- How to Help
- Research Paper
- How it Works
- How to Use It
- Some Technical Information
- Source Code
- More Information
Flash proxies are a new way of providing access to a censorship circumvention system such as Tor. A flash proxy is a miniature proxy that runs in a web browser. It checks for clients that need access, then conveys data between them and a Tor relay.
Tor has bridge relays, but in some cases even these can be blocked despite the fact that their addresses are handed out only a few at a time. The purpose of this project is to create many, generally ephemeral bridge IP addresses, with the goal of outpacing a censor's ability to block them. Rather than increasing the number of bridges at static addresses, we aim to make existing bridges reachable by a larger and changing pool of addresses.
How to Help
Copy and paste this HTML into your web site or blog. An example is at the bottom of this page.
<iframe src="//crypto.stanford.edu/flashproxy/embed.html" width="80" height="15" frameborder="0" scrolling="no"></iframe>
There is an options page (the same page you
get by clicking on the badge) with which users can choose whether they
want to be a proxy. By default, if a user has not made a choice, they
will be a proxy. If you want only people who have explicitly clicked
"yes" to be a proxy, add the
cookierequired parameter. If a
user has selected "no," they will never be a proxy, regardless of the
<iframe src="//crypto.stanford.edu/flashproxy/embed.html?cookierequired" width="80" height="15" frameborder="0" scrolling="no"></iframe>
Customize your Wikipedia skin to include a flash proxy badge.
This paper contains a fuller description of the system and the results of performance experiments.
- Evading Censorship with Browser-Based Proxies (PDF)
In the Proceedings of the 12th Privacy Enhancing Technologies Symposium (PETS 2012), LNCS 7384, pp. 239–258, 2012.
An overview of the flash proxy system and its state of development as of February 2013.
How It Works
In addition to the Tor client and relay, we provide three new pieces. The Tor client contacts the facilitator to advertise that it needs a connection. The facilitator is responsible for keeping tack of clients and proxies, and assigning one to another. The flash proxy polls the facilitator for client registrations, then begins a connection to the client when it gets one. The transport plugins on the client and relay broker the connection between WebSockets and plain TCP.
A sample session may go like this:
- The client starts Tor and the client transport plugin program
flashproxy-client), and sends a registration to the facilitator using a secure rendezvous. The client transport plugin begins listening for a remote connection.
- A flash proxy comes online and polls the facilitator.
- The facilitator returns a client registration, informing the flash proxy where to connect.
- The proxy makes an outgoing connection to the client, which is received by the client's transport plugin.
- The proxy makes an outgoing connection to the transport plugin on the Tor relay. The proxy begins sending and receiving data between the client and relay.
The whole reason this is necessary is because the client cannot communicate directly with the relay. (Perhaps the censor has enumerated all the relays and blocked them by IP address.) In the above diagram, there are two arrows that cross the censor boundary; here is why we think they are justified. The initial connection from the client to the facilitator (the client registration) is a very low-bandwidth, write-only communication that ideally may happen only once during a session. A careful, slow, specialized rendezvous protocol can provide this initial communication. The connection from the flash proxy to the client is from an IP address the censor has never seen before. If it is blocked within a few minutes, that's fine; it wasn't expected to run forever anyway, and there are other proxies lined up and waiting to provide service.
Doesn't the censor win just by blocking the facilitator? Doesn't this shift the problem from bridge-blocking to facilitator-blocking? The short answer to these questions is no. We assume that the censor has blocked the facilitator. For more details, see the FAQ.
From the user's perspective, only a few things change compared to using normal Tor. The user must run the client transport plugin program and use a slightly modified Tor configuration file. Complete details are in our README.
How to Use It
Fuller instructions and troubleshooting are in our README. These instructions require you to be able to receive TCP connections from the Internet (you may have to configure port forwarding on your router). There are some alternative connection scenarios covered in the README.
Download and unzip the
flashproxy-clientpackage containing the programs and configuration file you will need.
(See the section on verifying the signature.)
Start Tor with the included
tor -f torrc
If you already use a custom
torrcfile, you can instead copy the contents of this one into your own.
By default the flash proxy plugin listens on Internet-facing TCP port
9000. If you have to use a different port (to get through a firewall,
for example), edit the
torrc to give a different port number:
ClientTransportPlugin websocket exec ./flashproxy-client --register :0 :8888If you have installed the
flashproxy-clientprogram in a different place, edit the line to give the full path:
ClientTransportPlugin websocket exec /usr/local/bin/flashproxy-client --register
Verifying the package signature
See the Tor Project page on verifying signatures for the commands to run and the expected output. The client packages are signed with subkey 0x5CD388E5 of this key:
pub 8192R/C11F6276 2012-07-21 Key fingerprint = AD1A B35C 674D F572 FBCE 8B0A 6BC7 58CB C11F 6276 uid David Fifield <firstname.lastname@example.org> sub 4096R/D90A8E40 2012-07-21 sub 4096R/5CD388E5 2012-07-21
You are looking for output like this:
gpg --verify flashproxy-client-version.zip.asc flashproxy-client-version.zip gpg: Signature made date using RSA key ID 5CD388E5 gpg: Good signature from "David Fifield <email@example.com>"
Some Technical Information
Limitations on outgoing connections
It is a restriction of WebSockets that they cannot receive TCP connections, only open them. That is the reason for the client transport plugin: it allows Tor to receive connections instead of making them.
The badge changes color depending on its state.
- Dark blue means the proxy is running but no client is being served.
- Light blue means a client is currently being served.
- Gray means that the badge has disabled itself. This can be because it has detected it is running on a mobile device, or the browser doesn't support WebSocket (this happens on Internet Explorer 9).
- Black means that there was an internal error and the proxy is no longer running.
All the programs making up the flash proxy system are free software and their source code is visible. To get a copy of everything, run this command:
git clone https://git.torproject.org/flashproxy.git
Or browse the code through gitweb.
HistoryFlash proxies began as a project in Stanford's CS294s class in spring 2011. David Fifield, Nate Hardison, and Jonathan Ellithorpe were members of the project team. They and Emily Stark, Roger Dingledine, Phil Porras, and Dan Boneh wrote a research paper on the subject. Development continues as part of the Tor Project.
Estimated number of daily users. See the metrics site for more control over the graph and historical measurements.
David Fifield <firstname.lastname@example.org>