- A Little History
- How a PAC Proxy Works
- Using the Tor PAC Proxy
- Creating Your Local Tor Proxy
- Some Final Thoughts
A Little History
In June 2004 BT took the step of putting technical measures in place that allowed them to censor the Internet.
At the time there was muffled dissent at the idea of creating and deploying such technology but those voices were silenced by accusations that opposition to CleanFeed was to support the abuse of children.
We warned that this was the start of a slippery slope.
In 2011 the MPA took BT to court in an attempt to block Newzbin, when the Honourable Justice Arnold understood that BT already had an Internet censorship system in place he ordered it to be used to block Newzbin
In respect of its customers to whose internet service the system known as Cleanfeed is applied whether optionally or otherwise, [BT] shall within 14 days adopt the following technical means to block or attempt to block access by its customers to the website known as Newzbin2 currently accessible at www.newzbin.com, its domains and sub-domains and including payments.newzbin.com and any other IP address or URL whose sole or predominant purpose is to enable or facilitate access to the Newzbin2 websiteHon Justice Arnold
On the back of the Newzbin success various other private entities took to the High Court to chase more ISPs and in February 2012 the Honourable Justice Arnold ruled
… that both users and the operators of TPB infringe the copyrights of the Claimants (and those they represent) in the UK.Hon Justice Arnold
The result of this ruling was that BT, TalkTalk, Sky and others were required to take measures to block or at least impede access by their customers to a peer-to-peer (“P2P”) file-sharing website called The Pirate Bay (“TPB”).
At the time the OpenRightsGroup issued the following statement;
Blocking the Pirate Bay is pointless and dangerous. It will fuel calls for further, wider and even more drastic calls for internet censorship of many kinds, from pornography to extremism.Jim Killock, Executive Director of the Open Rights Group
So here we are in 2014, a decade after we originally predicted the slippery slope of Internet censorship and we have Court ordered censorship at the behest of foreign private entities, secret URL blocklists courtesy of the IWF, varying levels of Internet Filtering in homes, Internet filtering in coffee shops etc and now the City of London Police appear to be using organised Crime Legislation to intimidate and shut down proxies.
How a PAC Proxy Works
The PAC (Proxy auto-config) file format was originally designed by Netscape in 1996 for the Netscape Navigator 2.0 and is a text file that defines which URLs are to be routed over a proxy and optionally which proxy to use on a per URL basis.
A very basic PAC file could look like this;
function FindProxyForURL(url, host)
{
var list = new Array("wtfismyip.com","www.ipchicken.com");
for(var i=0; i < list .length; i++)
{
if (shExpMatch(host, list[i]))
{
return "SOCKS socks.survivetheclaireperryinter.net:9050";
}
}
return "DIRECT";
}
This PAC file defines two URLs (wtfismyip.com and www.ipchicken.com) and tells the browser that these URLs should be routed via the SOCKS proxy socks.survivetheclaireperryinter.net using port 9050. Any other URLs are routed directly (as in not using a proxy).
The Tor Project is one of the most powerful tools we have against Internet censorship and one of the features of a Tor relay is the ability to be used as a SOCKS proxy.
There are lots of Tor relays on the Internet that are configured not only as Bridges, pluggable transports, Exits & relays but also as SOCKS servers. We will create a Tor relay to be coupled with a PAC file to selectively route certain URLs over The Onion Routing network to bypass censorship.
Using the Tor PAC Proxy
To test a Tor powered PAC proxy simply set your Browser Proxy settings to; https://RoutingPacketsIsNotACrime.uk/pac.config?id=piratebay this will allow you to browse to thepiratebay.se via a Tor proxy in Russia.
To create your own list of URLs to route via your Tor proxy start by navigating to https://RoutingPacketsIsNotACrime.uk and identify which URLs you would like to route.
Add all of your URLs separated by a comma e.g. “google.com, yahoo.com, bing.com” then click “Save PAC File”.
Make note of your unique PAC file URL e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
Configure your browser to use your unique PAC file
Configure Internet Explorer
- Go to Start then Control Panel. (Windows 8 users hover your mouse to the bottom right, click Settings, then click Control Panel)
- Find Internet Options (sometimes under Network and Internet), then go to the Connections tab.
- At the bottom, click the LAN settings button.
- A new dialog will appear. Tick the box that says Use automatic configuration script.
- In the address field, paste in your unique PAC file ID e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
- Press OK, then OK on the Internet Options dialog.
Configure Mozilla Firefox
- In Mozilla Firefox, go to Options. In Windows, click the Firefox button then choose Options, or go to Tools, then Options. In Mac OS X, go to Firefox, then Preferences. In Linux, go to Tools, Options.
- Go to the Advanced tab, then go to the Network tab.
- Click Settings next to Configure how Firefox connects to the Internet.
- Select Automatic proxy configuration URL.
- In the text field, paste in your unique PAC file ID e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
- Press OK, then OK on the Options dialog.
Configure Google Chrome
- In Google Chrome, click the menu button to the right of the URL bar, and choose Settings.
- At the bottom, click the Show advanced settings
- Under Network, click Change proxy settings.
- On Windows, at the bottom click the LAN settings button. A new dialog will appear. Tick the box that says Use automatic configuration script.
- On Mac OS X, tick Automatic Proxy Configuration.
- On Linux, click Network proxy, select Automatic from the Method drop down menu.
- In the address field, paste in your unique PAC file ID e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
- Close the dialogs to save the settings. On Mac OS X, press Apply first.
You’ll note that the PAC file specifies the proxy as localhost:9050, trying to visit the URLs in question won’t work until we setup the local Tor relay.
Creating Your Local Tor Proxy
If you want to help the Tor network grow and create your own proxy to use with the RoutingPacketsIsNotACrime PAC files then these instructions should get you started.
If you don’t already have a dedicated server consider visiting DigitalOcean, Amazon EC2 or for some really good deals check LowEndBox.com.
For various reasons I would suggest hosting the server outside of the UK but that is a choice for you to make.
CentOS 6
Install EPEL
wget http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm yum install epel-release-6-8.noarch.rpm
Edit iptables
vim /etc/sysconfig/iptables
Allow the ORPort and the proxy port (in this case 9001 and 9150)
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 9150 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
Save and quit
/etc/init.d/iptables restart
If your server has IPv6 then make similar changes to ip6tables
Editing torrc
vim /etc/tor/torrc
A minimal torrc for use with a PAC file style proxy would look similar to the below (although you should read all the options to understand what you are doing);
SocksPort xx.xx.xx.xx:9150 ORPort 9001 Nickname TheNameOfYourRelay ContactInfo YourContactDetails ExitPolicy reject *:*
xx.xx.xx.xx should be a routeable IP (e.g. not 127.0.0.1) of your server, if you want to keep your relay server partially private you might want to add PublishServerDescriptor 0 to your config too.
If your Tor relay is on a public IP (e.g. not 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16) then you may want to restrict the IPTables allow rule to only allow your source IP addresses
Start Tor & Confirm it is working
/etc/init.d/tor start tail -f /var/log/messages
You should see something along the lines of;
socks Tor[31452]: Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor. socks Tor[31452]: Bootstrapped 85%: Finishing handshake with first hop. socks Tor[31452]: Bootstrapped 90%: Establishing a Tor circuit. socks Tor[31452]: Tor has successfully opened a circuit. Looks like client functionality is working. socks Tor[31452]: Bootstrapped 100%: Done. socks Tor[31452]: Performing bandwidth self-test...done.
Done!
Assuming you have chosen the URLs you wanted in the previous section (Using the Tor PAC Proxy) you can now browse to the URLs that were previously censored as they are now being routed over Tor. Any non-restricted URLs will route over your normal Internet connection.
Windows
Follow our tutorial on Securely Installing Tor on Windows to get the full Tor Browser bundle up and running.
Once installed and started Tor will be running on localhost:9150 (do not close the Tor Browser as this will also close the relay)
Done!
Assuming you have chosen the URLs you wanted in the previous section (Using the Tor PAC Proxy) you can now browse to the URLs that were previously censored as they are now being routed over Tor. Any non-restricted URLs will route over your normal Internet connection.
Some Final Thoughts (and quotes)
Internet Censorship is abhorrent, we shouldn’t stand by and let the Government, Police or lawyers dictate what we can read. The slippery slope is getting steeper every day so we all need to help stop it.
When bad men combine, the good must associate; else they will fall, one by one, an unpitied sacrifice in a contemptible struggle.Edmund Burke
I always wondered why somebody doesn’t do something about that. Then I realized I was somebody.Lily Tomlin
Withholding information is the essence of tyranny. Control of the flow of information is the tool of the dictatorship.Bruce Coville
Who is more to be pitied, a writer bound and gagged by policemen or one living in perfect freedom who has nothing more to say?Kurt Vonnegut
Once a government is committed to the principle of silencing the voice of opposition, it has only one way to go, and that is down the path of increasingly repressive measures, until it becomes a source of terror to all its citizens and creates a country where everyone lives in fear.Harry S. Truman
Free societies…are societies in motion, and with motion comes tension, dissent, friction. Free people strike sparks, and those sparks are the best evidence of freedom’s existence.Salman Rushdie
All men dream: but not equally. Those who dream by night in the dusty recesses of their minds wake in the day to find that it was vanity: but the dreamers of the day are dangerous men, for they may act their dreams with open eyes, to make it possible.T.E. Lawrence
