FOCI '20 Workshop Program

Our study makes a rare positive observation: Saudi Arabia has been opening its digital borders since 2017 in a deliberate new era towards openness. In this paper, we present a comprehensive longitudinal study of digital filtering, which we define to include both mobile apps and website access, in Saudi Arabia over a period of three years. Our results show that Saudi Arabia has indeed made significant progress towards opening its digital borders: (a) the use of mobile applications has been significantly permitted; and (2) web access is becoming more open. We use: (a) 18 social media and communications mobile apps such as WhatsApp, Facetime, and Skype; and (b) Alexa’s top 500 websites in 18 different categories. For mobile app access, our mobile app group was completely blocked in 2017, but access was permitted to 67% in 2018, 93% in 2019, and all, except WeChat, in 2020. For web access, we find that Internet filtering decreased by 3.4% and 2.2% in Adult and Shopping, respectively, which are the most two blocked categories. Finally, we examine how digital filtering reflects the wider geopolitical events, such as the blocking of ISIS-friendly sites in 2020 and news sites from Qatar, Iran, and Turkey in 2017, 2018, and 2020, respectively, due to diplomatic tensions.

The Great Firewall of China (GFW) has long used DNS packet injection to censor Internet access. In this work, we analyze the DNS injection behavior of the GFW over a period of nine months using the Alexa top 1M domains as a test list. We first focus on understanding the publicly routable IPs used by the GFW and observe groups of IPs used to filter specific sets of domains. We also see a sharp decline in public IPs injected by the GFW in November 2019. We then fingerprint three different injectors that we observe in our measurements. Notably, one of these injectors mirrors the IP TTL value from probe packets in its injected packets which has implications for the use of TTL-limited probes for localizing censors. Finally, we confirm that our observations generally hold across IP prefixes registered in China.

We present Slitheen++, a decoy routing system that---in contrast to its predecessor Slitheen---is not susceptible to traffic analysis in the upstream channel. Slitheen++ overcomes key challenges such as scheduling for covert connections and technologies to more realistically emulate a real user's behavior, such as crawling or delaying overt communication. We measure Slitheen++ according to metrics that not only show the maximum theoretical throughput of the system, but for the first time, also assess the actual user experience by measuring loading times of websites from ten covert targets. We show that emulating a user increases loading times, yet raises the difficulty for an advanced censor to expose decoy routing as such. For example, crawling raises the median of the loading time for covert setups by 1 second from 7s to 8s.

Recently, censors have been observed using increasingly sophisticated active probing attacks to reliably identify and block proxies. In this paper, we introduce HTTPT, a proxy designed to hide behind HTTPS servers to resist these active probing attacks. HTTPT leverages the ubiquity of the HTTPS protocol to effectively blend in with Internet traffic, making it more difficult for censors to block. We describe the challenges that HTTPT must overcome, and the benefits it has over previous probe resistant designs.

DNS over TLS (DoT) and DNS over HTTPS (DoH) encrypt DNS to guard user privacy by hiding DNS resolutions from passive adversaries. Yet, past attacks have shown that encrypted DNS is still sensitive to traffic analysis. As a consequence, RFC 8467 proposes to pad messages prior to encryption, which heavily reduces the characteristics of encrypted traffic. In this paper, we show that padding alone is insufficient to counter DNS traffic analysis. We propose a novel traffic analysis method that combines size and timing information to infer the websites a user visits purely based on encrypted and padded DNS traces. To this end, we model DNS Sequences that capture the complexity of websites that usually trigger dozens of DNS resolutions instead of just a single DNS transaction. A closed world evaluation based on the Tranco top-10k websites reveals that attackers can deanonymize test traces for 86.1 % of all websites, and even correctly label all traces for 65.9 % of the websites. Our findings undermine the privacy goals of state-of-the-art message padding strategies in DoT/DoH. We conclude by showing that successful mitigations to such attacks have to remove the entropy of inter-arrival timings between query responses.

Platforms have struggled to keep pace with the spread of disinformation. Current responses like user reports, manual analysis, and third-party fact checking are slow and difficult to scale, and as a result, disinformation can spread unchecked for some time after being created. Automation is essential for enabling platforms to respond rapidly to disinformation.

In this work, we explore a new direction for automated detection of disinformation websites: infrastructure features. Our hypothesis is that while disinformation websites may be perceptually similar to authentic news websites, there may also be significant non-perceptual differences in the domain registrations, TLS/SSL certificates, and web hosting configurations. Infrastructure features are particularly valuable for detecting disinformation websites because they are available before content goes live and reaches readers, enabling early detection.

We demonstrate the feasibility of our approach on a large corpus of labeled website snapshots. We also present results from a preliminary real-time deployment, successfully discovering disinformation websites while highlighting unexplored challenges for automated disinformation detection.

A new cold war has emerged, and Internet Freedom is at the heart of it. US policies have sought to influence politics in other countries, empowering citizens vis a vis their governments, but those governments have cried foul, claiming foreign interference and destabilization. The historical record gives grounds for concern, with conflict erupting in Egypt, Syria, Libya, and Ukraine. This panel will examine Internet Freedom in terms of geopolitics between states.

Does the Internet empower free speech—or is it a powerful tool to control speech? Internet publishing has allowed new voices and analyses to multiply, but online publishers increasingly complain of being de-ranked, de-monetized, and de-legitimated as fake news. Individual speech has also been empowered but has increasingly met with a social media-fueled "cancel culture" that renders dissenters fearful of online attacks. This panel will examine challenges to Internet Freedom in the context of the US and other Western societies.

Ten years ago the US Secretary of State announced an ambitious program in Internet Freedom, and ten years of programs have since followed, much of it centered in the Open Technology Fund (OTF). Two months ago the Trump administration made wholesale changes at OTF (and other information agencies, like Voice of America.) In this panel, we review the accomplishments—and some of the criticisms—of US Internet Freedom policies and institutions.