SoylentNews is people

posted by martyb on Sunday November 29 2015, @08:05AM
from the internet-routing-around-blockages dept.

Two web browser extensions that use content delivery networks (CDNs) in entirely opposite ways:

A research group at UMass Amherst has developed the CacheBrowser extension to circumvent the Great Firewall of China. In a nutshell, it works for websites that are hosted on CDNs like Akamai and Cloudflare. When you access a blocked site, CacheBrowser goes directly to the CDN and pulls a copy from there via SSL. The key is that the data is retrieved via SSL, so the Chinese censors are unable to distinguish between CDN access to blocked websites and CDN access to permitted websites. They are playing a game of chicken with China's censors. If China wants to block those websites it must block all websites using that CDN, the overwhelming majority of which are not on the censor list.

The yin to CacheBrowser's yang is the Decentraleyes Firefox extension. Nearly every large website, and many small ones, use cross-site includes to pull JavaScript libraries like jQuery, googleapis, Cloudflare, etc. from a CDN. That enables the CDN to track every page a browser loads from those websites. Decentraleyes helps the user go black by redirecting those CDN accesses to local copies of the libraries, making the user invisible to the CDN's tracking systems.
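
The redirect decision described above, as an added example that is not Decentraleyes source code: a request is served locally only when its host is a known CDN and the exact library version is bundled, and anything else still reaches the CDN. The bundle contents, the `resources/` path layout and the `decide` function are assumptions made for illustration.

```javascript
// Added illustration, not Decentraleyes source. Bundle contents and local paths are constructed.
const BUNDLED = new Map([
  ['jquery', new Set(['1.11.3', '2.1.4'])],
  ['angularjs', new Set(['1.4.8'])],
]);

// One rule per CDN URL layout; capture group 1 = library, group 2 = version.
const CDN_RULES = [
  { host: 'ajax.googleapis.com',
    path: /^\/ajax\/libs\/([a-z]+)\/(\d+\.\d+\.\d+)\/[\w.-]+\.js$/ },
  { host: 'cdnjs.cloudflare.com',
    path: /^\/ajax\/libs\/([a-z.]+)\/(\d+\.\d+\.\d+)\/[\w.-]+\.js$/ },
  { host: 'code.jquery.com',
    path: /^\/(jquery)-(\d+\.\d+\.\d+)(?:\.min)?\.js$/ },
];

function decide(requestUrl) {
  let url;
  try { url = new URL(requestUrl); } catch (e) { return { action: 'pass' }; }
  // Exact hostname match: a substring test would also match look-alike hosts.
  const rule = CDN_RULES.find((r) => r.host === url.hostname);
  if (!rule) return { action: 'pass' };          // not a CDN we know about
  const m = rule.path.exec(url.pathname);
  if (!m) return { action: 'miss' };             // known CDN, unrecognised resource
  const name = m[1].replace(/\./g, '');          // "angular.js" -> "angularjs"
  const versions = BUNDLED.get(name);
  // No bundled copy of this exact version: the request would still reach the CDN.
  if (!versions || !versions.has(m[2])) return { action: 'miss' };
  return { action: 'redirect', to: `resources/${name}/${m[2]}/${name}.min.js` };
}

// Constructed sample requests.
for (const u of [
  'https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js',
  'https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.8/angular.min.js',
  'https://code.jquery.com/jquery-3.9.9.min.js',
  'https://ajax.googleapis.com.tracker.example/ajax/libs/jquery/1.11.3/jquery.min.js',
]) {
  const d = decide(u);
  console.log(d.action.padEnd(8), d.to || '-', u);
}
```

A `miss` is the case to watch: the page still works, but the CDN sees the request, so coverage depends on which versions are bundled.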



This discussion has been archived. No new comments can be posted.
  • (Score: 0) by Anonymous Coward on Sunday November 29 2015, @09:35AM

    by Anonymous Coward on Sunday November 29 2015, @09:35AM (#269392)

    The second plugin could be also solved by a public caching web proxy... why don't you see those any more?

    • (Score: 0, Informative) by Anonymous Coward on Sunday November 29 2015, @09:40AM

      by Anonymous Coward on Sunday November 29 2015, @09:40AM (#269393)

      > The second plugin could be also solved by a public caching web proxy...

      No it can't. The browser still checks in with the real server to ask it if the local cached copy is expired.

      • (Score: 2) by wonkey_monkey on Sunday November 29 2015, @11:29AM

        by wonkey_monkey (279) on Sunday November 29 2015, @11:29AM (#269407) Homepage

        I thought the proxy did that. Seems to me that would be more efficient, anyway.

        --
        systemd is Roko's Basilisk
        • (Score: 1, Informative) by Anonymous Coward on Sunday November 29 2015, @11:58AM

          by Anonymous Coward on Sunday November 29 2015, @11:58AM (#269417)

          If the proxy does it or the web browser does it the result is the same. Every page load causes the CDN to get a pingback.

      • (Score: 2) by M. Baranczak on Sunday November 29 2015, @04:43PM

        by M. Baranczak (1673) on Sunday November 29 2015, @04:43PM (#269446)

        > > The second plugin could be also solved by a public caching web proxy...

        > No it can't. The browser still checks in with the real server to ask it if the local cached copy is expired.

        The caching proxy only checks the origin server if the document's TTL is expired. If you set the TTL to 20 minutes, then the origin server won't get more than 1 request per 20 minutes, no matter how often clients request the document. And the origin server has no idea who the clients are.

        • (Score: 0) by Anonymous Coward on Sunday November 29 2015, @05:21PM

          by Anonymous Coward on Sunday November 29 2015, @05:21PM (#269458)

          The CDN sets the TTL via the HTTP Expires header.

          • (Score: 2) by M. Baranczak on Sunday November 29 2015, @06:16PM

            by M. Baranczak (1673) on Sunday November 29 2015, @06:16PM (#269471)
            A caching proxy is free to ignore the "Expires" header. And in either case, the origin server has no idea where the client requests are coming from - which is the whole point that we're talking about.
            • (Score: 0) by Anonymous Coward on Sunday November 29 2015, @07:00PM

              by Anonymous Coward on Sunday November 29 2015, @07:00PM (#269488)

              There are some big unstated assumptions in your post that make usage much more difficult in this single-user scenario:

              (1) That a regular user will know how to install a caching proxy, configure it to ignore expiration times from servers and maintain it.
              (2) That the caching proxy will be used by enough people such that the proxy's IP address isn't enough to identify the user.

              So yeah, it is technically true that an expert user with a lot of resources could put up a caching proxy and make it available to enough people so that his own usage is mixed in with a bunch of other people. But that is not the use-case that Decentraleyes addresses.
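
The caching-proxy exchange above, as an added simulation that is not part of any comment: a shared proxy either honours the origin's expiry or overrides it with a fixed 20-minute TTL, and the origin's log shows how many requests it receives and which address it sees. The class names, addresses and the one-load-per-minute workload are constructed, and there is no network I/O.

```javascript
// Added illustration: constructed simulation of the caching-proxy argument.
class Origin {
  constructor() { this.log = []; }
  fetch(path, now, fromAddr) {
    this.log.push({ path, at: now, from: fromAddr });
    // The origin asks for immediate expiry, so a cache that honours it
    // contacts the origin again on every page load.
    return { body: `/* ${path} */`, expiresAt: now };
  }
}

class CachingProxy {
  constructor(origin, addr, ttlSeconds, honourExpires) {
    Object.assign(this, { origin, addr, ttlSeconds, honourExpires });
    this.cache = new Map();
  }
  // clientAddr is accepted but never forwarded to the origin.
  get(path, now, clientAddr) {
    const hit = this.cache.get(path);
    if (hit && now < hit.freshUntil) return hit.body;   // served from cache
    const res = this.origin.fetch(path, now, this.addr);
    const freshUntil = this.honourExpires ? res.expiresAt : now + this.ttlSeconds;
    this.cache.set(path, { body: res.body, freshUntil });
    return res.body;
  }
}

// One page load per minute for an hour, rotating over the given clients.
function simulate(honourExpires, clients) {
  const origin = new Origin();
  const proxy = new CachingProxy(origin, '198.51.100.7', 20 * 60, honourExpires);
  for (let minute = 0; minute < 60; minute++) {
    proxy.get('/jquery.min.js', minute * 60, clients[minute % clients.length]);
  }
  return {
    originRequests: origin.log.length,
    addressesSeen: [...new Set(origin.log.map((e) => e.from))],
    usersBehindAddress: clients.length,   // size of the crowd sharing that address
  };
}

const crowd = ['10.0.0.1', '10.0.0.2', '10.0.0.3'];
console.log('honour Expires:', simulate(true, crowd));
console.log('fixed 20m TTL: ', simulate(false, crowd));
console.log('single user:   ', simulate(false, ['10.0.0.1']));
```

In every run the origin sees only the proxy's address; with a single user behind the proxy that address still corresponds to one person, which is the second assumption raised in the last comment.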

  • (Score: 0) by Anonymous Coward on Sunday November 29 2015, @10:03AM

    by Anonymous Coward on Sunday November 29 2015, @10:03AM (#269396)

    I'd think China would just block all SSL connections to those CDNs instead, or even block any SSL connection not on a (probably very short) whitelist. Plain text connections to non-blacklisted content would still be possible.

    • (Score: 2, Insightful) by Francis on Sunday November 29 2015, @11:57AM

      by Francis (5544) on Sunday November 29 2015, @11:57AM (#269416)

      They can't, not without doing themselves a huge amount of damage. I was using something like this occasionally when I was in China and the authorities aren't in a position to block it.

      Yes, they could block it, but that would take down a considerable portion of the internet and they're already hitting the limit of what they can do in terms of blocking. The Chinese people don't have any say in it, shy of a revolution, but foreign companies expect that things like that are going to work. They're not going to accept being in China and having to use a VPN for absolutely everything because the government took down the CDNs.

      As it stands, the cost of production in China is already rather iffy in terms of cost savings, something like this would represent a likely coup de grace for a lot of companies that aren't dedicated to being in China.

      • (Score: 0) by Anonymous Coward on Sunday November 29 2015, @01:49PM

        by Anonymous Coward on Sunday November 29 2015, @01:49PM (#269427)

        The censors might pay off the CDNs to implement the block list on their side - if a Chinese IP requests a censored web page the CDN would refuse to serve it. Everybody has a price...

        • (Score: 0) by Anonymous Coward on Sunday November 29 2015, @05:32PM

          by Anonymous Coward on Sunday November 29 2015, @05:32PM (#269460)

          China had better have the money then, because the two solutions are to put special servers on their side of the wall or doing it outside of it on their regular servers. Either way, the result for the CDN company is expensive for them to implement, easy to detect, and would result in getting creamed in the tech press. They get enough crap for, essentially, MITM your TLS connection to the website you want or otherwise futzing with them. Now imagine how many people would leave if they started denying eyeballs to your ads or content (whichever you care about most). In addition to losing that revenue from paying companies, the less people using your CDN, the less tracking information you have to sell to goodness knows who. Also, other places would demand censoring of their own and that CDN is toast as such demands snowball.

          • (Score: 1, Interesting) by Anonymous Coward on Sunday November 29 2015, @07:05PM

            by Anonymous Coward on Sunday November 29 2015, @07:05PM (#269492)

            > Now imagine how many people would leave if they started denying eyeballs to your ads or content (whichever you care about most).

            That is not how it would be sold. China says - implement our blocklist or we block the entire CDN. Cooperating CDNs would be able to say "come to us and if you are not on the blocklist you are guaranteed eyeballs in China." But if you don't use a cooperating CDN, China blocks the entire CDN so you get no eyeballs in China.

    • (Score: 0) by Anonymous Coward on Sunday November 29 2015, @04:40PM

      by Anonymous Coward on Sunday November 29 2015, @04:40PM (#269445)

      10 years ago, sites like tripod and geocities were completely blocked from within China; by my guess as punishment for not editing the content people put on those sites.
      The obvious economic solution is to ban out-of-region connections to CDN servers, and set up a bunch of servers that will obey Chinese law for that market.