Tor Bridges

Anti-censorship technologies: bridges and pluggable transports

Regular Tor connection

Ordinary Tor scheme

Tor connection with Bridge

Tor with bridge scheme

Tor provides the ability to access sites that are censored or blocked. However, what steps can you take if Tor becomes inaccessible due to blocking? In such cases, bridges and pluggable transports offer solutions to circumvent censorship.

Censors block Tor in two ways: they can block connections to IP addresses of known Tor relays, and they can analyse network traffic for use of the Tor protocol. Bridges are secret Tor relays – they don’t appear on any public list, so the censor doesn’t know which addresses to block. Pluggable transports disguise the Tor protocol by making it look like something else – such as HTTP or completely random bytes.

There are several pluggable transports, and it can be hard to know which one to use. If this is your first time, try obfs4: it’s a randomising transport that works for most people. If obfs4 doesn’t work, try webtunnel. If that doesn’t work either, it may mean that the default bridges are blocked, and you should get a custom bridge from the Tor Project database. If a custom bridge doesn’t work, try snowflake, meek_lite or conjure.

Vanilla bridges do not use a pluggable transport at all, but like other bridges, they use servers that are not publicly listed. This type of bridge uses robust TLS encryption, the same as regular HTTPS websites. You can also use the Fake SNI option to improve their censorship resistance.

Obfs4 is a randomising transport: it adds an extra layer of specialised encryption between you and your bridge, which makes Tor traffic look like random bytes. It also resists active-probing attacks, where the censor discovers bridges by trying to connect to them. Obfs3 and scramblesuit are essentially similar to obfs4, but can’t resist active-probing attacks, so they are deprecated.

WebTunnel is a censorship-resistant pluggable transport designed to mimic encrypted web traffic (HTTPS), inspired by HTTPT. It works by wrapping the payload connection in a WebSocket-like HTTPS connection, which to observers on the network looks like a normal HTTPS (WebSocket) connection. Thus, to an outside observer unaware of the hidden path, it looks like a normal HTTP connection to a web server, giving the impression that the user is just browsing the web.

Meek makes Tor traffic look like a connection to an HTTPS site. Unlike other transports, it does not connect directly to the bridge. Meek first connects to a real HTTPS web server (in Microsoft Azure or another cloud) and from there connects to a real bridge. Censors cannot easily block meek connections because HTTPS servers also provide many other useful services. But it is slower and more expensive to maintain than other pluggable transports, so you should use obfs4 or webtunnel bridges if they are suitable for you.

Snowflake consists of three key components: volunteers who operate Snowflake proxies in their browsers, Tor users who need access to the internet, and a broker who provides the link between the Snowflake proxies and the users. Each Snowflake proxy serves to link a user’s internet connection to the IP address of a Tor relay, allowing their traffic to be stealthily forwarded in a manner that looks innocent to observers. Snowflake helps you avoid attention from internet censors by making it appear that you are using the internet for a normal video or voice call.

Conjure is an anti-censorship tool in the refraction networking (a.k.a. decoy routing) lineage of circumvention systems. Conjure’s key innovation is to turn the unused IP address space of deployed Internet Service Providers (ISPs) into a large pool of phantom proxy servers to which users can connect. Due to the size of the unused IPv6 address space and the potential for collateral damage to real websites hosted by deploying ISPs, Conjure provides an effective solution to the problem of censors listing deployed bridges or proxies.
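As an added example (not part of the original page or of any Tor Project code), the Python sketch below checks a list of bridge lines before you add them: it rejects malformed lines, drops the deprecated obfs3 and scramblesuit transports, and sorts the rest in the order suggested above. It assumes the line layout that Tor's `Bridge` option takes, `[transport] ADDR:PORT [FINGERPRINT] [key=value ...]`, which this page does not show; all sample values are constructed.

```python
import ipaddress
import re

# Order suggested in the text above; vanilla and unknown transports sort last (assumption).
PREFERENCE = ["obfs4", "webtunnel", "snowflake", "meek_lite", "conjure"]
DEPRECATED = {"obfs3", "scramblesuit"}  # no resistance to active probing
FINGERPRINT = re.compile(r"[0-9A-Fa-f]{40}")

# Constructed sample lines: documentation-range addresses, made-up fingerprint and cert.
FP = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE = [
    f"192.0.2.10:9001 {FP}",
    f"obfs3 192.0.2.11:443 {FP}",
    f"webtunnel [2001:db8::5]:443 {FP} url=https://example.com/path ver=0.0.1",
    f"Bridge obfs4 192.0.2.12:8443 {FP} cert=CONSTRUCTEDcert iat-mode=0",
]

def parse_bridge_line(line):
    """Parse '[transport] ADDR:PORT [FINGERPRINT] [key=value ...]'."""
    tokens = line.split()
    if tokens and tokens[0].lower() == "bridge":  # tolerate a torrc-style prefix
        tokens = tokens[1:]
    # A vanilla bridge has no transport name, so its first token is the address.
    transport = "vanilla"
    if tokens and ":" not in tokens[0]:
        transport = tokens.pop(0).lower()
    if not tokens:
        raise ValueError("missing address")
    host, sep, port = tokens.pop(0).rpartition(":")
    if not sep or not port.isdecimal() or not 0 < int(port) < 65536:
        raise ValueError("bad address:port")
    ip = ipaddress.ip_address(host.strip("[]"))  # ValueError if not an IP literal
    fingerprint = tokens.pop(0).upper() if tokens and FINGERPRINT.fullmatch(tokens[0]) else None
    options = dict(t.split("=", 1) for t in tokens if "=" in t)
    return {"transport": transport, "address": str(ip), "port": int(port), "fingerprint": fingerprint,
            "options": options, "deprecated": transport in DEPRECATED}

def order_bridges(lines):
    """Skip malformed or deprecated lines; sort the rest by the suggested order."""
    usable = []
    for line in lines:
        try:
            bridge = parse_bridge_line(line)
        except ValueError:
            continue
        if not bridge["deprecated"]:
            usable.append(bridge)
    rank = {name: i for i, name in enumerate(PREFERENCE)}
    return sorted(usable, key=lambda b: rank.get(b["transport"], len(rank)))
```

Calling `order_bridges(SAMPLE)` returns the obfs4 bridge first, then webtunnel, then the vanilla bridge, with the obfs3 line left out.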

Using default Bridges

Adding new bridges

Requesting new bridges