Over half of Internet users globally now live in countries that block political, social, or religious content online. On top of that, the many popular tools and techniques for circumventing this censorship have been made ineffective by new methods used to block them or the infrastructure they rely on.
Refraction Networking, an approach pioneered by Michigan researchers, is one of the most promising new approaches to circumventing these measures. Refraction operates in the network’s core, at cooperating Internet Service Providers (ISPs) outside censoring countries. Users access the circumvention services by connecting to a “decoy site”—any uncensored website traveling over a participating ISP. Once a cryptographic signal from the user is recognized, the ISP routes their connection to the requested censored content. This way, censors cannot easily block access without also blocking legitimate connections to every site at every participating ISP, causing major collateral damage if done at a large scale. A multi-institutional team led by U-M has been working for the last four years to usher Refraction Networking out of the lab and make it widely available to users.
The major challenge to this approach is that Refraction Networking requires ISP participation, but the team has been steadily improving the technology to make it easier and cheaper for ISPs to deploy. A new Refraction protocol co-developed by Prof. J. Alex Halderman makes a major advance in this direction. With Conjure, a team led by U-M alum Prof. Eric Wustrow from the University of Colorado, Boulder present a method that allows ISPs to deploy Refraction Networking in their unused address space.
Conjure works by creating realistic “phantom hosts” at these unoccupied addresses. These “phantom hosts” are difficult for a censor to distinguish from real ones, but can be used by clients as proxies.
Phantom hosts are cheap to connect to, and there are far more of them available than legitimate websites – meaning more that a censor has to look out for. This increases the cost for censors, since they have to detect and block a huge number of addresses in real time. The advantage becomes even greater as more sites and clients migrate to IPv6, which has almost 2^128 possible addresses.
The team implemented Conjure on a 20 Gbps ISP testbed, and found that it has 20% lower latency, 14% faster download bandwidth, and over 1400 times faster upload bandwidth than currently deployed Refraction Networking techniques. On top of this, Conjure is significantly more flexible, allowing maintainers to respond to future censor techniques with greater agility. The team plans to publicly deploy a beta version soon to help users in censored countries.
This system will be presented at ACM CCS 2019 in London in the paper “Conjure: Summoning Proxies from Unused Address Space.”
Find out more at http://refraction.network.