Uncensored Tor: How the Tor Project Fights for Free Speech

Since the very beginning of the political protests in Belarus, users have faced problems accessing the internet. The independent project OONI, which monitors internet censorship worldwide, regularly recorded numerous shutdowns both locally in the capital and across the entire country. Additionally, many ISP clients reported that it was impossible to connect to the Tor network, even when using bridges. However, Tor’s architecture includes sophisticated tools for bypassing censorship, capable of countering even technically advanced blocking attempts. This article explores those tools.

The Global Struggle Against Tor and Internet Censorship

The situation with Tor and internet blocks in Belarus is far from unique; similar issues have been faced by residents of Venezuela. Even though obfuscated traffic is used when connecting to obfs3 and obfs4 bridges, local authorities somehow managed to filter and block such connections. The only way to connect was by using the meek pluggable transport or a traditional VPN. So, how do Tor’s anti-censorship tools work, and how effective are they?

Let’s Talk About Anonymity

According to Tor Project co-founder Roger Dingledine, who spoke at DEF CON in 2019, between 2 and 8 million users connect to the Tor network daily—a sizable audience, comparable to the population of a small country. These people aren’t just looking to visit darknet sites or government-blocked resources; they want to remain anonymous while doing so.

Unfortunately, not everyone realizes that encryption does not equal anonymity. Traffic is encrypted when connecting to most HTTPS sites, but almost any third party can easily track which resources you’re accessing and when. Using a VPN can make things a bit harder for “Big Brother,” but a determined investigator can still build a graph of your interests and social connections based on open data. Plus, you can never be completely sure your VPN provider isn’t leaking your data.

So, “anonymity” usually means hiding from third parties:

• Your geolocation and even the country you’re connecting from
• The sites you visit
• The time periods during which you connect
• Information about the hardware and software you use

Roger Dingledine admitted, “I tell my friends or parents that I work in anonymity. But when I talk to corporate representatives, I say I work in communication or network security, because they believe anonymity is dead in today’s world.” Tor’s architecture—where requests are routed through several randomly selected nodes, making it impossible to trace packet routes, and the browser blocks tracking scripts and cookies—provides a certain degree of anonymity. But as practice shows, it can still be blocked, often without much difficulty.

How Is Tor Blocked?

According to Roger Dingledine, there are four basic ways to block Tor:

1. Block access to the nine public directories of Tor entry nodes. Without access, users can’t connect.
2. Download the list of about 7,000 Tor relay nodes and block them all by IP address.
3. Use packet fingerprinting to filter traffic based on characteristics typical of Tor data. This is how the Iranian government acted during the 2009 protests, using Deep Packet Inspection (DPI) to throttle SSL traffic and make Tor unusable.
4. Block access to resources where users can download the necessary software to connect to Tor.

Combining these methods can be very effective for governments and security agencies. So, how did Tor’s developers respond?

Building Bridges

The first line of defense against network censorship was the introduction of pluggable transports, starting with obfs3 and obfs4 bridges. The idea: since “bad actors” can get the full list of open relay nodes and block access to them or their public directories, Tor created thousands of bridges whose addresses are not publicly available.

To connect to Tor via a bridge, go to https://bridges.torproject.org, choose a transport type, indicate if your network supports IPv6, complete a captcha, get a bridge address, and enter it in the Tor Browser settings. Alternatively, you can request a bridge address directly in the connection settings (again, you’ll need to complete a captcha). If torproject.org is blocked, send an email with the line get transport obfs4 in the body to [email protected]—but only from Gmail or Riseup, or your request will be ignored. A bot will reply with bridge addresses you can use in Tor Browser.

Tor bridges use the SOCKS Proxy interface and are architecturally similar to the Chinese project Shadowsocks, which also fights censorship. Tor bridges act as obfuscators, disguising Tor traffic to look like regular HTTP or random bytes, making filtering harder. Obfs3 was vulnerable to active probing (a method of finding and blocking bridge addresses), so it was replaced by the more advanced obfs4.

Governments learned to block these connections, often combining active probing with deep traffic analysis. For example, with DPI, a government can monitor all connections resembling Tor. If a suspicious node is found, a government host tries to connect via the Tor protocol. If the node responds as a bridge, it’s immediately blocked and its IP blacklisted. In China, this filtering is done at the backbone level, making blocks very effective.

Roger Dingledine called bridges a “crappy arms race,” since government censors learned to filter traffic as described above. Tor developers responded with patches to change packet data and behavior, while governments updated their filters, and the cycle repeated. This happened in Iran during mass protests, in Egypt during the Arab Spring, and in Tunisia during the 2010–2011 revolution. Right now, something similar is happening in Belarus.

In other words, with enough persistence, a government can block available bridges in a region, leaving users with a message like this:

All bridges are down. You’re on your own.

To bypass such blocks, Tor developers created meek.

Meek

Tor also includes a pluggable transport called meek, which can work if bridges are blocked. It works similarly to a proxy, but uses cloud servers from Amazon, content delivery networks, Google, CloudFront, or Microsoft Azure as intermediaries. The idea is that a government imposing censorship would never block entire CDNs, AWS, or Azure, since so many internet resources rely on them. But counting on government rationality is naive—sometimes they’ll take down half the national internet segment chasing a single messenger, and still fail to block it.

To enable meek, launch Tor Browser, click Configure, check “Tor is censored in my country,” then select “Select a built-in bridge” and choose meek from the dropdown menu.

Meek uses a technique called domain fronting. To connect to a target node, the meek client generates special HTTPS requests and sends them to an unblocked “front” service, like a CDN or AWS. This “front” name appears in DNS queries and SNI data, while the real host name is hidden in the HTTP Host header. The cloud service reads this name and forwards the request to a meek server running on a Tor bridge, which decrypts the request and forwards it into the Tor network, and from there to the open internet.

Besides the default Azure setup, you can configure custom meek transport parameters—see detailed instructions here. It sounds simple, but it’s not for everyone.

Snowflake

It’s great if you can download and set up Tor Browser on Windows, or install Linux and run apt-get install obfs4proxy or apt-get install tor. But many millions of internet users can’t do even that.

To solve this, the Tor Project team developed a JavaScript browser extension called Snowflake. Just install the plugin (or visit a site with a special JS script), and without downloading extra software, your machine becomes a Tor bridge running right in your browser. It uses WebRTC and works correctly behind NAT.

With Snowflake, mass blocks become pointless, since no government can block every browser on the internet. Deep packet inspection with DPI also becomes useless, since legitimate software like Google Hangouts and many video conferencing tools use WebRTC. Blocking WebRTC would break this entire infrastructure.

Snowflake has given the fight against censorship an army of volunteers donating their hardware resources to help bypass blocks. You don’t even need to install the browser plugin—just open a web page with the Snowflake script in a browser tab, or host the script on your own site so it runs in the background when someone visits.

The Tor developers also seek feedback from users. There are independent censorship monitoring projects like the Open Observatory of Network Interference (OONI), an app that scans a user’s network environment for blocked resources, protocols, and services.

Still, anti-censorship technologies have a long way to go before reaching maximum effectiveness. At DEF CON, it was announced that the Tor Project is actively working on using Format-Transforming Encryption for traffic, which will make Tor traffic look as much like regular unencrypted HTTP as possible, confusing deep analysis mechanisms.

Another approach is called “false routing”—when establishing an SSL connection, an intermediate node looks for a special tag in the SSL handshake packet, and if found, redirects the traffic into the Tor network. Meanwhile, the local ISP thinks the client is communicating with a fake remote server from a whitelist, unaware of the route change.

Conclusion

The fight against censorship really is an arms race, with governments and massive corporations on one side, and public organizations and enthusiasts driven by a sense of justice and a desire for freedom on the other. It’s far from clear who will win.

At DEF CON, Roger Dingledine said:

“Australia censors its internet, the UK has something called the Internet Watch Foundation, which is part of their government. Denmark censors the internet, Sweden censors the internet. So when we criticize the Chinese government for not letting its citizens watch the BBC, they can rightly say they’re doing exactly what everyone else is… It’s not just about censorship: it’s important to make users aware that they’re being watched. Then they can make their own choices.”

And in this, the Tor Project co-founder is absolutely right. As long as the internet exists, everyone has a choice.