If you live in a free and democratic society, the idea that someone can control your browsing choices probably is quite disturbing. Employers blocking Facebook during working hours may be acceptable. What a free society should completely oppose, however, is censorship based on someone else's moral code, religious belief or political ideology.
Irrespective of who does the censoring, the methods used are more or less the same. This article examines some of the most common methods used to filter content as well as emerging trends. In each case, I have provided a solution or practical workaround.
The current state of internet censorship
The internet is being censored in several countries around the world. Over a billion people — 20% of the global population — are affected. Due to its large population of internet users (over 500 million), China is the best known culprit, but certainly not the worst. Our Information Liberation Guide by Jim Rion has some useful information on global internet censorship and lists the following countries as the worst violators: North Korea, China, Iran and Saudi Arabia.
Other countries not well known for internet censorship include Bahrain, Belarus, Burma, Cuba, Syria, Uzbekistan, Turkmenistan and Vietnam.
Internet censorship isn't limited to oppressive regimes. For example, it is common practice for educational institutions all over the world to implement filtering of content deemed objectionable. Companies and institutions also do the same. Many public Wi-Fi access points block pornography or material based on hate and violence. Maybe you have also used public Wi-Fi hotspots where access to streaming media sites was blocked and file downloads were restricted. Clearly, the internet isn't free.
The methods used for internet censorship
This is the most basic method used to filter content. It involves blocking the IP address of the target website. Unfortunately, all websites sharing the same IP address, which is usually the case on a shared hosting server, are also blocked. This was the method used by ISPs in the UK to block The Pirate BayWorkaround: All you need is a proxy with access to the blocked site. There are numerous free proxies online. This article by Guy McDowell lists four sites that give you a free updated proxy list. The proxy server fetches the website for you and displays it on your browser. Your ISP only sees the IP address of the proxy and not the blocked website. Blocked websites can also beat this censorship method by adding a new IP address and letting users know about it. Users are then able to access the site without any problems.
DNS filtering and redirection
This is a much more sophisticated filtering method where the Domain Name Server (DNS) fails to resolve the correct domain or returns an incorrect IP address. ISPs in many countries use this method to block illegal sites, for example, Denmark and Norway use DNS filtering to block child porn websites. China and Iran have also used this method numerous times in the past to block access to legitimate sites. Read Danny's article on how to change your DNS for more in-depth information.
Workaround: One way to circumvent this is to find a DNS that resolves the domain name correctly, for example, OpenDNS or Google Public DNS. To change your DNS from your ISP to OpenDNS or Google Public DNS, you must configure it in your operating system or device. Both have excellent tutorials for all types of operating systems. You can also type the numeric IP address in your URL bar instead of the actual domain name though this is less effective especially where sites share IP addresses.
With URL filtering, the requested URL is scanned for targeted keywords irrespective of the actual domain name typed in the URL. Many popular content control software and filters use this method. Typical users include educational institutions, private companies and government offices.
Workaround: A highly technical method to circumvent this is to use escape characters in the URL. However, it is much simpler to use encrypted protocols such as a Virtual Private Network (VPN) service or Tor. Once the data is encrypted, the filter cannot scan the URL and you can therefore access any website.
This method is also known as static packet filtering. It is a firewall technique used to control network access. Incoming and outgoing data packets are monitored and either stopped or allowed through based on pre-determined rules such as source and destination IP addresses, keywords and ports. When used in internet censorship, TCP packet transmissions are terminated by the ISP when targeted keywords are detected.
Workaround: Again, VPN services and Tor are the best ways to get around packet filtering. Packets sent over VPN and Tor contain dual IP headers. Firewalls are only able to apply the filtering rules to the outer header but not the inner header when these data packets are transmitted.
Man-in-the-middle (MITM) attack
I have only heard of this method being used by some of the regimes I mentioned earlier. It is a common hacking method, but in January 2010, Chinese authorities successfully used a MITM attack to intercept and track traffic to Github.com. As the name implies, an MITM attack is based on impersonation, where the eavesdropper makes independent connections with the victims and makes them believe they are communicating with one another.
Workaround: The best defense against MITM attacks is to use encrypted network connections, such as offered by HTTPS (what is HTTPS?) and VPN. HTTPS utilizes SSL capabilities in your browser to conceal your network traffic from snooping eyes. There are Chrome and Firefox extensions known as HTTPS Everywhere, that encrypts your communication on most major sites. When browsing on HTTPS, always take note of any browser warnings to the effect that a website's certificate is not trusted. This could indicate a potential MITM attack. VPN and Tor technology also uses SSL, which forces the attacker to obtain the key used to encrypt the traffic.
TCP connection resets/forged TCP resets
In this method, when a TCP connection is blocked by an existing filter, all subsequent connection attempts are also blocked. It is also possible for other users or websites to be blocked, if network traffic is routed via the location of the block. TCP connection resets were originally used by hackers to create a DOS (Denial of Service) condition, but Internet censors in many countries are increasingly finding the technique useful to prevent access to specific sites. In late 2007, it was reported that Comcast used this method to disable peer-to-peer communication. The US FCC ordered Comcast to terminate the practice in August 2008.Workaround: The workaround for this mainly involves ignoring the reset packet transmitted by the firewall. Ignoring resets can be accomplished by applying simple firewall rules to your router, operating system or antivirus firewall. Configure your firewall to ignore the reset packet so that no further action or response is taken on that packet. You can take this a step further by examining the Time-to-live (TTL) values in the reset packets to establish if they are coming from a censorship device. Internet users in China have successfully used this workaround to beat the Great Firewall of China.
Deep Packet Inspection (DPI)
Now this one is really scary. Under the wings of the PRISM project, the NSA used this method to eavesdrop and read private email communications. China and Iran use deep packet inspection for both eavesdropping and Internet censorship. DPI technology allows prying eyes to examine the data part of a packet to search for non-compliance against pre-determined criteria. These could be keywords, a targeted email address, IP address or a telephone number in the case of VoIP. While DPI was originally used to defend against spam, viruses and system intrusion, it is clear from recent developments that it is a now a weapon of choice for Internet censorship.
Workaround: To beat a Deep Packet Inspection, you need to connect to a remote server using a secure VPN link. The Tor Browser bundle is ideal to evade deep packet inspection because it conceals your location or usage from anyone carrying out network surveillance or traffic analysis.
Conclusion & Outlook
I have mentioned VPN and Tor as a workaround to most forms of internet censorship. However, I need to issue a caveat. Recent developments in China have demonstrated that even VPN can be blocked. In late 2012, it was widely reported that the Great Firewall of China is now able to learn, discover and block encrypted network traffic from several VPN systems (not all). China Unicom, one of the largest ISPs in China, is now terminating connections whenever an encrypted connection is detected.
However, it is clear that the there is an intense contest pitting VPN firms against internet censors with each trying to stay ahead. It is a cat-and-mouse game with the VPN companies just managing to stay above water - after all that is what we pay them to do. For complete anonymity online, though, nothing beats Tor. The NSA, in documents leaked to The Guardian, has admitted that Tor is hands down "the king of high-secure, low-latency internet anonymity."
Finally, future attempts at censorship appear aimed at hacking desktops, tablets and smartphones to embed blocking software directly in users' devices. Moving forward, powerful antivirus and anti-spyware will prove to be a sensible investment.