Blocking-resistant communication through domain fronting

@article{Fifield2015BlockingresistantCT,
  title={Blocking-resistant communication through domain fronting},
  author={David Fifield and Chang Lan and Rod Hynes and Percy Wegmann and Vern Paxson},
  journal={Proceedings on Privacy Enhancing Technologies},
  year={2015},
  volume={2015},
  pages={46 - 64}
}
Abstract We describe “domain fronting,” a versatile censorship circumvention technique that hides the remote endpoint of a communication. Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor. The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name… 
Domain Shadowing: Leveraging Content Delivery Networks for Robust Blocking-Resistant Communications
  • Ming Wei
  • Computer Science
    USENIX Security Symposium
  • 2021
We debut domain shadowing, a novel censorship evasion technique leveraging content delivery networks (CDNs). Domain shadowing exploits the fact that CDNs allow their customers to claim arbitrary
Towards a Scalable Censorship-Resistant Overlay Network based on WebRTC Covert Channels
TLDR
The design of a distributed system named Censorship-Resistant Overlay Network (CRON), which aims at offering to the users located in censored regions a set of services that allow them to locate proxies positioned in the free Internet region, and set up secure covert tunnels for accessing arbitrary sites on the Internet.
The use of TLS in Censorship Circumvention
TLDR
Real-world TLS traffic from over 11.8 billion TLS connections over 9 months is collected to identify a wide range of TLS client implementations actually used on the Internet and develops a library, uTLS, that enables tool maintainers to automatically mimic other popular TLS implementations.
Slitheen: Perfectly Imitated Decoy Routing through Traffic Replacement
TLDR
This work proposes Slitheen, a decoy routing system capable of perfectly mimicking the traffic patterns of overt sites, and shows how recent innovations in traffic-shaping technology for ISPs mitigate previous deployability challenges.
Balboa: Bobbing and Weaving around Network Censorship
TLDR
This work introduces Balboa, a link obfuscation framework for censorship circumvention, and presents two instantiations of Balboa—one for audio streaming and one for web browsing—and demonstrates the difficulty of identifying Balboa by a machine learning classifier.
Poking a Hole in the Wall: Efficient Censorship-Resistant Internet Communications by Parasitizing on WebRTC
TLDR
Protozoa is presented, a censorship-resistant tunneling tool featuring both high-performing covert channels and strong traffic analysis resistance that is able to evade state-level censorship in China, Russia, and India.
Conjure: Summoning Proxies from Unused Address Space
TLDR
Conjure is presented, an improved Refraction Networking approach that overcomes limitations by leveraging unused address space at deploying ISPs and connects to IP addresses where no web server exists leveraging proxy functionality from the core of the network.
Secure asymmetry and deployability for decoy routing systems
TLDR
A technique for supporting route asymmetry in previously symmetric decoy routing systems is proposed, more secure than previous asymmetric proposals and provides an option for tiered deployment, allowing more cautious ASes to deploy a lightweight, non-blocking relay station that aids in defending against routing-capable adversaries.
Turbo Tunnel, a good way to design censorship circumvention protocols
  • D. Fifield
  • Computer Science
    FOCI @ USENIX Security Symposium
  • 2020
TLDR
This work motivates the concept by exploring specific problems that a Turbo Tunnel design can solve, describes the essential components of such a design, and reflects on the experience of implementation in the obfs4, meek, and Snowflake circumvention systems, as well as a new DNS over HTTPS tunnel.
CacheBrowser: Bypassing Chinese Censorship without Proxies Using Cached Content
TLDR
This work designs a client-side circumvention system, CacheBrowser, that leverages the censors' difficulties in blocking CDN content, and implements it and uses it to unblock CDN-hosted content in China with a download latency significantly smaller than traditional proxy-based circumvention systems like Tor.
...
1
2
3
4
5
...

References

SHOWING 1-10 OF 77 REFERENCES
CensorSpoofer: asymmetric communication using IP spoofing for censorship-resistant web browsing
TLDR
A new framework for censorship-resistant web browsing called CensorSpoofer is proposed that addresses this challenge by exploiting the asymmetric nature of web browsing traffic and making use of IP spoofing.
Chipping Away at Censorship Firewalls with User-Generated Content
TLDR
This paper develops Collage, which allows users to exchange messages through hidden channels in sites that host user-generated content, and shows how Collage can be used to build two applications: a direct messaging application, and a Web content delivery system.
Cirripede: circumvention infrastructure using router redirection with plausible deniability
TLDR
Cirripede is a system that can be used for unobservable communication with Internet destinations and is designed to be deployed by ISPs, intercepts connections from clients to innocent-looking destinations and redirects them to the true destination requested by the client.
SkypeMorph: protocol obfuscation for Tor bridges
TLDR
This work proposes a model in which the client obfuscates its messages to the bridge in a widely used protocol over the Internet, to make it difficult for the censoring adversary to distinguish between the obfuscated bridge connections and actual Skype calls using statistical comparisons.
ScrambleSuit: a polymorphic network protocol to circumvent censorship
TLDR
By using morphing techniques and a secret exchanged out-of-band, ScrambleSuit can defend against active probing and other fingerprinting techniques such as protocol classification and regular expressions and enables effective and lightweight obfuscation for application layer protocols.
Protocol misidentification made easy with format-transforming encryption
TLDR
This paper designs an FTE-based record layer that can encrypt arbitrary application-layer traffic, and experimentally shows that this forces misidentification for all of the evaluated DPI systems.
Dust : A Blocking-Resistant Internet Transport Protocol
TLDR
Dust is proposed as a blocking-resistant Internet protocol designed to be used alone or in conjunction with existing systems to resist a number of attacks currently in active use to censor Internet communication.
Routing around decoys
TLDR
It is shown that a routing capable adversary can enumerate the participating routers implementing these protocols; can successfully avoid sending traffic along routes containing these routers with little or no adverse effects; and in some cases can probabilistically identify connections to targeted destinations.
StegoTorus: a camouflage proxy for the Tor anonymity system
TLDR
StegoTorus is presented, a tool that comprehensively disguises Tor from protocol analysis and improves the resilience of Tor to fingerprinting attacks and delivers usable performance.
Telex: Anticensorship in the Network Infrastructure
TLDR
A new cryptographic scheme based on elliptic curves for tagging TLS handshakes such that the tag is visible to a Telex station but not to a censor, which is used to build a protocol that allows clients to connect to Telex stations while resisting both passive and active attacks.
...
1
2
3
4
5
...