Tor releases WebTunnel to bypass censorship by mimicking HTTPS traffic

Roger Dingledine presented a talk at the 37th Chaos Communication Congress about the challenges of web censorship and the censorship attempts made by countries including Russia, Iran and Turkmenistan. Tor is effectively in a technological arms race with these censors, racing to build new ways of bypassing network censorship in adversarial countries. One of the anti-censorship mechanisms that Tor uses is pluggable transports, which either disguise internet traffic as something else to evade detection or use alternative protocols that are problematic to block because blocking them would lead to civil unrest.

Tor currently supports the following pluggable transports:

  • obfs4: One of the more popular pluggable transports, it adds an extra layer of encryption that disguises Tor traffic as seemingly random data that is hard to distinguish from other traffic.
  • meek: This transport is designed to blend in with cloud traffic, making it useful in situations where Tor itself might be blocked. However, it can be slower than other options. There are also variations like meek-azure or meek-amazon that leverage specific cloud providers.
  • snowflake: This transport uses a different technique to disguise Tor traffic, making it appear like legitimate web browsing activity.
  • fte: This is a more experimental transport that offers good performance but might not be as widely supported as others.

The Tor Project recently announced a new pluggable transport called WebTunnel, which is designed to circumvent internet censorship by disguising online activity.

From the Tor Project blog:

“WebTunnel is a censorship-resistant pluggable transport designed to mimic encrypted web traffic (HTTPS) inspired by HTTPT. It works by wrapping the payload connection into a WebSocket-like HTTPS connection, appearing to network observers as an ordinary HTTPS (WebSocket) connection. So, for an onlooker without the knowledge of the hidden path, it just looks like a regular HTTP connection to a webpage server giving the impression that the user is simply browsing the web. 

In fact, WebTunnel is so similar to ordinary web traffic that it can coexist with a website on the same network endpoint, meaning the same domain, IP address, and port. This coexistence allows a standard traffic reverse proxy to forward both ordinary web traffic and WebTunnel to their respective application servers. As a result, when someone attempts to visit the website at the shared network address, they will simply perceive the content of that website address and won’t notice the existence of a secret bridge (WebTunnel).”
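
The coexistence described in the quote above can be pictured as a single nginx virtual host that serves a website and forwards one hidden path to a local WebTunnel server. This is an added illustration, not configuration from the article or the Tor Project; the domain, certificate paths, hidden path and local port are constructed placeholders.

```nginx
# Added example. example.com, the certificate paths, the hidden path and
# port 15000 are constructed placeholders (assumptions), not Tor Project values.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # Ordinary visitors: every path except the hidden one serves the website,
    # so the domain, IP address and port look like a normal HTTPS site.
    location / {
        root  /var/www/example.com;
        index index.html;
    }

    # Hidden path: exact match only, so no prefix or sibling path reaches
    # the bridge. Replace the placeholder with a long random value.
    location = /REPLACE-WITH-LONG-RANDOM-PATH {
        proxy_pass         http://127.0.0.1:15000;  # local WebTunnel server (assumed port)
        proxy_http_version 1.1;                     # required for the Upgrade handshake

        # Pass the WebSocket-style upgrade through to the bridge.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $host;

        # Long-lived tunnel: no response buffering, generous idle timeouts.
        proxy_buffering    off;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;

        # Keep the hidden path out of the access log.
        access_log off;
    }
}
```

Because the hidden path travels inside TLS, a network observer sees only a connection to example.com on port 443; anyone who can read the path (server logs, a TLS-terminating middlebox) learns where the bridge is, which is why the sketch disables logging for that location.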