How to read our China usage graphs

Recently somebody asked me why our usage numbers in China are so low. More precisely, his question was "How do I read this graph in any way other than 'Tor is effectively blocked in China'?" After writing up an answer for him, I realized I should share it with the rest of the Tor community too.

The correct interpretation of the graph is "obfs3 bridges have not been deployed enough to keep up with the demand in China". So it isn't that Tor is blocked — it's that we haven't done much of a deployment for obfs3 bridges or ScrambleSuit bridges, which are the latest steps in the arms race.

The short explanation is that the old vanilla SSL Tor transport doesn't work in China anymore due to their active probing infrastructure. The obfs2 transport doesn't work anymore either, for the same reason. The obfs3 transport works great for now, and thousands of people are happily using it — and some of those people aren't reflected in the graphs you see (I'll explain that more below).

The medium-length explanation is that we've been leading and coordinating the international research effort at understanding how to design and analyze transports that resist both DPI and active probing, and approximately none of these approaches have been deployed at a large scale yet. So it doesn't make sense to say that Tor is blocked in China, because it mischaracterizes Tor as a static protocol. "Tor" when it comes to censorship circumvention is a toolbox of options — some of them work in China, some don't. The ones that work (i.e. that should resist both DPI and active probing) haven't been rolled out very widely, in large part because we have funders who care about the research side but we have nobody who funds the operations, deployment, or scale-up side.

The long explanation is that it comes down to three issues:

First, there are some technical steps we haven't finished deploying in terms of collecting statistics about users of bridges + pluggable transports. The reason is that the server side of the pluggable transport needs to inform the Tor bridge what country the user was from, so the Tor bridge can include that in its (aggregated, anonymized) stats that it publishes to the metrics portal. We've now built most of the pieces, but most of the deployed bridges aren't running the new code yet. So the older bridges that are reporting their user statistics aren't seeing very many users from China, while the bridges that *aren't* reporting their user statistics, which are the ones that offer the newer pluggable transports, aren't well-represented in the graph. We have some nice volunteers looking into what fraction of deployed obfs3 bridges don't have this new 'extended ORPort' feature. But (and you might notice the trend here) we don't have any funders currently who care about counting bridge users in China.

Second, we need to get more addresses. One approach is to get them from volunteers who sign up their computer as a bridge. That provides great sustainability in terms of community involvement (we did a similar push for obfs2 bridges back when Iran was messing with SSL, and got enough to make a real difference at the time), but one address per volunteer doesn't scale very well. The intuition is that the primary resource that relays volunteer is bandwidth, whereas the primary resource that bridges volunteer is their address — and while bandwidth is an ongoing contribution, once your IP address gets blocked then your contribution has ended, at least for the country that blocked it, or until you get another address via DHCP, etc. The more scalable approaches to getting bridge addresses involve coordinating with ISPs and network operators, and/or designs like Flashproxy to make it really easy for users to sign up their address. I describe these ideas more in "approach four" and "approach five" of the Strategies for getting more bridge addresses blog post. But broad deployment of those approaches is again an operational thing, and we don't have any funded projects currently for doing it.

Third, we need ways of letting people learn about bridges and use them without getting them noticed. We used to think the arms race here was "how do you give out addresses such that the good guys can learn a few while the bad guys can't learn all of them", a la the bridges.torproject.org question. But it's increasingly clear that scanning resistance will be the name of the game in China: your transport has to not only blend in with many other flows (to drive up the number of scans they have to launch), but also when they connect to that endpoint and speak your protocol, your service needs to look unobjectionable there as well. Some combination of ScrambleSuit and FTE are great starts here, but it sure is a good thing that the research world has been working on so many prototype designs lately.

So where does that leave us? It would be neat to think about a broad deployment and operations plan here. I would want to do it in conjunction with some other groups, like Team Cymru on the technical platform side and some on-the-ground partner groups for distributing bridge addresses more effectively among social networks. We've made some good progress on the underlying technologies that would increase the success chances of such a deployment — though we've mostly been doing it using volunteers in our spare time on the side, so it's slower going than it could be. And several other groups (e.g. torservers.net) have recently gotten funding for deploying Tor bridges, so maybe we could combine well with them.

In any case it won't be a quick and simple job, since all these pieces have to come together. It's increasingly clear that just getting addresses should be the easy part of this. It's how you give them out, and what you run on the server side to defeat China's scanning, that still look like the two tough challenges for somebody trying to scale up their circumvention tool design.

Anonymous

March 17, 2014

Permalink

I'm looking forward for the day where all Tor relays are obfs3 by default. Isn't it a mere software issue,, or am I missing something?

You mean adding a layer of obfs3 over the normal link encryption between and to relays? We could do that, and it wouldn't be that hard (a simple matter of programming, as they say). But the list of relays is public, and it's not easy/simple to keep it secret: https://www.torproject.org/docs/faq#HideExits

So it's not obvious what exactly this would buy us. Sounds like a great topic for a Tor dev proposal:
https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/001-proc…
https://gitweb.torproject.org/torspec.git/tree/HEAD:/proposals

Anonymous

March 17, 2014

Permalink

Tech dummy but I have set up bridges by default inthe past.
Recently around the time you report someone was able to block them and ask we run another 'thing" the usage on mine dropped to nil.

So my question is does it do much/any good to run the bridges by default?
For the less tech savy?

Yes, it does good.

Our bridge distribution strategy involves breaking up the volunteer bridge addresses into different "buckets", where each bucket is given out in a different way. So some buckets will be given out quickly and easily, and probably blocked after a while. Whereas other buckets will be given out slowly and through hard-to-use mechanisms, so they'll have less load but also be less likely to be blocked.

Part of what we need to do a better job on is communicating to the bridge operator which bucket her bridge has been put in, so she can better understand her contribution.

But you're right, running a bridge on a single address is not as useful a contribution, long-term, as some of the more scalable approaches I describe in the post.

Anonymous

March 17, 2014

Permalink

I wholeheartedly agree about the importance of the Tor Project getting more funding for projects like this, but couldn't help but notice that if core devs--as opposed to people working primarily on advocacy--weren't talking about how they want to "burn it [the state] to the ground" on Twitter all day (https://twitter.com/puellavulnerata/status/445517416596922369) instead of writing code, there might be more person-hours available to the organization for projects like this at current resource levels. As someone volunteering patches and documentation for tor, sometimes that's hard not to notice.

Do you really think that tweet was time consuming to the point of taking away from Tor development, or were you merely pointing out something potentially controversial?

Anonymous

March 18, 2014

Permalink

"So it isn't that Tor is blocked — it's that we haven't done much of a deployment for obfs3 bridges or ScrambleSuit bridges, which are the latest steps in the arms race."

In fact, Tor is blocked in China. Tor is not usable for the people who want to circumvent the censorship. Psiphon, Lantern, and other VPNs just work. They do not require extra steps. You download, run it, access the blocked content. You can argue in hundreds of words about technical reasons, we don't care. Tor doesn't work without lots of extra steps and efforts.

Tor requires you download a huge file, run it, find it does not work, waste time looking around for solutions, eventually find bridges, find the bridges don't work, waste more time looking around for solutions, find obfs bridges, hopefully your bridge is online, then maybe you can get tor to work.

Tor in China needs to be: download, run, access the site. I want a tool that works, not an ideology packaged in a multi-step challenge. Xbox and PS4 are more fun at multi-step challenge than tor.

That's a bit stupid for me to say than "Tor in China needs to be: download, run, access the site. I want a tool that works, not an ideology packaged in a multi-step challenge. Xbox and PS4 are more fun at multi-step challenge than tor. ".

Tor isn't an ideology, it's a software. And it's 60% runned by the US, so i think than it's normal for them to try being able to adapt to every situations (US marines in Afghanistan used TOR to reach their online stuff).

Psiphon基本是连不上的。
Lantern第1版死掉后,第2版也是极小范围在试用。
其他VPN,很多是PPTP,鉴于pptp的弱点,就不多说为什么会让它存活了。

tor跟其他的VPN有个显著差别,VPN是为了能跨越gfw,而tor是在跨越的同时力求保证匿名。

为什么tor一直被追杀,原因就在于此。等到被认为不具备匿名作用了,arms race也就停止了。

Psiphon被封杀,但是可以先开启海外的VPN,就能连接成功,等待几分钟就能更新服务器列表。。这样重复几次,就可以断开VPN,用Psiphon3直接连通了。

I wholeheartedly agree. I came here, because I was trying to find a way to set up Tor from within China, but instead of giving a detailed explanation of how to go about that, the Tor guys apparently are more interested in uptalking statistics. Who on earth cares about that???

I just wasted quite some time trying to connect a buddy of mine residing in China to the Tor-network with obfs3, but no cigar. The meek version didn't work either and there's no information of how to do it, only differening hints on other websites of which none actually worked.

To the blog author: Next time you feel you need to justify Tor's usability, please make sure that the system is actually easily and readily usable by the less tech-savvy masses. I don't doubt that there are thousands of Tor users in China that have a high enough pain threshold to actually figure out, how to get a crappy connection through Tor. Yet, that still is nothing compared to the 650 mio online users the country has right now...

The filesize of Tor might seem laughable compared to western standards, but try to download 30 megs with a connection that craps out constantly only to realize that you end up with an outdated version of the Firefox browser of which you already have a newer version installed and a rather tiny Tor loader. Why is there no plugin for FF instead?

Thanks to the comment writer for mentioning all those VPN-services. I have been trying out quite a few and none worked. So far I've been offering my line through Hamachi as a Proxy to my buddy, but I'm not online all day and my bandwidth can't match that of professional VPN services, but at least it works rekiably without problems.

I can't wait to give all these VPN-services a shot.

> Tor in China needs to be: download, run, access the site.

Bingo! I'm stumped that the software doesn't even offer an automatic connection mode where it actually tries to connect and then goes through all possibilities automatically after a certain time out, instead of having the user to switch between protocols manually...

I know you guys hate Ultrasurf, but at least it couldn't be easier to use...

Anonymous

March 19, 2014

Permalink

"Psiphon, Lantern, and other VPNs just work. They do not require extra steps."

You forgot to mention the most popular one: Goagent. For normal users, it's more difficult to use than Tor.

"You can argue in hundreds of words about technical reasons, we don't care."

It's not 'about technical reasons'. It is about 'we've got a plan and Tor is not and will never be blocked in China, but we have no money' :P

"Tor requires you download a huge file, run it, find it does not work, waste time looking around..., waste more time ...hopefully your bridge is online"

I can feel your frustrated-with-Tor roar and sometimes I have the exact same feelings. But like you said, Tor is just one of the free services available online. If it works, great; if not, I'll still appreciate for the help and try other tools.

建议试下最新测试版 Tor Browser 3.6-beta-1,支持 obfs3,感觉设置方便有改进。(下载链接:https://www.torservers.net/mirrors/torproject.org/dist/torbrowser/)。另外,可以直接邮件问 help-zh@rt.torproject.org 发一个可用obfs3网桥。

Anonymous

August 04, 2014

Permalink

Well, I'm another fool who attemped to use Tor in China. Well Tor is not blocked in China, but its not working.... As useful as a car with no wheels. What a joke...

Anonymous

August 08, 2014

Permalink

What if there was some way to get an "allowed" list to people running outside bridges? Then it would be a matter of swapping addresses rather than just giving the address of the bridge. Getting onto a list could require some sort of "catchpa" style thing, which could prevent, or slow down the process of automated scanning.