HTML5 Icon

MassBrowser

Fighting Internet Censorship in a Mass!


What is MassBrowser?

MassBrowser is a state-of-the-art system designed to circumvent Internet censorship. MassBrowser is open-source and free-to-use. It has been designed and developed by the Secure, Private Internet (SPIN) Research Group at the University of Massachusetts Amherst. MassBrowser operates with the help of normal Internet users with open access to the Internet who volunteer to help censored Internet users.

You can reach us with your questions and feedback by emailing at massbrowser@cs.umass.edu.

Follow us on Twitter for updates


For Censored Users: How to Use MassBrowser

If you live in a censored country like China, you can use MassBrowser to bypass censorship.

Installation Steps:
Step 1: Install the Firefox Browser: Our current installation wizard is designed for the Firefox browser, so you need to have Firefox installed. If you are an expert, you can easily set up Massbrowser for your preferred webbrowser.
Step 2: Obtain an Invitation Code: MassBrowser is currently in the beta release mode, so it is invitation-only. If you would like to be an early adopter, send us an email at massbrowser@cs.umass.edu so we send you an invitation code.
Step 3: Install MassBrowser Client: Download and install from the following links:

Watch this video on how to install and use MassBrowser (Coming Soon!)

Know the limitation of MassBrowser: Due to certain optimizations that we need to perform for different websites, currently, MassBrowser can only be used to browse a limited set of websites, but not arbitrary websites! The list of currently supported websites includes popular websites like Facebook, Twitter, CNN, Google, and YouTube. You can also tunnel your Tor traffic through MassBrowser (if you do not know a working Tor bridge). We will continuously add support for new websites.

Know your privacy guarantees: Using MassBrowser you will have the same level of privacy as using public VPNs or public HTTPS proxies. Therefore, the volunteer who is proxying your traffic will know your IP address as well as the websites you are browsing. For HTTPS websites (e.g., any URL starting with "https://"), the volunteer proxy will not be able to see your passwords or other data that you exchange with those websites. This is not true for HTTP websites. Therefore, use MassBrowser as a replacement for public VPNs and HTTPS proxies. If you plan to do something sensitive on the Internet that makes you worried about your anonymity, use a software like Tor (your connections will be much slower on Tor) or tunnel Tor over MassBrowser.

Know the security of your local certificate: During installation, MassBrowser asks you to install a local certificate in your Firefox browser. This local certificate is required for MassBrowser to implement an essential optimization technique called CDNBrowsing (which is described in the geek's section). Note that the certificate is locally created in your browser, is unique for each client, and never leaves your computer. Therefore no one, not even us, will be able to use that local certificate to eavesdrop your traffic. Make sure you do not share this local certificate with others. You can simply remove the certificate at any time by going to your Firefox settings.


For Volunteers: How You Can Help Out

If you are living in a country with open Internet like US and European countries, we need your help to fight Internet censorship! MassBrowser relies on help from volunteers who share their open Internet access with users in censored countries for a good cause. If you'd like to volunteer, you need to install a software called MassBuddy on your computer. Installing MassBuddy is absolutely harmless to your privacy and safety, and you will have full control over how censored users will share your Internet (they can only use your computer to get to websites that you approve, like Facebook, Google, etc.). Also, recall that MassBrowser is open-source. Watch this video (Coming Soon!) on how you can become a Buddy!

Sooo! If you'd like to help censored Internet users, download the MassBuddy software and become a Buddy:


For Geeks: MassBrowser's Technical Description

MassBrowser is an academic censorship circumvention system. This Technical Report describes the details of its design, the ideas behind its blocking resistance, and it privacy and security guarantees. A shorter version of the technical description is followed.

TL;DR Technical Description

Censorship circumvention tools traditionally work by relaying the user's traffic through proxy servers outside of the censoring region. The proxy servers have open access to the Internet and are able to retrieve the requested pages on behalf of the user. Unfortunately, this simple scheme has two downsides.

  • Proxy servers can be blocked by the censors. Since proxy servers have defined public IP addresses, censors can block access to the proxies by applying IP filtering at their border gateways. Even if the proxy IP addresses are not publicly announced, censors can gain access to the IP addresses by imitating censored users.
  • Maintaining proxy servers. Circumvention systems must have enough infrastructure to handle the bandwidth of all its users. The number of users using circumvention systems is relatively high, considering entire nations such as China and Iran have censored access to the Internet. This imposes extremely high costs for maintaining proxy servers for the circumvention system providers.

To provide a robust and cost-effective solution, we have designed MassBrowser. MassBrowser uses a number of different techniques to provide censorship circumvention which is hard to block by the censors, not too expensive to maintain and delivers performance comparable to that of traditional circumvention systems.

Volunteer Relays

Instead of relying solely on publicly hosted proxy servers, MassBrowser utilizes volunteers which we call MassBuddys. Volunteers are users residing outside the censored regions who are willing to help censored users gain open access to the Internet by allowing them to proxy their traffic through their devices. In concept, volunteer relays are very similar to traditional proxies, however they have two beneficial properties

  1. No single entity is responsible for providing all the necessary bandwidth needed to support censored users
  2. Volunteers may have changing and non-public IP addresses, making it more difficult for censors to block them using traditional methods
Volunteer-based systems are not a new concept. The largest anonymity system in use today, i.e., Tor, is run by volunteers. To answer to possible concerns volunteers may have, the MassBuddy client provides the volunteer with a range of options for limiting the bandwidth usage and even choosing websites they wish to allow.

Blocking volunteers is more difficult for censors than traditional public proxies, however it is far from perfect and censors may still block volunteer relays. A typical approach against censors used in many circumvention systems is to avoid announcing all available proxies (or volunteer relays) to the users. Similarly, in MassBrowser each client will only have access to a small number of all available relays. This way, even if the censors mimic benign users, they will only every be able to block a small portion of all available relays.

Backup Proxies and Domain Fronting

In the Volunteer Relays section we mentioned that each censored user will only have access to a small subset of all available volunteer relays. However, if the censors manage to block all the relays a particular user has access to, the user will be stuck with blocked relays and will be unable to use the system. The user cannot be assigned another non-blocked relay, since the censors would take advantage and start blocking more relays.

To mitigate this problem, the MassBrowser network has a number of public backup proxies which will be assigned to users if all the users available relays have been blocked. Of course, if we simply use a traditional proxy there is nothing keeping the censors from blocking those as well. Instead, we use a recently proposed technique called Domain Fronting to keep the proxies from being blocked.

Domain Fronting is a technique in which the proxy server is hosted behind a Content Delivery Network (CDN) and is accessed through the CDNs IP addresses in a way which avoids any unencrypted mentioning of the desired service (i.e. the proxy server). In order to block this proxy server, the censors would have to block access to any website hosted on that CDN which is a highly undesirable. You can learn more about Domain Fronting through the original paper linked below.

You might be thinking this seems great, why not make a circumvention system based solely on Domain Fronting? While Domain Fronting does make a very robust system against censors blocking proxies, it still requires a high maintenance cost. In fact, there already is a widely used Domain Fronting based system, named meek, deployed as a Pluggable Transport for Tor. In its approximately three years of operation, the total cost for operating meek's servers have reached over $50,000.

CDNBrowsing

CDNBrowsing is another recent technique in censorship circumvention which takes advantage of CDNs. Unlike Domain Fronting in which we access a proxy hosted behind a CDN, CDNBrowsing is used to directly access website content from CDNs without revealing to the censors what content is being accessed. You can read more about how CDNBrowsing works in the papers linked below.

CDNBrowsing can be used with virtually no extra cost as it accesses content directly without needing any hosted proxies. Similar to Domain Fronting, it is also unblockable by the censors. It's main disadvantage however is that it can only retrieve CDN hosted content. So on its own it is only suitable for websites which are completely hosted on CDNs. Even though many websites do satisfy this requirement, as of now the majority of websites only have their media content (e.g. images, videos,...) hosted on CDNs leaving their HTML pages inaccessible to CDNBrowsing systems.

While limited on its own, CDNBrowsing can prove to be hugely beneficial when used in conjunction with the other methods described above. Images, videos and other CDN hosted content are actually the bulk of most websites. Using CDNBrowsing techniques, MassBrowser obtains any CDN hosted content directly from CDN edge servers without going through any proxies or volunteer relays. This reduces the traffic load on volunteer relays, allowing them to serve more censored users with the same amount of used bandwidth, and also reduces the traffic on our backup proxy servers.

Want to contribute to the code?

MassBrowser's code is available on GitHub. If you are a geek, we welcome your contribution to the code.

Acknowledgment
This work is supported in part by the NSF CAREER grant CNS-1553301.