Draft "PoProxy" binding to relay parcels over TLS proxies #80
Labels
attribute-censorship-circumvention
Technology or technique to evade censorship
enhancement
New feature or request
Executive summary
Relaynet-Internet Gateway operators could deploy highly-distributed pools of ephemeral TLS proxies to bypass censorship in regions employing a denylist approach (e.g., China). Proxy addresses won't be public to prevent censors from adding them to the denylist -- Instead, each proxy will only be shared by 1-5 devices. Additionally, proxies would look like legitimate websites if a censor were to probe them (e.g., by sampling the connections that were allowed recently).
The problem you're trying to solve
Circumventing denylist-based censorship has always been a cat-and-mouse game because (a) proxies are always shared with a large number of users and (b) it's relatively easy for a censor to check if a
host:port
netloc looks like a sanctioned service or a potential proxy/VPN/Tor node.The solution you'd like
Gateway operators could optionally deploy a huge pool of reverse proxies, where each proxy would:
443
. Some of these IP addresses could be ephemeral.https://proxy.com/<random>/v1/parcels
) -- only known to the private gateways that use the proxy.frankfurt.relaycorp.cloud
could digitally sign a plaintext stating thatproxy.com
is an authorised proxy.https://proxy.com
-- they'd see an innocuous website, such as:Additionally, people would have the option to purchase dedicated proxies that aren't automatically shared with anyone else, and tech-savvy people should also be given the option to "donate" existing domain names (nice to bypass an eventual block of domain names registered in the past N months). This would be particularly useful for diaspora communities trying to help their family back home.
The person provisioning the private proxy -- if different from the final user -- will be given the parameters to access the proxy using the following methods:
https://relaynet.tld#<PROXY-PARAMETERS>
. When the user taps on the URL, the Android Gateway will import it.Private proxies could be tied to specific private gateways, which could be particularly useful when sharing over insecure channels like SMS.
Collateral damage / Ethical considerations
This may "force" the censor to switch to a denylist approach or even cut the whole region from the global Internet.
Alternatives
The text was updated successfully, but these errors were encountered: