Songs on the Security of Networks
a blog by Michał "rysiek" Woźniak

Proxies! Proxies everywhere!

This is a very old post, published more than 4 years ago.

It may no longer reflect the Author's views or external facts. It is kept as a historical post.

Another follow-up after the RightsCon and OpenITP conferences in Rio – during the OpenITP workshop session, an interesting idea was floated as a case study in the Game Theory and Censorship working group:
if every (or most; or just many) HTTPS-enabled webservers on the Internet were configured as open proxies, this could provide an invaluable additional layer of security and resilience for anti-censorship and anti-surveillance tools, like TOR; and would be very useful in and of itself.

As Lucas Dixon of Google Ideas pointed out, this idea has been discussed informally, on and off, for at least the last year or so.

I love the idea, and I believe it is worth some serious thought. Should this become reality, it would be close to impossibru to selectively censor the Internet, especially by oppressive regimes (like the USA or China), as to accomplish that they would need to effectively censor all HTTPS communication with all such HTTPS-enabled open proxies. I’d like to see the US censoring google.pl

Good reasons

Imagine a world in which you could use any public-facing HTTPS server as an anonymous proxy just by telling your operating system or application to use it as one. No need to set up TOR, and the traffic not only looks like valid HTTPS traffic, it actually is valid HTTPS traffic to a valid HTTPS host.

Because it’s end-to-end encrypted, censorship and surveillance tools have no way of distinguishing it from normal traffic to this particular website, save for a MITM attack (this does happen, but adds another layer of complexity and needed effort to the censor’s system). Surveillance is still possible via getting server logs from the proxy operator, but that’s much harder than simply listening in all the time.

While the TOR project does a stellar job in obscuring their traffic so it’s hard to tell from HTTPS, a simple list of operating TOR nodes is enough to prove problematic – as China’s example shows. In this case it’s a legitimate website doing the proxying, hence a regime would have to actually block the website instead of trying to find TOR traffic and block that.

This would mean that the choice that a regime has is either to block the whole HTTPS Internet; invest in complicated MITM attacks (that either require a compromised CA, or are completely visible to users); or accept the fact that they cannot selectively censor the Internet anymore.

And do keep in mind that selective blocking and filtering is active in many western democracies, including Italy or Great Britain. This could prove an invaluable tool for Internet users from those countries too.

Bad excuses

Now, let’s try to poke holes in the notion, shall we?

Obviously the first and biggest problem that comes to mind is the NIMBY-esque statement of any server admin worth their salt:
I do not want my server’s IP showing up in some child-porn server’s logs, and am not at all interested in partaking in all the law enforcement fun fun fun related to that later.

Or, to put it a bit differently – there will be abusers, period.

Thankfully, we already have an example of such a situation, and I am talking, of course, about TOR exit nodes. Admins make the decision whether to run a TOR exit node on their servers with this very consideration in their minds, and many do decide to run it. There are two reasons for that:

  • catering to the needs of dissidents and human rights activists in oppressive regimes is an honourable, humane thing to do, and the occasional abuser can be considered a poor excuse not to do it;
  • we have logs to prove that it is not us that initiated the “unlawful” connection, and the more widespread the practice is, the better standing we have to explain that we cannot be held liable for what other people do with our service.

Both of those work for TOR, and I see no reason for them not to work in this case.
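
The second point above depends on the operator being able to match an abuse report against the proxy's own records. A sketch of that triage, added here as an illustration and not taken from the original post: it assumes the proxy writes CONNECT tunnels in Common Log Format, and the log lines, addresses, date and function names are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: Common Log Format lines as a forward proxy might write
# them for CONNECT tunnels. Hosts, date and addresses are made up.
SAMPLE_LOG = """\
198.51.100.23 - - [01/Jan/2020:14:02:11 +0000] "CONNECT mail.example.net:443 HTTP/1.1" 200 18211
203.0.113.7 - - [01/Jan/2020:14:05:42 +0000] "CONNECT forum.example.org:443 HTTP/1.1" 200 90412
198.51.100.23 - - [01/Jan/2020:14:06:03 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.99 - - [01/Jan/2020:14:06:30 +0000] "CONNECT forum.example.org:443 HTTP/1.1" 403 0
203.0.113.7 - - [01/Jan/2020:16:40:00 +0000] "CONNECT forum.example.org:443 HTTP/1.1" 200 733
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"CONNECT (?P<host>[^\s:]+):(?P<port>\d+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?:\d+|-)$'
)

def parse_tunnels(log_text):
    """Yield one record per CONNECT line; ordinary site requests are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "client": m["client"],
                "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "target": (m["host"].lower(), int(m["port"])),
                "status": int(m["status"]),
            }

def relayed_for(log_text, host, port, reported_at, skew=timedelta(minutes=5)):
    """Tunnels the proxy actually opened (2xx) to host:port within `skew` of
    the time in the abuse report. An empty list means the log holds no
    relayed connection that explains the report."""
    return [
        t for t in parse_tunnels(log_text)
        if t["target"] == (host.lower(), port)
        and 200 <= t["status"] < 300
        and abs(t["time"] - reported_at) <= skew
    ]

if __name__ == "__main__":
    report_time = datetime(2020, 1, 1, 14, 6, 0, tzinfo=timezone.utc)
    for t in relayed_for(SAMPLE_LOG, "forum.example.org", 443, report_time):
        print(t["client"], t["time"].isoformat(), "%s:%d" % t["target"])
```

The same records are what makes surveillance through the proxy operator possible, which is the trade-off the post describes.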

I think that this is the biggie, the rest are technicalities – i.e. how much bandwidth and processing power you can provide for the open proxy part of your server is a technical question every admin would have to answer for themselves.

So what about TOR?

In no way am I advocating doing the above instead of operating a TOR exit node or bridge; if you can run TOR, do! If not, ubiquitous anonymous HTTPS proxies are a complementary measure that helps in some scenarios.

It does not provide strong anonymity, so it doesn’t help much against surveillance (the logs are being kept by the proxy operators!) and thus cannot in any way be viewed as a TOR replacement. From a regular user’s point of view, however, it is easier to set up and integrate with their browsing habits – it hence can cater to the needs of some of the users that found TOR too complicated to set up and use, but still need a way to circumvent certain kinds of censorship.