Censorship is an increasing problem on the Internet. As the technology to manipulate what users see on the web gets cheaper, more countries, ISPs, and service providers are amping up their ability to not only monitor what their users see, but to orchestrate what those users see and experience. We define censorship as anything that prevents a user from experiencing the Internet in all of its glory. This can be directly blocking content, or throttling it to speeds so slow that it is effectively blocked. The principles of Net-Neutrality are often talked about in political circles as something that needs to be defended, but little is said about the technological solutions that help break censorship. On the Internet, these are encrypted networks like Tor, I2P, and VPN networks. In the past, these tools could be used to bypass censorship systems. Now, deep packet inspection is used to detect and block these services automatically using various techniques.
This cat and mouse game has been going on for years. As the anti-censorship organizations deploy technology to bypass censors, the censors immediately work to find new methods to detect and block those tunnels. The pace of development of this tech has also led to a decline in usability. These tools are increasingly hard to deploy for savvy users, making it nearly impossible for average users to get access to censored information.
The OSTIF Anti-Censorship Project
Today we are announcing that we have been working with OpenVPN, The Operator Foundation and Greatfire.org to improve the existing working tools out there. The core aim of the project is to improve ease-of-use for installation and setup, to improve documentation, and to improve the tools themselves to reduce detection rates. This project has multiple parts, as relying on only one anti-censorship method can leave users stranded if their censor improves their methods against a particular tool.
The MeekHeavy Project
The MeekHeavy project is an evolution of the existing Meek project that is headed by Tor. Meek uses a technique called Domain Fronting with SNI. Domain Fronting makes the servers for a network service (like a VPN or Tor) look like a generic server operating at a cloud provider. Current tools are specifically resistant to many types of automated analysis, impersonating real services and fooling many censorship systems. However, there are issues: the technology could be improved to further evade detection, the usability needs some work, and the documentation could be dramatically improved (it is currently a single article on Tor’s Trac).
MeekHeavy will work as a standalone service as well, which will mean that MeekHeavy can work on WireGuard, Tor, I2P and any other service that wishes to implement MeekHeavy censorship resistance.
We aim to:
Implement Encrypted SNI (ESNI) using CloudFlare’s draft version of ESNI that they currently have implemented. We think that their implementation looks very much like what a final version of ESNI will look like, with minor tweaks that we can adapt to once ESNI becomes a standard. ESNI is crucially important because it encrypts the information about the certificate that is sent between the client and server, and it restricts an interloper’s ability to blacklist specific certificates. This re-establishes the “Mexican Standoff” approach to domain fronting. In order for a censor to be able to block a service that utilizes domain fronting, they’d have to block the entire cloud provider, which has far more collateral damage than blocking one particular service or website. Maximizing the collateral damage is a crucial step in dissuading censors from taking action against services. A block on all of Amazon Web Services, all of MS Azure, or all of CloudFlare is unthinkable.
Implement DNS-over-HTTPS support. DNS over HTTPS removes the DNS server from the censorship equation by establishing a secure connection between the DNS server and the client. This prevents a common censorship technique called DNS Poisoning, which is a tampering method that sends invalid DNS responses to users and redirects them to censored versions of websites.
Remove hard-coded components (server names) that can be detected. This is to improve resistance to detection.
Add an easier method to switch cloud providers and improve the documentation surrounding this.
Additionally, we want to further improve the UX/UI of MeekHeavy, and to get our changes audited by an outside team. We will need to raise additional funds to get there, so we need as much help as possible getting people to donate!
The OpenVPN Plugin Projects
OpenVPN 2.5.0 will have a plugin API that allows obfuscation transports (censorship evasion tech) to be added directly into OpenVPN. This is to support a project being headed by Google Jigsaw, but this API is open to function with tech developed by anyone in order to easily implement anti-censorship measures.
We aim to:
Build obfs4, shadowsocks and MeekHeavy directly into an OpenVPN build. This will allow users much easier access to these tools and they will be able to implement the technology by following simple guides. This will significantly raise the bar for censors as users will have easy access to effective tools for bypassing most types of censorship.
The primary goal of these plugins is to keep the number of steps to installing and using these tools to a minimum.
We will want to improve the UX/UI of these plugins in a custom version of OpenVPN GUI as well, and to get our custom code audited by a 3rd party. So again, we need the help of our community! Get the word out on social media, blogs, and donate donate donate!
Open Source and Free to All
This project will be open source, but will also provide compiled installers that will allow easy installation for non-savvy users. We haven’t decided where the files will be hosted (yet), but we will have an active GitHub once these tools near release-quality code.
We need help!
This project will require significant support from the community in order to succeed. Once the tools are created, they will need ongoing maintenance to improve as well as significant security review by outside parties. Get your hosting company involved. Get your cloud provider, and your VPN involved. Get your anti-censorship and news orgs involved. If you know a way that you can assist us in this massive task, get in touch!
Most importantly, talk about this project. Make sure that people know about our work and that what we do is valuable.
We are active on Reddit and Twitter, so if you are on those platforms, keep tabs on us!
Thank Yous
A special thank you goes out to our sponsors that have helped get us to a position where we can work on important projects like this one. Private Internet Access, Monero Research Lab, NordVPN, Mullvad, and ExpressVPN have all given us critical support to push this project forward. We need more support to keep doing great things and to keep moving this community in a positive direction.