Considering complete alternative IP routing and DNS services


Post by borgs8472 » Sun May 27, 2012 4:07 pm

So ever since we launched our pirate bay proxy along with many others, we're technically and actively involved in battle to ensure the robustness of the internet as we know it.

Whilst there has been some criticism that the pirate bay has been singled out for special treatment, rather than providing a more generic service, I feel the move was correct at this point to ensure maximum reliability of the service without opening up to the technical risks that running a full generic proxy would.

The block announcement appeared to come as a surprise to many as we still don't have a clarification on forum linking policy or separate IP for the service, but these are simply symptoms of the premature launch, rather than major issues unto themselves.

Now we have the frequently correct, but still powerful IWF block list which whilst 'voluntary', is the industry standard for UK ISPs, we see ISPs acting as government appointed gatekeepers to the internet, it's not a function they want to perform, but is enforced upon them.

Now how about this - extending from the pirate bay proxy, we could offer more services to bypass the coming great firewall of the UK?

Now through use of proxy domains, browser plugins and desktop applications, rather than having to run a full blown VPN service (expensive, requires registration from end users) we could offer services that would only kick in when needed. This could be done via local routing and DNS rules.

Example, a consumer wants to access website X that has been blocked by their ISP. They try and visit it in the usual way and the ISP null routes it. This data can be passed back to the proxy service who can run a command similar to that found on downforeveryoneorjustme.com. If site X is not down for the proxy service it can update the client that it has prepared a route for X and handle proxying of requests via a transparent IP or alternative domain name.

Since at this time there are so few ISP blocked sites of note, this would be a good time to attempt such a project. As the service got further take up, it would require the proxy service become more distributed, there would also have to be a secure way of joining and updating the service data between participants which poses more problems providing in a true peer to peer fashion than a central control. Privacy of the proxy data remains an issue.

TL;DR?
* Following TBP blockade there is increased demand for very easy to use anti censorship tools
* Providing a 'if blocked, reroute' service should require far, far less traffic than a full VPN/proxy service

This idea seems to be in alignment with the precedent set by our proxy service - one could argue in a purer sense than just offering the service for the pirate bay.

Thoughts?
borgs8472
Space Pirate
 
Posts: 1960
Joined: Mon Aug 31, 2009 7:34 pm
Location: London

Re: Considering complete alternative IP routing and DNS serv

Post by liamreed » Sun May 27, 2012 8:44 pm

Would it not be simpler to create a plug-in or desktop application that upon entry of a censored address it automatically routes through the proxy? I think that if all requests were to be checked there would be a possibility for massive memory spikes.
Content submitted is only as accurate as the mood I'm in when I hit submit. :)
Party Governor
liamreed
Party Governor
 
Posts: 172
Joined: Fri Dec 10, 2010 5:26 am
Location: Lincoln, East Midlands

Re: Considering complete alternative IP routing and DNS serv

Post by M2Ys4U » Sun May 27, 2012 8:53 pm

What's wrong with throwing our weight behind Tor?

If it's good enough for the Great Firewall of China it'll be good enough for the Great Firewall of the United Kingdom.
Jack Allnutt - Deputy Campaigns Officer, Member of the Board of Governors and former RAO for North-West England
M2Ys4U
Deputy Campaigns Officer
 
Posts: 600
Joined: Fri Aug 21, 2009 5:12 am
Location: Manchester

Re: Considering complete alternative IP routing and DNS serv

Post by liamreed » Sun May 27, 2012 9:01 pm

Hmm, just from personal experience Tor has good days and bad days in terms of speed, although something is better than nothing. I'd like to see some kind of service that has a *constant* uptime and level of quality plus also comes with universal compatibility (all applications not just the specific browser).

Re: Considering complete alternative IP routing and DNS serv

Post by borgs8472 » Sun May 27, 2012 10:23 pm

liamreed wrote: Would it not be simpler to create a plug-in or desktop application that upon entry of a censored address it automatically routes through the proxy? I think that if all requests were to be checked there would be a possibility for massive memory spikes.

My suggestion for a dynamic rerouting algorithm would involve profiling the 'blocked site' behaviour and only calling home to arrange a circumvention route if it detected a block, otherwise the system would consult its local routing DB with minimal overhead.

M2Ys4U wrote: What's wrong with throwing our weight behind Tor?

If it's good enough for the Great Firewall of China it'll be good enough for the Great Firewall of the United Kingdom.

Tor fits a gap in the ecosystem where the requirement is to both avoid eavesdropping (SSL), circumvent IP blocks (proxies) and provide full anonymity (multiple proxies).

For your average internet user, requirements are currently much lighter, simply to circumvent IP blocks. Even though you can run Tor in portable form, I still find it slow to start and the performance poor. I'm looking for a solution for the masses, to truly render IP blocking ineffective, not necessarily a solution for people who know or care what browser they run, who just want the sites they use to be cut off all of a sudden.

I was surfing with Tor yesterday and discovered the concept of a Tor entry node software. The idea is you can give a publicly routable DNS address, but have it enter the Tor network and exit at a designated spot, e.g. a blocked site. This is basically what we have with our pirate bay proxy, but with more than one node provided by Tor.

The focus of my posting is aimed around solutions like our proxy site, but extending the technology so it's more generic and scalable.

Re: Considering complete alternative IP routing and DNS serv

Post by Finlay_A » Mon May 28, 2012 5:49 am

M2Ys4U wrote: What's wrong with throwing our weight behind Tor?

If it's good enough for the Great Firewall of China it'll be good enough for the Great Firewall of the United Kingdom.


This.

I did propose the party operate an exit node when I was a (non-voting) NEC member, back in 2010, as a way to show material support for the Tor project. Maybe an idea worth revisiting?

Then again, nothing stopping us doing both :)
Member of the Board of Governors
Stood for Westminster, Holyrood and Council elections in Glasgow
"Don't mind the potatoes, but the soup is good!"
Finlay_A
PPUK Candidate
 
Posts: 622
Joined: Sat Jan 02, 2010 1:07 pm
Location: Aberdeen

Re: Considering complete alternative IP routing and DNS serv

Post by cooky560 » Mon May 28, 2012 8:30 am

BTW guys, SSL isn't as secure as you think if it's hit by Deep Packet Inspection (something China's firewall is incapable of but the UK firewall IS capable of). While Deep Packet Inspection won't reveal the actual content, it's very easy to use it to work out where a Tor user has been.
cooky560
Swabbie
 
Posts: 13
Joined: Fri May 18, 2012 2:36 pm

Re: Considering complete alternative IP routing and DNS serv

Post by borgs8472 » Mon May 28, 2012 5:19 pm

^ ^
Source on UK being able to break SSL?

Finlay_A wrote: I did propose the party operate an exit node when I was a (non-voting) NEC member, back in 2010, as a way to show material support for the Tor project. Maybe an idea worth revisiting?

That's a relevant gesture, but I'm suggesting a more user friendly approach to proving mass anti censorship.

Re: Considering complete alternative IP routing and DNS serv

Post by cooky560 » Wed May 30, 2012 8:34 pm

borgs8472 wrote: ^ ^
Source on UK being able to break SSL?

Finlay_A wrote: I did propose the party operate an exit node when I was a (non-voting) NEC member, back in 2010, as a way to show material support for the Tor project. Maybe an idea worth revisiting?

That's a relevant gesture, but I'm suggesting a more user friendly approach to proving mass anti censorship.


Who says the boxes have to come from the UK? or that the "black boxes" are anything other than software which analyses streams from anywhere in the world, however Deep Packet Inspection is designed exactly for the purpose of snooping on unsnoopable packets.

Re: Considering complete alternative IP routing and DNS serv

Post by borgs8472 » Thu May 31, 2012 12:08 am

I know what DPI is, I've never heard of it being used routinely to break SSL though, please cite a source.

Re: Considering complete alternative IP routing and DNS serv

Post by naggedbycats » Mon Jun 11, 2012 9:05 am

Here's a source from Sonicwall : http://www.sonicwall.com/downloads/Soni ... Module.pdf

TL;DR, apparently it executes a man in the middle attack and all your packets are belong to spais.
naggedbycats
Swabbie
 
Posts: 8
Joined: Fri Dec 23, 2011 12:00 pm

Re: Considering complete alternative IP routing and DNS serv

Post by borgs8472 » Tue Jun 12, 2012 10:53 pm

naggedbycats wrote: Here's a source from Sonicwall : http://www.sonicwall.com/downloads/Soni ... Module.pdf

TL;DR, apparently it executes a man in the middle attack and all your packets are belong to spais.

That only works if you add a certificate exception for the sonicwall / are on a corporate network etc. It's for use by corporate sysadmins to view their users' traffic. I have one in fact - but it lives at a data centre, not an office :D

To try this from the comfort of your own home, you can use fiddler, where if you add it as a certificate exception, it can decrypt your SSL traffic for debugging purposes.

Re: Considering complete alternative IP routing and DNS serv

Post by naggedbycats » Thu Jun 21, 2012 10:41 pm

Aren't you assuming that the state can't / won't use some form of rubber hose attack to obtain the private keys from the CAs?

Re: Considering complete alternative IP routing and DNS serv

Post by borgs8472 » Sat Jun 23, 2012 1:24 am

I'm assuming such compromise couldn't be kept secret.