Lox: Protecting the Social Graph in Bridge Distribution

Abstract

Access to the open Internet, free from surveillance and censorship, is an important part of fulfilling the right to privacy. Despite this, in many regions of the world, censorship of the Internet is used to limit access to information, monitor the activity of Internet users and quash dissent. Where access to the Internet is heavily censored, anti-censorship proxies, or bridges, can offer a connection to journalists, dissidents and members of oppressed groups who seek access to the Internet beyond a censor's area of influence.

Bridges are an anti-censorship tool that can provide users inside censored regions with a link to the open Internet. Using bridges as an anti-censorship tool is fraught with risks for users inside the censored region who may face persecution if they are discovered using or requesting bridges. Bridge distribution systems that are built for widespread public distribution of bridges face the inherently conflicting issues of extending bridges to unknown users when some of them may be malicious. If not designed with care, bridge distribution systems can be quickly compromised or overwhelmed by attacks from censors and their automated agents and leak user and usage data, undermining the integrity of the system and the safety of users. It is therefore crucial to prioritize protecting users when developing such systems.

In this work, we take a holistic and realistic view of the bridge distribution problem. We analyze known threats to deployed bridge distribution systems, (i.e., The Tor Project's BridgeDB), and combine insights from prior work to create a new bridge distribution system. To this end, we propose Lox, a bridge distribution system that is open to anyone while also leveraging users' trust networks to distribute bridges. Lox protects the privacy of users and their social graphs and limits the malicious behaviour of censors.

We use an updated unlinkable multi-show anonymous credential scheme, suitable for a single credential issuer and verifier, to protect bridge users and their social networks from being identified by malicious actors. We formalize a trust level scheme that is compatible with anonymous credentials and effectively limits malicious behaviour while maintaining user anonymity. Our work includes a full system design of Lox, as well as an implementation of each of Lox's protocols. We evaluate the efficiency of our Lox protocols and show that they have reasonable performance and latency for the expected user base of our system, thus demonstrating Lox as a practical bridge distribution system.