Infranet: Circumventing Web Censorship
edsonw writes "In this paper presented at the 11th USENIX Security Symposium, Feamster et alii presented a method that provides access to censored sites while continuing to host normal uncensored content, using covert communication and steganographic techniques." The Infranet webpage has some more information. No public code yet, though.
I have quite a bit of experience with a few of the "censor" systems that exist due to my work in Infosec at the corporate level. I have to say that, based on my reading of the whitepaper, I'm uncertain that this will be a sufficient way to bypass most of the censorware that is widely deployed on (at least) corporate network gateways.
The problem here is that the "Infranet" software must talk to the responder directly in order for its steganographic stream to be understood. In the parlance of at least one censorware product, this type of thing would be classified as a "Proxy Avoidance System" and be blocked accordingly. This might be effective against keyword blocking due to the nature of the information being transmitted, but if used as a straight proxy bypass, most censorware products would only need to know where the responders are.
This method would be more difficult to detect than a straight proxy-through, but it still doesn't account for the fact that the "responders" must be known in some way to the transmitter. If a series of public responders is set up, it would only be a matter of time before those sites would be sewed up tighter than a drum by most "reputable" censorware companies' research teams.
As it is, it's not terribly difficult to bypass censorware if you have the ability to put something up on the outside to bounce off of. Nearly all of the production censorware that I see does absolutely nothing with HTTPS -- and the lax security of most firewall policies doesn't restrict the destination port of a standard HTTP/1.1 CONNECT request. With that available, give me any SSH server on the outside and I can get an encrypted session running to a proxy in a matter of minutes.
Come to think of it, I've never heard the people complaining about censorware's _limitations_, only about the limits that it places on them. The truth is that every one of them is eminently bypassable already. Why bother with steganographic communications unless you live in a place where even initiating encrypted communications would put you in the pokey?
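An added example, not part of the comment above or of the Infranet paper: a gateway-side audit of proxy logs for the gap the comment describes, CONNECT tunnels that were permitted to destination ports other than 443. The log lines are constructed in Squid's native access.log layout, and the allowlist and function names are assumptions.

```python
from collections import defaultdict

ALLOWED_CONNECT_PORTS = {443}  # assumption: policy permits tunnels to HTTPS only

# Constructed sample lines in Squid's native access.log layout:
# time elapsed_ms client result/status bytes method target ident hierarchy type
SAMPLE_LOG = """\
1029400001.101    812 10.1.4.22 TCP_TUNNEL/200 18455 CONNECT www.example.com:443 - HIER_DIRECT/192.0.2.10 -
1029400007.530 942113 10.1.4.37 TCP_TUNNEL/200 7340211 CONNECT host.example.net:22 - HIER_DIRECT/198.51.100.7 -
1029400009.002     95 10.1.4.22 TCP_MISS/200 5120 GET http://www.example.org/ - HIER_DIRECT/192.0.2.44 text/html
1029400012.774      3 10.1.4.51 TCP_DENIED/403 3801 CONNECT host.example.net:8080 - HIER_NONE/- text/html
1029400020.310 301877 10.1.4.37 TCP_TUNNEL/200 912004 CONNECT [2001:db8::5]:2222 - HIER_DIRECT/2001:db8::5 -
garbage line that should be skipped
"""

def parse_connect(line):
    """Return (client, host, port, status, elapsed_ms, bytes) for CONNECT lines, else None."""
    f = line.split()
    if len(f) < 7 or f[5] != "CONNECT":
        return None
    host, sep, port = f[6].rpartition(":")  # rpartition keeps IPv6 literals intact
    if not sep or not port.isdigit():
        return None
    try:
        status = int(f[3].split("/")[1])
        return f[2], host.strip("[]"), int(port), status, int(f[1]), int(f[4])
    except (IndexError, ValueError):
        return None

def off_policy_tunnels(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """Group permitted CONNECT tunnels to non-allowed ports by client address."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_connect(line)
        if rec is None:
            continue
        client, host, port, status, elapsed_ms, nbytes = rec
        # Only tunnels the gateway actually established (2xx) expose a policy gap.
        if 200 <= status < 300 and port not in allowed:
            findings[client].append((host, port, elapsed_ms, nbytes))
    return dict(findings)

if __name__ == "__main__":
    for client, tunnels in off_policy_tunnels(SAMPLE_LOG).items():
        for host, port, elapsed_ms, nbytes in tunnels:
            print(f"{client} -> {host}:{port} {elapsed_ms / 1000:.0f}s {nbytes} bytes")
```

Any hit means the gateway established the tunnel, so the fix is in proxy or firewall policy rather than in the URL filter; in Squid the stock rule for this is `http_access deny CONNECT !SSL_ports`.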