Choosing Circumvention

In response to state-directed Internet filtering and blocking regimes many forms of circumvention technologies have emerged in order to allow users to bypass filtering restrictions. These technologies are often targeted towards different types of users with varying resources and levels of expertise. What may work well in one scenario may not be the optimal option in another. When selecting a circumvention technology it is important for the potential circumvention provider and user to ask the following questions:

  • What is the number of expected users and the available bandwidth? (for the circumvention provider and the user)
  • Where is the primary point of Internet access for the expected user(s) and what will they be using it for?
  • What is the level of technical expertise? (for the circumvention provider and the user)
  • What is the availability of trusted out-of-country contacts for the end user?
  • What is the level of expected penalty if the user is caught using circumvention technology?
  • Does the end-user properly understand the potential security risks of using the specific circumvention technology?

Number of Users and Available Bandwidth
The circumvention provider needs to estimate the number of users the circumvention technology is intended for and balance that with the available bandwidth. The end user must also take into account their bandwidth as circumvention technology will slow their Internet use.

People interested in running public proxies need to consider that their circumventor may be used by persons who are not in censored locations. For example, circumventors may be used to download entire porn movies, which will use a lot of bandwidth. Therefore you may wish to restrict who has access to your circumventor or how much total bandwidth you’d like the circumventor to be restricted to. Different available technologies provide some or all of these options.

Primary Point of Access and Use
There will be varying options of applicable circumvention technologies depending on where the end-users access the Internet and what services they need to run through the circumvention system. For example, users who access the Internet from public computers or Internet cafés will not be able to install any software and will be restricted to web-based solutions. Other users may want to proxy protocols in addition to HTTP and may be willing to install client software and adjust browser/system settings.

Level of Technical Expertise
The greater the level of technical expertise (and the more limited the number of users), the more circumvention options there are. The barriers to non-technical users include the installation and set-up process as well as any configuration changes or extra steps that must be taken when actually using the circumvention technology.

Availability of Trusted Contacts
End users can greatly enhance their circumvention options if they know and trust persons outside of their country. If a user does not have a trusted contact then their options are limited to publicly available systems and if the user can locate these systems so can those implementing the filtering and blocking. With a trusted contact the end-user can consult with the circumvention provider to find a solution that meets their specific needs and can be kept private to avoid detection.

The Expected Penalty
It is extremely important to know the penalty that users face if they are caught using circumvention technology. Depending on the severity of the penalty options will vary. If the legal environment is lax and the expected penalty low users can choose from a variety of available options which while effective at circumvention are not very secure. If the environment is extremely dangerous care must be taken to implement technologies that are both discreet and secure. Some may even be used with a legitimate cover story or other forms of obfuscation.

Security Risks
Too often users in countries that implement Internet filtering and blocking are encouraged to use circumvention technology without being properly informed of the potential security risks of the technology they are using, or of the countermeasures that those implementing the filtering can take to detect, block, and monitor the circumvention technology and those using it. Depending on the deployment scenario, users should be aware of the potential risks and countermeasures, and the risks should be minimized by deploying the right technology in the right place and having the end-user use it in the correct manner.


The Common Option: CGIProxy

The most common circumvention option is to use CGIProxy running on Apache/mod_ssl. CGIProxy is a web-based proxy system developed by James Marshall and is free for non-commercial use. CGIProxy acts as an HTTPS/HTTP or FTP proxy. When used to browse web pages it modifies all the links in the web page to point back through the CGIProxy so that users can browse seamlessly. Since CGIProxy is web-based, the end-user does not have to install any software. CGIProxy’s ease of use for the end-user makes it an attractive option.

The installation assumes that you have a webserver, preferably Apache, already set up, so some level of technical knowledge is a base requirement. (For users in a Windows environment an automated installer has been developed by Peacefire.) CGIProxy can be set up with or without SSL support. There are two concepts here: one is setting up CGIProxy to be able to proxy traffic to SSL-enabled sites, the other is setting up CGIProxy so that end-users access CGIProxy itself through an encrypted SSL connection.

When accessed through HTTP, CGIProxy has some URL obfuscation options (e.g. ROT-13) so that it can effectively circumvent filtering by keyword in domain and is a fast and effective means to circumvent Internet filtering. But it leaves the content of the session in plaintext which can be easily monitored. Basically, although you can go to a blocked site, the content of that site can be sniffed, so those implementing the filtering can still determine what websites have been visited through the circumventor.

The optimal set-up for CGIProxy is to place it in a location where it is accessible through SSL. End-users would access it through HTTPS rather than HTTP. The advantage is that the path to the circumventor is encrypted, as is the content of the session. It is important to rename the .cgi script to a random name so that those implementing the filtering cannot guess its location. By using SSL to access CGIProxy one also does not need to obfuscate the circumvented URLs, as the entire path is encrypted. Although it may be slower, it is a far more secure option than accessing through normal HTTP.

One important note is that normal HTTP traffic occurs on port 80 whereas HTTPS traffic is on port 443. While it is common for a lot of traffic to pass through on port 80, a significant increase of traffic on 443 may draw attention. An additional point of concern is the browsing behavior of users. If a user tries to access a site and finds it to be blocked, but then immediately uses CGIProxy to access the blocked site, it may tip off the authorities to the location of the CGIProxy. Also, although the CGIProxy can be accessed through HTTPS, it is possible to fingerprint specific blocked sites and make a “probabilistic guess” to determine if users are accessing them.

An additional security risk that end-users should be aware of is the Man-In-The-Middle (MITM) attack. Most circumventor providers will not be able to purchase signed SSL certificates and will use self-signed certificates. These can be easily spoofed by those implementing filtering, who can then retrieve the content of your session in plaintext. Therefore it is important for end-users to be provided with the Fingerprint/Thumbprint of the certificate so that they can make sure that the certificate has not been spoofed. (Also, it has been suggested that the filtering authorities may filter access to self-signed certificates entirely.)
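
The fingerprint check described above can be scripted. The following is an added example, not part of the original article or of CGIProxy: it hashes the DER-encoded certificate a server presents and compares it with the fingerprint the operator supplied out of band. The function names and the sample byte strings are assumptions made for illustration; the sample "certificates" are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
import socket
import ssl

# Hex digest length -> hash algorithm, so the published fingerprint decides the algorithm.
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_fingerprint(text):
    """Strip separators and case from a fingerprint such as 'AB:CD:...' or 'ab cd ...'."""
    cleaned = "".join(ch for ch in text.lower() if ch not in ": -\t\n")
    if len(cleaned) not in _ALGO_BY_HEX_LEN or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-1 or SHA-256 hex fingerprint")
    return cleaned


def cert_fingerprint(der_bytes, algo="sha256"):
    """A fingerprint is the hash of the DER-encoded certificate, as browsers display it."""
    return hashlib.new(algo, der_bytes).hexdigest()


def fingerprint_matches(der_bytes, published):
    """Compare the presented certificate against the out-of-band fingerprint."""
    expected = normalize_fingerprint(published)
    actual = cert_fingerprint(der_bytes, _ALGO_BY_HEX_LEN[len(expected)])
    return hmac.compare_digest(actual, expected)


def fetch_der_cert(host, port=443, timeout=10):
    """Fetch the server certificate without CA validation (it is self-signed);
    trust is decided only by fingerprint_matches() afterwards."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for two DER certificates (not real certificates).
GENUINE_DER = b"constructed-genuine-certificate-bytes"
SPOOFED_DER = b"constructed-substituted-certificate-bytes"
# Fingerprint as the operator would hand it over, in colon-separated upper-case form.
PUBLISHED = ":".join(f"{b:02X}" for b in hashlib.sha256(GENUINE_DER).digest())

if __name__ == "__main__":
    print("genuine certificate accepted:", fingerprint_matches(GENUINE_DER, PUBLISHED))
    print("substituted certificate accepted:", fingerprint_matches(SPOOFED_DER, PUBLISHED))
```

Against a live circumventor, pass the bytes returned by `fetch_der_cert(host)` to `fingerprint_matches()` and send no session data unless it returns true.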

There are also risks concerning the use of cookies and scripts. CGIProxy can be configured to remove cookies and scripts, but many sites (e.g. webmail sites) require the use of cookies and scripts. Care should be taken when enabling these options. There are also occasional technical problems with CGIProxy when trying to access heavily scripted sites and sites with frames.

It is also important to note that if there is not a trust relationship between the end-user and the CGIProxy operator, it should be made abundantly clear that a “rogue” circumventor operator can retrieve the content of HTTPS traffic proxied through the CGIProxy in plaintext. Thus if you use CGIProxy to check your webmail, a circumventor operator can successfully sniff your webmail password and other personal information transferred or accessed through CGIProxy.

* Note: Many of the security issues with circumvention technology noted here have been drawn from documents by Bennett Haselton.


  1. Can I put in a plug for the various options described in my censorware investigations?

  2. Of course, Seth, plug in whatever you think is relevant.

  3. :D thanks much for this
    you’re helping high schoolers in my district look at :)
