How to: Understand and Circumvent Network Censorship

bnew

Veteran
Joined
Nov 1, 2015
Messages
57,343
Reputation
8,496
Daps
160,028


SURVEILLANCE SELF-DEFENSE

Last Reviewed: February 01, 2024

This is an overview of network censorship, but it is not comprehensive.

Governments, companies, schools, and internet providers sometimes use software to prevent their users from accessing certain websites and services that are otherwise available on the open web. This is called internet filtering or blocking, and it is a form of censorship. Filtering comes in different forms. Even with encryption, censors can block entire websites, hosting providers, or internet technologies. Sometimes, content is blocked based on the keywords it contains. When sites aren’t encrypted, censors can also block individual web pages.

There are different ways of beating internet censorship. Some protect you from surveillance, but many do not. When someone who controls your net connection filters or blocks a site, you can almost always use a circumvention tool to get to the information you need.

Note: circumvention tools that promise privacy or security are not always private or secure. And tools that use terms like “anonymizer” do not always keep your identity completely secret.

The circumvention tool that is best for you depends on your security plan. If you’re not sure how to create a security plan, start here. While creating a security plan, be aware that someone who controls your internet connection may notice that you are using a particular circumvention tool or technique, and take action against you or others.

In this guide, we’ll talk about understanding internet censorship, who can perform it, and how it happens, before moving on to what you can do to get around it.




Understanding Internet Censorship and Surveillance

The internet has a lot of processes that all have to work together properly in order to get your communications from one place to another. If someone is trying to block parts of the internet, or particular activities, they may target many different parts of the system. The methods they use may depend on what technology and devices they have control over, their knowledge, their resources, and whether they are in a position of power to tell others what to do.


Surveillance and Censorship: Two Sides of the Same Coin

Internet surveillance and censorship go hand-in-hand. Internet censorship is a two-step process:

  1. Spot “unacceptable” activity
  2. Block “unacceptable” activity

Spotting “unacceptable” activity is the same as internet surveillance. If network administrators can see where you’re going on the internet, they can decide whether to block it. By advocating for internet and data privacy tools and technologies, we can also make internet filtering and blocking more difficult.

Many circumvention techniques have the additional benefit of protecting your information from network eavesdroppers when you go online.




The Cost of Surveillance

Blocking internet traffic comes at a cost, and over-blocking can come at an even greater cost. A popular example is that the Chinese government does not censor GitHub’s website, even though many anti-government newsletters are hosted on the website. Software developers need access to GitHub to perform work that is beneficial to the Chinese economy. Right now, these censors have decided that it will cost them more to block GitHub than they would gain by blocking it.

Not all censors would make the same decision. For example, temporary internet blackouts are becoming increasingly common, even though these measures can seriously harm local economies.


Where and How Censorship and Surveillance Happen


Where Is the Blocking Happening?

Your computer tries to connect to https://eff.org, which is at a listed IP address (the numbered sequence beside the server associated with EFF’s website). The request for that website is made and passed along to various devices, such as your home network router and your Internet Service Provider (ISP), before reaching the intended IP address of https://eff.org. The website successfully loads for your computer.


An eye, watching a computer trying to connect to eff.org.

(1) Blocking or filtering on your devices. This is especially common in schools and workplaces. Someone who sets up or manages your computers and phones can put software on them that limits how they can be used. The software changes how the device works and can make it unable to access certain sites, or to communicate online in certain ways. Spyware can work in a very similar way.

An eye, watching traffic going in and out of a home network router.

(2) Local network filtering. This is also common in schools and workplaces. Someone who manages your local network (like a WiFi network) enforces some limits on your internet activity, like monitoring or controlling where you go online or when searching for certain keywords.

An eye, watching traffic coming in and out of an ISP.

(3) Blocking or filtering by Internet Service Providers (ISPs). Your ISP can generally perform the same type of filtering as the administrator of your local network. ISPs in many countries are compelled by their government to perform regular internet filtering and censorship. Commercial ISPs can perform filtering as a service for households or employers. Particular residential internet service providers may market filtered connections directly to customers as an option, and automatically apply specific censorship methods (like those described below) to all connections on their ISPs. They may do this even if it isn’t required by a government, because some of their customers want it.
 

How Is the Blocking Happening?

IP address blocking: “IP addresses” are the locations of computers on the internet. Every piece of information that is sent over the internet has a “To” address and a “From” address. ISPs or network administrators can create lists of locations that correspond with services they want to block. They can then block any pieces of information on the network that are being delivered to or from those locations.

This can lead to overblocking, since many services can be hosted at the same location, or IP address. Similarly, many people wind up sharing any given IP address for their internet access.

In this diagram, the Internet Service Provider cross-checks the requested IP address against a list of blocked IP addresses. It determines that the IP address for eff.org matches that of a blocked IP address, and blocks the request to the website.

DNS blocking: Your device asks computers called “DNS resolvers” where sites are located. When you connect to the internet, the default DNS resolver your device uses typically belongs to your Internet Service Provider. An ISP can program its DNS resolver to give an incorrect answer, or no answer, whenever a user tries to look up the location of a blocked site or service. If you change your DNS resolver, but your DNS connection isn’t encrypted, your ISP can still selectively block or change answers for blocked services.

In this diagram, the request for eff.org’s IP address is modified at the Internet Service Provider level. The ISP interferes with the DNS resolver, and the IP address is redirected to give an incorrect answer or no answer.

Keyword filtering: If traffic is unencrypted, ISPs can block web pages based on their contents. With a general increase in encrypted sites, this type of filtering is becoming less popular.

One caveat is that administrators can decrypt encrypted activity if users install a trusted “CA certificate” provided by the administrators of their device. Since the user of a device must install the certificate, this is a more common practice for local networks at workplaces and schools, but is less common at the ISP level.

On an unencrypted website connection, an Internet Service Provider (ISP) is able to check the content of a site against its blocked content types. In this example, mentioning free speech leads to an automatic block of a website.

HTTPS site filtering: When accessing sites over HTTPS, all of the content is encrypted except the name of the site. Since they can still see the site name, ISPs or local network administrators can decide which sites to block access to.

In this diagram, a computer attempts to access eff.org/deeplinks. The network administrator (represented by a router) is able to see the domain (eff.org) but not the full website address after the slash. The network administrator can decide which domains to block access to.

Protocol and port blocking: A firewall or router might try to identify what kind of internet technology someone is using to communicate, then block certain ones by recognizing technical details of how they communicate (protocols and port numbers are examples of information that can be used to identify what technology is being used). If the firewall can correctly recognize what kind of communication is happening or what technology is being used, it can be configured not to pass that communication along. For example, some networks might block the technologies used by certain VoIP (internet phone call), peer-to-peer file sharing software, or VPN applications.

In this diagram, the router recognizes a computer attempting to connect to an HTTPS site, which uses Port 443. Port 443 is on this router’s list of blocked protocols.




Other types of blocking

Usually, blocking and filtering is used to prevent people from accessing specific sites or services. However, different types of blocking are becoming more common as well.

Network shutdown: A network shutdown can involve physically unplugging network infrastructure, like routers, network cables, or cellular towers, so that connections are physically prevented or are so bad that they are unusable.

This can be a special case of IP address blocking, in which all or most IP addresses are blocked. Because it’s often possible to tell what country an IP address is used in, some countries have also experimented with temporarily blocking all or most foreign IP addresses, allowing some connections within the country but blocking most connections going outside the country.

A computer attempts to connect to eff.org’s US-based IP address. At the Internet Service Provider’s level, the request is checked: the IP address for eff.org is checked against a list of blocked international IP addresses, and is blocked.

Throttling: ISPs can selectively throttle (slow down) different types of traffic. Many government censors slow down connections to certain sites rather than block them altogether. This type of blocking is harder to identify, and lets the ISP deny that it is restricting access. People might think their own internet connection is slow, or that the service they’re connecting to is not working.

A computer tries to connect to eff.org. Their Internet Service Provider slows down their connection.
 

Circumvention Techniques

Factors such as your location and what type of network censorship you encounter help determine which circumvention technique will work best for you. If you're unsure what sort of blocking you're dealing with, a tool like the OONI Probe can help identify what types of blocking you're facing. But, be warned that running the tool can put you at risk because whoever runs your network will know you're running the software, and certain countries may block the tool entirely.

The less information about your internet activity, the harder it can be for your ISP or network administrator to selectively block particular types of activity. That’s why using internet-wide encryption standards, like HTTPS and encrypted DNS, can help in some cases.

A graphic showing an insecure HTTP request for http://example.com/page from a device. The page URL and contents can be read by your network administrators, your ISP, and any entity in between.

HTTP protects little of your browsing information...

A graphic showing a secure HTTPS request for https://eff.org/deeplinks from a device. The site is revealed to your network administrators and your ISP, but they can't see the page you're viewing.

...HTTPS protects much more...

A graphic showing an ideal secure HTTPS request for https://eff.org/deeplinks from a device. By encrypting DNS and the site name, your network administrators or ISP will have trouble figuring out what website you're viewing.

…encrypted DNS and other protocols will protect the site name, too.




Change Your DNS Provider and Use Encrypted DNS

If ISPs are only relying on DNS blocking, changing your DNS provider and using encrypted DNS may restore your access.

Change your DNS provider: This can be done in the “network settings” of your device (phone or computer). Note that your new DNS provider will obtain the information about your browsing activity that your ISP once had, which can be a privacy concern depending on your threat model. Mozilla compiles a list of DNS providers that have strong privacy policies and commitments to not share your browsing data.

Use encrypted DNS: Encrypted DNS technologies prevent any network actor from seeing (and filtering) your DNS traffic. But according to a 2022 report, some governments have blocked known endpoints for DNS over HTTPS and DNS over TLS. If you are using any of the popular encrypted DNS services such as 1.1.1.1 or 8.8.8.8, be aware that governments can target these endpoints and block them as well.

You can configure DNS-over-HTTPS on Firefox. Chrome and Microsoft Edge both support DNS-over-HTTPS, though they refer to it as "Secure DNS." You can also set up DNS over TLS on Android. Both iOS and macOS also support DNS-over-HTTPS, though they require you to install third-party profiles and are not enabled by default.




Use a VPN

In this diagram, the computer uses a VPN, which encrypts its traffic and connects to eff.org. The network router and Internet Service Provider might see that the computer is using a VPN, but the data is encrypted. The Internet Service Provider routes the connection to the VPN server in another country. This VPN then connects to the eff.org website.

If you encounter certain types of local or region-based IP blocking, a VPN may be useful in circumventing these techniques, though it comes with its own caveats of use, and may not work at all.

A Virtual Private Network (VPN) encrypts and sends all internet data from your computer through a server (another computer), which can optionally be in another country. In some cases, this can help you access websites not available in the country you are in. This computer could belong to a commercial or nonprofit VPN service, your company, or a trusted contact. Once a VPN service is correctly configured, you can use it to access webpages, e-mail, instant messaging, VoIP, and any other internet service. A VPN protects your traffic from being spied on locally, but your VPN provider can still keep records (also known as logs) of the websites you access, or even let a third party look directly at your web browsing. Depending on your threat model, the possibility of a government eavesdropping on your VPN connection or getting access to your VPN logs may be a significant risk. For some users, this could outweigh the short-term benefits of using a VPN.

Check out our guide about choosing specific VPN services.
 

Using the Tor Browser

If you encounter protocol or port blocking, IP address blocking, DNS blocking, or if a VPN is not helping you circumvent censorship, then the Tor browser may help you. Tor has several options for getting around a variety of different types of censorship, but note that anyone who can see your network activity will know you're using Tor.

Tor is open-source software designed to give you anonymity on the web. Tor Browser is a web browser built on top of the Tor anonymity network. Because of how Tor routes your web browsing traffic, it also allows you to circumvent censorship.

The computer uses Tor to connect to eff.org. Tor routes the connection through several “relays,” which can be run by different individuals or organizations all over the world. The final “exit relay” connects to eff.org. The ISP can see that you’re using Tor, but cannot easily see what site you are visiting. The owner of eff.org, similarly, can tell that someone using Tor has connected to its site, but does not know where that user is coming from.

When you first start the Tor Browser, click the "Configure Connection…" button to customize connection settings manually, or just click "Connect" to get started:

Tor will not only bypass some national censorship, but, if properly configured, can also protect your identity from an adversary listening in on your country’s networks. However, it can be slow and difficult to use, and anyone who can see your network activity may notice that you are using Tor.

If for whatever reason Tor is blocked for you, the "Connection Assist" feature can help choose a “bridge” for you using your location.

Learn how to use Tor for Linux, macOS, Windows, and on smartphones.

Note: Make sure you’re downloading the Tor Browser from the official website.




Use a Proxy Server for Messaging Apps

If you cannot access secure messaging apps like WhatsApp or Signal in your region, you may be able to use a proxy server to get around some types of censorship. This can make it so you can communicate with others when the app is blocked. These proxy servers are run by volunteers, but your communications will remain end-to-end encrypted, ensuring that nobody, including those running the proxy server, can view the contents of the message. However, the proxy provider will be able to see your IP address.

Learn how to use proxy servers on both Signal and WhatsApp.
