[or-cvs] r21437: {} draft of my "things to look for in a circumvention tool" art (projects/articles)
Roger Dingledine
arma at torproject.org
Mon Jan 18 22:57:21 UTC 2010
Author: arma
Date: 2010-01-18 22:57:21 +0000 (Mon, 18 Jan 2010)
New Revision: 21437
Added:
projects/articles/circumvention-features.txt
Log:
draft of my "things to look for in a circumvention tool" article
Added: projects/articles/circumvention-features.txt
===================================================================
--- projects/articles/circumvention-features.txt (rev 0)
+++ projects/articles/circumvention-features.txt 2010-01-18 22:57:21 UTC (rev 21437)
@@ -0,0 +1,396 @@
+
+"Ten things to look for in tools that circumvent Internet censorship"
+
+As more countries crack down on Internet use by filtering connections
+to sensitive websites, people around the world are increasingly turning
+to anti-censorship software, also known as circumvention tools. A wide
+variety of tools have been built to answer this threat by letting people
+get to websites they otherwise can't reach. But different tools provide
+different features and different levels of security, and it's hard for
+users to understand the tradeoffs.
+
+This article lays out ten features or characteristics you should consider
+when evaluating a circumvention tool. The goal is not to advocate for
+any specific tool, but rather to point out what kind of tools are useful
+for what situations.
+
+One caveat to start out: I'm an inventor and developer of a tool
+called Tor (torproject.org) that is used both for privacy and for
+circumvention. While my bias for more secure tools like Tor shows through
+here based on which features I've picked (meaning I raise issues that
+highlight Tor's strengths and that some other tool developers may not care
+about), I have also tried to include features that other tool developers
+consider important.
+
+0. Introduction
+
+Internet-based circumvention software consists of two components: a
+<i>relaying</i> component and a <i>discovery</i> component. The relaying
+component is what establishes a connection to some server or proxy,
+handles encryption, and sends traffic back and forth. The discovery
+component is the step before that -- the process of finding one or more
+reachable addresses.
+
+Some tools have a simple relaying component. For example,
+if you're using an open proxy, the process of using the proxy is
+straightforward: you configure your web browser or other application
+to use the proxy. The big challenge for open proxy users is finding an
+open proxy that's reliable and fast. On the other hand, other tools have
+much more sophisticated relaying components, made up of multiple proxies,
+multiple layers of encryption, and so on.
+
+1. Diverse set of users
+
+One of the first questions you should ask when looking at a circumvention
+tool is who else uses it. A wide variety of users means that if somebody
+finds out you're one of the users, they can't conclude much about why
+you're using it, or what sort of person you are.
+
+At one extreme, imagine a hypothetical circumvention tool given out only
+to a select group of Iranian bloggers. If anybody discovers that you're
+using it, they can guess who are you and what you're doing with it. At
+the other extreme, a privacy tool like Tor has many different classes
+of users around the world (ranging from ordinary people, civil rights
+enthusiasts, and human rights activists to corporations, law enforcement,
+and militaries) so the fact that you have Tor installed doesn't give
+people much additional information about who you are or what sorts of
+sites you might visit.
+
+Beyond technical features that make a given tool useful to a narrow
+audience or a more broad audience, marketing plays a big role in which
+users show up. A lot of tools spread through word of mouth, so if the
+first few users are in Vietnam and they find it useful, the next set of
+users will tend to be from Vietnam too. Whether a tool is translated
+into some languages but not others can also direct (or hamper) which
+users it will attract.
+
+2. Works in your country
+
+The next question to consider is whether the tool operator artificially
+restricts which countries can use it. Several years ago, the commercial
+Anonymizer.com made its service free to people in Iran. Thus connections
+coming from Anonymizer's servers were either paying customers (mostly in
+America) or people in Iran trying to get around their country's filters.
+
+For more recent examples, Your Freedom (your-freedom.net) restricts
+free usage to a few countries like Burma, while systems like Freegate
+(dit-inc.us) and Ultrasurf (ultrareach.com) outright block connections
+from all but the few countries that they care to serve (China and, in the
+case of Ultrasurf recently, Iran). On the one hand, this strategy makes
+sense in terms of limiting the bandwidth costs. But on the other hand,
+if you're in Saudi Arabia and need a circumvention tool, some otherwise
+useful tools are simply not an option for you.
+
+3. Sustainable network and software development
+
+If you're going to invest the time to figure out how to use a given tool,
+you want to make sure it's going to be around for a while. Different
+tools take different approaches to ensuring their long-term existence.
+The main three approaches are through volunteers, through profit, and
+through sponsors.
+
+Networks like Tor rely on volunteers to provide the relays that make
+up the network. Thousands of people around the world have computers
+with good network connections and want to help make the world a better
+place. By joining them into one big network, Tor ensures that the network
+is independent from the entity writing the software; so the network will
+be around down the road even if the Tor Project as an entity ceases
+to exist. Psiphon (psiphon.ca), by contrast, is taking the for-profit
+approach of collecting money for service. They reason that if they can
+create a profitable company, then that company will be able to fund all
+of their costs (including the network) on an ongoing basis. The third
+approach is to rely on sponsors to pay for the bandwidth costs. The
+Java Anon Proxy or JAP project (anon.inf.tu-dresden.de/index_en.html)
+relied on government grants to fund its bandwidth; now that the grant
+has finished they're investigating the for-profit approach. Ultrareach
+and Freegate use the "sponsor" model to good effect, though they are
+constantly hunting for further sponsors to keep their network operational.
+
+After asking about the sustainability of their network, the next question
+is to ask about sustainability of the software itself. The same three
+approaches apply here, but the examples change. While Tor's network is
+operated by volunteers, Tor relies on sponsors (governments and NGOs)
+to fund new features and software maintenance. Ultrareach and Freegate,
+on the other hand, are in a more sustainable position with respect to
+software updates: they have a team of individuals around the world,
+mostly volunteers, devoted to making sure the tools are one step ahead
+of censors.
+
+Each of the three approaches can work. The key when evaluating a tool
+is to understand which approaches that tool uses, so you can predict
+what problems it might encounter in the future.
+
+4. Open design
+
+The first step to transparency and reusability of the tool's software and
+design is to distribute the software (not just the client-side software,
+but also the server-side software) under an open source license. Open
+source licenses make sure you can examine the software to see how it
+really operates, and they also mean that you have the right to modify
+the program. Even if not every user takes advantage of this opportunity
+(many people just want to use the tool as-is after all), the fact that
+some users can makes it much more likely that the tool will remain safe
+and useful. Without this option, you are forced to trust that a small
+number of developers have thought of and addressed every possible problem.
+
+Just having an open software license is not enough, though. Trustworthy
+circumvention tools need to provide clear complete documentation for other
+security experts -- not just how it's built but what features and goals
+its developers aimed for. Do they intend for it to provide privacy? What
+kind and against what attackers? In what way does it use encryption? Do
+they intend for it to stand up to attacks from censors? What kind
+of attacks do they expect to resist and why will their tool resist
+them? Without both seeing the source code <i>and</i> knowing what the
+developers meant for it to do, it's harder to decide whether there are
+security problems in the tool, or to evaluate how successful it should
+be at its goals.
+
+In the field of cryptography, Kerckhoffs' principle explains that you
+should design your system so the amount you need to keep secret is as
+small and well-understood as possible. That's why crypto algorithms
+have keys (the secret part) and the rest can be explained in public
+to anybody. Historically, any crypto design that has a lot of secret
+parts has turned out to be broken. Similarly, in the case of secret
+designs for circumvention tools, the only groups examining the tool are
+its original developers and the attackers; the wider user and developer
+community is left out of the loop.
+
+This question gets at another form of sustainability: whether the ideas
+from that project are reusable beyond that project's lifetime. Too many
+circumvention tools these days keep many parts of their design secret,
+in hopes that government censors are hampered from figuring out how the
+system works, but the result is that few projects can learn from other
+projects and the field of circumvention development as a whole moves
+forward too slowly.
+
+5. Decentralized architecture
+
+[insert diagram: https://www.torproject.org/images/htw2.png]
+
+Another feature to look for in a circumvention tool is whether its network
+is centralized or decentralized. A centralized tool puts all of its users'
+requests through one or a few servers that the tool operator controls. A
+decentralized design like Tor or JAP sends the traffic through multiple
+different locations, so there is no single location or entity that gets
+to watch what websites each user is accessing.
+
+Another way to look at this division is based on whether the <i>trust</i>
+is centralized or decentralized. If you have to put all your trust in
+one entity, then the best you can hope for is "privacy by policy" --
+meaning they have all your data and they promise not to look at it, lose
+it, sell it, or so on. The alternative is "privacy by design", a phrase
+popularized by the Ontario Privacy Commissioner -- meaning the design of
+the system itself ensures that users get their privacy. The openness of
+the design in turn lets everybody evaluate the level of privacy provided.
+
+This concern isn't just theoretical. In early 2009 Hal Roberts from the
+Berkman Center ran across a FAQ entry for a circumvention tool that
+offered to sell its users' clicklogs. I later talked to a different
+circumvention tool provider who explained that they had all the logs
+of every request ever made through their system "because you never know
+when you might want them."
+
+I've left out the names of the tools here because the point is not that
+some tool providers may have shared user data; the point is that any
+tool with a centralized trust architecture <i>could</i> share user data,
+now or in the future, and its users have no way to tell whether it's
+happening. Worse, even if the tool provider means well, the fact that
+all the data flows through a few servers creates an attractive target
+for other attackers to come snooping.
+
+The next conclusion is that many of these tools see circumvention and user
+privacy as totally unrelated goals. This separation isn't necessarily
+bad, as long as you know what you're getting into -- for example, we
+hear from many people in censoring countries that just reading a news
+website isn't going to get you locked up. But as we've been learning in
+many other contexts over the past few years, large databases of personal
+information tend to end up more public than we'd like.
+
+6. Keeps you safe from websites too
+
+Privacy isn't only about whether the tool operator can log your
+requests. It's also about whether the websites you visit can recognize or
+track you. Circumvention tools have some level of built-in protection
+here, since using a proxy means the website doesn't see the user's
+connection directly. But remember the case of Yahoo turning over
+information about one of its Chinese webmail users. What if a blog
+aggregator wants to find out who's posting to a blog, or who added the
+latest comment, or what other websites a particular blogger reads?
+
+At one extreme are open proxies. They often pass along the address of
+the client with their web request, so it's easy for the website to learn
+exactly where the request is coming from. At the other extreme are tools
+like Tor that include client-side browser extensions to hide your browser
+version, language preference, browser window size, time zone, and so on;
+segregate cookies, history, and cache; and prevent plugins like Flash
+from leaking information about you.
+
+This level of application-level protection comes at a cost though: some
+websites don't work correctly. As more websites move to the latest "web
+2.0" fads, they require more and more invasive features with respect to
+browser behavior. The safest answer is to disable the dangerous behaviors
+-- but if somebody in Turkey is trying to reach Youtube and Tor disables
+his Flash plugin to keep him safe, his videos won't work.
+
+No tools have solved this tradeoff well yet. Psiphon manually evaluates
+each website and programs its central proxy to rewrite each page. Mostly
+they do this rewriting not for privacy but to make sure all links on the
+page lead back to their proxy service, but the result is that if they
+haven't manually vetted your destination site yet, it won't work for
+you. As an example, they seem to be in a constant battle to keep up with
+Facebook's changing frontpage. Tor currently disables many sites that are
+probably safe in practice, because we haven't figured out a good interface
+to let the user decide in an informed way. Still other tools just let
+through any active content, meaning it's trivial to unmask their users.
+
+7. Doesn't promise to magically encrypt the entire Internet
+
+I should draw a distinction here between privacy and encryption. Most
+circumvention tools (all but the really simple ones like open proxies)
+encrypt the traffic between the user and the circumvention provider. They
+need this encryption to avoid the keyword filtering done by such censors
+as China's firewall. But none of the tools can encrypt the traffic
+between the provider and the destination websites -- if a destination
+website doesn't support encryption, there's no magic way to make the
+traffic encrypted.
+
+The ideal answer would be for everybody to use https (also known as
+SSL) when accessing websites, and for all websites to support https
+connections. But for a wide variety of reasons, pervasive encryption
+hasn't taken off. If the destination website doesn't support encryption,
+the best you can do is 1) not send identifying or sensitive information,
+such as a real name in a blog post or a password you don't want other
+people to learn, and then 2) use a circumvention tool that doesn't have
+any trust bottlenecks that allow somebody to link you to your destinations
+despite the precautions in step 1.
+
+Alas, things get messy when you can't avoid sending sensitive info. Some
+people have expressed concern over Tor's volunteer-run network design,
+reasoning that at least with the centralized designs you know who runs
+the infrastructure. But in practice it's going to be strangers reading
+your traffic either way -- the tradeoff is between volunteer strangers
+who don't know it's you (meaning they can't target you), or dedicated
+strangers who get to see your entire traffic profile (and link you to it).
+Anybody who promises "100% security" is selling something.
+
+8. Fast
+
+The next feature you might look for in a circumvention tool is speed. Some
+tools tend to be consistently fast, some consistently slow, and some
+provide wildly unpredictable performance. Speed is based on many factors,
+including how many users the system has, what the users are doing,
+how much capacity there is, and whether the load is spread evenly over
+the network.
+
+The centralized-trust designs have two advantages here. First, they
+can see all their users and what they're doing, meaning they have a
+head start at spreading them out evenly and at discouraging behaviors
+that tax the system. Second, they can buy more capacity as needed, so
+the more they pay the faster the tool is. The distributed-trust designs
+on the other hand have a harder time tracking their users, and if they
+rely on volunteers to provide capacity, then getting more volunteers is
+a more complex process than just paying for more bandwidth.
+
+The flip side of the performance question is flexibility. Many systems
+ensure good speed by limiting what their users can do. While Psiphon
+prevents you from reaching sites that they haven't manually vetted yet,
+Ultrareach and Freegate actually actively censor which destination
+websites you're allowed to reach so they can keep their bandwidth costs
+down. Tor, by contrast, lets you access any protocol and destination,
+meaning for example you can instant message through it too; but the
+downside is that the network is often overwhelmed by users doing bulk
+transfer.
+
+9. Easy to get the software and updates
+
+Once a circumvention tool becomes well-known, its website is going to get
+blocked. If it's impossible to get a copy of the tool itself, who cares
+how good it is? The best answer here is to not require any specialized
+client software. Psiphon, for example, relies on a normal web browser, so
+it doesn't matter if the censors block their website. Another approach is
+a tiny program like Ultrareach or Freegate that you can instant message
+to your friends. Option three is Tor's Browser Bundle: it comes with
+all the software you need preconfigured, but since it includes large
+programs like Firefox it's harder to pass around online. In that case
+distribution tends to be done through social networks and USB sticks,
+or using our email autoresponder that lets you download Tor via Gmail.
+
+Then you need to consider the tradeoffs that come with each approach.
+First, which operating systems are supported? Psiphon wins here too
+by not requiring any extra client software. Ultrareach and Freegate
+are so specialized that they only work on Windows, whereas Tor and its
+accompanying software will build and run pretty much everywhere. Next,
+consider that client-side software can automatically handle failover
+from one proxy to the next, so you don't need to manually type in a new
+address if your current address disappears or gets blocked.
+
+The final question is whether the tool has a track record, or at least
+a convincing plan, for responding to blocking. For example, Ultrasurf
+and Freegate have a history of releasing quick updates when the current
+version of their tool stops working. They have a lot of experience at
+this particular cat-and-mouse game, so it's reasonable to assume they're
+ready for the next round. Along these lines, Tor prepared for its eventual
+blocking by streamlining its network communications to look more like
+encrypted web browsing, and introducing unpublished "bridge relays" that
+are harder for an attacker to find and block than Tor's public relays. Tor
+tries to separate software updates from proxy address updates -- if the
+bridge relay you're using gets blocked, you can stick with the same
+software and just configure it to use a new bridge address. Our bridge
+design was put to the test in China in September of 2009, and tens of
+thousands of users seamlessly moved from the public relays to bridges.
+
+10. Doesn't promote itself as a circumvention tool
+
+Many circumvention tools launch with a huge media splash. The media loves
+this approach, and they end up with frontpage articles like "American
+hackers declare war on China!" But while this attention helps attract
+support (volunteers, profit, sponsors), the publicity also attracts the
+attention of the censors.
+
+Censors generally block two categories of tools: 1) the ones that are
+working really well, meaning they have hundreds of thousands of users,
+and 2) the ones that make a lot of noise. In many cases censorship is
+less about blocking all sensitive content and more about creating an
+atmosphere of repression so people end up self-censoring. Articles in
+the press threaten the censors' <i>appearance</i> of control, so they
+are forced to respond.
+
+The lesson here is that we can control the pace of the arms
+race. Counterintuitively, even if a tool has many users, as long as
+nobody talks about it much it tends not to get blocked. But if nobody
+talks about it, how do users learn about it? One way out of the paradox
+is to spread through word of mouth and social networks rather than the
+more traditional media. Another approach is to position the tool in a
+different context -- for example, we present Tor primarily as a privacy
+and civil liberties tool rather than a circumvention tool. Alas, this
+balancing act is tough to maintain in the face of increasing popularity.
+
+Conclusion
+
+This article explains some of the issues you should consider when
+evaluating the strengths and weaknesses of circumvention tools. I've
+intentionally avoided drawing up a table of different tools and scoring
+them on each category. No doubt somebody will do that eventually and
+sum up how many checkmarks each tool gets, but the point here is not to
+find the "best" tool. No tool is suitable for every situation. In fact,
+having a diversity of circumvention tools in wide use increases robustness
+for all the tools, since censors have to tackle every strategy at once.
+
+Last, we should keep in mind that technology won't solve the whole
+problem. After all, firewalls are <i>socially</i> very successful in these
+countries. As long as many people in censored countries are saying "I'm so
+glad my government keeps me safe on the Internet," the social challenges
+are at least as important. But at the same time, there are people in
+all of these countries that want to learn and spread information online,
+and a strong technical solution remains a critical piece of the puzzle.
+
+About Roger:
+
+Roger Dingledine is project leader for The Tor Project, a US non-profit
+working on anonymity research and development for such diverse
+organizations as the US Navy, the Electronic Frontier Foundation, and
+Voice of America. In addition to all the hats he wears for Tor, Roger
+organizes academic conferences on anonymity, speaks at a wide variety
+of industry and hacker conferences, and also does tutorials on anonymity
+for national and foreign law enforcement.
+
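Review bot: The diagram placeholder in section 5, `+[insert diagram: https://www.torproject.org/images/htw2.png]`, is an unresolved TODO committed into the article text; either embed or reference the figure properly, or move the reminder into a comment in the commit so it cannot be published as-is. Two smaller style points in the same hunk: the file is a `.txt` draft but uses HTML `<i>...</i>` markup for emphasis (`+<i>relaying</i> component and a <i>discovery</i> component`, `+tool with a centralized trust architecture <i>could</i> share user data`), so the markup should either be stripped for plain text or the file should declare its target format; and section 1 has a word-order typo, `+using it, they can guess who are you and what you're doing with it. At` should read "who you are". The product is also named both "Ultrareach" and "Ultrasurf" across sections 2, 3, 8 and 9; picking one name for the tool (with the company name given once) would avoid readers taking them for two different tools.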