Trouble opening websites/social media; the website of a client has been blocked and they would like to provide visitors with tools to circumvent the block; the client needs to anonymously browse the internet
Edit me

Circumvention & Anonymity tools list

Best and secure circumvention tools, Tor, VPN, Tails

Problem

  • The traffic can be monitored by the government on different points of the path.
  • The client is suffering from online censorship.

Solution

We need to understand the exact needs of the client, even if they have already mentioned a specific tool.

There are different ways of circumventing Internet censorship, some of which provide additional layers of security. The tool that is most appropriate for the client depends on their threat model and their specific need.

Initial evaluation

We need to assess and understand the threats the client is facing, and evaluate how we can respond.

Questions for the client
  • What is the client’s primary need? Are they interested only in circumvention, or are privacy and anonymity also important?
  • What data is being censored that the client wants to view? What is the censorship context of his/her country?
  • What appropriate tools are available and work in their country?
  • In certain repressive regimes, the usage of VPNs or other tools might be illegal. If you are unsure, you can involve the policy team for guidance, and consult with Helpline management.
  • If the client is asking how to hide their identity:
    • We need to know what they want to hide: just IP location, internet navigation, or more?
    • Why do they need to hide their identity?

Best Practices

These are best practices we should explain to the client:

At first, we need to advise the client to use HTTPS - the secure version of the HTTP protocol used to access websites.

This HTTPS Everywhere plug-in may be an easy install

In addition to the obvious benefits of HTTPS, there is a chance that the encrypted version of the site is not blocked.

Check if the mobile and laptop website versions are both blocked.

For example, instead of visiting https://twitter.com, the client could try to visit https://m.twitter.com, the mobile version of the site. Censors that block websites or web pages usually work from a blacklist of banned websites, so anything that is not on that blacklist will get through.

What follows is a list of some circumvention tools listed from a higher risk threat model to lower:

Circumvention & anonymity

Warning for every Tor-based tool

Before starting to use Tor, the client should check that their connections are really anonymised: https://check.torproject.org/

More warnings

What the client should know in a nutshell:

  • Don’t open documents downloaded through Tor while online. These documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them.
  • Web browsing is much slower than through a normal browser or a VPN because your traffic is encrypted and relayed through the Tor network, but it shouldn’t be crippling. If you find it’s too slow, you can try to change the circuit in Tor Browser with Ctrl+Shift+L (with Orbot you can switch to a new identity by swiping from right to left or from left to right on the onion icon) - https://tor.stackexchange.com/questions/8673/tor-browser-bundle-tbb-new-circuit-versus-new-identity
  • Flash and many other features of websites won’t work, for example you may not be able to watch videos - this is a drawback, but enabling these features may compromise your anonymity. Some websites, including Youtube, support HTML5 players when Flash is not supported by the browser and sometimes you can watch the video by switching to the HTML5 version.
  • You shouldn’t log into accounts that can identify you through Tor, and you should switch off geolocation if you’re using a device that supports it.
  • Don’t disactivate default plugins and don’t install other plugins in Tor Browser or in Orfox/Orweb - use the default settings

  • Tor FAQ - In particular: - Why is Tor so slow?
  • How can I tell that Tor is working, and that my connections are really anonymized?
  • Does Tor remove personal information from the data my application sends?
  • Why can’t I view videos on some Flash-based sites?

  • Understanding and Using Tor - An Introduction for the Lay(wo)man

Tails

Tails is a live operating system that you can boot on almost any computer from a DVD, USB stick, or SD card.

It aims at preserving your privacy and anonymity, and helps you to:

  • Use the Internet anonymously
  • Circumvent censorship
  • Leave no trace on the computer you are using unless you ask explicitly
  • Use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging
  1. Website
  2. Interactive Guide
Warnings
  • If you use Tails, all traffic is routed through Tor and default applications have been enhanced to protect your anonymity

Whonix

Whonix is a complete operating system designed to be used in a virtual machine.

Designed for advanced security and privacy, Whonix mitigates the threat of common attack vectors while maintaining usability. Its fail-safe, automatic, and desktop-wide use of the Tor network allows for censorship circumvention and anonymity. A heavily reconfigured Debian base is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP address leaks. Commonly used applications are pre-installed and safely pre-configured for immediate use.

Warnings
  • If you use Whonix, all traffic is routed through Tor and default applications have been enhanced to protect your anonymity.

Tor Browser

Tor Browser is software that protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world. In certain locations, where connections are slow, it might be difficult to establish the circuit through the Tor network.

  1. The Tor Browser lets you use Tor on Windows, Mac OS X, or Linux without needing to install any additional software. It can run off of a USB flash drive
  2. Official website
  3. Security in a Box has an updated guide on Tor Browser:
Warnings

Please keep in mind that if you’re using Tor Browser, only your activity within the Tor Browser is encrypted and anonymised - any other internet traffic is not. Other applications, like Skype or the regular browsers, will not be routed through the Tor network, even if the Tor Browser is running.

Tor Browser (Android)

Tor Browser is now available bundled on Android, without needing Orbot. Orfox will be depreciated for it over time.

Orbot

Orbot is an anonymity tool for Android devices. It is needed to Tor-ify other applications besides Tor Browser on an Android device, or to route all of your device’s traffic through Tor.

Warnings
  • If you use Orbot, by default only applications aware of Orbot will be anonymised.
  • You can also run Orbot in “VPN Mode” which will route all phone traffic through Tor. Be aware that there is a lot of identifying information that applications (and your phone) transmit, so this is not a sufficient way to achieve anonymity on the phone. To enable the “VPN Mode”, open the side panel and click on the button next to “Apps VPN Mode”.

If needed we can mention that you can also torify your connections for some selected apps that are not anonymised by default [Settings –> Select Apps in v.15.2], but this requires root privileges on your device, so it’s more difficult and shouldn’t be recommended to non experts.

Onion Browser

Onion Browser is a free web browser for iPhone and iPad that encrypts and tunnels web traffic through the Tor network, with extra features to help you browse the internet privately.

Available only for iOS.

  • Websites: 1 - 2
Warnings:
  • Only connections through the Onion Browser are anonymised. Other applications will not be routed through the Tor network, even if the Onion Browser is running.
  • Multimedia content often bypasses Tor and compromises your privacy; video files and video streams are blocked by default and are not supported by the Onion Browser.
  • Use of the Onion Browser is at your own risk; remember that sensitive data does not always belong on a mobile device.

Circumvention

FreeBrowser

FreeBrowser FreeBrowser is a free Android app that provides access to an uncensored internet. Currently targeting Chinese users.

Freenet

Freenet is a peer-to-peer platform for censorship-resistant communication and publishing. You can browse websites, post on forums, and publish files within Freenet with strong privacy protections.

VPNs

A VPN encrypts and sends all Internet data between your computer and another computer. A VPN protects your traffic from being intercepted locally, but your VPN provider can keep logs of your traffic (websites you access, and when you access them). These logs could trace back to you, and if your adversary is powerful enough, they could pressure VPN providers to disclose this information.

It is very important to trust the VPN provider you use. We have contacts with some providers who can offer free accounts to civil society members. Some options are listed below:

Mullvad

Mullvad is a VPN which incorporates some obfuscation tech. Its client can be installed on Mac, Windows, and Linux.

TunnelBear

Freemium multiplatform VPN that offers tunneling to many different jurisdictions and doesn’t keep logs. It includes a feature to make the encrypted connection less detectable by governments, businesses, and ISPs.

AirVPN

AirVPN is a VPN based on OpenVPN and operated by activists and hacktivists in defence of net neutrality, privacy and against censorship.

RiseupVPN
Bitmask

Bitmask is A VPN client that uses Riseup, Calyx, and other VPN servers. Depending on their technical capacities, users could install this option on their own server.

  • Available only for Android, Linux, and macOS. A Windows version should be available soon.
  • Website
Warnings
  • Bitmask is experimental software: It should not be used for situations where a compromise of the user’s data could put them in danger.
  • Limitations of Bitmask
Private Internet Access

In general, we should not recommend Private Internet Access to our clients.

Nevertheless, this VPN has shown to work better than others in the CSI region, so we can use it with the clients trying to circumvent censorship in that area.

Circumvention Tools Based on Encrypted Proxies

These are proxy tools that utilize encryption. Although the connection is encrypted, it might be traced back to you: these tools do not provide anonymity. They are, however, more secure than a plain web-based proxy. Examples of these tools include Lantern and Psiphon.

Psiphon

Psiphon is a circumvention system that uses a combination of secure communication and obfuscation technologies.

  1. Available for: Android 2.2 and up, iOS 8 and up, Windows XP, Windows Vista, Windows 7, Windows 8 (desktop), and Windows 10.
  2. Website
  3. User guide
Lantern

Lantern is an Internet proxy tool. Its goal is to provide access to the open internet. Lantern is unique because it uses peer connections as a source of internet connectivity when servers are unavailable.

  1. Available for Mac, Windows, Android, and Linux Debian-based distributions.
  2. Website

Web-based Proxies

This is a good way of circumventing censorship. Basically you route your HTTP requests through a different computer (the proxy). The user must be careful, since there are malicious proxy servers, capable of rerouting and modifying users’ requests for malicious purposes.

Never use or trust a proxy server no one has ever heard of. And even if you receive the proxy from a trusted partner, play it safe and do not pass on any private information that isn’t encrypted.


Comments