Blocking-resistant communication through domain fronting

Open access

Abstract

We describe “domain fronting,” a versatile censorship circumvention technique that hides the remote endpoint of a communication. Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor. The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the “inside”—in the HTTP Host header, invisible to the censor under HTTPS encryption. A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage. Domain fronting is easy to deploy and use and does not require special cooperation by network intermediaries. We identify a number of hard-to-block web services, such as content delivery networks, that support domain-fronted connections and are useful for censorship circumvention. Domain fronting, in various forms, is now a circumvention workhorse. We describe several months of deployment experience in the Tor, Lantern, and Psiphon circumvention systems, whose domain-fronting transports now connect thousands of users daily and transfer many terabytes per month.
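To make the two-layer idea concrete, here is an added illustration (not code from the paper or from meek, Lantern or Psiphon) that encodes the cleartext RFC 6066 SNI extension for a front domain, builds the inner HTTP/1.1 request whose Host header names the hidden domain, and then splits the result into what a censor on the wire can read versus what the fronting server reads after TLS decryption. The domain names are constructed placeholders.

```python
"""Domain fronting, layer by layer: the front domain goes on the outside
(DNS query, TLS SNI), the hidden domain on the inside (HTTP Host header),
which is ciphertext to anyone between client and front server."""
import struct


def sni_extension(host: str) -> bytes:
    """Encode an RFC 6066 server_name extension (type 0) with one host_name."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(name_list)) + name_list


def parse_sni(ext: bytes) -> str:
    """Decode the host_name exactly as a passive observer can: it is cleartext."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != 0 or len(ext) != 4 + ext_len:
        raise ValueError("not a well-formed server_name extension")
    (list_len,) = struct.unpack("!H", ext[4:6])
    body = ext[6:6 + list_len]
    name_type, (name_len,) = body[0], struct.unpack("!H", body[1:3])
    if name_type != 0:
        raise ValueError("unsupported name_type")
    return body[3:3 + name_len].decode("ascii")


def http_request(hidden_host: str, path: str = "/") -> bytes:
    """The inner request; only the TLS terminator at the front sees this Host."""
    return (f"GET {path} HTTP/1.1\r\nHost: {hidden_host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def fronted_connection(front: str, hidden: str, path: str = "/") -> dict:
    """Assemble one fronted request as the three things each layer carries."""
    return {
        "dns_query": front,                          # cleartext DNS
        "sni": parse_sni(sni_extension(front)),      # cleartext TLS ClientHello
        "inner_request": http_request(hidden, path), # encrypted under TLS
    }


def censor_view(conn: dict) -> dict:
    """Drop the encrypted layer: the censor is left with DNS and SNI names only."""
    return {k: v for k, v in conn.items() if k in ("dns_query", "sni")}


def frontend_view(conn: dict) -> str:
    """After decryption the front server routes on the Host header (hidden name)."""
    for line in conn["inner_request"].split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii")
    raise ValueError("no Host header in inner request")
```

Because `censor_view` never contains the hidden name, a censor that wants to stop the inner request has only the blunt option the abstract describes: block the front domain and everything else it serves.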

