Open Technology Fund

Adversary Lab is a service that analyzes captured network traffic to extract statistical properties.

Adversary Lab is a publicly available and open source resource for the worldwide community of Internet freedom tool developers. The purpose of this tool is to test network traffic to determine its blockability before it is deployed in the field, helping application developers to create applications which are more resistant to network filtering attacks. In particular, applications which use or provide network traffic obfuscation mechanisms can be tested before they are deployed. Adversary Lab has been used to analyze the network traffic patterns of many popular Internet freedom tools and network traffic obfuscation techniques.

Adversary Lab uses machine learning to analyze captured network traffic, extracting statistical properties and synthesizing filtering rules. The result of the analysis is a report on which properties of the analyzed traffic can be most effectively used to block the target application. This report can be used by tool developers to eliminate these blockable properties from their network traffic, either by modifying the application’s network protocol or by utilizing one of the network traffic obfuscation layers, such as Operator’s Shapeshifter library, an open source implementation of the Pluggable Transports specification.

Through funding from the OTF, Adversary Lab continues to evolve to analyze more sophisticated attacks. In recent updates, support for SSL-specific attacks such as SNI matching have been added. Additionally, Adversary Lab’s detection of identifiable byte sequences in network protocols has been greatly optimized to run orders of magnitude faster. This allows for a wider variety of byte sequences to be extracted from the captured network traffic.

GreatFire tracks Apple iOS applications for instances of censorship in over 150 countries, documenting when and how apps are removed in order to provide more transparency.

This project allows researchers to better identify censorship by Apple, track whether apps are being blocked locally at the government’s request (which could provide an indication of local censorship) or globally, and enables advocates who know their local context to connect when censorship occurs due to civil society actions and political events. The project has already helped to identify censorship of apps related to religious freedom in China, the Tibetan diaspora, and the protests in Hong Kong. The data and information generated by this project is being made accessible to policymakers, journalists, advocates, and everyday citizens on the applecensorship.com website.

This project will increase the security and privacy of VPNs and VPN-like technologies.

The majority of censorship circumvention, privacy, and anonymity tools work in ways that are essentially VPN-like under the hood and are based on tunneling connections through an encrypted tunnel by re-routing locally generated packets on the VPN client device. This technology helps take the burden off the user to, e.g., configure their apps to use a local socket-based proxy. While there has been a great deal of research into securing the encryption tunnel for VPNs, we instead consider the endpoints of the tunnel and the low-level packet routing behaviors within the operating system kernels of the VPN client and VPN server. Our goal is to promote a more solid foundation for the security of VPNs from a packet-level perspective through vulnerability research. Our work builds on William Tolley's OTF-sponsored Internet Controls Fellowship Program project, which led to two CVEs (CVE-2019-9461 and CVE-2019-14899).

Breakpointing Bad is a non-profit founded in 2019 based out of Albuquerque, New Mexico. Our team has over 66 years of combined experience in network security, penetration testing, reverse engineering, malware analysis, developing CTFs for training, IT, and cryptography. The vast majority of these activities have focused on technical security issues motivated by privacy, free speech, and human rights. Our goal is to provide technical expertise and capabilities to at-risk populations subjected to repressive and authoritarian control.

Building networked apps that can remain connected in the event of a complete Internet shutdown

Awala (formerly known as Relaynet) is a new computer network where compatible apps use the Internet as-normal when it's available, but are able to switch to a secure sneakernet when the Internet has been cut off. Developers can use Awala today to make existing Internet services (like social networks) resilient to Internet blackouts, or build Awala-native apps to unlock additional benefits (e.g., decentralization, spam protection). The Awala team is now working on drastically lowering the barrier to adopt Awala, which includes the delivery of a basic version of Letro (an Awala-native service analogous to email).

ISC develops and maintains BIND, one of the most widely-used open source software applications for running a DNS resolver.

ISC develops and maintains BIND, one of the most widely-used open source software applications for running a DNS resolver. This project will add a significant new feature to BIND, QNAME minimization. QNAME minimization is an important component of an overall Internet privacy strategy.

DNS lookups happen in the background during almost every user interaction on the Internet. Standard DNS routinely leaks extra information to every DNS system in the path of those lookups. This was not a concern back when the DNS was first invented, but of course it is now. The information leaked is metadata, related to the Internet resource the end user is seeking: it could disclose the existence of an email conversation, pgp key lookup of a correspondant, or research on sensitive topics or people. Repressive governments have been storing and analyzing these "lookups" in order to surveil users. This project will eliminate unnecessary information leakage through BIND DNS systems.

The goal of this project is to bring a new level of DNS privacy to the large numbers of users whose service providers use BIND. This project is benefiting from the works of the open source Unbound and Knot DNS resolvers, who have added QNAME minimization. These other implementations have exposed some Internet breakage that can happen with QNAME minimization, so BIND has a configuration setting to permit a "fallback" to disable QNAME minimization when this is detected. The project plans to enable the "relaxed" mode, with the fallback by default, with a "strict" mode, which will not expose extra data even in cause of fault, as an option. Like the two other previous implementers, ISC have decided to enable QNAME minimization by default in BIND.

QNAME minimization has been committed to the BIND master branch in ISC"s public code repository. The project plans to issue a release incorporating this new feature, and further optimizations to make QNAME minimization more efficient and compatible with existing systems.