Practical Censorship Evasion Leveraging Content Delivery Networks

CDNBrowsing is a promising approach recently proposed for censorship circumvention. CDNBrowsing relies on the fact that blocking content hosted on public CDNs can potentially cause collateral damage for the censors by disrupting benign content publishers. In this work, we identify various low-cost attacks against CDNBrowsing, demonstrating that the design of practically unobservable CDNBrowsing systems is significantly more challenging than previously thought. In particular, we devise unique website fingerprinting attacks against CDNBrowsing traffic, and discover various forms of information leakage in HTTPS that can be used to block the previously proposed CDNBrowsing system. Motivated by these attacks, we design and implement a new CDNBrowsing system called CDNReaper, which defeats the discovered attacks. Because it is proxy-less by design, a CDNBrowsing system can browse only particular types of webpages. We perform a comprehensive measurement to classify popular Internet websites based on their browsability by CDNBrowsing systems. To further increase the reach of CDNBrowsing, we devise several mechanisms that enable CDNBrowsing systems to browse a larger share of Internet webpages, particularly partial-CDN webpages.
