Salmon: Robust Proxy Distribution for Censorship Circumvention (PETS 2016)

[agiix]

Salmon: Robust Proxy Distribution for Censorship Circumvention Frederick Douglas, Rorshach, Weiyang Pan, and Matthew Caesar https://censorbib.nymity.ch/#Douglas2016a http://caesar.cs.illinois.edu/papers/salmon-pets16.pdf

Salmon is a system designed for censorship circumvention that relies on a network of volunteers in uncensored countries to run proxy servers. It claims to significantly reduces the amount of users that can be cut off from access by a censor, compared to other systems like rBridge, while making the system easily accessible to the general public and at the same time make it difficult for the censor-agents to infiltrate the system. Access to Salmon is only possible by recommendation or by proving ownership of a well-established Facebook account. The algorithm entails identifying some users as especially trustworthy or suspicious, based on their actions and is based on 3 components:

1. Suspicion: probability that a user is a censor-agent. Every time a server that has been assigned to n amount of users is blocked, the suspicion that one of the users is a censor-agent rises.
2. Trust: Users who knew a server address for months without the server getting blocked, seem less likely to be censor-agents. Higher trusted users will be served with higher-quality servers and will keep them better isolated from new users, which are more likely to be censor-agents. Possible censor-agents are only revealed if a server has been blocked in a certain country. Additionally servers are also assigned to a trust level. When Salmon assigns a server to a user, it will only choose a server of the user’s trust level. Trust levels of servers can only move up, while user trust levels can either move up or down. If a user falls below a certain threshold, the access to Salmon will be revoked. Non-recommended users start at level 0. Salmons recommended maximum level is 6. Promotion time doubles after each level. It takes one day for a user to level up from 0 to 1 and it takes over 2 months to reach level 6.
3. Recommendation: Users on a certain trust level are able to recommend friends to Salmon. This is accomplished by maintaining a social graph of user recommendations, and assign members of the same connected component to the same servers, whenever possible. Recommended users start one level below the friend that recommended them.

A censor can follow 2 possible strategies to restrict access. Either block immediately every server address they get a hold of, therefore not being able to harm higher level users, or wait and allow users to circumvent censorship system while the censor-agents try to discover higher level server addresses.

Recommendations can pose a risk since they give a patient censor the ability to exponentially grow a collection of censor-agents at high trust levels. Salmon addresses this risk with two measures:

1. The censor is delayed. Significant exponential growth in the recommendation system takes several months. The first wave of users must wait over four months to recommend the second wave; the second and all subsequent waves must wait over two months to begin recommending.
2. Users want to avoid being grouped with censor-agents, so they should naturally want to be grouped with their recommender: real-world friends whom they trust not to be agents. The trust levels keep highly trusted users isolated from impatient agents and the recommendation system tends to cluster agents who joined by recommendation into groups. Both mechanisms share a fundamental purpose: keeping censor-agents as tightly grouped together as possible. The more evenly the agents can spread throughout the system, the more servers they will discover.

Salmon was the subject of the Tor anti-censorship team's reading group on 2020-05-14. There is a transcript of the discussion: http://meetbot.debian.net/tor-meeting/2020/tor-meeting.2020-05-14-16.00.log.html#l-181