Internet censorship circumvention is the use of various methods and tools to bypass internet censorship .
63-483: UltraSurf is a closed-source freeware Internet censorship circumvention product created by UltraReach Internet Corporation. The software bypasses Internet censorship and firewalls using an HTTP proxy server , and employs encryption protocols for privacy. The software was developed by two different groups of Falun Gong practitioners at the same time, one starting in the US in 2002 by expatriate Chinese. The software
126-437: A proxy HTTP server, allowing Squid to retain copies of the documents returned, which, on repeated requests for the same documents, can reduce access time as well as bandwidth consumption. This is often useful for Internet service providers to increase speed to their customers, and LANs that share an Internet connection. Because the caching servers are controlled by the web service operator, caching proxies do not anonymize
189-453: A different policy: Some platforms relying on the Cloud may have more lax TOS . However nothing by design keeps it so. See: Darknets Web proxies : Proxy websites are configured to allow users to load external web pages through the proxy server , permitting the user to load the page as if it is coming from the proxy server and not the (blocked) source. However, depending on how the proxy
252-434: A free account to use a Cloudflare domain for fronting. SSH tunneling: By establishing an SSH tunnel , a user can forward all their traffic over an encrypted channel, so both outgoing requests for blocked sites and the response from those sites are hidden from the censors, for whom it appears as unreadable SSH traffic. Virtual private network (VPN) : Using a VPN , a user who experiences internet censorship can create
315-543: A group of people sharing network resources, and aiding security by filtering traffic. Although used for mainly HTTP and File Transfer Protocol (FTP), Squid includes limited support for several other protocols including Internet Gopher , Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Hypertext Transfer Protocol Secure ( HTTPS ). Squid does not support the SOCKS protocol, unlike Privoxy , with which Squid can be used in order to provide SOCKS support. Squid
378-474: A limited number of—or just one—web servers. As an example, if slow.example.com is a "real" web server, and www.example.com is the Squid cache server that "accelerates" it, the first time any page is requested from www.example.com , the cache server would get the actual page from slow.example.com , but later requests would get the stored copy directly from the accelerator (for a configurable period, after which
441-517: A moderate-budget adversary" to defeat. Internet censorship circumvention There are many different techniques to bypass such censorship, each with unique challenges regarding ease of use, speed, and security risks. Examples of commonly used tools include Lantern and Psiphon , which combine various approaches to bypass multiple types of safeguards. Some methods, such as the use of alternate DNS servers , use false addresses or address lookup systems to evade less sophisticated blocking tools while
504-491: A secure connection to a more permissive country, and browse the internet as if they were situated in that country. Some services are offered for a monthly fee; others are ad-supported. According to GlobalWebIndex in 2014 there were over 400 million people using virtual private networks to circumvent censorship or for increased level of privacy, although this number is not verifiable. Tor : More advanced tools such as Tor route encrypted traffic through multiple servers to make
567-724: A short period of time, and uses them only for the purpose of analyzing traffic for signs of interference or to monitor overall performance and efficacy; the company says it does not disclose user logs to third parties. According to Jacob Appelbaum with the Tor Project , this essentially amounts to an example of "privacy by policy". In an April 2012 report, Appelbaum further criticized UltraSurf for its use of internal content filtering (including blocking pornographic websites), and for its willingness to comply with subpoenas from U.S. law enforcement officials. Appelbaum's report also noted that UltraSurf pages employed Google Analytics , which had
630-571: A special Chinese version of the browser. Domain fronting: Circumvention software can implement a technique called domain fronting , where the destination of a connection is hidden by passing the initial requests through a content delivery network or other popular site which censors may be unwilling to block. This technique was used by messaging applications including Signal and Telegram. Tor's meek uses Microsoft's Azure cloud. However, large cloud providers such as Amazon Web Services and Google Cloud no longer permit its use. Website owners can use
693-462: A user's identity, and while they can contribute to circumvention, that is not their primary function. Open public proxy sites do not provide anonymity and can view and record the location of computers making requests as well as the websites accessed. In many jurisdictions accessing blocked content is a serious crime , particularly content that is considered to be child pornography , a threat to national security , or an incitement of violence. Thus it
SECTION 10
#1732786537547756-588: A variety of perceived threats, some more abstract and others more concrete based on personal experiences. In response to the 2014 blocking of Twitter in Turkey , information about alternate DNS servers was widely shared, as using another DNS server such as Google Public DNS allowed users to access Twitter. The day after the block, the total number of posts made in Turkey was up 138%, according to Brandwatch , an internet measurement firm. After an April 2018 ban on
819-568: A whitelisted site by using techniques including domain fronting or Meek. Tor and other circumvention tools have adopted multiple obfuscation techniques that users can use depending on the nature of their connection, which are sometimes called "Pluggable Transports". Functionality that people may be after might overlap with non-internet services, such as traditional mail , Bluetooth, or walkie-talkies . The following are some detailed examples: Datacasting allows transmission of Web pages and other information via satellite broadcast channels bypassing
882-431: A wider range of online applications. Peer-to-peer systems store content across a range of participating volunteer servers combined with technical techniques such as re-routing to reduce the amount of trust placed on volunteer servers or on social networks to establish trust relationships between server and client users. Peer-to-peer system can be trusted as far as the operators of the various servers can be trusted or to
945-459: Is an attempt to decentralize namespaces outside the control of a single entity. Decentralized namespaces enable censorship resistant domains. The BitDNS discussion began in 2010 with a desire to achieve names that are decentralized, secure and human readable. Cached pages: Some search engines keep copies of previously indexed webpages, or cached pages , which are often hosted by search engines and may not be blocked. For example, Google allows
1008-483: Is being logged. Within UK organisations at least, users should be informed if computers or internet connections are being monitored. The above setup, caching the contents of an unlimited number of webservers for a limited number of clients, is the classical one. Another setup is " reverse proxy " or "webserver acceleration" (using http_port 80 accel vhost ). In this mode, the cache serves an unlimited number of clients for
1071-419: Is configured, a censor may be able to determine the pages loaded and/or determine that the user is using a proxy server. For example, the mobile Opera Mini browser uses a proxy-based approach employing encryption and compression in order to speed up downloads. This has the side effect of allowing it to circumvent several approaches to Internet censorship. In 2009 this led the government of China to ban all but
1134-513: Is going to, but not both. This decreases the amount of trust required of the individual proxy hosts. Below is a list of different Internet censorship circumvention software: Squid (software) Squid is a caching and forwarding HTTP web proxy . It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching World Wide Web (WWW), Domain Name System (DNS), and other network lookups for
1197-531: Is important to understand the circumvention technologies and the protections they do or do not provide and to use only tools that are appropriate in a particular context. Great care must be taken to install, configure, and use circumvention tools properly. Individuals associated with high-profile rights organizations, dissident , protest, or reform groups should take extra precautions to protect their online identities. Circumvention sites and tools should be provided and operated by trusted third parties located outside
1260-703: Is particularly high in certain communities, such as universities, and a survey by Freedom House found that users generally did not find circumvention tools to be difficult to use. Market research firm GlobalWebIndex has reported that there are over 35 million Twitter users and 63 million Facebook users in China (both services are blocked). However, these estimates have been disputed; Facebook's advertising platform estimates 1 million users in China, and other reports of Twitter adoption estimate 10 million users. Other studies have pointed out that efforts to block circumvention tools in China have reduced adoption of those tools;
1323-498: Is the leading distributed search. Anonymity Networks: The anonymity Tor network and I2P provides leads to more willingness to host content that would otherwise be censored. However hosting implementation and location may bring issues, and the content is still hosted by a single entity which can be controlled. Federated: Being semi-decentralized, federated platforms such as Nextcloud and IRC make it easier for users to find an instance where they are welcomed. Providers with
SECTION 20
#17327865375471386-445: Is used extensively by video streaming websites such as YouTube , so that if a user clicks to the middle of the video progress bar, the server can begin to send data from the middle of the file, rather than sending the entire file from the beginning and the user waiting for the preceding data to finish loading. Partial downloads are also extensively used by Microsoft Windows Update so that extremely large update packages can download in
1449-457: Is willing to host ones content. Napster was the first peer to peer platform but was closed due to centralized bootstrapping vulnerabilities. Gnutella was the first sustainable platform hosting by decentralization. Freenet's model is that "true freedom requires true anonymity." Later, BitTorrent was developed to allocate resources with high performance and fairness. ZeroNet was the first DHT to support dynamic and updateable webpages. YaCy
1512-555: The 2013 global surveillance disclosures dismisses this response by UltraSurf as "all talk and no show". A 2021 review of UltraSurf by TechRadar described UltraSurf as "capable yet slow", and cautioned that the software "cannot increase your online privacy, and should not be considered or used as an online security tool". A 2021 audit by the United States Department of State found that UltraSurf relies on outdated technologies from 2013, which would be "trivial for
1575-786: The Telegram messaging app in Iran, web searches for VPN and other circumvention software increased as much as 48x for some search terms, but there was evidence that users were downloading unsafe software. As many as a third of Iranian internet users used the Psiphon tool in the days immediately following the block, and in June 2018 as many as 3.5 million Iranian users continued to use the tool. Circumvention and anonymity are different. Circumvention systems are designed to bypass blocking, but they do not usually protect identities. Anonymous systems protect
1638-503: The United States Department of State found a very low level of usage of the software as of 2021, partially due to the software only being available on Windows. UltraSurf has received significant funding from the U.S. government. Originally, funding was provided through the U.S. State Department as well as the Broadcasting Board of Governors , which administered Voice of America and Radio Free Asia . However, this funding
1701-475: The "IP addresses of their proxy servers up to 10,000 times an hour." On the server-side, a 2011 analysis found that the UltraReach network employed squid and ziproxy software, as well as ISC BIND servers bootstrapping for a wider network of open recursive DNS servers, the latter not under UltraReach control. UltraSurf is designed primarily as an anti-censorship tool but also offers privacy protections in
1764-756: The Falun Gong criticism website facts.org.cn, alleged to be operated by the Chinese government, is also unreachable through UltraSurf. Some technologists have expressed reservations about the UltraReach model, however. In particular, its developers have been criticized by proponents of open-source software for not allowing peer review of the tool's design, except at the discretion of its creators. Moreover, because UltraReach operates all its own servers, their developers have access to user logs. This architecture means that users are required to trust UltraReach not to reveal user data. UltraReach maintains that it keeps logs for
1827-558: The Internet entirely. This requires a satellite dish and suitable receiver hardware but provides a powerful means of avoiding censorship. Because the system is entirely receive-only for the end user, a suitably air-gapped computer can be impossible to detect. A sneakernet is the transfer of electronic information, especially computer files, by physically carrying data on storage media from one place to another. A sneakernet can move data regardless of network restrictions simply by not using
1890-491: The Internet, but could be compelled by law to make their records and users' personal information available to law enforcement. There are five general types of Internet censorship circumvention software: CGI proxies use a script running on a web server to perform the proxying function. A CGI proxy client sends the requested url embedded within the data portion of an HTTP request to the CGI proxy server. The CGI proxy server pulls
1953-692: The Tor network previously had over 30,000 users connecting from China but as of 2014 had only approximately 3,000 Chinese users. In Thailand , internet censorship has existed since 2002, and there is sporadic and inconsistent filtering. In a small-scale survey of 229 Thai internet users, a research group at the University of Washington found that 63% of surveyed users attempted to use circumvention tools, and 90% were successful in using those tools. Users often made on-the-spot decisions about use of circumvention tools based on limited or unreliable information, and had
Ultrasurf - Misplaced Pages Continue
2016-682: The UltraSurf client uses anti-debugging techniques and also employs executable compression . The client acts as a local proxy which communicates with the UltraReach network through what appears to be an obfuscated form of TLS /SSL. The software works by creating an encrypted HTTP tunnel between the user's computer and a central pool of proxy servers , enabling users to bypass firewalls and censorship. UltraReach hosts all of its own servers. The software makes use of sophisticated, proprietary anti-blocking technology to overcome filtering and censorship online. According to Wired magazine, UltraSurf changes
2079-425: The background and pause halfway through the download, if the user turns off their computer or disconnects from the Internet. The Metalink download format enables clients to do segmented downloads by issuing partial requests and spreading these over a number of mirrors. Squid can relay partial requests to the origin web server. In order for a partial request to be satisfied at a fast speed from cache, Squid requires
2142-458: The business) and the web server. The same Squid server could act as a classical web cache, caching HTTP requests from clients within the business (i.e., employees accessing the internet from their workstations), so accelerating web access and reducing bandwidth demands. For example, a feature of the HTTP protocol is to limit a request to the range of data in the resource being referenced. This feature
2205-456: The censoring jurisdiction that do not collect identities and other personal information. Trusted family and friends personally known to the circumventor are best, but when family and friends are not available, sites and tools provided by individuals or organizations that are only known by their reputations or through the recommendations and endorsement of others may need to be used. Commercial circumvention services may provide anonymity while surfing
2268-419: The extent that the architecture of the peer-to-peer system limits the amount of information available to any single server and the server operators can be trusted not to cooperate to combine the information they hold. Re-routing systems send requests and responses through a series of proxying servers, encrypting the data again at each proxy, so that a given proxy knows at most either where the data came from or
2331-556: The filtering is implemented, it may be possible to use different forms of the IP address, such as by specifying the address in a different base. For example, the following URLs all access the same site, although not all browsers will recognize all forms: http://1.1.1.1/ (dotted decimal), http://16843009/ (decimal), http://0001.0001.0001.0001/ (dotted octal), http://1.1.1.1/ (hexadecimal), and http://0x01.0x01.0x01.0x01/ (dotted hexadecimal). Blockchain technology
2394-403: The form of industry standard encryption, with an added layer of obfuscation built in. UltraReach uses an internal content filter which blocks some sites, such as those deemed pornographic or otherwise offensive. According to Wired magazine: "That's partly because their network lacks the bandwidth to accommodate so much data-heavy traffic, but also because Falun Gong frowns on erotica." Additionally,
2457-576: The multinational upload and download scenario. Decentralized Docker Registry avoids this centralization drawback. DDR uses a network-structured P2P network to store and query mirror manifest file and blob routing, while each node serves as an independent mirror repository to provide mirror upload and download for the entire network. RSS aggregators: RSS aggregators such as Feedly may be able to receive and pass on RSS feeds that are blocked when accessed directly. Decentralized Hosting: Content creators may publish to an alternative platform which
2520-862: The network at all. One example of a widely adopted sneakernet network is El Paquete Semanal in Cuba. Circumvention tools have seen spikes in adoption in response to high-profile blocking attempts, however, studies measuring adoption of circumvention tools in countries with persistent and widespread censorship report mixed results. Measures and estimates of circumvention tool adoption have reported widely divergent results. A 2010 study by Harvard University researchers estimated that very few users use censorship circumvention tools—likely less than 3% of users even in countries that consistently implement widespread censorship. Other studies have reported substantially larger estimates, but have been disputed. In China, anecdotal reports suggest that adoption of circumvention tools
2583-556: The objections of several high-ranking officials who were subsequently fired. Pack's actions were later referred to the Inspector General of the Department of State as part of a criminal conspiracy. UltraSurf is free to download and requires no installation. UltraSurf does not install any files on the user's computer and leaves no registry edits after it exits. In other words, it leaves no trace of its use. To fully remove
Ultrasurf - Misplaced Pages Continue
2646-415: The potential to leak user data, and that its systems were not all up to date with the latest security patches and did not make use of forward security mechanisms . Furthermore, Appelbaum claims that "The UltraSurf client uses Open and Free Software including Putty and zlib . The use of both Putty and zlib is not disclosed. This use and lack of disclosure is a violation of the licenses." In a response posted
2709-598: The program was completed at the University of California, San Diego and funded via two grants from the National Science Foundation . Duane Wessels forked the "last pre-commercial version of Harvest" and renamed it to Squid to avoid confusion with the commercial fork called Cached 2.0, which became NetCache . Squid version 1.0.0 was released in July 1996. SquidNT , a port of the Squid proxy server
2772-447: The response back to the proxy client. An HTTP proxy tool's security can be trusted as far as the operator of the proxy server can be trusted. HTTP proxy tools require either manual configuration of the browser or client side software that can configure the browser for the user. Once configured, an HTTP proxy tool allows the user transparently to use his normal browser interface. Application proxies are similar to HTTP proxies, but support
2835-491: The retrieval of cached pages by entering "cache: some-url " as a search request. Mirror and archive sites: Copies of web sites or pages may be available at mirror or archive sites such as the Internet Archive's Wayback Machine or Archive.today . The Docker Registry Image Repository is a centralized storage, application stateless, and node scalable HTTP public service and has a performance bottleneck in
2898-445: The same LAN) and often introduces the privacy concerns mentioned above. Squid has some features that can help anonymize connections, such as disabling or changing specific header fields in a client's HTTP requests. Whether these are set, and what they are set to do, is up to the person who controls the computer running Squid. People requesting pages through a network which transparently uses Squid may not know whether this information
2961-709: The same content at multiple pages or domain names. For example, the English Misplaced Pages is available at Main Page , and there is also a mobile-formatted version at Misplaced Pages, the 💕 . If DNS resolution is disrupted but the site is not blocked in other ways, it may be possible to access a site directly through its IP address or modifying the host file . Using alternative DNS servers, or public recursive name servers (especially when used through an encrypted DNS client), may bypass DNS-based blocking. Censors may block specific IP addresses. Depending on how
3024-450: The same day, UltraReach wrote that it had already resolved these issues. They asserted that Appelbaum's report had misrepresented or misunderstood other aspects of its software. UltraReach also argued that the differences between the software approaches to Internet censorship represented by Tor and UltraSurf were at base philosophical and simply different approaches to censorship circumvention. A top-secret NSA presentation revealed as part of
3087-433: The site available at other locations can be accessed within regions under internet censorship. An arms race has developed between censors and developers of circumvention software, resulting in more sophisticated blocking techniques by censors and the development of harder-to-detect tools by tool developers. Estimates of adoption of circumvention tools vary substantially and are disputed, but are widely understood to be in
3150-511: The software from the computer, a user needs only to delete the exe file named u.exe. It is only available on a Windows platform, runs through Internet Explorer by default, and has an optional plug-in for Firefox and Chrome. The UltraReach website notes that "Some anti-virus software companies misclassify UltraSurf as a malware or Trojan because UltraSurf encrypts the communications and circumvents internet censorship." Some security companies have agreed to whitelist UltraSurf. According to Appelbaum,
3213-438: The source and destination of traffic less traceable. It can in some cases be used to avoid censorship, especially when configured to use traffic obfuscation techniques. A censor may be able to detect and block use of circumvention tools through Deep Packet Inspection . There are efforts to make circumvention tools less detectable by randomizing the traffic, attempting to mimic a whitelisted protocol or tunneling traffic through
SECTION 50
#17327865375473276-471: The source server is to use the X-Forwarded-For HTTP header reported by the reverse proxy, to get the real client's IP address. It is possible for one Squid server to serve simultaneously as a normal and a reverse proxy. For example, a business might host its own website on a web server, with a Squid server acting as a reverse proxy between clients (customers accessing the website from outside
3339-411: The stored copy would be discarded). The result, without any action by the clients, is less traffic to the source server, meaning less CPU and memory usage, and less need for bandwidth. This does, however, mean that the source server cannot accurately report on its traffic numbers without additional configuration, as all requests would seem to have come from the reverse proxy. A way to adapt the reporting on
3402-664: The tens of millions of monthly active users. Barriers to adoption can include usability issues, difficulty finding reliable and trustworthy information about circumvention, lack of desire to access censored content, and risks from breaking the law. There are many methods available that may allow the circumvention of Internet filtering, which can widely vary in terms of implementation difficulty, effectiveness, and resistance to detection. Filters may block specific domain names, either using DNS hijacking or URL filtering. Sites are sometimes accessible through alternate names and addresses that may not be blocked. Some websites may offer
3465-412: The ultimate destination information from the data embedded in the HTTP request, sends out its own HTTP request to the ultimate destination, and then returns the result to the proxy client. A CGI proxy tool's security can be trusted as far as the operator of the proxy server can be trusted. CGI proxy tools require no manual configuration of the browser or client software installation, but they do require that
3528-494: The user accesses the site. The drawback of this method is that many censors block the IP address of restricted domains in addition to the DNS, rendering the bypass ineffective. Other tools circumvent the tunnel network traffic to proxies from other jurisdictions that do not fall under the same censorship laws. Through the use of technology such as pluggable transports, traffic obscuration, website mirrors , or archive sites , copies of
3591-434: The user and should not be confused with anonymizing proxies. A client program (e.g. browser) either has to specify explicitly the proxy server it wants to use (typical for ISP customers), or it could be using a proxy without any extra configuration: "transparent caching", in which case all outgoing HTTP requests are intercepted by Squid and all responses are cached. The latter is typically a corporate set-up (all clients are on
3654-440: The user use an alternative, potentially confusing browser interface within the existing browser. HTTP proxies send HTTP requests through an intermediate proxying server. A client connecting through a HTTP proxy sends exactly the same HTTP request to the proxy as it would send to the destination server unproxied. The HTTP proxy parses the HTTP request; sends its own HTTP request to the ultimate destination server; and then returns
3717-582: Was created to allow internet users in China to evade government censorship and monitoring. In 2011 UltraSurf reported over eleven million users worldwide. During the Arab Spring , UltraReach recorded a 700 percent spike in traffic from Tunisia . Similar traffic spikes occurred during times of unrest in other regions, such as Tibet and Burma during the Saffron Revolution . However, a study by
3780-496: Was designed as a means of allowing internet users to bypass the Great Firewall of China . In 2011, UltraReach claimed to have as many as 11 million users worldwide. UltraSurf is proprietary software ; critics in the open-source community have expressed concern about the software's closed-source nature and alleged security through obscurity design. In 2001, UltraReach was founded by members of Falun Gong . UltraSurf
3843-456: Was merged into the main Squid project in September 2006. Squid is now developed almost exclusively through volunteer efforts. In October 2023, it was revealed that Squid continued to suffer from 35 security vulnerabilities which had not been fixed for two and a half years after their initial reporting. After a Squid proxy server is installed, web browsers can be configured to use it as
SECTION 60
#17327865375473906-596: Was originally designed to run as a daemon on Unix-like systems. A Windows port was maintained up to version 2.7. New versions available on Windows use the Cygwin environment. Squid is free software released under the GNU General Public License . Squid was originally developed as the Harvest object cache , part of the Harvest project at the University of Colorado Boulder . Further work on
3969-509: Was revoked due to UltraSurf's refusal to comply with independent security audits. In 2020, when Michael Pack was appointed as the head of the U.S. Agency for Global Media by Donald Trump , Pack and several conservative allies pushed for additional funding for UltraSurf through the Open Technology Fund , despite use of closed-source code and low number of users. UltraSurf was awarded $ 1.8 million in funding under Pack, despite
#546453