Thwarting Web Censorship with Untrusted Messenger Discovery
- ISBN: 3540206108
- DOI: 10.1007/978-3-540-40956-4_9
Abstract
All existing anti-censorship systems for the Web rely on proxies to grant clients access to censored information. Therefore, they face the proxy discovery problem: how can clients discover the proxies without having the censor discover and block these proxies? To avoid widespread discovery and blocking, proxies must not be widely published and should be discovered in-band. In this paper, we present a proxy discovery mechanism called keyspace hopping that meets this goal. Similar in spirit to frequency hopping in wireless networks, keyspace hopping ensures that each client discovers only a small fraction of the total number of proxies. However, requiring clients to independently discover proxies from a large set makes it practically impossible to verify the trustworthiness of every proxy and creates the possibility of having untrusted proxies. To address this, we propose separating the proxy into two distinct components: the messenger, which the client discovers using keyspace hopping and which simply acts as a gateway to the Internet; and the portal, whose identity is widely-published and whose responsibility it is to interpret and serve the client's requests for censored content. We show how this separation, as well as in-band proxy discovery, can be applied to a variety of anti-censorship systems.
Nick Feamster, Magdalena Balazinska, Winston Wang, Hari Balakrishnan, and David Karger
MIT Laboratory for Computer Science
200 Technology Square, Cambridge, MA 02139
{feamster,mbalazin,wwww,hari,karger}@lcs.mit.edu
1 Introduction
Many political regimes and corporations actively restrict or monitor their employees' or citizens' access to information on the Web. Many systems try to circumvent these censorship efforts by using cooperative proxies. Anonymizer [1] is one of the oldest such systems. Peekabooty [15], Safeweb [11], and Zero Knowledge's WebSecure [13] use an SSL-encrypted channel to communicate requests to proxies outside of the censored domain, which then return the censored content over this encrypted channel. In Infranet [3], clients communicate with cooperating proxies by constructing a covert and confidential channel within an HTTP request and response stream, without engendering the suspicion that a visibly encrypted channel might raise.
These systems require a client within the censored domain to discover and communicate with a cooperating proxy outside of the domain, as shown in Figure 1. Each of these systems assumes that a censor blocks access to a Web server based on its identity (i.e., IP address or DNS name) and that the censor allows access to any host that does not appear to be delivering objectionable content. Thus, the livelihood of these systems depends on the existence of proxies that the censor does not know about.
Fig. 1. Current censorship circumvention schemes rely on access to trusted proxies that serve clients' requests for censored content. (Diagram labels: Client, CENSOR, Proxy, Target, Internet.)
Fig. 2. Forwarding a message and decoding that request can be decomposed into two separate operations. (Diagram labels: Client, CENSOR, Messengers, Portal, Target, Internet.)
All proxy-based censorship avoidance systems face the troubling proxy discovery problem. To gain access to censored content, clients must have access to cooperating proxies. However, if the censor can operate under the guise of a legitimate client, it can discover these proxies and block access to them. For example, China's firewall previously blocked access to the Safeweb proxy. An effective proxy discovery technique must allow a client to easily discover a few participating proxies but make it extremely difficult for a censor to discover all of these proxies. Any reasonable solution to the problem must defend against both out-of-band discovery techniques (e.g., actively scanning or watching traffic patterns) and in-band ones (e.g., where the censor itself becomes a client).
To achieve these goals, a proxy-based censorship avoidance system should have the following characteristics:
– The system should have a large number of proxies. A system with no more than a few proxies is useless once those proxies are blocked. A system with more proxies makes it more difficult for a censor to block all of them.
– Clients must discover proxies independently of one another. If every client discovers the same few proxies, a censor could block access to these popular proxies and render the system useless.
– The client must incur some cost to discover a proxy. Because the censor can assume the identity (i.e., IP address) of any client behind its firewall, it is relatively easy for a censor to operate a large number of clients solely to discover proxies. As such, discovering a proxy should require a non-trivial investment of resources, such as solving a client puzzle [6].
– Brute-force scanning techniques must not expose proxies. A censor may suspect that a host is a proxy and try to verify this in some fashion (e.g., by acting as a client and seeing if it acts as a proxy, etc.). Thus, to an arbitrary end-host, a proxy should look innocuous.
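
As an added illustration of the cost requirement in the list above (not code from the paper, and not its keyspace hopping mechanism), the sketch below implements a generic hash-based client puzzle. The function names, the 16-bit difficulty, and the identity-plus-epoch challenge format are assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct

SERVER_KEY = os.urandom(32)  # hypothetical secret held by the puzzle issuer
DIFFICULTY_BITS = 16         # assumed cost: about 2**16 hashes per discovery


def issue_challenge(client_id: str, epoch: int, key: bytes = SERVER_KEY) -> bytes:
    """Stateless challenge: MAC over requester identity and a time window."""
    msg = client_id.encode() + struct.pack(">Q", epoch)
    return hmac.new(key, msg, hashlib.sha256).digest()


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_hash(challenge: bytes, nonce: int) -> bytes:
    return hashlib.sha256(challenge + struct.pack(">Q", nonce)).digest()


def solve(challenge: bytes, bits: int = DIFFICULTY_BITS) -> int:
    """Requester side: brute-force a nonce; expected work is 2**bits hashes."""
    nonce = 0
    while leading_zero_bits(puzzle_hash(challenge, nonce)) < bits:
        nonce += 1
    return nonce


def verify(client_id: str, epoch: int, nonce: int, now_epoch: int,
           bits: int = DIFFICULTY_BITS, key: bytes = SERVER_KEY) -> bool:
    """Issuer side: one MAC plus one hash, no per-client state kept."""
    if epoch != now_epoch:  # a solution is only valid in its own time window
        return False
    challenge = issue_challenge(client_id, epoch, key)
    return leading_zero_bits(puzzle_hash(challenge, nonce)) >= bits


if __name__ == "__main__":
    # Constructed sample values: a documentation-range IP and an epoch counter.
    cid, epoch = "192.0.2.10", 1000
    nonce = solve(issue_challenge(cid, epoch))
    print("nonce", nonce, "accepted:", verify(cid, epoch, nonce, epoch))
    print("replayed next epoch:", verify(cid, epoch, nonce, epoch + 1))
```

Binding the challenge to an identity and epoch only stops one solution from being shared or replayed. Since the censor can assume many client identities, it is the per-request work, set here by `DIFFICULTY_BITS`, that makes enumerating proxies in-band expensive.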
We propose a proxy discovery technique called keyspace hopping that limits
in-band discovery of proxies by ensuring that no client knows more than a small