Doctor Who-inspired proxy transmogrifies politically sensitive web to avoid gov censorship
Slitheen tool smuggles browsers into cyber-Tardis
Computer boffins in Canada are working on anti-censorship software called Slitheen that disguises disallowed web content as government-sanctioned pablum. They intend for it to be used in countries where network connections get scrutinized for forbidden thought.
Slitheen – named after Doctor Who aliens capable of mimicking humans to avoid detection – could thus make reading the Universal Declaration of Human Rights look like a lengthy refresher course in North Korean juche ideology or a politically acceptable celebration of cats.
In a presentation last October, Cecylia Bocovich, a University of Waterloo PhD student developing the technology in conjunction with computer science professor Ian Goldberg, said that governments in countries such as China, Iran, and Pakistan have used a variety of techniques to censor internet access, including filtering by IP address, filtering by hostname, protocol-specific throttling, URL keyword filtering, active probing, and application layer deep packet inspection.
In an email to The Register, Goldberg said the software is based on the concept of decoy routing.
"The basic idea behind decoy routing is that the (censored) user's computer makes an Internet connection to some non-censored ('overt') site, such as a site with cute cat videos," said Goldberg. "However, it embeds a hidden cryptographic tag in its connection, which only a particular Internet router somewhere on the path between the user and the cute cat site can see. That router, seeing the tag, then redirects the traffic to a censored ('covert') site, say Wikipedia."
As Bocovich and Goldberg explain in a paper they co-authored, these tags make the web session's master TLS secret available to a cooperating ISP. This allows the ISP to conduct what amounts to a friendly man-in-the-middle attack by having a network relay it controls open a proxy connection to the censored website.
Slitheen, he said, improves on prior decoy routing schemes by eliminating network packet inconsistencies that signal the use of anti-censorship tools. Such discrepancies, he said, can put those seeking to avoid censorship at risk.
"The advance of Slitheen over previous decoy routing proposals is that previous systems cut the connection to the cute cats site completely to perform the redirection, so to the censor observing the user's internet connection, the packets say, 'I am going to the cute cats site,' but the amount of traffic, and timings and sizes of the component packets, will be characteristic of Wikipedia, not cute cats."
Slitheen maintains the connection to the acceptable website, thereby making it resistant to TCP replay attacks, and even downloads pages from it, though the end user only sees desired content, not decoy content.
"The technical advance of Slitheen is that the internet router that spotted the tag then looks for 'leaf resources': web content, such as images or videos, that cannot themselves cause the browser to load other content," Goldberg explained. "The router then replaces those cute cat videos with the desired content from Wikipedia, on a packet-by-packet basis, so that the packet sizes and timings are unchanged from the actual internet traffic the censor would expect to see from someone actually visiting the cute cats site."
The key insight behind Slitheen is that it provides what amounts to a traffic checksum that satisfies diagnostic techniques seeking to detect censorship avoidance.
"Since our replacements match the sizes of requests and responses exactly, the TCP state between the client and the overt site as seen by the censor is the true TCP state," the paper explains. "Furthermore, Slitheen eliminates the ability of the censor to identify its use through TCP/IP protocol fingerprinting."
Goldberg anticipates that Slitheen will be available as open source within a year. ®
Sponsored: Becoming a Pragmatic Security Leader