Naked Security Naked Security

‘Clever’ TapDance approach to web censorship that works at ISP level

The TapDance approach is just a proof of concept at the moment, but observers have welcomed it as a potentially useful tool

Both China and India have been found to block websites sometimes. Don’t feel smug if you live outside of Asia, the American government may block websites in the future. The UK government has already talked about blocking websites that feature pornography of consenting adults, unless an adult Briton specifically asks to be able to access it.

Researchers from the University of Colorado at Boulder, Georgetown University Law Center, University of Michigan, and University of Illinois Urbana-Champaign have found a way to circumvent web censorship, but ISPs worldwide would need to implement their technology. Their refraction networking system is called TapDance.

One of the most common ways that people bypass region-based content blocking is by using third-party VPNs that operate in different countries. But governments and corporations can interfere by blocking access to a third-party VPN, or other kinds of internet proxies, such as Tor.

David Robinson is one of the researchers behind TapDance. The research team deployed a limited implementation of TapDance with the help of Psiphon, an application that helps people access the internet without censorship. Robinson wrote about TapDance on Medium:

For our trial, we built a high-performance implementation of the TapDance refraction networking scheme and deployed it on four ISP uplinks with an aggregate bandwidth of 100 gigabits per second. To reach end users, we partnered with Psiphon, a popular anti-censorship tool. For this trial, some Psiphon users received a specially updated version of the Psiphon client, which was configured to use TapDance instead of Psiphon’s other circumvention strategies. Over one week of operation, our deployment served more than 50,000 real users. The experience demonstrates that TapDance can be practically realized at ISP scale with good performance and at a reasonable cost, potentially paving the way for long-term, large-scale deployments of TapDance or other refraction networking schemes in the future.

Image courtesy of David Robinson and

Here’s how TapDance works. A TapDance station at each participating ISP is located by a client that requests a blocked webpage. The station passively inspects a copy of its network traffic, and stealthily injects new packets into it, using HTTPS.

A user’s TapDance client sends incomplete HTTPS requests to sites that aren’t blocked. Clients tag the ciphertext of the connecting packets, which can be seen by the TapDance system, but not seen by censorship mechanisms. The reachable site won’t respond to the HTTPS requests because they’re incomplete. While the requests travel its route, the TapDance station impersonates the server and exchanges data with TapDance clients in a covert way.

The TapDance system has advantages that other refraction networking technologies lack. The researchers partnered with Merit Network, and the University of Colorado at Boulder’s internet infrastructure to test the technology. About 50,000 users were involved, and the ISP upsteam links peaked at a bandwidth of more than 55 Gbps. The researchers found that TapDance was less expensive to deploy than other refraction networking systems. That’s partly due to how TapDance uses infrastructure that ISPs already have in deployment, including standard gateway routers and default network interfaces for packet injection.

EFF senior staff technologist Seth Schoen and EFF staff technologist Erica Portnoy think TapDance is promising:

This is an impressive accomplishment at the engineering level and also logistically. The researchers had to do a lot of work to turn this idea into reality at a real ISP on the real internet; an ISP environment has traditionally been a challenging setting for a change like this on both technical and political levels.

Refraction networking is quite different from previous anti-censorship techniques. Previous techniques like domain fronting do something similar at the application layer, often using a content-delivery network (CDN) as the hidden anti-censorship intermediary that grants access to the blocked content.

This new method works further down at the network level, using an ISP as the anti-censorship intermediary. Using a fundamental network component this way partly re-architects the internet itself to be more resistant to censorship.

That’s clever, and may also be harder to detect and to block. But on the other hand, it’s not something that the operator of an individual censored site can just go and do directly. Instead, it has to start with ISPs. So this technique also shifts the ability and responsibility for getting around network-based censorship.

The new technique is an improvement. The statistical methods that the censors may use are much less certain overall than figuring out which particular sites are being used as anti-censorship proxies, and blocking those, which is what’s currently possible. In refraction networking, there’s no simple list of sites that can be blocked, since any site whatsoever can be used as a decoy even without that site’s knowledge.

So the researchers know that TapDance works on a small scale. What they don’t know yet is whether or not TapDance can circumvent censorship mechanisms that are used by governments to block internet content if their technology is deployed to millions of users.

The TapDance research team hypothesizes that the technology might be able to circumvent mass government censorship methodologies because interfering with a refraction networking system as covert as TapDance would be impractically expensive. We’ll only know for certain if TapDance is tested with millions of users simultaneously.

Leave a Reply

Your email address will not be published. Required fields are marked *