How Tor Combats Internet Censorship


When civil unrest broke out in Belarus, local users ran into hurdles trying to access various online services. Open Observatory of Network Interference (OONI), an independent project that monitors Internet censorship around the world, was regularly reporting outages both in the capital city Minsk and throughout the republic.

To top it off, a series of ISPs prevented their customers from accessing the Tor network even if they used anonymous gateways called bridges. However, the architecture of Tor allows for fairly effective ways of circumventing such obstacles. This article will give you the lowdown on these techniques.

The Belarus quandary with Internet outages and Tor blocking is not one of a kind. Residents of Venezuela have previously encountered such difficulties as well. Although all connections to obfs3 and obfs4 bridges are thoroughly obfuscated, the authorities in this South American country somehow succeeded in filtering and blocking such traffic. The only way to establish a connection was by using the “meek” pluggable transport or a conventional VPN service.

So, what are the principles of Tor’s anti-censorship technology and how effective is it? Let us try to figure out.

The Anonymity Facet of Tor

Based on the DEF CON 2019 talk by Tor Project co-founder Roger Dingledine, the number of users who connect to the network everyday ranges between 2 and 8 million. That is an impressive count comparable to the population of a small country. Not only do all these users opt for Tor to visit dark web resources or sites blocked by their governments, but they also want to stay anonymous when online.

Unfortunately, many people do not distinguish between encryption and anonymity. The truth is these are different things. Web traffic is encrypted whenever you connect to sites that use the HTTPS protocol. However, virtually any third party can determine what resources you are visiting and when.

The use of a VPN can slightly raise the bar for Big Brother, but with the caveat that a meticulous investigator may still be able to build a profile of you based on publicly available data. Furthermore, you cannot be absolutely sure that your VPN provider is not leaking your information.

That being said, the concept of anonymity typically implies that a user can hide the following types of data from surveilling parties:

  • The precise location and even the country of connection.
  • Sites being visited.
  • Time intervals of Internet connections.
  • Hardware and software details.

When you are surfing the web via Tor, all of your requests flow through several randomly selected nodes. This makes it impossible to track down the routing of the packets. Moreover, the browser blocks tracking scripts and cookies.

These measures ensure a fair degree of anonymity. However, Tor can be blocked, and judging by known instances of censorship, this process is not as complicated as it may appear.

Methods Used to Block Tor

According to Roger Dingledine, there are four basic mechanisms for blocking Tor. The first one seems to be simple: since the Tor network hinges upon nine directory servers, blocking access to them will prevent users from establishing connections. The second technique is to retrieve the list of roughly 7,000 relay nodes of the Tor network and block all the associated IP addresses.

The third method is not as reliable but still quite effective – it boils down to connection fingerprinting, where a third party identifies fingerprints inherent to Tor-related packets and filters out such traffic. That is what the Iranian authorities did during the 2009 protests. They leveraged deep packet inspection (DPI) to scrutinize traffic.

Because Tor packets resembled SSL requests in several ways, the Iranian government used special equipment to reduce the bandwidth of encrypted SSL traffic in their networks. This move pulled the plug on the use of Tor across the country.

The fourth method is to prevent users from accessing specific resources that host applications required for connection. As a result, people simply get blocked or redirected and can’t download the software they need.

From the perspective of governments and intelligence agencies, a combo of these four techniques can yield excellent results. But what is the response of the team behind the Tor Project?

Bridges to the Rescue

Pluggable transports form the first line of defense against Internet censorship, with the obfs3 and obfs4 bridges being the early instances of implementing this tactic. The logic is as follows: since “bad guys” can obtain a complete list of open relay nodes and block access to these nodes or their public repositories, the Tor crew added thousands of bridges whose IP addresses aren’t publicly available.

In order to connect to Tor via a bridge, you need to visit, select the type of pluggable transport, specify whether your network supports IPv6, enter a human verification code, obtain a bridge address, and then select it in your Tor Browser settings. You can also take an easier route by configuring your connection to request a bridge address from the Tor Project site. Again, you will need to enter a CAPTCHA when doing it.

If you cannot access, you can send an email with a blank subject field to and type “get transport obfs4” in the message body. Keep in mind that you need to send the message from the Gmail or Riseup service; otherwise, it will be ignored. A special bot will reply with bridge addresses that you can specify in your Tor Browser settings.

Tor bridges mostly use the SOCKS Proxy interface, and their architecture bears a resemblance to the Chinese Shadowsocks project that fights for an open Internet. Essentially, they operate as obfuscators that veil traffic within the Tor network by making it look like regular HTTP packets or a sequence of random bytes, which hampers filtering.

The obfs3 transport turned out to be susceptible to what is called “active probing,” a technique focused on pinpointing bridge addresses to be blocked. Therefore, it was superseded by a more sophisticated obfs4 counterpart.

Governments are increasingly adept at blocking such connections. To achieve better results, they often combine active probing with the above-mentioned deep packet inspection technique. DPI allows authorities to monitor all connections that are similar to Tor traffic.

Having spotted a “suspicious” node, a government-run host attempts to connect to it over the Tor protocol. If the node supports this protocol and responds, it is blocked, and its IP address gets blacklisted. In China, this type of filtering is executed at the Internet backbone level, which makes blocking fairly effective.

Tor developers reacted to this by releasing patches that modified the structure of packets, eliminated characteristics that triggered filters, and altered the behavior of bridges. Governments, in turn, would tweak their filter settings, and the game would start over. This scenario was the case during massive protests in Iran, in the course of the Arab Spring in Egypt, and during the 2010-2011 revolution in Tunisia.

Simply put, authorities can block Tor bridges in a specific area if they are really determined to. Tor developers masterminded meek to help users bypass these filters.


The NutsAand Bolts Of Meek

Tor includes one more pluggable transport called meek. It kicks in when bridges are off-limits. It works similarly to a proxy in a way, except that it leverages Inc AMZN Web Services (AWS), CloudFront, Alphabet Inc's GOOG GOOGL Google, or Microsoft Inc MSFT Azure cloud servers as an in-between link for transmitting the traffic.

The advantage of using this approach is that a sober-thinking government would never completely block the likes of AWS and Azure. These cloud services underlie numerous online resources that will simply stop functioning in the aftermath of such moves.

However, entirely hinging on the common sense of some governmental bodies could be a slippery slope. Sometimes they do not mind ruining the bulk of a national Internet segment to try and block a single stubborn messenger, even if they eventually fail to subdue the service.

Opting for meek is a piece of cake. When launching Tor Browser, you need to click the Configure button, put a checkmark next to “Tor is censored in my country,” slide the toggle to the “Select a built-in bridge” position, and then pick meek in the drop-down list.

Meek uses a mechanism called domain fronting to do its thing. To reach a target node on the Internet, it creates special HTTPS requests and submits them to a whitelisted external service such as AWS. The service of the user’s choice is reflected in all DNS requests and the data used by the Server Name Indication (SNI) protocol.

Meanwhile, the actual hostname that the client is trying to connect to is cloaked in the HTTP Host header. The intermediate cloud service retrieves this name and forwards it to the meek server launched at a Tor bridge. The server, in its turn, decrypts the body of the request and reroutes it to the Tor network. From there, it ends up on the open Internet.


Suppose you know how to install and configure Tor Browser on Windows, good for you. It is also great if you can install Linux and run the “apt-get install obfs4proxy” or “apt-get install Tor” command in the Linux console. However, millions of users are not tech-savvy enough to do it.

To dodge this obstacle, the Tor Project team released a JavaScript-based browser extension called Snowflake. All it takes is adding this plugin or visiting a site that runs a special JS script, and voila – a Tor bridge is launched right from your browser. It employs WebRTC and implements Network Address Translation (NAT) flawlessly.

Snowflake renders Internet censorship attempts futile because no government can possibly block all web browsers. It also makes DPI pointless because reputable services such as Google Hangouts and numerous virtual meeting platforms leverage WebRTC technology. Pulling the plug on WebRTC data badly disrupts this whole infrastructure.

Snowflake has attracted an army of volunteers who provide their hardware resources to fight back against online censorship. As previously mentioned, you do not have to install a browser plugin. Simply opening a web page that runs the Snowflake script in a browser tab or depositing that script on your website (if you own one) will suffice to keep it working in the background.

One way or another, anti-censorship technologies have yet to mature. At last year’s DEF CON event, the Tor Project team announced their plans to enhance their toolkit with the Format-Transforming Encryption tech. It disguises Tor traffic as a flow of regular unencrypted HTTP packets, thereby confusing deep packet inspection mechanisms.

Another promising method comes down to dummy routing, where one of the intermediate nodes looks for a special tag inside an SSL-handshake packet and forwards such traffic to the Tor network. Meanwhile, a local ISP thinks that the client is interacting with a whitelisted dummy remote server and stays clueless about the rerouting process.

The Bottom Line

Combatting Internet censorship is like an arms race. Governments with unlimited resources and billion-dollar corporations are on one side of the fence. Public organizations and enthusiasts driven by a strong sense of justice and the pursuit of freedom are on the opposite side. The silver lining is that nobody can say for sure who wins.

Censorship is not the only problem. It is also important to draw regular users’ attention to the fact that they are being surveilled. Once they realize it, they can make an informed decision and opt for the most suitable method to keep their online privacy intact.

Posted In: Generalcontributorcontributors