CR, Sep 25, 2017
Detecting Censor Detection
David Fifield, Lynn Tsai, Qi Zhong
Our goal is to empirically discover how censors react to the introduction of new proxy servers that can be used to circumvent their information controls. We examine a specific case, that of obfuscated Tor bridges, and conduct experiments designed to discover how long it takes censors to block them (if they do block at all). Through a year's worth of active measurements from China, Iran, Kazakhstan, and other countries, we learn when bridges become blocked. In China we found the most interesting behavior, including long and varying delays before blocking, frequent failures during which blocked bridges became reachable, and an advancement in blocking technique midway through the experiment. Throughout, we observed surprising behavior by censors, not in accordance with what we would have predicted, calling into question our assumptions and suggesting potential untapped avenues for circumvention.
CR, May 27, 2016
Censors' Delay in Blocking Circumvention Proxies
David Fifield, Lynn Tsai
Censors of the Internet must continually discover and block new circumvention proxy servers. We seek to understand this process; specifically, the length of the delay between when a proxy first becomes discoverable and when it is actually blocked. We measure this delay in the case of obfuscated Tor bridges, by testing their reachability before and after their introduction into Tor Browser. We test from sites in the U.S., China, and Iran, over a period of five months. China's national firewall blocked new bridges after a varying delay of between 2 and 36 days. Blocking occurred only after end-user software releases, despite bridges being potentially discoverable earlier through other channels. While the firewall eventually discovered the bridges of Tor Browser, those that appeared only in Orbot, a version of Tor for mobile devices, remained unblocked. Our findings highlight the fact that censors can behave in ways that defy intuition, presenting difficulties for threat modeling but also opportunities for evasion.
CR, May 27, 2016
Fingerprintability of WebRTC
David Fifield, Mia Gil Epner
We examine WebRTC's suitability as a means of Internet censorship circumvention. WebRTC is a framework and suite of protocols for peer-to-peer communication between web browsers. We analyze the implementation differences in instantiations of WebRTC that make it possible to "fingerprint" implementations--potentially distinguishing circumvention-related uses from ordinary ones. This question is relevant to Snowflake, an upcoming circumvention system that uses WebRTC to turn web browsers into temporary peer-to-peer proxies. We conduct a manual analysis of WebRTC-using applications in order to map the space of distinguishing implementation features. We run a fingerprinting script on a day's worth of network traffic in order to quantify WebRTC's prevalence and diversity. Throughout, we find pitfalls that indicate that resisting fingerprinting in WebRTC is likely to be non-trivial.
CL, Mar 26, 2015
Unsupervised authorship attribution
David Fifield, Torbjørn Follan, Emil Lunde
We describe a technique for attributing parts of a written text to a set of unknown authors. Nothing is assumed to be known a priori about the writing styles of potential authors. We use multiple independent clusterings of an input text to identify parts that are similar and dissimilar to one another. We describe algorithms necessary to combine the multiple clusterings into a meaningful output. We show results of the application of the technique on texts having multiple writing styles.