Slashdot Mirror


Infranet: Circumventing Web Censorship

edsonw writes "In this paper presented at the 11th USENIX Security Symposium, Feamster et alii presented a method that provides access to censored sites while continuing to host normal uncensored content, using covert communication and steganographic techniques." The Infranet webpage has some more information. No public code yet, though.

6 of 103 comments

  1. Transparency by zmalone · · Score: 3, Interesting

    Interesting idea. It seems to be a standard proxy that attempts to make the encryption seem to be unencrypted data. The trick will be making it transparent to the user, but still having it protect the data (if everyone in China starts requesting just .png files, from just a few servers, it would be awfully suspicious). I'd also imagine that the http requests could get awfully cluttered if they are encrypted into patterns. How will they avoid having the patterns be recognizable to interceptors? It will be interesting to see what the system ends up looking like.

  2. More serious Considerations by kenp2002 · · Score: 4, Interesting

    Concerning the slow death of the internet I am surprised that no major effort has been made to create a new layer and method of communication over the Internet that, through the use of a well written EULA and some pre-emptive patenting create a new tunneled Internet piggy-backing on the old Internet. Through the use of a distributed network similar to Gnutella one could have, say unlimited space to create a site. Then clients on the network replicate through a protocol (EULA'ed and Patented with Encryption) the site to neighbors based on demand and requirements. It shouldn't be that hard for some of those closet geniuses out there. Then in the EULA prohibit commercial use of the protocol that way we can get back to what the Internet is for, free information exchange. I can even think of an efficient way to replicate the site. Every client on the network (say A---B---C----D) can access the page at its home address. Then I maintains a cached copy in a PGP'esque format. (Let's say B makes a call to D) B Now contains an encrypted cache of B (Scripts and all, the new format let's assume compiles in scripts). A requests D but B has a copy so A only goes out and gets a key from D to decrypt B's contents. Then A and B could hash their data and split it. (I am using a linear diagram but in a star map you could see the advantage of the hashing). I mean come on it's fool-proof way to eliminate commercials on the net. Create the protocol and throw encryption into it (Gaining the DMCA as a layer of defense) and then patent it BEFORE the public launch and write a solid EULA to prevent commercial use (unless they pay a 99.9999% royalty rate on the gross revenues!). Do it! you know you want to!

    --
    -=[ Who Is John Galt? ]=-
    1. Re:More serious Considerations by richieb · · Score: 4, Interesting
      Concerning the slow death of the internet I am surprised that no major effort has been made to create a new layer and method of communication over the Internet that, through the use of a well written EULA and some pre-emptive patenting create a new tunneled Internet piggy-backing on the old Internet.

      But a wireless grid network that just runs on our own computers, could potentially bypass the current internet infrastructure completely.

      We each will turn into a micro-ISP, providing little routing and little storage for our neighbors.

      --
      ...richie - It is a good day to code.
  3. Proxy Avoidance by irregular_hero · · Score: 5, Interesting

    I have quite a bit of experience with a few of the "censor" systems that exist due to my work in Infosec at the corporate level. I have to say that, based on my reading of the whitepaper, I'm uncertain that this will be a sufficient way to bypass most of the censorware that is widely deployed on (at least) corporate network gateways.

    The problem here is that the "Infranet" software must talk to the responder directly in order for its steganographic stream to be understood. In the parlance of at least one censorware product, this type of thing would be classified as a "Proxy Avoidance System" and be blocked accordingly. This might be effective against keyword blocking due to the nature of the information being transmitted, but if used as a straight proxy bypass, most censorware products would only need to know where the responders are.

    This method would be more difficult to detect than a straight proxy-through, but it still doesn't account for the fact that the "responders" must be known in some way to the transmitter. If a series of public responders is set up, it would only be a matter of time before those sites would be sewed up tighter than a drum by most "reputable" censorware companies' research teams.

    As it is, it's not terribly difficult to bypass censorware if you have the ability to put something up on the outside to bounce off of. Nearly all of the production censorware that I see does absolutely nothing with HTTPS -- and the lax security of most firewall policies doesn't restrict the destination port of a standard HTTP/1.1 CONNECT request. With that available, give me any SSH server on the outside and I can get an encrypted session running to a proxy in a matter of minutes.

    Come to think of it, I've never heard the people complaining about censorware's _limitations_, only about the limits that it places on them. The truth is that every one of them is eminently bypassable already. Why bother with steganographic communications unless you live in a place where even initiating encrypted communications would put you in the pokey?
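For gateway operators, the CONNECT gap described in the comment above can be checked from proxy logs. The following is an added example, not part of the original post: it audits constructed sample lines in Squid's native access.log layout, and the port allowlist and the 30-minute duration threshold are assumptions chosen for illustration.

```python
# Constructed sample in Squid's native access.log layout:
# time elapsed_ms client code/status bytes method target ident hierarchy type
SAMPLE_LOG = """\
1028000000.101 420 10.0.0.5 TCP_TUNNEL/200 18234 CONNECT mail.example.com:443 - HIER_DIRECT/192.0.2.10 -
1028000003.552 3600210 10.0.0.9 TCP_TUNNEL/200 9120455 CONNECT host.example.net:22 - HIER_DIRECT/192.0.2.22 -
1028000004.007 95 10.0.0.9 TCP_MISS/200 5120 GET http://www.example.org/ - HIER_DIRECT/192.0.2.30 text/html
1028000009.310 7200000 10.0.0.7 TCP_TUNNEL/200 48211973 CONNECT shell.example.net:443 - HIER_DIRECT/192.0.2.44 -
1028000011.640 2 10.0.0.5 TCP_DENIED/403 3800 CONNECT relay.example.com:8080 - HIER_NONE/- text/html
"""

ALLOWED_CONNECT_PORTS = {443}      # assumed policy: tunnels only to the HTTPS port
LONG_TUNNEL_MS = 30 * 60 * 1000    # assumed threshold for an interactive-length session


def audit_connects(log_text):
    """Return (client, target, reasons) for each permitted CONNECT worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue  # only tunnel requests are of interest here
        elapsed_ms, client, result, target = int(fields[1]), fields[2], fields[3], fields[6]
        if not result.endswith("/200"):
            continue  # the proxy already refused this tunnel
        port_text = target.rpartition(":")[2]
        port = int(port_text) if port_text.isdigit() else None
        reasons = []
        if port not in ALLOWED_CONNECT_PORTS:
            reasons.append("port-not-allowed")    # destination port is unrestricted
        if elapsed_ms >= LONG_TUNNEL_MS:
            reasons.append("long-lived-tunnel")   # port is fine, session length is not web-like
        if reasons:
            findings.append((client, target, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_connects(SAMPLE_LOG):
        print(finding)
```

The first reason maps directly to a proxy ACL that limits CONNECT to port 443; the second is only a review signal, since an allowed port says nothing about the protocol inside the tunnel.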

  4. Steganography can be defeated by Anonymous Coward · · Score: 2, Interesting

    While it may be difficult to detect steganographic content in an image file, it is not that hard for a content filter to effectively eliminate all steganographic content. In the case of China, all they need to do is apply their own steganographic data to each inbound image file.

    Or, they could hold a copy of each image file the first time it is requested. Then, whenever the image is requested again they could compare the two. If the image files are not identical, then that is a clear sign of steganography, and they could then pursue further investigation.

    Come to think of it, the U.S. could do the same thing. I wonder if they are. It would certainly be an interesting way of ferreting out potential terrorists. Assuming that terrorists actually use steganography.
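The two filter-side measures from the comment above, as an added example that is not part of the original post: overwriting the carrier bits of an image in transit, and comparing each fetch against the first copy seen for the same URL. It assumes a toy least-significant-bit embedding over constructed raw "pixel" bytes, which is a simplification and not the scheme the Infranet paper uses; all function names are hypothetical.

```python
import hashlib
import random


def embed_lsb(pixels, message):
    """Toy embedder (assumed scheme): message bits go into the low bit of each byte."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels, length):
    """Read `length` bytes back out of the low bits, most significant bit first."""
    bits = [b & 1 for b in pixels[:length * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def scrub_lsb(pixels, rng):
    """Filter countermeasure: overwrite every low bit with the filter's own random bit."""
    return bytes((b & 0xFE) | rng.getrandbits(1) for b in pixels)


class FirstSeenCache:
    """Remember the hash of the first body seen per URL; report later mismatches."""

    def __init__(self):
        self.seen = {}

    def changed(self, url, body):
        digest = hashlib.sha256(body).hexdigest()
        return self.seen.setdefault(url, digest) != digest


def demo():
    rng = random.Random(2002)
    cover = bytes(rng.randrange(256) for _ in range(256))  # constructed pixel data
    secret = b"hidden page"                                # constructed payload
    stego = embed_lsb(cover, secret)
    scrubbed = scrub_lsb(stego, rng)
    cache = FirstSeenCache()
    url = "http://responder.example/logo.png"              # placeholder URL
    return {
        "recovered_before": extract_lsb(stego, len(secret)),
        "recovered_after": extract_lsb(scrubbed, len(secret)),
        "max_pixel_change": max(abs(a - b) for a, b in zip(stego, scrubbed)),
        "first_fetch_flagged": cache.changed(url, cover),
        "second_fetch_flagged": cache.changed(url, stego),
    }
```

`demo()` shows the payload surviving an unfiltered transfer, being unrecoverable after scrubbing while no byte moves by more than 1, and the second fetch of the same URL being flagged because its hash differs from the first copy.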

  5. ThinkCrime by oldstrat · · Score: 4, Interesting

    There are some terms that need to be avoided and/or discarded if we are to succeed at returning freedom to the Internet (and elsewhere).
    First to go is the beloved and maligned 'hacker', we lost on that one, it's gone no matter what effort is used to return the word to its productive and wholesome origin. Using hacker is going to throw red flags in too many places to make it worth the risk of losing a fight that is about a lot more than words.
    Let's substitute something harmless, instead of hack and hacker, make it repair and repairer.

    Other words, some of them used in the Infranet website, are:
    censor/ed, change to impair/ed
    circumvention, to repair (don't use 'fix')
    covert, to reliable.
    Maybe some of you can see where I am headed.
    The title for the Talks would change from:
    Infranet:Circumventing Web Censorship and Surveillance to,
    Infranet:Repairing Web Impairment and Data Leakage

    For those who didn't get it yet, here is the point.
    Our inside terms have spilled to the outside and been manipulated to the darkest of interpretations.
    The inside terms have then been used to propagandise the public into accepting them, and then it gets codified into law.
    Let's get out of our terms and sic the thought police on themselves by being more descriptive, and not letting them play us with our own words.