On March 12, 2024, the Tor Project announced the release of a new bridge called “WebTunnel”, designed to help users bypass censorship in highly problematic regions where accessing the Tor network is particularly challenging.
WebTunnel comes in addition to Tor Browser’s multiple censorship circumvention technologies, and its release coincides with the World Day Against Cyber Censorship.
Tor bridges are a kind of “unlisted” relay that gives users a secret entry point to connect to the Tor network by routing their traffic through a series of bounce points. Because these relays are unknown to the censoring entities (governments, ISPs, etc.), they aren’t included in common blocklists, so people can use them to bypass censorship.
What is WebTunnel and how does it work?
WebTunnel is a censorship-resistant pluggable transport, inspired by HTTPT, that is designed to mimic encrypted web traffic (HTTPS). It works by wrapping the payload connection into a WebSocket-like HTTPS connection, so that it appears to network observers as an ordinary HTTPS (WebSocket) connection. To an onlooker who does not know the hidden path, it just looks like a regular HTTP connection to a webpage server, giving the impression that the user is simply browsing the web.
In fact, WebTunnel is so similar to ordinary web traffic that it can coexist with a website on the same network endpoint, meaning the same domain, IP address, and port. This coexistence allows a standard traffic reverse proxy to forward both ordinary web traffic and WebTunnel to their respective application servers. As a result, when someone attempts to visit the website at the shared network address, they will simply perceive the content of that website address and won’t notice the existence of a secret bridge (WebTunnel).
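A minimal model of the routing decision described above, added here as an illustration; it is not the Tor Project's code or any real reverse proxy's configuration. The secret path, the sample pages, the function names and the rule that only a WebSocket upgrade on the exact path reaches the bridge are assumptions of this sketch.

```python
import hmac

# Constructed values: a real bridge uses its own long random path.
SECRET_PATH = "/Kq3vY8mT2xW9pLrZ"
SITE_PAGES = {"/": "<h1>Example site</h1>", "/about": "<h1>About</h1>"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers


def is_upgrade(headers) -> bool:
    """True when the client asks to switch the connection to WebSocket."""
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return "upgrade" in tokens and headers.get("upgrade", "").lower() == "websocket"


def route(raw: bytes):
    """Return ("bridge", None) or ("website", (status, body))."""
    method, path, headers = parse_request(raw)
    # Constant-time comparison: timing must not reveal a partly correct path.
    path_ok = hmac.compare_digest(path.encode(), SECRET_PATH.encode())
    if path_ok and method == "GET" and is_upgrade(headers):
        return "bridge", None
    # Everything else, including near-miss paths, gets the ordinary website.
    if path in SITE_PAGES:
        return "website", (200, SITE_PAGES[path])
    return "website", (404, "Not Found")


def request(path: str, upgrade: bool = False) -> bytes:
    """Build a constructed sample request for the demo below."""
    extra = "Connection: Upgrade\r\nUpgrade: websocket\r\n" if upgrade else ""
    return f"GET {path} HTTP/1.1\r\nHost: example.com\r\n{extra}\r\n".encode()


if __name__ == "__main__":
    for path, up in [("/", False), ("/Kq3vY8mT", True), (SECRET_PATH, False), (SECRET_PATH, True)]:
        print(path, up, route(request(path, up)))
```

A visitor or prober who requests any path other than the exact secret one gets the same website response an ordinary missing page would produce, which is the coexistence property the paragraph describes.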
Comparing WebTunnel to obfs4 bridges
WebTunnel can be used as an alternative to obfs4 for most Tor Browser users. While obfs4 and other fully encrypted traffic aim to be entirely distinct and unrecognizable, WebTunnel’s approach to mimicking known and typical web traffic makes it more effective in scenarios where there is a protocol allow list and a deny-by-default network environment.
Consider a network traffic censorship mechanism as a coin sorting machine, with coins representing the flowing traffic. Traditionally, such a machine checks whether the coin fits a known shape and allows it to pass if it does or discards it if it does not. Fully encrypted, unknown traffic doesn’t conform to any specific shape, so it would be subject to censorship, as demonstrated in the published research “How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic”. In our coin analogy, not only must the coin not fit the shape of any known blocked protocol, it also needs to fit a recognized allowed shape; otherwise, it would be dropped. Obfs4 traffic, being neither a match for any known allowed protocol nor a text protocol, would be rejected. In contrast, WebTunnel traffic, which resembles HTTPS, a permitted protocol, will pass.
How to use a WebTunnel Bridge?
Step 1 – Getting a WebTunnel bridge
At the moment, WebTunnel bridges are only distributed via the Tor Project bridges website. We plan to include more distribution methods like Telegram and moat.
1. Using your regular web browser, visit the website: https://bridges.torproject.org/options
2. In “Advanced Options”, select “webtunnel” from the dropdown menu, and click on “Get Bridges”.
3. Solve the captcha.
4. Copy the bridge line.
Step 2 – Download and install Tor Browser for Desktop
Note: WebTunnel bridges will not work on old versions of Tor Browser (12.5.x).
1. Download and install the latest version of Tor Browser for Desktop.
2. Open Tor Browser and go to the Connection preferences window (or click on “Configure Connection”).
3. Click on “Add a Bridge Manually” and add the bridge lines from Step 1.
4. Close the bridge dialog and click on “Connect”.
Or download and install Tor Browser for Android
1. Download and install the latest version of Tor Browser for Android.
2. Run Tor Browser and choose the option to configure a bridge.
3. Select “Provide a Bridge I know” and enter the provided bridge addresses.
4. Tap “OK” and, if everything works well, it will connect.
Article sources:
– Hiding in plain sight: Introducing WebTunnel (blog.torproject.org)
– Tor Introduces New ‘WebTunnel’ Bridge to Help Bypass Censorship (restoreprivacy.com)
Related articles:
– Tor’s new WebTunnel bridges mimic HTTPS traffic to evade censorship (bleepingcomputer.com)