based on metadata."

Okay, so how do you actually build one of these? The easy answer is a single centralized single-hop proxy, like VPNs and anonymizers, so all the users show up to that single relay. And there are some problems. The first problem is it's a centralized point of trust, so what happens if that central point, that VPN, decides to go bad? And it's worse than that, because it's a central point even if the VPN itself is trying to be honest: there's one wire in and the same wire out, so if you are able to watch that then you can match up timing and volume to understand who's talking to who. So the goal of Tor is to distribute the trust so that there's no single point that gets to learn that this user goes to that destination. So I'll skip over how the crypto works, but basically you build a tunnel through three relays so no single relay knows what's going on. Okay, and we've got a network of about 7,000 volunteer relays around the world. Here's a graph of bandwidth load and bandwidth capacity over the past 10 years or so.

The second half of what Tor is: I talked about Tor, the anonymity, the network layer, the hiding-your-IP-address layer. The second half is the application-level side, where we have Tor Browser, based on Firefox, that tries to fix all of the application-level issues like cookies, used to be Flash, fonts, all sorts of stuff in the browser that could be used to recognize you.

Okay, another key point to realize: transparency is critical for Tor as an ecosystem and for people to be able to trust it. So yes, that means it's open source, it's free software; it also means that we give you specifications and design documents to say this is what we meant to build, this is what we're trying to do, this is what the security goals are, and also we are publicly identified people. Hi, I'm Roger, I built Tor, I'm happy to explain that to everybody, and that level of transparency is critical for a privacy tool. And I always have somebody come up afterwards and they're like, oh ha ha, the anonymity people are talking about transparency, that's so stupid. No, actually the key is privacy is about choice, and we choose to be transparent in order to build a stronger, safer, bigger ecosystem and community. Okay, so that was the crash course on Tor, so far so good.

Now let me talk a little bit about the censorship side of things so you've got some context for what I'm going to talk about later. So the first arms race: the 7,000 public relays I was talking about, there's a list of them, you the censor grab those 7,000 IP addresses and block them and you're done. Now nobody can bootstrap into the Tor network; there's nothing to connect to. So the first step of the arms race is we have unlisted relays called bridges, and the goal is the users who are in some censored situation can get some bridges in order to bridge into the Tor network, but the adversary hopefully can't get all of them. Then the second arms race, beyond IP addresses, is based on deep packet inspection, or DPI. So the goal is there are some protocols that the censor might try to block by looking at packet patterns or bytes in the packets. So originally Tor tried to look like TLS, because who would block TLS, and then Syria blocked TLS and a bunch of other places started doing that. So we're not trying to exactly mimic Firefox talking to Apache; instead we have a more modular approach where Tor takes care of the privacy, the anonymity side of things, and then you can plug in various transports, and the goal of each transport is to transform the Tor traffic into some other protocol appearance that the censor is not willing to block.

So there are a couple of popular ones of these that work well. The most popular is called obfs4, obfuscating proxy. Basically the idea is that it adds a layer of encryption on top of whatever the input is, and that means there's no recognizable headers, there's no structure at the beginning that you can put your Zeek rules on and start recognizing the protocol. So the idea is there's a long tail of random stuff on the internet, and if you have a protocol where the automated classifier says "I don't know what that is," then the censor has to choose: do I block everything that my classifier can't classify, because then there's going to be a long tail of random stuff and a bunch of angry people who call up the Great Firewall's help desk to complain, or do I allow through everything that I can't classify, and in that case protocols like obfs4 can go through also.

There's another transport we've been working on more recently called Snowflake that basically does a WebRTC connection, so it looks like you're doing an online video call, Skype, Zoom, Jitsi, BBB, all of these, but the reality is that you're tunneling your Tor traffic through that video call. And one of the cool things about it is that you can install a browser extension to become one of these Snowflake volunteers, so you don't have to apt-get install tor and know how to edit a text file and so on; you just volunteer your browser as one of the tens of thousands of volunteers that proxy through from their censored situation into your browser extension and from there to the rest of the Tor network. So that means we've got a lot more volunteers, and it's easy to have more and more dynamic volunteers, and that means we can do more, we've got more flexibility about how to use them.

Okay, and then the third pluggable transport that is important to learn about is called meek. It's based on domain fronting. So the basic idea for domain fronting is I'm going to make a TLS connection to a popular cloud provider like Amazon or Fastly or Cloudflare, if they still allowed it, and the idea is from the outside it looks like you're connecting to a popular website that the censor is not willing to block. But once you've done the TLS connection, and you've labeled in your Server Name Indication, you've specified "I'm trying to connect to this, you know, totally ordinary website," inside that connection you then provide a Host header at the HTTP level to say "what I really wanted to go to was this other server." So from the outside it looks like a totally ordinary connection to the right IP address, to an acceptable server, but on the inside you end up actually connecting to some other cloud provider that, for example, tunnels you into the Tor network. So one big downside of domain fronting is you have to pay the front domain, whether that's Fastly or Cloudflare or Amazon or Azure or whoever it is, so you can use it for signaling, but you probably can't use it for actually proxying all of your flows.

Okay, and then the last key background thing to think about is we need smart algorithms for what we call bridge distribution, to match up volunteers who are running bridges with people who are in censored areas and need to use them. So basically the idea is to take the bridges you've got and divide them into buckets, where each bucket requires a different strategy for how you're going to give it out. So one of them is you email us from your Gmail account and we give the same answer to the same Gmail account, and the goal there is if you have one Gmail account you can get a set of bridges, but you need thousands of Gmail accounts to enumerate all of them in that bucket. There's another one that looks at what subnet on the internet you're coming from. There's another one that's based on a CAPTCHA. So that's the basic idea. We've got something similar in Snowflake land to match up volunteers with censored users, so they can know who to make what looks like a phone call to. Okay, sounds good, we're still on time.

So that was the background; now let me talk more about what we're talking about today: what Russia did, and then how we dealt with it. So our story starts at the beginning of December last year, and at that point some ISPs in Russia, it wasn't all of them but it was a third or half or something, they blocked the public IPs in the Tor network by IP address. They blocked the meek-azure domain fronting pluggable transport, and we'll talk later about how they actually did that. They grabbed the IP addresses of the obfs4 bridges that come with Tor Browser, the ones that are easy, they're built in, and they blocked those by IP address. And they blocked the Snowflake protocol by what turned out to be DPI. So in the same day or so they rolled out a bunch of these that I guess they'd been working on in parallel, and decided that that was the day to roll out their Tor block. Right around then, a little while later, we got an official notice to one of our hosting providers, Hetzner, in Russian, from the Russian censorship ministry saying that our website is bad and we need to stop having a bad website or they're going to block it, and we don't really have a way to stop having a bad website, so a few days later they blocked it, and that was the official censorship side of that.

So here's a graph of roughly the number of people who were using Tor to connect to the direct public relays. So you see it starts at maybe 300,000 and we lost maybe a third of them, and similarly a bunch of people switched over to using bridges during that month. So in some sense this one's sort of a sad graph, this one's sort of a happy graph; we'll talk more about the balance there.

So this is the detail of how they did the Snowflake DPI. Basically we try to look like WebRTC, but specific implementations behave in certain ways, and we had an extra extension on the server side that the Google Chrome WebRTC implementation doesn't have, so that was the distinguisher that they used. And we patched the WebRTC library that we use and put that out a few days later. So the Snowflake DPI block lasted for maybe 36 hours or something, until we'd put out a new version of Snowflake that got around the blocking that they did, and they haven't really rolled out any other DPI-based approaches to block Snowflake since then. So that was sort of the good news.

So this is the meek-azure detail, and all these slides are online, I know that the font is small so you don't have to worry about the details, but I was looking at trying to figure out, like, how do they block the domain fronting thing? Because we're making a connection to the Azure site, and the front domain that we're using is ajax.aspnetcdn.com, so it's like a main web server that serves JavaScript to every other website on the planet. So at first I was thinking, oh my god, they blocked this JavaScript server, the whole internet's going to be angry because Russia just blocked the front domain. They never blocked that; turns out they blocked it by IP address, turns out they blocked Azure by IP address. So this is my "no shit, let me tell you about that time that we got Russia to block all of Microsoft Azure" story. And that also lasted for a day or so, and at some point I guess somebody at Microsoft noticed that nothing was working and they rotated to a new IP address. So at that point you couldn't do Skype from Russia, you couldn't do, like, whatever it is that Microsoft hosts on Azure, because they do geo-DNS, so it isn't that they blocked everything: there's a different IP address for where in the world you are, and there's one IP address that everybody in Russia mapped to, and they blocked that IP address. So I guess the other side of the question is, was Russia willing to do that? Did they think it through and say that collateral damage is acceptable, we're gonna do it? Or was it just somebody who's like, I saw them make a connection to this IP address, so I'm gonna block that, I don't know what it is, and then they blocked a whole lot of things, including Skype. It's hard to say.

Okay, so the steady-state-ish that we're in right now is Russia is crawling various bridge addresses and trying to block them by IP address, but it's still not instantaneous. You still have days to weeks between when a new bridge shows up and we give it out to a lot of people and it gets blocked, and other obfs4 bridges are working fine, so they're definitely not blocking by protocol, they're definitely blocking by IP address. And Snowflake and meek are still working fine, but they're maybe a little less fun to use than the main ones.

Okay, so what else happened around the same time? We put up a forum post explaining to people in Russia what happened and how they can get around it, and it turns out we had just set up the Tor forum a couple of months before that, and we were using Discourse because we wanted, you know, a third-party hosted thing, and because we had a third-party hosted thing we set it up on forum.torproject.net, because we wanted to isolate the domains. I don't want to know whether Discourse is, like, faking cookies and making gitlab.torproject.org cookies, so we gave them a totally separate domain for that. Russia never blocked torproject.net, so that means our forum was reachable the entire time. Nobody's ever thought to block that, and that means we've got 177,000 views on this Russian-language post explaining what happened and how you can get around it, because they never blocked this part of it. I guess it's never occurred to them that an organization could use more than one domain name.

So the longer-term picture here: we start with our 300,000, we lose the first 100,000 in a month, and we lose the next 100,000 over the next couple of months. So it's sort of a steady state now, but there are an uncomfortably large number of places in Russia that are working hard to continue to try to block Tor, and there are quite a few people using bridges, but not quite as many as before.

So let me take a side note here. I've got all these graphs with numbers on them, but the numbers may or may not be accurate, because one of the challenges we have in the Tor world is how do we do safe-enough metrics. So the Tor relays or bridges, they don't know what you're doing with Tor, but they see you making a connection and they can publish an aggregated 24-hour summary of how many users they've seen from various countries. The challenge there is how do we extrapolate from the view of each individual relay how many total users we have, how much usage we have. So the numbers that we have here are assuming each of these users is leaving their Tor Browser on all day, and I'm pretty sure that in some countries where it's an internet cafe and you go in and you use Tor Browser for an hour and you go away, then we're off by an order of magnitude. So one way of visualizing this, I've been working with the metrics team to try to figure out how to visualize it: the green line up there is if every Tor user runs their Tor Browser for only a couple of hours a day, in that case we've got 20 million, 25 million daily users. The red line down there is if every Tor user has their Tor running all day each day, and the graphs that I've been showing you are that blue line right down there by the red line. So this is a huge range of lower bound, upper bound on how many Tor users there are all day, and we'll get back to the metrics side of things, but I wanted to let you start thinking about how do we actually accurately understand the graphs we're talking about.

Okay, and here's a graph of the number of volunteers we have in Snowflake land over the last couple of months. You can see a bump in December of the standalone proxies, the browser extension people, but they're folks who actually install the Go client on their Linux machine, they know how to do go get, and it's a headless browser, it's a headless Snowflake proxy. And then you see a much bigger jump in March, when the actual invasion was happening, of people installing the extension side of things, and you can see the growth in the number of users we have in Snowflake. We've been working on some scalability issues to try to be able to handle more and more users on the Snowflake bridge; happy to chat about that one later. You can also see, as we fix some of the scalability issues, the throughput that we're handling gets a lot better, so we're handling maybe 10,000 to 50,000 users of Snowflake in Russia each day at this point. You can also see the growth in the number of bridges that we had. We did an advocacy campaign in December, that's the first bump that you can see, and then we did another advocacy campaign in March to be like, hey everybody, run a bridge, help people in Ukraine and Russia get around the censorship that they are seeing or will be seeing soon.

Okay, so what are the other things that we did once the initial censorship rolled out? One of them was we set up a Telegram autoresponder, and the idea is if you're a Telegram user you can send us a Telegram request and we'll send you a couple of bridges, and that way there's another avenue for getting bridges. So you can imagine the censors would block that pretty quickly, because they can get a Telegram account, so they get one and they send us a request and we send them the bridges. It turns out that Telegram accounts are assigned numerically, sequentially, so when you send me a Telegram message I can learn how old your account is. So our secret sauce there, it's not all that secret because I'm about to tell a group of thousands of people at DEF CON, our secret sauce there is we look at how old your Telegram account is, and if you have a pretty established one we give you this set of bridges, and if you have a new one we give you this other set of bridges. And so far the censors make new Telegram accounts and then they get only the second set of bridges. So there are a bunch of Telegram-based distribution bridges that we've been using that end up with hundreds of users for a while until they get rotated out. So that Telegram age-based trick is a fun example of another asymmetry that we need to explore, but it's also an example of an unstable one, because once we explain it enough then the adversary is going to go out and be like, yes, I do have a pile of old Telegram accounts because I made them for this totally unrelated reason, and I'll use them to try to learn a bunch of the bridges that those Tor people are giving out.

Okay, another fun thing, which I didn't put in the slides and I'm not going to present to the thousands of people at DEF CON: we have some nice people inside the Russian censorship ministry who work on censoring Tor who reached out and wanted to explain what they do all day and how that works and how the censorship works and what they're focusing on. So I am not going to read any quotes from them, translated or otherwise, because I don't know what their situation is, but they were explaining that it's not as automated as you might imagine. Their job is to actually download Tor Browser, go through the same steps that users do, get an IP address, put it in a spreadsheet, yes, and email it to the censors, who then add that IP address to the censorship infrastructure. So that is the feedback loop that we're talking about, and that explains why a new bridge will continue to work for days to weeks, until that feedback loop has succeeded and that particular IP address gets blocked.

Okay, so there are a bunch of other lessons. I'm gonna skip forward to make sure we get to a lot of things. At the same time, in March, OONI, the Open Observatory of Network Interference, they do censorship measurement stuff, they had just rolled out a Snowflake test from around the world. So the first thing I looked at was the China graph, and it's pretty cool that Snowflake was working, is working, in China in March. And there's a longer time scale version of this that shows mostly green, so green is successful bootstraps from all around the world of OONI clients connecting using Snowflake, but also at the very bottom of the green column you can see maybe five percent or ten percent is yellow. So that's not censorship so much as being on crappy internet connections or being given a Snowflake volunteer that doesn't have the throughput to let you bootstrap properly. So we've got more work to do in terms of engineering to try to make every Snowflake connection be fast, fun and reliable rather than most of them, which is what we've got going on right now. And it would be even better if we could have Snowflake auto-recognize "I get through this part of bootstrapping but not that part, I'm trying to do the introduction of the piece of WebRTC, and this is the one that I got through and this is the one that failed," so that way we could have all of the users, or all the OONI probes, auto-diagnosing what's gone wrong and help us understand how the internet works around the world.

Okay, so that was the "what Russia did" and responses. Now let's talk about some other stuff that I either don't understand that happened around the time, or that is sort of a bizarre side effect. So one of them was, when that blocking of our website, like the legal request, came into Hetzner, there's an NGO inside Russia that said that's illegal, that's unconstitutional, the Russian censorship ministry broke their own laws by blocking your website, we want to fight them in court. And we were like, yeah, okay, so there's a Russian group that wants to go fight the Russian judges in the Russian court, like that's gonna work. But on the other hand, I want to empower them to, you know, change their country from the inside. I don't know what's going on in Russia and they do, and if we can let them fight the fight they want to fight inside, then yeah, for sure, let's do it. And it turns out that they did go through the fight and they won. They actually got a judge in the Russian court to be like, yes, you're right, that was unconstitutional
that was illegal the process by which they decided to block your website uh did not involve you and therefore you must unblock tor in russia is what the judge said which was uh did not expect that and then of course the the follow-up question is okay what do you mean unblock and i i don't know
whether that judge knows what they meant by unblock either we haven't seen much change in terms of the behavior of the censorship ministry trying to find bridge addresses and blocking unblocking them by ip address but i think our website has started working in more places in russia so that was a sort of a bizarre side effect that we hadn't been expecting where uh and this
this this last part just came out a couple of weeks ago and there's a follow-up of course where i imagine they're just going to go through the process correctly and then they will have blocked us legally and that'll be that they're also taking the opportunity to pull google in and be like hey google you have to censor your app store you got to take that tor browser thing out of the android
play store so we'll see we'll see where that goes another fun side effect that we were not expecting uh some nice person on the internet broke into the russian censorship ministry and took all their files and stuck them on the internet so if you are interested in reading through 360 000
pdfs that came from the secret agency in russia on censorship the internet has them and it would be great if you could look through them and let us know what you find we have a couple of people who speak russian we haven't found anything tor specific i would caution you that it's conceivable
that the russian misinformation ministry has put something in those pdfs that you might not want to load them on your computer directly so uh consider that as an as the defcon audience that you are and please let me know if you find anything in the in this data dump so thanks
internet other stuff that happened so rt.com is censored in a lot of places in europe i'm going to get back to to what was going on then but i i noticed that first because i heard somebody talking about censoring rt russia today in europe and because the tor network has a lot of exit
relays in germany and france and so on suddenly it became harder for you to read rt.com over tor that's kind of fucked up that's not what i i want a tool that lets people reach whatever they want to reach on the internet the the other side of that is the way that the blocking happens by ip
address is by bi-directional they black hole all traffic in either directions and that means that if you're a tor user trying to go to a russian website you connect out of a tor exit node and then your connection into russia fails because they're censoring the tor network so suddenly they've cut themselves off in a way that we didn't at first expect and another side of that
we got a bunch of new relays in the north in the tor network yay more relays and they've got nicknames like fuck russia or support ukraine but we also have some organizations in russia who've been trying to sneak in some misbehaving relays and now they've got an excellent opportunity to
sneak in a few more and if they name them support ukraine maybe we'll be happy and leave them there so that's a an arms race that we can also chat about more afterwards okay so another surprise that i'm still working my my head around here's a sort of a heat map of where in the world our snowflake volunteers are so we've got a bunch in the us we've got a bunch in germany we've got a
bunch in europe we have a bunch in russia and maybe these are people in the free part of russia who installed the snowflake extension to help people out around the world or maybe these are confused the snowflake helps them get around censorship so they installed snowflake so that's that's bad
that's not what we want so there's a lesson here about messaging or ux in terms of explaining which components you should install and why and how volunteer ecosystems work on the day of the invasion we had a huge spike in users of tor in ukraine what the heck
i have no good explanation here if you have any good ideas of why suddenly a huge spike of people ended up using tor in ukraine maybe a geo ip mistake maybe maybe lots of things we can speculate all day long this is a another bizarre mystery in tor land but the i guess the most
important thing to think about here is the user impact on the censorship arms race so yeah we've got pluggable transports we've got domain fronting we've got all these tricks that we can do but every time the censorship arms race takes another step forward the users who don't care that much
fall off so yeah we we saw a bunch of people switch from connecting to public relays over to using bridges but also we lost a bunch of people so i guess the the most important thing to think about here is we need a way to improve the usability of the arms race or not take so many
steps forward because the sensor is willing to keep taking the steps and some of the users are and some of the users aren't so make sure to think about the the user impact in terms of censorship that's that's something i mean i don't have a good fix but it's something that we all have to keep in mind okay so what's the what do we need to do next what what's going on and i guess the
there are a bunch of building blocks that we have and i'll go through them and then i'll describe some of the the improvements and fixes so the first building block is a dpi resistant point to point channel so that's obs 4 but it's not just obs 4 there's vmes and a bunch of other protocols out there that try to look like nothing so they're unclassifiable so that that's building
block one building block two we need some sort of civil resistant sign-up mechanism we need something that is going to let users get a bridge address and the sensors can't get all of them so the telegram trick is is a fun example to get you thinking about them but we need more situations
where we can exploit that asymmetry and it needs to be something where we can automate the verification side so think like twitter accounts friends on facebook something like that where users have demonstrated social connections that are hard for the sensor to to scale up and imitate
that but that are easy for us to verify like i don't know how to verify in an automated way how many facebook friends you have how many legit facebook friends you have maybe there's an api for that love to chat with you afterwards building block three we need some way to figure out which bridges are actually blocked in each place around the world so the easy answer is you get like a
vantage point somewhere and you scan them but if they learn what that vantage point is then they just watch you scanning so that's a an arms race of itself there's a new tool called bridge strap and the idea is it you feed a pile of bridge lines and it connects to each of them and tells you
whether it failed or whether it succeeded so here's a it's all public data you do it we publish it by the hash of the fingerprint so there's nothing here in this file that you can use to discover where the bridges are and block them but if you already know about the bridge then you can go to the bridge strap output and decide does it work in turkey does it not work in turkey so we've
got vantage points right now in china turkey russia ukraine and we need to scale that up and we need to be smarter about how that works maybe we only test the ones that for metrics reasons it looks like they used to have a lot of users and now they don't because we don't want to have too much surface area exposing too much building block four we need a whole lot of addresses so we've got the
nice volunteers who are setting up bridges one at a time we also have another person who's working on an automated framework for spinning up cloud bridges and that way on hetzner or ovh or digital ocean you basically auto spin up a new bridge and then there's a mechanism for scaling it down and
putting up a new one next so the more automation we can have there the better and so this is actually happening right now where dynamic bridges are going up and down and they're easy to use the the next building block we need is some sort of signaling channel like domain fronting so
there's a reliable way for tor browser to get around the firewall not for all of your traffic necessarily but something that they're unlikely to block so domain fronting is one example maybe we tunnel it through email through dns over hdps there are some examples there okay so milestone
one in terms of what we're doing to fix this long term is we want tor browser to use that signaling so if you fail to bootstrap use domain fronting or something like it to pull down a list of uh audit recommendations for what your tor browser should automatically do depending on what what country you're in so there's a json file that describes if you're in belarus then start with
your built-in obs for bridges because those still work and then from there try other bridges if you're in china go straight to snowflake because the other ones are probably going to be a fail for you so building this map of what works in what country in what order and then the goal is that
your tor browser says hey i feel i failed to bootstrap i think you're in brazil i think this should have worked are you in a different country like what helped me help you bootstrap in an automatic way so the the goal of that is that you can you start off with the automatic approach where while it's doing the domain fronting connection it learns what your ip address is
and turns that into a country doing this in a way that makes users comfortable with the automation is another another piece of that okay so milestone two that we haven't done yet but we need to do in order to to have a more robust system we need some sort of bridge subscription model so right now we have a bunch of volunteers who set up a bridge and then they get bored and they take it
down so it isn't that the bridge got censored but the user found it they were happily using it and then the bridge went away and now the user is no longer has a bridge that works so we need some once we've got this automation we can use the domain fronting the signaling channel to learn i used to have this bridge can you give me a replacement and the trick there is you don't
need the same level of proof of work or captcha or scarce resource proof because you already did that last time so you show up saying here is the bridge that i used to use can you automatically in the background give me the replacement and that subscription model where your tor browser uh
seamlessly switches over to the new bridge is something that uh that we need to have as a building block here okay um and the fun thing about that is the dynamic cloud bridges work really well with that subscription model where you spin up a bridge and then it goes away or it
gets blocked and you spin up another one next door and then you tell all of the users through the signaling channel you used to use that one switch over to that one so if we can keep on ip address hopping like frequency hopping over the cloud provider ip space faster than the sensors can keep up then we've got something going on okay and then the third building block the third
milestone that we need to hit is a reputation based bridge distribution idea so there are a bunch of research papers out there salmon locks hyphae and so on but basically the idea is when users once you've got the subscription model going on so users have some sort of long-term cryptographic identity keep track of when i give you a bridge does it get blocked or not and if it
does get blocked then screw you i'm not going to give you more but if it doesn't get blocked then you're doing great we'll we'll keep on giving you more bridges uh we'll maybe put you own as the only set of users on a bridge that uh that does that will long term not get blocked because the
10 of you have demonstrated that uh that you're not the sensor and you're not trying to learn bridges and block them so uh that's uh there's a lot more going on on that there are a bunch of parameters we need to get right salmon actually has a design where once you have a high enough reputation you can invite your friends in at a similar reputation level and that makes the
system scale a lot better but also there's a bunch of analysis in terms of if the adversary can get one high reputation person and then invite a bunch of fake people that are also high reputation so getting the parameters right is important here but this is where the arms race has to go we need this sort of asymmetry where users have social connections or we keep track
of whether the user has behaved correctly or not and and reward the ones that are that are not ending up blocking their bridges okay uh we've got a little while more i'm going to
talk about some other things that have been bugging me over the past couple of years so one of the big ones is uh when the when russia invaded ukraine a lot of western companies are like haha i'm gonna sanction them we heard about isps that are like i'm deep hearing from russia that'll show them and then we heard about western companies like facebook and google and so on
saying i'm gonna stop allowing russians for to to have like gmail accounts and and that'll show them we'll punish them we'll put pressure on them and the the key to realize a couple of years ago trump was trying to do something similar in iran it was called the maximum pressure sanctions
program and he would call up like netflix and google and facebook and be like i know the law doesn't require this but could you like everybody who speaks farsi could you like turn off all their accounts thanks and the problem with that is uh iran periodically was trying to like isolate
themselves from the internet their goal is they want their own halal internet they want their own like safe religiously okay facebook their own google their own gmail their own whatever and every time iran tried to cut themselves off from the internet everybody in the country is like fuck you you blocked google i don't like this i need you to stop stop the censorship whereas
when trump said hey google can you like turn off all the accounts of all the people from iran now when they block google nobody cares because google has already screwed them google has demonstrated that it has no no interest in having them as users so that means that uh those sanctions cause the government of iran to be able to to block more things without any
collateral because there's there's nobody who's left who's angry because uh the the western companies let them down anyway so we're gonna see the same thing in russia where if like facebook decides to stop providing service to russia then nobody's gonna uh get upset when russia blocks
facebook i think actually russia did block facebook but next it's going to be you know linkedin or or whatever comes next so we're going to see the same uh isolation results from sanctioning something else that is also kind of bizarre the european union decided that they needed to block misinformation especially they needed to block rt so okay they they unlisted
the television channel sounds good uh but they also had an eui mandate that every member country needs to build and deploy a censorship infrastructure in order to block the rt.com website so that is a fucked up thing that that europe has decided to do and i mean sure there's
the slippery the slippery slope of you know once you've built your internet censorship infrastructure then what else are you going to use it for and i guess the other side of that i mean i was actually uh i ended up arguing with a german guy who's part of the brussels
uh group that decided to do this and i was like why why are you censoring the internet what's going on and he's he kept stopping me he's like no sanctions not sensors sanctions and i'm like okay well that that's the word you're using but but the reality is that you're encouraging every country to buy and deploy a censorship infrastructure and while i was having that
argument with him one of the uni people pointed out that romania interpreted that eu requirement as you got to block all misinformation so romania apparently has a multi-megabyte list of URLs that they decided to censor in their country because of this kind of vague poorly worded you better block
rt requirement from the eu and they ended up blocking like software update sites and so on so that's uh yeah and he the the same brussels guy was explaining no this is a temporary six month sanction in six months we're gonna you know revisit it but the problem is these countries are
going to roll out their censorship and they're not going to unroll it out in six months they're going to find something else to do with their censorship infrastructure so i guess the the big question is uh what the fuck europe why you like censoring so much and if you as the audience could keep on asking that question to the european union decision makers that would be awesome because
this is a i mean they start off trying to argue that they need freedom of information and freedom of speech and and then they end up using the same tactics to block more things and this is not where the world should go another kind of interesting lesson to learn here so our story started in
december of last year but from the mainstream media's side the story started in march of this year so tor blocking censorship blocking internet censorship is a an early warning system for
there's about to be some fucked up stuff going on in that part of the world and watching the next political events gives you some early sense of of where important things are going to be and where
where we as the world should put our resources and it's the story is not over there's more going on one of the things that's happening recently from the great firewall in china is they've been rolling out an entropy test where if you're connecting from china to a couple of cheapo providers like digital ocean alibaba hetzner ovh then they look at how many ones there are in your
first couple of packets and how many zeros there are and if it's about even then they they cut that connection so that means that if you're in china trying to do an obspore connection to one of these ip spaces then it fails and maybe they're fine with that collateral damage
i would argue that they they can't afford to roll out that out to the rest of china because there's too much just random protocols on the internet that they'd end up blocking i was talking to a us academic researcher who did a study at his university of if i put this censorship rule in place to my students at my university he ended up concluding that he would block one or two percent
of all the flows going through his university so i don't think china can afford to to make this broader than those destination ip spaces but i don't know so we're going to need better transports that uh that look like nothing in better ways or that look like something in
better ways that's going to be a talk in a bit we have these awesome uh tor onion badges at the tour at the tour booth in the vendor area so after this talk ends i'm going to head over to the vendor area i'm wearing my bright green shirt i'm easy to spot and i will answer all of your
tour questions until you have no more tour questions so uh we are out of time at this point some things for you to think about please run tour bridges if you can apt get install tour then run a an obs4 bridge on your debian or ubuntu or whatever system please run snowflakes we've got
a firefox extension we've got a chrome extension so these are easy to add and you'll be one of the tens of thousands of people who are helping people in russia get around their censorship please run tour relays please make the tour network stronger and also think about the anti-censorship research area we need more academics engaging in workshops like folky
and conferences like pets to to think through how to analyze these things and there will be ongoing tor q and a at the vendor booth and i believe i'm at the end so thank you
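The "ones versus zeros" entropy test described for the Great Firewall, together with the collateral-damage estimate the US researcher made for his campus, as an added example in Python (not code from the talk or from the Tor Project): a toy version of the rule run over constructed sample first-packets to count how many ordinary flows it would cut. The window size, the tolerance for "about even", and every sample flow are assumptions made for this example.

```python
"""
Added example, not from the talk or from Tor: a toy bit-balance ("entropy")
classifier of the kind described for the Great Firewall, used to estimate the
collateral damage such a rule causes on ordinary traffic.  WINDOW, TOLERANCE
and all sample flows below are assumptions constructed for illustration.
"""
import random

WINDOW = 1024       # bytes of the client's first packets that are examined (assumption)
TOLERANCE = 0.03    # "about even": |fraction of one-bits - 0.5| below this (assumption)


def ones_fraction(data: bytes) -> float:
    """Fraction of bits set to 1 in data; 0.0 for empty input."""
    if not data:
        return 0.0
    ones = sum(bin(byte).count("1") for byte in data)
    return ones / (8 * len(data))


def looks_like_nothing(first_bytes: bytes, window: int = WINDOW,
                       tolerance: float = TOLERANCE) -> bool:
    """Censor-style rule: flag a flow whose first bytes carry roughly as many
    ones as zeros, which is what obfs4's uniformly random output looks like."""
    return abs(ones_fraction(first_bytes[:window]) - 0.5) < tolerance


def collateral_rate(flows):
    """flows: list of (name, is_circumvention, first_bytes).
    Returns (names flagged, fraction of non-circumvention flows flagged)."""
    flagged = [name for name, _, data in flows if looks_like_nothing(data)]
    legit = [name for name, circ, _ in flows if not circ]
    hit = [name for name in legit if name in flagged]
    rate = len(hit) / len(legit) if legit else 0.0
    return flagged, rate


def _pseudo_random_bytes(seed: int, n: int) -> bytes:
    """Seeded PRNG output as a reproducible stand-in for encrypted traffic."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample "first packets" (not real captures).
SAMPLE_FLOWS = [
    # obfs4 is indistinguishable from random from its very first bytes
    ("obfs4-like", True, _pseudo_random_bytes(2022, WINDOW)),
    # plaintext HTTP: ASCII only, so the high bit of every byte is zero
    ("http", False, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # a DNS query for example.com: many zero bytes in header and length fields
    ("dns", False, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"),
    # any legitimate protocol whose first bytes are also uniformly random
    # (modelled with a second seeded PRNG) is collateral damage for this rule
    ("encrypted-legit", False, _pseudo_random_bytes(7, WINDOW)),
]


if __name__ == "__main__":
    names, rate = collateral_rate(SAMPLE_FLOWS)
    print("flagged:", names)
    print(f"ordinary flows cut: {rate:.0%}")
```

Plaintext protocols are not far from the threshold either (the HTTP sample here is about 0.45 ones), which is why a deployable version of such a rule needs extra exemptions and why the collateral estimate matters.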