A closer look at the Great Firewall of China
Over the last years, we learned a lot about how the Great Firewall of China is blocking Tor. Some questions remained unanswered, however. Roya, Mueen, Jed, and I just published a project which seeks to answer some of these open questions. Being curious as we are, we tried to find answers to the following questions:
- Is the filtering decentralised (i.e., happening in provinces) or centralised (i.e., happening in Internet exchange points (IXP))?
- Are there any temporal patterns in the filtering? Or in other words, are there certain times when people are more likely to be able to connect to Tor?
- Similarly, are there any spatial patterns? Are folks in some special regions of China able to connect to Tor while others cannot?
- When a computer in China tries to connect to a Tor relay, what part of the TCP handshake is blocked?
It turns out that some of these questions are quite tricky to answer. For example, to find spatial patterns, we need to be able to measure the connectivity between many Tor relays and many clients in China. However, we are not able to control even a single one of these machines. So how do we proceed from here? As so often, side channels come to the rescue! In particular, we made use of two neat network measurement side channels which are the hybrid idle scan and the SYN backlog scan. The backlog scan is a new side channel we discovered and discuss in our paper. Equipped with these two powerful techniques, we were able to infer if there is packet loss between relay A and client B even though we cannot control A and B.
You might notice that our measurement techniques are quite different from most other Internet censorship studies which rely on machines inside the censoring country. While our techniques give us a lot more geographical coverage, they come at a price which is flexibility; we are limited to measuring Internet filtering on the IP layer. More sophisticated filtering techniques such as deep packet inspection remain outside our scope.
Now what we did was to measure the connectivity between several dozen Tor relays and computers in China over four weeks which means that we collected plenty of data points, each of which telling us "was A able to talk to B at time T?". These data points reveal a number of interesting things:
- It appears that many IP addresses inside the China Education and Research Network (CERNET) are able to connect to at least our Tor relay.
- Apart from the CERNET netblock, the filtering seems to be quite effective despite occasional country-wide downtimes.
- It seems like the filtering is centralised at the IXP level instead of being decentralised at the provincial level. That makes sense from the censor's point of view because it is cheap, effective, and easy to control.
Now what does all of this mean for Tor users? Our results show that China still has a tight grip on its communication infrastructure, especially on the IP and TCP layer. That is why our circumvention efforts mostly focus on the application layer (with meek being an exception) and pluggable transport protocols such as ScrambleSuit (which is now part of the experimental version of TorBrowser) and obfs4 are specifically designed to thwart the firewall's active probing attacks.
ScrambleSuit and obfs4 should be able to. In general, meek also should but the Google infrastructure isn't accessible at the moment, as far as I know.
The current experimental version of TorBrowser already contains ScrambleSuit and meek but obfs4 is still missing.
does orbot support scramblesuit?
I'm a Chinese student, I want to use OrBot but it's not working in Hong Kong, and there's no data surrounding it, not even on the official GuardianProject website, and they don't answer when you chat with on #guadianproject, and sending an email is not an option. I have no thoughts on what to do.
Tor for mobile is now more important than ever, even more than desktop,but until the guardian project get their shit together and start focusing on the important things, one project at a time,before distributig their resources on numerous but barely-working projects (reading orbot's official page is like reading the "one weird trick to make your arbs grow faster" nothing but marketing with no actual info), you could easily set up a tor hotspot on a desktop for mobile users, but you'd probably need tails to do that if you want a fully torrified system, but as far as I know, unfortuntely tails only supports obfs3 (I'm not sure, I tried asking on #tails and searching the official tails website, and found no info, apparently not even the devs know what pt is supported by tails) which as I understand is blocked in China.
Tails only supports obfs3. it doesn't support any other pluggable transport. I'm not sure why the tails devs are way behind concerning tails' core "engine" which is tor. but they're not exactly known to be your no-nonsense top developer either, tails experienced so much ip leaks disasters even in stable releases, which most were actually reported by third parties instead of being discovered by tails' people...