The following information is quoted from http://www.rsf.org/article.php3?id_article=15037#5
Technical ways to get round censorship (2/2)
Proxy servers
A “proxy server” is a server that is situated between a client, such as a web browser, and a server, such as a web server. The proxy server acts as a buffer between the client and the server and can support a variety of data requests including web traffic (HTTP), file transfers (FTP) and encrypted traffic (SSL). Proxy servers are used by individuals, institutions, and states for a variety of purposes including security, anonymity, caching and filtering. To use a proxy server, the end-user must configure the settings of their web browser with the IP address or hostname of the proxy server as well as the port number that the proxy server is running on. While this is fairly simple, it may not be possible to modify browser settings in public Internet access locations such as libraries, Internet cafés and workplaces.
Advantages:
There are many software packages to choose from that can transparently proxy traffic in addition to web traffic (HTTP) and can be configured to operate on non-standard ports.
There are many publicly accessible proxy servers.
Disadvantages:
Most proxy servers do not have encryption enabled by default, so the traffic between the user and the proxy is not secure.
The user must have the necessary permissions to change the browser settings, and if ISPs require that all traffic go through the ISP’s proxy server it may not be possible to use an open proxy server.
The scanning for and use of publicly accessible proxy servers may be illegal and these proxies may become unavailable to the user at any time.
Proxy server software
Proxy server software can be installed by trusted contacts with some degree of technical expertise located outside of the country that filters. Proxy server software should be installed in locations where there is plenty of available bandwidth and should be configured to use encryption technology. It is especially useful for situations in which an office or small organization is in need of a stable circumvention solution. After users in the filtered locations configure their browsers to point through the proxy server they can transparently surf the Internet. While not the most stealthy circumvention solution, private proxy servers are a more robust solution than web-based proxy systems. Proxy servers are better than web-based proxies at seamlessly proxying sites that require authentication and cookies, such as web mail sites. The proxy servers can also be customized to meet the specific needs of the end-user and adapt to the local filtering environment.
Squid is free proxy server software and can be secured with Stunnel server.
www.squid-cache.org
www.stunnel.org
ice.citizenlab.org/projects/aardvark
Privoxy is a proxy with advanced filtering capabilities for protecting privacy.
www.privoxy.org
Secure Shell (SSH) has a built-in socks proxy ($ ssh -D port secure.host.com)
www.openssh.com
HTTPport/HTTPhost allows you to bypass your HTTP proxy, which is blocking you from the Internet.
Private proxy servers with encryption enabled are best suited for groups or users in an office environment that require a permanent, stable circumvention solution and have trusted contacts with sufficient technical skills and available bandwidth outside the country to install and maintain the proxy server.
Publicly accessible proxy servers
Open proxies are servers that are intentionally or otherwise left open for connections from remote computers. It is not explicitly known if open proxy servers have been set up as a public service or if they have been just badly configured to inadvertently allow public access.
WARNING: Depending on the interpretation of local law, the use of open proxy servers may be viewed as “unauthorized access” and open proxy users may be subject to legal penalties. The use of open proxy servers is not recommended.
Locating open proxies
Many websites maintain lists of open proxy servers, but this is not a guarantee that the proxy service is still available. Nothing guarantees that the information on these lists, especially information concerning anonymity level and geographical location of the proxy, is accurate. Be aware that you are using these services at your own risk.
Open proxy list websites:
www.samair.ru/proxy
www.antiproxy.com
tools.rosinstrument.com/proxy
www.multiproxy.org
www.publicproxyservers.com
Software: ProxyTools/LocalProxy
proxytools.sourceforge.net
Open proxies: uncommon ports
Some countries that filter at national level block access to standard proxy ports. A “port” is a logical connection location used by specific protocols. Different Internet services pass data on particular port numbers. Certain port numbers are assigned, by the Internet Assigned Numbers Authority (IANA), to specific protocols or services. For example, port 80 is reserved for HTTP traffic. When you access a website in your browser you are actually connecting to a web server running on port 80. Proxy servers also have ports that are assigned to them by default, and many filtering technologies will therefore not allow access to these ports. Successful circumvention may thus require use of a proxy that has been configured to operate on a non-standard port.
www.web.freerk.com/proxylist.htm
Proxy servers: security concerns
The configuration of a proxy server is extremely important because it controls the security or anonymity of a connection. Besides lacking encryption, proxy servers may pass information about the end-user to the server the content has been requested from, and that information can be used to identify the IP address of the computer that initiated the request. Moreover, all the communication between you and the proxy server may be in plain text and thus easily intercepted by upstream filtering authorities. Any information passing through the proxy server can also be intercepted by the owner of the proxy server.
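One way to check what a proxy you run or rely on passes to the destination, as an added example that is not from the original article: send a request through it to a test server you control and audit the headers that arrive. The header list, sample requests and function names are assumptions of this example.

```python
import ipaddress
import re

# Header names that reveal a proxy is in the path. This list is an assumption
# of the example; the article does not name specific headers.
PROXY_MARKERS = {"via", "forwarded", "x-forwarded-for", "proxy-connection"}

def parse_headers(raw_request):
    """Return {lower-cased header name: [values]} from a raw HTTP request."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:              # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def extract_ips(value):
    """Collect every valid IPv4/IPv6 address in a header value."""
    found = set()
    for token in re.split(r'[\s,;="\[\]]+', value):
        for candidate in (token, token.rsplit(":", 1)[0]):  # retry without ":port"
            try:
                found.add(ipaddress.ip_address(candidate))
                break
            except ValueError:
                continue
    return found

def audit(raw_request, client_ip):
    """Report which headers, as seen by the origin server, expose the client."""
    real = ipaddress.ip_address(client_ip)
    headers = parse_headers(raw_request)
    leaking = sorted(name for name, values in headers.items()
                     if any(real in extract_ips(v) for v in values))
    markers = sorted(name for name in headers if name in PROXY_MARKERS)
    verdict = ("client IP disclosed" if leaking
               else "proxy use disclosed" if markers else "no proxy headers")
    return {"verdict": verdict, "leaking": leaking, "markers": markers}

# Constructed requests, as a test server you control might log them.
FORWARDING = ("GET / HTTP/1.1\r\nHost: origin.example\r\n"
              "Via: 1.1 proxy.example\r\nX-Forwarded-For: 203.0.113.7\r\n\r\n")
RFC7239 = ("GET / HTTP/1.1\r\nHost: origin.example\r\n"
           'Forwarded: for="[2001:db8::7]:4711";proto=http\r\n\r\n')
STRIPPED = "GET / HTTP/1.1\r\nHost: origin.example\r\nVia: 1.1 proxy.example\r\n\r\n"
```

A "proxy use disclosed" result still tells the destination that a proxy is in the path, even though the client address itself is withheld.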
The scanning for and use of publicly accessible proxy servers is not recommended. Open proxy servers are often used due to their availability but they do not provide any security despite the fact that they may be able to successfully circumvent Internet filtering.
Proxy servers are subject to the same security concerns as web-based proxies. Harmful scripts and cookies will still be transmitted to the end-user and, even if used in conjunction with encryption technology, proxy servers can also be subject to man-in-the-middle (MITM) and HTTPS fingerprinting attacks. It should also be noted that some browsers will leak sensitive information when using a SOCKS proxy, a particular type of proxy server capable of handling other types of traffic in addition to web traffic. When making a request for a website the domain name is translated into an IP address. Some browsers do this locally, so the lookup is not directed through the proxy. In these cases, the request for the blocked website’s IP address will be handled by Domain Name System (DNS) servers in the country that implements filtering [1].
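The leak described above shows up in the SOCKS request itself: a client that resolves locally sends the proxy an IP address, while one that leaves the lookup to the proxy sends the hostname. The classifier below is an added example, not from the original article; it goes beyond the text by covering SOCKS4, SOCKS4a and SOCKS5, and the hostname, addresses and function names are assumptions.

```python
import ipaddress
import struct

def classify_socks_request(msg):
    """Say who resolved the destination name in one SOCKS CONNECT request.

    "proxy"  = the hostname travels to the proxy, which resolves it remotely.
    "client" = only an IP is sent, so any name was looked up before the request
               left the machine, using the local (possibly filtered) resolver.
    """
    version = msg[0]
    if version == 4:
        (port,) = struct.unpack("!H", msg[2:4])
        dst_ip = msg[4:8]
        userid_end = msg.index(b"\x00", 8)
        # SOCKS4a marks "hostname follows" with destination IP 0.0.0.x, x != 0.
        if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:
            host_end = msg.index(b"\x00", userid_end + 1)
            host = msg[userid_end + 1:host_end].decode("ascii")
            return {"version": "4a", "resolver": "proxy", "dest": host, "port": port}
        dest = str(ipaddress.ip_address(dst_ip))
        return {"version": "4", "resolver": "client", "dest": dest, "port": port}
    if version == 5:
        atyp = msg[3]
        if atyp == 0x03:                              # length-prefixed domain name
            end = 5 + msg[4]
            host, resolver = msg[5:end].decode("ascii"), "proxy"
        elif atyp in (0x01, 0x04):                    # raw IPv4 / IPv6 address
            end = 4 + (4 if atyp == 0x01 else 16)
            host, resolver = str(ipaddress.ip_address(msg[4:end])), "client"
        else:
            raise ValueError("unknown SOCKS5 address type %#x" % atyp)
        (port,) = struct.unpack("!H", msg[end:end + 2])
        return {"version": "5", "resolver": resolver, "dest": host, "port": port}
    raise ValueError("not a SOCKS4/5 request")

# Constructed request bytes (hostname and addresses are placeholders).
NAME = b"blocked.example"
SAMPLES = {
    "socks4": b"\x04\x01" + struct.pack("!H", 80) + bytes([198, 51, 100, 10]) + b"u\x00",
    "socks4a": b"\x04\x01" + struct.pack("!H", 80) + b"\x00\x00\x00\x01u\x00" + NAME + b"\x00",
    "socks5_ip": b"\x05\x01\x00\x01" + bytes([198, 51, 100, 10]) + struct.pack("!H", 443),
    "socks5_domain": b"\x05\x01\x00\x03" + bytes([len(NAME)]) + NAME + struct.pack("!H", 443),
}

def leaking_clients(samples):
    """Names of the samples whose DNS lookup happened on the client side."""
    return sorted(k for k, m in samples.items()
                  if classify_socks_request(m)["resolver"] == "client")
```

Which form is sent is a client-side choice; in curl, for instance, `--socks5-hostname` passes the name to the proxy while `--socks5` resolves it locally first.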
The use of open, publicly accessible proxy servers is not usually advisable and should only be used by people in low security risk environments with temporary or ad-hoc anonymity needs and who do not need to transmit sensitive information.
Tunneling
Tunneling, also known as port forwarding, allows one to encapsulate insecure, unencrypted traffic within an encrypted protocol. The user in a censored location must download client software that creates a tunnel to a computer in a non-filtered location. The normal services on the user’s computer are available, but run through the encrypted tunnel to the non-filtered computer, which forwards the user’s requests and their responses transparently. Various tunneling products are available. Users with contacts in a non-filtered country can set up private tunneling services while those without contacts can purchase commercial tunneling services, usually by monthly subscription.
When using free tunneling services users should note that they often include advertisements. The advertisements are fetched through plain text HTTP requests, which can be intercepted by any intermediary who can then determine that the user is using a tunneling service. Moreover, many tunneling services rely on the use of SOCKS proxies, which may leak domain name requests.
www.http-tunnel.com
www.hopster.com
www.htthost.com
Advantages:
Tunneling applications provide encrypted network transfer.
Tunneling applications generally have the ability to securely proxy many protocols, not just web traffic.
There are existing commercial services that users who do not have contacts in non-filtered countries can purchase.
Disadvantages:
Commercial tunneling services are publicly known and may already be filtered.
Tunneling applications cannot be used by users in public access locations where users cannot install software, such as Internet cafés or libraries.
Use of tunneling applications may require a higher level of technical expertise than other circumvention methods.
Tunneling applications are best suited for technically capable users that require secure (but not anonymous) circumvention services for more than just web traffic and do not access the Internet from public locations. Commercial tunneling services are an excellent resource for users in censored countries that do not have trusted contacts in non-filtered locations.
Tunneling software
Anonymous communications systems
Circumvention technologies and anonymous communications systems are similar and often inter-related but operate under distinctly different criteria. Anonymous communications systems focus on ensuring the privacy of the user by shielding the identity of the requesting user from the content provider. In addition, advanced systems employ a variety of routing techniques to ensure that the user’s identity is shielded from the anonymous communications system itself. Circumvention systems do not necessarily focus on anonymity. Instead, the focus is on secure communications to bypass specific restrictions imposed on the users’ ability to send and receive Internet communications. Bypassing content restrictions requires secure communications technology and often a degree of stealth but not necessarily anonymity.
Anonymous communications systems are often used for circumvention. One advantage of them is that there are several existing networks that can be immediately tapped into and used to bypass content restrictions with the added benefit of being able to do so anonymously.
The use of anonymous communications systems for circumvention is restricted to computers on which the user has the appropriate permissions to install software. Persons who access the Internet through public terminals, libraries or Internet cafés will most likely be unable to use such systems for circumvention. They may also slow down connection speeds.
Users seeking to bypass Internet filtering at national or ISP level may find the filtering authorities take steps to block the use of anonymous communications systems. If the system being used operates on a static port, filtering software can easily be configured to deny access. The more well-known the anonymous communications system, the greater the risk that it will be blocked. In addition, to combat systems that rely on the use of peers or publicly known nodes the filtering authorities can simply deny access to these hosts. The filtering authorities may operate a node of their own and attempt to monitor users who try to connect to it. In some restrictive environments where traffic to these well-known systems is monitored, the use of such systems may draw attention to users [2].
Advantages:
They provide both security and anonymity.
They generally have the ability to securely proxy many protocols, not just web traffic.
They often have a community of users and developers who can provide technical assistance.
Disadvantages:
They are not specifically designed for circumvention. They are publicly known and may be filtered easily.
They cannot be used by users in public access locations where users cannot install software, such as Internet cafés or libraries.
Use of such systems may require quite a high level of technical expertise.
Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.
JAP makes it possible to surf the Internet anonymously. Instead of connecting directly to a web server, users take a detour, connecting with encryption through several intermediaries, so-called mixes.
Freenet is free software which lets you publish and obtain information on the Internet without fear of censorship. It is entirely decentralized and publishers and consumers of information are anonymous.
Use of such systems may require quite a high level of technical expertise. Anonymous communications systems are best suited for technically capable users who require both circumvention and anonymity services for more than just web traffic and do not access the Internet from public locations.
Conclusion
The decision to use circumvention technology should be taken seriously, carefully analyzing the specific needs, available resources and security concerns of the end-user. There is a wide variety of technologies available for users who want to circumvent Internet filtering. However, using them for successful and stable circumvention service depends on a variety of factors, including the user’s level of technical skill, potential security risk, and contacts available outside the censored country. Governments may also take counter-measures to effectively block specific circumvention technologies.
The keys to successful and stable circumvention capability are trust and performance. Circumvention systems need to be targeted to users in specific circumstances or be readily adaptable to the needs of the end-user. They need to be secure, configurable and often stealthy. Trust should be established between circumvention provider and the end-user by understanding the specific legal and political environment in which the end-user operates and being up-front about the limitations of circumvention technologies.