[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] r21485: {projects} htmlify it (projects/articles)



Author: arma
Date: 2010-01-23 21:23:40 +0000 (Sat, 23 Jan 2010)
New Revision: 21485

Modified:
   projects/articles/circumvention-features.html
Log:
htmlify it


Modified: projects/articles/circumvention-features.html
===================================================================
--- projects/articles/circumvention-features.html	2010-01-23 21:23:12 UTC (rev 21484)
+++ projects/articles/circumvention-features.html	2010-01-23 21:23:40 UTC (rev 21485)
@@ -1,34 +1,44 @@
 
-"Ten things to look for in tools that circumvent Internet censorship"
+<h2>Ten things to look for in tools that circumvent Internet censorship</h2>
 
+<p>
 As more countries crack down on Internet use, people around the world
 are turning to anti-censorship software that lets them reach blocked
 websites. Many types of software, also known as circumvention tools,
 have been created to answer the threat to freedom online. These tools
 provide different features and levels of security, and it's important
 for users to understand the tradeoffs.
+</p>
 
+<p>
 This article lays out ten features you should consider when evaluating
 a circumvention tool. The goal isn't to advocate for any specific tool,
 but to point out what kind of tools are useful for different situations.
+</p>
 
+<p>
 One caveat to start out: I'm an inventor and developer of a tool
-called Tor (torproject.org) that is used both for privacy and for
+called <a href="https://www.torproject.org/";>Tor</a> that is used both
+for privacy and for
 circumvention. While my bias for more secure tools like Tor shows through
 here based on which features I've picked (meaning I raise issues that
 highlight Tor's strengths and that some other tool developers may not care
 about), I have also tried to include features that other tool developers
 consider important.
+</p>
 
-0. Introduction
+<h3>Introduction</h3>
 
+<p>
 Internet-based circumvention software consists of two components: a
 <i>relaying</i> component and a <i>discovery</i> component. The relaying
 component is what establishes a connection to some server or proxy,
 handles encryption, and sends traffic back and forth. The discovery
-component is the step before that -- the process of finding one or more
+component is the step before that &mdash; the process of finding one or more
 reachable addresses.
+</p>
 
+<p>
 Some tools have a simple relaying component. For example,
 if you're using an open proxy, the process of using the proxy is
 straightforward: you configure your web browser or other application
@@ -36,9 +46,11 @@
 open proxy that's reliable and fast. On the other hand, some tools have
 much more sophisticated relaying components, made up of multiple proxies,
 multiple layers of encryption, and so on.
+</p>
 
-1. Diverse set of users
+<h3>1. Diverse set of users</h3>
 
+<p>
 One of the first questions you should ask when looking at a circumvention
 tool is who else uses it. A wide variety of users means that if somebody
 finds out you are using the software, they can't conclude much about
@@ -50,7 +62,9 @@
 the other hand, imagine a group of Iranian bloggers using a circumvention
 tool created just for them. If anybody discovers that one of them is
 using it, they can easily guess why.
+</p>
 
+<p>
 Beyond technical features that make a given tool useful to a few people
 in one country or people all over the world, marketing plays a big role
 in which users show up. A lot of tools spread through word of mouth, so
@@ -58,49 +72,61 @@
 users will tend to be from Vietnam too. Whether a tool is translated
 into some languages but not others can also direct (or hamper) which
 users it will attract.
+</p>
 
-2. Works in your country
+<h3>2. Works in your country</h3>
 
+<p>
 The next question to consider is whether the tool operator artificially
 restricts which countries can use it. For several years, the commercial
 Anonymizer.com made its service free to people in Iran. Thus connections
 coming from Anonymizer's servers were either paying customers (mostly in
 America) or people in Iran trying to get around their country's filters.
+</p>
 
-For more recent examples, Your Freedom (your-freedom.net) restricts
-free usage to a few countries like Burma, while systems like Freegate
-(dit-inc.us) and Ultrasurf (ultrareach.com) outright block connections
+For more recent examples, <a href="http://your-freedom.net/";>Your
+Freedom</a> restricts free usage to a few countries like Burma,
+while systems like <a href="http://dit-inc.us/";>Freegate</a> and <a
+href="http://ultrareach.com/";>Ultrasurf</a> outright block connections
 from all but the few countries that they care to serve (China and, in the
 case of Ultrasurf recently, Iran). On the one hand, this strategy makes
 sense in terms of limiting the bandwidth costs. But on the other hand,
 if you're in Saudi Arabia and need a circumvention tool, some otherwise
 useful tools are not an option for you.
+</p>
 
-3. Sustainable network and software development
+<h3>3. Sustainable network and software development</h3>
 
+<p>
 If you're going to invest the time to figure out how to use a given tool,
 you want to make sure it's going to be around for a while. There are
 several ways that different tools ensure their long-term existence.
 The main three approaches are the use of volunteers, making a profit,
 and getting funds from sponsors.
+</p>
 
+<p>
 Networks like Tor rely on volunteers to provide the relays that make
 up the network. Thousands of people around the world have computers
 with good network connections and want to help make the world a better
 place. By joining them into one big network, Tor ensures that the
 network is independent from the organization writing the software;
 so the network will be around down the road even if The Tor Project
-as an entity ceases to exist. Psiphon (psiphon.ca) takes the second
+as an entity ceases to exist. <a href="http://psiphon.ca/";>Psiphon</a>
+takes the second
 approach: collecting money for service. They reason that if they can
 create a profitable company, then that company will be able to fund the
 network on an ongoing basis. The third approach is to rely on sponsors
-to pay for the bandwidth costs. The Java Anon Proxy or JAP project
-(anon.inf.tu-dresden.de/index_en.html) relied on government grants to
+to pay for the bandwidth costs. The <a
+href="http://anon.inf.tu-dresden.de/index_en.html";>Java Anon Proxy</a>
+or JAP project relied on government grants to
 fund its bandwidth; now that the grant has finished they're investigating
 the for-profit approach. Ultrareach and Freegate use the "sponsor" model
 to good effect, though they are constantly hunting for more sponsors to
 keep their network operational.
+</p>
 
+<p>
 After asking about the long-term survival of the network, the next
 question to ask is about sustainability of the software itself. The same
 three approaches apply here, but the examples change. While Tor's network
@@ -110,13 +136,17 @@
 software updates: they have a team of individuals around the world,
 mostly volunteers, devoted to making sure the tools are one step ahead
 of censors.
+</p>
 
+<p>
 Each of the three approaches can work, but understanding the approach
 a tool uses can help you predict what problems it might encounter in
 the future.
+</p>
 
-4. Open design
+<h3>4. Open design</h3>
 
+<p>
 The first step to transparency and reusability of the tool's software and
 design is to distribute the software (not just the client-side software,
 but also the server-side software) under an open source license. Open
@@ -127,10 +157,12 @@
 likely that the tool will remain safe and useful. Without this option,
 you are forced to trust that a small number of developers have thought
 of and addressed every possible problem.
+</p>
 
+<p>
 Just having an open software license is not enough. Trustworthy
 circumvention tools need to provide clear, complete documentation for
-other security experts -- not just how it's built but what features
+other security experts &mdash; not just how it's built but what features
 and goals its developers aimed for. Do they intend for it to provide
 privacy? What kind and against what attackers? In what way does it
 use encryption? Do they intend for it to stand up to attacks from
@@ -139,7 +171,9 @@
 the developers meant for it to do, it's harder to decide whether there
 are security problems in the tool, or to evaluate whether it will reach
 its goals.
+</p>
 
+<p>
 In the field of cryptography, Kerckhoffs' principle explains that you
 should design your system so the amount you need to keep secret is as
 small and well-understood as possible. That's why crypto algorithms
@@ -150,41 +184,52 @@
 the only groups examining the tool are its original developers and the
 attackers; other developers and users who could help to make it better
 and more sustainable are left out.
+</p>
 
+<p>
 Ideas from one project could be reusable beyond that project's
 lifetime. Too many circumvention tools keep their designs secret, hoping
 that government censors will have a harder time figuring out how the
 system works, but the result is that few projects can learn from other
 projects and the field of circumvention development as a whole moves
 forward too slowly.
+</p>
 
-5. Decentralized architecture
+<h3>5. Decentralized architecture</h3>
 
-[insert diagram: https://www.torproject.org/images/htw2.png]
+<p><img alt="Tor uses multiple hops"
+src="https://www.torproject.org/images/htw2.png"; /></p>
 
+<p>
 Another feature to look for in a circumvention tool is whether its network
 is centralized or decentralized. A centralized tool puts all of its users'
 requests through one or a few servers that the tool operator controls. A
 decentralized design like Tor or JAP sends the traffic through multiple
 different locations, so there is no single location or entity that gets
 to watch what websites each user is accessing.
+</p>
 
+<p>
 Another way to look at this division is based on whether the <i>trust</i>
 is centralized or decentralized. If you have to put all your trust in
-one entity, then the best you can hope for is "privacy by policy" --
+one entity, then the best you can hope for is "privacy by policy" &mdash;
 meaning they have all your data and they promise not to look at it, lose
 it, or sell it. The alternative is what the Ontario Privacy Commissioner
-calls "privacy by design" -- meaning the design of the system itself
+calls "privacy by design" &mdash; meaning the design of the system itself
 ensures that users get their privacy. The openness of the design in turn
 lets everybody evaluate the level of privacy provided.
+</p>
 
+<p>
 This concern isn't just theoretical. In early 2009 Hal Roberts from the
 Berkman Center ran across a FAQ entry for a circumvention tool that
 offered to sell its users' clicklogs. I later talked to a different
 circumvention tool provider who explained that they had all the logs
 of every request ever made through their system "because you never know
 when you might want them."
+</p>
 
+<p>
 I've left out the names of the tools here because the point is not
 that some tool providers may have shared user data; the point is that
 any tool with a centralized trust architecture <i>could</i> share user
@@ -192,17 +237,21 @@
 even if the tool provider means well, the fact that all the data flows
 through one location creates an attractive target for other attackers
 to come snooping.
+</p>
 
+<p>
 Many of these tools see circumvention and user privacy as totally
 unrelated goals. This separation isn't necessarily bad, as long as you
-know what you're getting into -- for example, we hear from many people
+know what you're getting into &mdash; for example, we hear from many people
 in censoring countries that just reading a news website isn't going to
 get you locked up. But as we've been learning in many other contexts
 over the past few years, large databases of personal information tend
 to end up more public than we'd like.
+</p>
 
-6. Keeps you safe from websites too
+<h3>6. Keeps you safe from websites too</h3>
 
+<p>
 Privacy isn't only about whether the tool operator can log your
 requests. It's also about whether the websites you visit can recognize
 or track you. Remember the case of Yahoo turning over information about
@@ -210,7 +259,9 @@
 find out who's posting to a blog, or who added the latest comment, or
 what other websites a particular blogger reads? Using a safer tool to
 reach the website means the website won't have as much to hand over.
+</p>
 
+<p>
 Some circumvention tools are safer than others. At one extreme are open
 proxies. They often pass along the address of
 the client with their web request, so it's easy for the website to learn
@@ -219,14 +270,18 @@
 version, language preference, browser window size, time zone, and so on;
 segregate cookies, history, and cache; and prevent plugins like Flash
 from leaking information about you.
+</p>
 
+<p>
 This level of application-level protection comes at a cost though: some
 websites don't work correctly. As more websites move to the latest "web
 2.0" fads, they require more and more invasive features with respect to
 browser behavior. The safest answer is to disable the dangerous behaviors
--- but if somebody in Turkey is trying to reach Youtube and Tor disables
+&mdash; but if somebody in Turkey is trying to reach Youtube and Tor disables
 his Flash plugin to keep him safe, his videos won't work.
+</p>
 
+<p>
 No tools have solved this tradeoff well yet. Psiphon manually evaluates
 each website and programs its central proxy to rewrite each page. Mostly
 they do this rewriting not for privacy but to make sure all links on the
@@ -237,18 +292,22 @@
 probably safe in practice, because we haven't figured out a good interface
 to let the user decide in an informed way. Still other tools just let
 through any active content, meaning it's trivial to unmask their users.
+</p>
 
-7. Doesn't promise to magically encrypt the entire Internet
+<h3>7. Doesn't promise to magically encrypt the entire Internet</h3>
 
+<p>
 I should draw a distinction here between encryption and privacy. Most
 circumvention tools (all but the really simple ones like open proxies)
 encrypt the traffic between the user and the circumvention provider. They
 need this encryption to avoid the keyword filtering done by such censors
 as China's firewall. But none of the tools can encrypt the traffic
-between the provider and the destination websites -- if a destination
+between the provider and the destination websites &mdash; if a destination
 website doesn't support encryption, there's no magic way to make the
 traffic encrypted.
+</p>
 
+<p>
 The ideal answer would be for everybody to use https (also known as
 SSL) when accessing websites, and for all websites to support https
 connections. When used correctly, https provides encryption between your
@@ -262,25 +321,31 @@
 people to learn, and then 2) use a circumvention tool that doesn't have
 any trust bottlenecks that allow somebody to link you to your destinations
 despite the precautions in step 1.
+</p>
 
+<p>
 Alas, things get messy when you can't avoid sending sensitive info. Some
 people have expressed concern over Tor's volunteer-run network design,
 reasoning that at least with the centralized designs you know who runs
 the infrastructure. But in practice it's going to be strangers reading
-your traffic either way -- the tradeoff is between volunteer strangers
+your traffic either way &mdash; the tradeoff is between volunteer strangers
 who don't know it's you (meaning they can't target you), or dedicated
 strangers who get to see your entire traffic profile (and link you to it).
 Anybody who promises "100% security" is selling something.
+</p>
 
-8. Fast
+<h3>8. Fast</h3>
 
+<p>
 The next feature you might look for in a circumvention tool is speed. Some
 tools tend to be consistently fast, some consistently slow, and some
 provide wildly unpredictable performance. Speed is based on many factors,
 including how many users the system has, what the users are doing,
 how much capacity there is, and whether the load is spread evenly over
 the network.
+</p>
 
+<p>
 The centralized-trust designs have two advantages here. First, they
 can see all their users and what they're doing, meaning they have a
 head start at spreading them out evenly and at discouraging behaviors
@@ -289,7 +354,9 @@
 on the other hand have a harder time tracking their users, and if they
 rely on volunteers to provide capacity, then getting more volunteers is
 a more complex process than just paying for more bandwidth.
+</p>
 
+<p>
 The flip side of the performance question is flexibility. Many systems
 ensure good speed by limiting what their users can do. While Psiphon
 prevents you from reaching sites that they haven't manually vetted yet,
@@ -299,9 +366,11 @@
 meaning for example you can instant message through it too; but the
 downside is that the network is often overwhelmed by users doing bulk
 transfer.
+</p>
 
-9. Easy to get the software and updates
+<h3>9. Easy to get the software and updates</h3>
 
+<p>
 Once a circumvention tool becomes well-known, its website is going to get
 blocked. If it's impossible to get a copy of the tool itself, who cares
 how good it is? The best answer here is to not require any specialized
@@ -313,7 +382,9 @@
 programs like Firefox it's harder to pass around online. In that case
 distribution tends to be done through social networks and USB sticks,
 or using our email autoresponder that lets you download Tor via Gmail.
+</p>
 
+<p>
 Then you need to consider the tradeoffs that come with each approach.
 First, which operating systems are supported? Psiphon wins here too
 by not requiring any extra client software. Ultrareach and Freegate
@@ -322,7 +393,9 @@
 consider that client-side software can automatically handle failover
 from one proxy to the next, so you don't need to manually type in a new
 address if your current address disappears or gets blocked.
+</p>
 
+<p>
 Last, does the tool have a track record
 for responding to blocking? For example, Ultrasurf
 and Freegate have a history of releasing quick updates when the current
@@ -332,20 +405,24 @@
 blocking by streamlining its network communications to look more like
 encrypted web browsing, and introducing unpublished "bridge relays" that
 are harder for an attacker to find and block than Tor's public relays. Tor
-tries to separate software updates from proxy address updates -- if the
+tries to separate software updates from proxy address updates &mdash; if the
 bridge relay you're using gets blocked, you can stick with the same
 software and just configure it to use a new bridge address. Our bridge
 design was put to the test in China in September of 2009, and tens of
 thousands of users seamlessly moved from the public relays to bridges.
+</p>
 
-10. Doesn't promote itself as a circumvention tool
+<h3>10. Doesn't promote itself as a circumvention tool</h3>
 
+<p>
 Many circumvention tools launch with a huge media splash. The media loves
 this approach, and they end up with front page articles like "American
 hackers declare war on China!" But while this attention helps attract
 support (volunteers, profit, sponsors), the publicity also attracts the
 attention of the censors.
+</p>
 
+<p>
 Censors generally block two categories of tools: 1) the ones that are
 working really well, meaning they have hundreds of thousands of users,
 and 2) the ones that make a lot of noise. In many cases censorship is
@@ -353,19 +430,23 @@
 atmosphere of repression so people end up self-censoring. Articles in
 the press threaten the censors' <i>appearance</i> of control, so they
 are forced to respond.
+</p>
 
+<p>
 The lesson here is that we can control the pace of the arms
 race. Counterintuitively, even if a tool has many users, as long as
 nobody talks about it much it tends not to get blocked. But if nobody
 talks about it, how do users learn about it? One way out of the paradox
 is to spread through word of mouth and social networks rather than the
 more traditional media. Another approach is to position the tool in a
-different context -- for example, we present Tor primarily as a privacy
+different context &mdash; for example, we present Tor primarily as a privacy
 and civil liberties tool rather than a circumvention tool. Alas, this
 balancing act is tough to maintain in the face of increasing popularity.
+</p>
 
-Conclusion:
+<h3>Conclusion</h3>
 
+<p>
 This article explains some of the issues you should consider when
 evaluating the strengths and weaknesses of circumvention tools. I've
 intentionally avoided drawing up a table of different tools and scoring
@@ -374,7 +455,9 @@
 to find the "best" tool. Having a diversity of circumvention tools in
 wide use increases robustness for all the tools, since censors have to
 tackle every strategy at once.
+</p>
 
+<p>
 Last, we should keep in mind that technology won't solve the whole
 problem. After all, firewalls are <i>socially</i> very successful in these
 countries. As long as many people in censored countries are saying "I'm so
@@ -382,9 +465,10 @@
 are at least as important. But at the same time, there are people in
 all of these countries who want to learn and spread information online,
 and a strong technical solution remains a critical piece of the puzzle.
+</p>
 
-About Roger:
-
+<hr />
+<p>
 Roger Dingledine is project leader for The Tor Project, a US non-profit
 working on anonymity research and development for such diverse
 organizations as the US Navy, the Electronic Frontier Foundation, and
@@ -392,4 +476,8 @@
 organizes academic conferences on anonymity, speaks at a wide variety
 of industry and hacker conferences, and also does tutorials on anonymity
 for national and foreign law enforcement.
+</p>
 
+<p><tt>[Last updated 23 Jan 2010]
+</tt></p>
+