-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Jean-Philippe Ouellet: > On Sun, Mar 12, 2017 at 2:12 PM, iry > <[email protected]> wrote: >> The attachment is my proposal for the Lantern-Gateway for Google >> Summer Code. Could anyone offer me some feedback about it please? >> Any recommendation, suggestion and criticism are very welcome and >> appreciated! > > I absolutely guarantee more people would read it if you included > it inline in a plain-text email instead of as an attachment in a > proprietary file format. >
Hi Jean!
Thank you very much for your suggestions! The following is my inline
proposal. I also reattached a .odt file for those who would like to see
it in a more organized form. Thank you very much for remind me my misuse
of the file format. I appologize for my mistakes.
The Lantern-Gateway
A censorship circumvention proxy qube
Abstract
This document is a proposal that may be accepted as one of the Qubes
OS’s 2017 Google Summer Code projects. I state the situation where
Lantern is one of a few censorship circumvention tools that works
effectively under heavy censorship circumstance. I argue that using a
Lantern-Gateway will bring a large number of advantages over using
Lantern in an AppVM in many aspects which includes security, privacy,
usability, compatibility and extensibility. I also discuss some brief
details about the implementation and point out that Whonix can serves as
a useful guideline to the development of the Lantern-Gateway. I also
review the previous work related to the topic in a hope to develop the
Lantern-Gateway on a solid and beneficial base stone. I conclude with an
argument that Lantern-Gateway can be a promising anti-censorship tool
that helps people in censored area enjoy their Internet freedom.
KeywordsLantern software; Qubes; Whonix; censorship circumvention;
I. Introduction
The Lantern-Gateway is a VM (virtual machine) which runs as a proxy qube
in Qubes OS (Operating System) [1]. Similar to Whonix-Gateway which has
a Tor client as a core component that routes all the coming traffic
through the Tor network [2], a Lantern-Gateway handles all the coming
traffic through a built-in Lantern client. Lantern is a free (as in
freedom) Internet censorship circumvention software developed by the
brave new software organization [3] which effectively helps its users
bypass the Internet censorship by proxying its encrypted traffic through
one of a set of uncensored web severs called Lantern server instead of
letting users try to access their target web sites directly [4].
II. Background
One may well ask why we should choose Lantern as the core censorship
circumvention tool in Lantern-Gateway. The simply and short answer is
that we could use any other censorship circumvention tool as a
replacement or substitution to Lantern, however, under some severe
censorship circumstance, Lantern may be the most reasonable choice among
all the other known censorship circumvention tools.
A. Assumption of Internet environment
To clarify, the “severe censorship circumstance” mentioned in this
report implicitly refers to the China mainland Internet environment.
Such an assumption has been made because of two reasons. Firstly, China
has the largest online population [5] and the population has been
growing fast [6], which means a solution to censorship circumvention
will potentially benefit more population. In addition, China has the
most sophisticated Internet censorship mechanism which includes the
infamous filtering system Great Fire Wall [7]. Therefore, a solution to
circumvent the Internet censorship in China is very likely to be a
useful way to circumvent the censorship under other systems, too.
B. Required operating system environment
Although the detailed discussion about the specific operating system on
which Lantern-Gateway will be based will be discussed in detail later in
this report, one simple agreement can be made that the Lantern-Gateway
should run in a Unix-like operating system because of the tremendous
benefits it offers, including the less difficulty in development and
maintenance and the mitigation on security and privacy concern.
III. Alternative Choices of Lantern
The following sub-paragraphs in this section will be several comparisons
between Lantern and other Internet censorship circumvention tools which
helps to support the argument that Lantern is currently one of the best
choices under the circumstance mentioned in the previous section due to
the lack of other effective censorship circumvention tools.
A. Tor
The direct connection to the Tor network in China has been blocked since
2009 [8]. This fact also means there is no way to connect to the Tor
network directly in other Tor-relied software, including Whonix-Gateway
and Tails. Besides, the problem also reflects another fact that the
Chinese users can not use Whonix or Tails without doing a certain amount
of configuration.
B. Tor Bridges
Tor “[b]ridges are unlisted Tor relays that make it possible for a user
to connect to the Tor network even if a censor blocks all publicly
listed Tor relays”[9]. However, Tor Bridges have also been blocked by
the Chinese authority [10].
C. Pluggable transports
Pluggable transports helps to “obfuscate Tor’s network protocol”[9],
making it hard for censors to detect the Tor traffic in order to prevent
the Tor network from being blocked. However, among all the possible
choices offered by the most recent Tor Browser Bundle (version 6.5.1),
including fte, meek-amazon, meek-azure, obfs3, obfs4, only the
meek-amazon option can sometimes be useful to circumvent the Internet
censorship in China [11]. Besides, meek-amazon is not an available
option in Whonix currently [12]. A worth noting fact is that both
Lantern and meek-amazon use the meek-like technology to bypass the
censorship [13].
D. Virtual Private Network (VPN)
Although VPN is one of the most common ways to bypass the censorship, it
may not be a very reasonable choice to be a default option used by the
Censorship-Circumvention-Gateway. Specifically, we doubt that the reason
why VPN can be widely-used by Chinese users is not because the
authority is not able to block it, instead, it may because almost all
the VPN providers available to Chinese citizens are under the strict
control of the Chinese authority [14]. Therefore, a free (as in price),
trusted and blocking-resistant VPN provider is comparatively rare. A
VPN-Gate “is an online service as an academic research at Graduate
School of University of Tsukuba, Japan” [15]. Although it has not failed
the requirements, the software it developed support Windows platform
only right now.
E. Psiphon3
Psiphon3 is an effective censorship circumvention tool. It adopts the
meek technology that is also used by Lantern and meek-amazon. However,
Linux is not the supported platform currently [16]. Several attempts to
run Psiphon3 under WineHQ in Unix-like operating system have been
failed, which can be an interesting topic for future development.
F. Free-gate and UltraSurf
Both Free-gate and UltraSurf are developed by companies which are
sponsored by FaLunGong. Since both of them are not open-source and can
only run on Windows, they are not the suitable choices to the
Lantern-Gateway.
G. Shadowsocks
Shadowsocks or other shadowsocks-like software including SSR, rely on an
individual web server to proxy their traffic [17], which means users
have to setup the proxy server themselves or purchase pre-configured
server from some trusted third parties. Also, the clients of
Shadowscocks-like softwares can only run on Windows Operating System.
H. I2P
I2P is a distributed network which is similar to Tor network from many
aspects. However, due to its unbearable small bandwidth and high delay,
I2P should be an alternative but not default choice in Lantern-Gateway.
Fortunately a large amount of related discussion and work has been done
[18], making the future implementation easier.
I. John-Do
John-Do network is also similar to the Tor network, which may be an
available choice to censorship circumvention tools in Lantern-Gateway.
IV. Advantages Of Lantern-Gateway
Although Lantern as a censorship circumvention software has many
advantages over other censorship circumvention tools, the benefits of
putting it in a standalone qube needs further discussion. The following
paragraphs will be a brief overview stating the advantage of using a
Lantern-Gateway instead of install it in any other AppVM solely.
A. Security
Since Qubes is a security-oriented operating system [19], it is safe to
assume its users have a higher expectation in terms of security than
average computer users. Therefore, a better security implementation can
be significantly essential. The following discussion indicates that it
can be very reasonable to isolate Lantern into a qube instead of letting
Lantern run in any AppVM.
1) Lantern software
Although Lantern has a high performance in bypassing the censorship, it
does not necessarily mean Lantern is very secure as well. Actually, as a
censorship circumvention tool, the ability to circumvent censorship is
the key factor that determines if it will be used by users, rather than
its security level. Therefore, it is reasonable for us to seek more
details and evidences before simplify assuming it is secure.
a) Lantern community
As we know, a thrive community behind a software is vital to a software
in many aspects which include security. This is partly because a thrive
community will be more likely to find a security flaw and fix the bug as
soon as possible. Considering some facts about the current Lantern
community, security is not their first priority.
b) security audit
As far as I know, no internal or external security audit has been done
for Lantern [20], which means it can be hard to tell if Lantern software
is secure enough or not.
2) Human Factors
The users of Qubes operating system may have a higher expectation in
terms of security, however, it does not mean that every Qubes user has
already been a security expert. We can still assume that users may
expect the Lantern-Gateway has a set of mechanism that reduces the
possibility of shooting their own feet. Similar to the mechanism offered
by Tor Browser Downloader in Whonix, a Lantern Downloader should be
offered in order to simplify and secure the downloading process when
users are trying to get the latest version of Lantern.
a) Download sources
The download process for Lantern is not as easy as one may expect,
especially for users in censored area. The official website of Lantern
has been blocked by at least Chinese authority, making it hard for one
without any other usable censorship circumvention tools to get a Lantern
.
Another trusted sources to download a binary Lantern software without
the help of any other censorship circumvention tools is its Github
download sources [21]. However, this is not widely-known by people,
especially for the first-time users since there is instruction for them
to know about it.
Considering the facts above, people who want to get a Lantern software
themselves may accidentally download it from untrusted sources and
install it without doing any verification, which may lead to a
compromise of the entire system. Given that there has already been some
malwares that pretend to being legal censorship circumvention tools
which secretly infect the victims’ computers [22], it is vital important
to download it from trusted sources.
b) Verification
It is reasonable to assume that most users will not do the verification
themselves. This can be shown in a current report. Tor Browser is a
privacy-oriented software, its users are expected to have a higher
awareness of security. However, there are still one out third users who
do not download the signature of it [23]. Therefore, we should provide a
mechanism that automatically do the verification rather than expect
users do it themselves.
c) Configuration
An improper configuration of a Lantern-Gateway may lead to unwanted
risk. Therefore, the configuration should be handle in a secure
mechanism offered by the developers instead of letting users do it
manually.
B. Privacy
The Lantern software is developed by a business company called brave new
software [3]. A business company should not be given as much trust as we
give to non-profits organization especially in terms of user privacy.
However, the good part is that we do not have to trust it. By placing
Lantern in an independent qube, it will not be able to collect the local
user behaviors that happen in other qubes. Additionally, a
whonix-gateway can be set up between Lantern-Gateway and an AppVM,
making all the traffic through the Lantern client encrypted by Tor
client already.
C. Usability
Apart from the reason that user may mess the qube up when downloading
and configuring Lantern-Gateway manually themselves, another important
reason that the Lantern-Gateway should handle the downloading and
configuration process automatically is because it will greatly improve
the usability of Lantern-Gateway. Regardless of the fact that the user
may not be acknowledge enough to follow an instruction to configure a
Lantern-Gateway, helping users to do the tasks mentioned above
automatically will also save a large amount of time for users. This
feature can be especially useful when users would like to set up several
Lantern-Gateways quickly.
According to the document of Lantern on Whonix wiki: “From the
beginning of version 3.0, Lantern implemented a bandwidth limitation of
800 MB/ month. When the bandwidth limit is reached, the connection is
slowed down and Free users are prompted to upgrade to Lantern Pro.
Specifically, the connection will be slowed down to approximately
20KB/s, making Lantern kind of unusable. On the other hand, considering
the payment methods Lantern company offers, it is merely impossible for
one to pay for Lantern Pro without damaging his/her privacy or/and
anonymity. An easy way to circumvent the problem describing above is to
set up a new VM and install a new Lantern application in it” [24]. That
is to say, it is predictable that a Lantern-Gateway user will have to
reinstall the Lantern-Gateway after a period of time. Therefore, it is
of importance to make the installation process as quick and simple as
possible.
D. Compatibility
Another benefit of using Lantern from a Lantern-Gateway over using it in
an AppVM is its better compatibility. That is to say, users do not have
to worry about if they can successfully install Lantern on their AppVMs.
Pratically, the AppVMs’ environment can be very different from one to
another, which means that the operating system of the AppVMs or the
software or dependency the AppVMs have installed may be very different
from one to another, making it hard to predict if Lantern will run
properly in it. Besides, the only Unix-like operating system officially
supported by Lantern is Ubuntu, which means one may have to compile the
sources code himself/herself when trying to run Lantern on an
unsupported distribution or operating system.
By using lantern through Lantern-Gateway, one can simply configure the
NetVM of their AppVM to be Lantern-Gateway. This implementation will
greatly improve the compatibility of the Lantern software, making it
possible for different qubes to proxy their traffic through Lantern
network.
E. Extensiblity
Although it is called Lantern-Gateway, it just means that the qube uses
Lantern as the default censorship circumvention tool. It is not hard to
imagine using other alternative censorship circumvention tools which are
also contained in it. This feature provides great extensibility to the
Lantern-Gateway because it not only offers user multiple options to
choose the most suitable censorship circumvention tools for themselves,
but also mitigates the potential negative influence caused by the
termination of the Lantern Project in the future. Notice that although
there is no evidence that Lantern will be ended in the future, however,
we should still take the possibility seriously since the ending of a
censorship circumvention tool also depends on the technology used by
censors. Once the Lantern was not able to circumvent the censorship, its
life will come to an end.
V. Implementation
The following paragraphs are a brief discussion about essential
implementation of the Lantern-Gateway. Since the Lantern-Gateway is very
similar to Whonix-Gateway, several features that have been
implementation in Whonix-Gateway can serve as good references which
guide the development of the Lantern-Gateway.
A. Operating System Choices
a) Fedora or Debian
According to the document about operating system on Whonix wiki, both
Debian and Fedora can be a reasonable choice for the distribution on
which Lantern-Gateway will be based [25]. According to some simple tests
which has been done by myself, both Debian and Fedora can be manually
configured into a Lantern-Gateway. A slight difference is that the
Lantern software has to be complied from sources code on Fedora OS
because no binary installation file for Fedora OS has been supported by
the Lantern community.
Considering the Lantern-Gateway as a potential project which may be
mentored by a Whonix developer, Debian will be a more realistic choice
since a large number of potential issues have been solved or
acknowledged by Whonix developers.
b) Fedora-minimal
Qubes OS has shipped a template called Fedora-minimal which “only
weighs about 300 MB and has only the most vital packages installed,
including a minimal X and xterm installation” [26]. A reduce of
unnecessary installation will lead to a smaller attacking surface which
may be very useful to mitigate potential security risk.
B. Major components
a) Installation Script
Similar to the Tor Browser Downloader in Whonix [27], a program that
downloads, verifies and configures the Lantern and other censorship
circumvention toos is needed in Lantern-Gateway. A simple shell script
can be written to implement those functions basing on the current
documentations [21]. If time permits, a GUI application will be
developed to increase the usability.
b) Lantern-Gateway-Setup
Sharing the similar function with the Whonix-Setup in Whonix[28], a
Lantern-Gateway-Setup can be used to let users choose which censorship
circumvention tools they would like to enable or disable.
c) Lantern-Gateway-Check
Similar to the WhonixCheck in Whonix [29], a Lantern-Gateway-Check can
be used to detect whether the censorship circumvention tools are out of
date and whether the Lantern-Gateway can effectively bypass the Internet
censorship.
VI. Conclusion
In conclusion, the Lantern-Gateway can be a very promising
anti-censorship tool. It will be very helpful for Qubes users to
circumvent the Internet censorship effectively and enjoy the free
Internet. The implementation of Lantern-Gateway will also benefit other
projects available on Qubes OS. Qubes/Whonix will benefit from it
because it will change the situation where currently available
censorship circumvention tool may not be effective enough to help Whonix
users connect to the Tor network. We can also expect that the
implementation of the Lantern-Gateway will attract more and more people
in censored area considering to adopt Qubes as their daily operating
system.
VII. Previous Work
Apart from the previous works that have been mentioned in the previous
discussion, the following resources will also be helpful:
1. A document on how to make a VPN Gateway manually:
https://www.qubes-os.org/doc/vpn/
2. A working repository related to I2P Gateway:
https://github.com/cle4r/var
3. A document on how to make a Lantern Gateway manually:
https://www.whonix.org/wiki/Lantern
References
[1]
https://theinvisiblethings.blogspot.nl/2011/09/playing-with-qubes-networ
king-for-fun.html
[2] https://www.whonix.org/wiki/About
[3] http://www.bravenewsoftware.org/
[4] https://www.getlantern.org/faq/index.html
[5] http://www.reuters.com/article/us-china-internet-idUSKBN0L713L201502
03
[6]
https://www.forbes.com/sites/kenrapoza/2014/04/28/by-2016-china-internet
- -users-to-double-entire-u-s-population/#3ae2cd5c7e46
[7] https://en.wikipedia.org/wiki/Great_Firewall_of_China
[8] https://blog.torproject.org/blog/tor-partially-blocked-china
[9]
https://www.petsymposium.org/2015/papers/fifield-tor-censorship-usabilit
y-hotpets2015.pdf
[10] https://blog.torproject.org/blog/knock-knock-knockin-bridges-doors
[11] https://www.torproject.org/docs/pluggable-transports
[12] https://phabricator.whonix.org/T386
[13] https://trac.torproject.org/projects/tor/wiki/doc/meek
[14]
https://www.forbes.com/sites/gordonchang/2015/01/25/china-attacks-vpns-c
utting-business-off-from-internet/
[15] http://www.vpngate.net/en/about_overview.aspx
[16] https://www.psiphon3.com/en/download.html
[17] https://github.com/Long-live-shadowsocks
[18] https://forums.whonix.org/t/i2p-running-on-whonix-gateway/2163
[19] https://www.qubes-os.org/
[20] https://github.com/getlantern/lantern/issues/659
[21] https://github.com/getlantern/lantern
[22] https://citizenlab.org/2014/03/maliciously-repackaged-psiphon/
[23] https://blog.torproject.org/blog/tor-browser-numbers
[24] https://www.whonix.org/wiki/Lantern
[25] https://www.whonix.org/wiki/Dev/Fedora
[26] https://www.qubes-os.org/doc/templates/fedora-minimal/
[27] https://github.com/Whonix/tb-updater
[28] https://github.com/Whonix/whonix-setup-wizard
[29] https://www.whonix.org/wiki/Whonixcheck
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYxa5yAAoJEKFLTbxtzdU8xy0P/jPtIg752w0w918LKTY76Nik
VPmczqgSQtIKzeahTmIbItCXKqBOHOe5i3IsWsRn9PBk4t65dMnk3D1Njcpdie9y
w/Ut1mG8ebycArllitnOLH+2+GhRqSfGluGWX+w5TjLUkYLBMKtd+OxLVJcu/oFq
emDteiYUVaz5nTXbYpf6KKxGZYb9HcCNyOkOvjWS3VTgurw8ZA703Ef+mIw7QSj+
LR/EAg81/tjsf5yJ7tkJshQzXelz4uhKzPTHAgKxgj/jMO+ERSve4DZ6l22iRimc
MtrdabB7vfj3ppgsOybUsmWoVBJaZPPDO7d6t6e2sXp98FHWU7dt0URLK66VJhsn
EMnPZNh9Ekwcf4NC/d6Yrg1+dhwKIy8Zjtch9WKjxDmnmKSOLSAUqaPYH2Qadw3q
2rJlO5sprQckq7i2VgN7dyuk0pAYYsFxZF63uIy3R6SdW6nHkPo47Jl5NM32pB+0
F5lZtBKwpjEOdKZs6dLh+Desjwk7P9cH0A7Lde1FOxihG+7nd54IIY7UCe7xcRUe
/teeCxk3Ju5xMQ3N77Xc3pWSeBQbRzls5atheAi1TFU67LRhGuYyqvw4WK8jy0h5
Mjm/x7GgRjf5bmA+bo18BRA32IqetoULeV/hYgoNaWOgR/u61WWbx/ENOAB5ul+L
rtk1Kzwq/D/Ko5AiI4pZ
=A6Tj
-----END PGP SIGNATURE-----
--
You received this message because you are subscribed to the Google Groups
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/oa4app%24oof%241%40blaine.gmane.org.
For more options, visit https://groups.google.com/d/optout.
Proposal_of_Lantern_Gateway_first_draft.odt
Description: application/vnd.oasis.opendocument.text
0x6DCDD53C.asc
Description: application/pgp-keys
Proposal_of_Lantern_Gateway_first_draft.odt.sig
Description: PGP signature
0x6DCDD53C.asc.sig
Description: PGP signature
