Fighting Censorship

Aravinth Manivannan | @realaravinth

Evolution of Censorship Cirbumvention Technologies

  1. VPN
  2. Tor
  3. Distributed Web(dWeb)

What happens when you normally browse the web?


Problems with this workflow


What is it?

Metadata (or "data about data") is data that describes a piece of information, apart from the information itself.

What does it look like?

➜  guard git:(master) stat
  Size: 2631      	Blocks: 8          IO Block: 4096   regular file
Device: 10304h/66308d	Inode: 28196546    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/aravinth)   Gid: ( 1000/aravinth)
Access: 2021-04-15 10:52:23.016926774 +0530
Modify: 2021-04-11 14:07:33.394090235 +0530
Change: 2021-04-11 14:07:33.394090235 +0530
 Birth: 2021-04-11 14:07:33.394090235 +0530

Why does it matter?

We kill people based on metadata
- David Cole, Former Director of NSA and CIA

What happens when you use VPN?



  • Payload is encrypted
  • As far as attacker is concerned, user is accessing VPN server only

Traffic Analysis on a live VPN


  • Too much trust on single entity
  • Evil service provider; no way of knowing
  • Security breach has cascading effects
  • Easy fingerprinting



  • Tor circuit: Single user session
  • Relay: A server on the Tor network
  • Guard relay: Entry point where client connects to
  • Middle relay: Relay between Guard and Exit relays
  • Exit relay: Relay that connects to the internet

Data Workflow

Encryption Workflow

  • Guard relay: Knows client's IP address
  • Middle relay: Doesn't know anything
  • Exit relay: Can read user data and user destination


  • Run by the community
  • Payload is encrypted thrice
  • No single point of failure like VPNs
  • Relays are chosen at random


  • Doesn't scale: Every user uses atleast three relays in a session
  • Tracking still possible

Attacks on Tor

Traffic Analysis on a live Relay

God's Eye View

What goes in must come out

Denial of Service Attacks

AIM: Find user's source and destination IP addresses
  • Run a bunch of Guard and Exit relays
  • Take down known Exit relays by DoS
  • See if payload size on Exit is same as payload size on Guard:
    • Yes: source and destination is mapped
    • No: repeat process until sucessful

IPFS: a fully distributed network

What does it do differently?