(theory) Distributing bridge relays through images using steganography?

Hi. I was theorizing about a concept and wanted to bounce it off to get some opinions on if it would be feasible. If so, I might make a Proof-of-Concept as a hobby project for learning purposes.


TL;DR - IMHO steganography could be a really powerful and efficient tool - which we ATM are not fully leveraging - to distribute bridge relays (or even the Tor browser itself) to heavily restricted areas. I am theorizing about using steganography for this purpose by providing tools for users to do this easily.


I think it’s extremely important - and an interesting challenge - to make efforts ensuring Tor (and thus free internet) is accessible to people living in countries resembling 1984’s Oceania.

Currently Tor provides bridges, which are unlisted guard relays, allowing users to connect to Tor secretly. IMHO there are a few small impediments regarding how these need to be acquired:

  • The distribution of bridge relays is somewhat centralized. Users have to contact Tor one way or another.
  • While Tor provides several creative and obfuscated options for users to request bridge relays, it remains centralized and imposes risks.
  • Users can decide to use bridges from unofficial sources, risking using a compromised relay.
  • “Chicken or egg, what came first?” Surveilled people need Tor to have free internet, but how to download Tor when you have no free internet? - GetTor exists, but I am not confident Telegram is allowed everywhere.

1. Distributing bridge relays through images using steganography

Distributing

  1. It is possible to hide bridge lines in images using steganography (I already did it).
  2. The idea is to make a tool or service allowing volunteers to easily hide bridge lines in images.
  3. These volunteers and friends of Tor (bloggers, journalists, Reddit users, memers....) would be able to hide bridge lines in their visual content.
  4. A blogger could use the steg-encoded image as banner for his blogpost, Reddit users could hide bridge lines in memes going viral,...

This way the bridge lines would be distributed all over the internet, and users wouldn’t have to take the risk contacting the Tor Project itself. But how would a user retrieve a bridge?

Retrieving

  1. Users searching for bridges can be subtly directed to websites known for containing steg-encoded images.
  2. A browser plugin could be made checking all the images on the webpage for a hidden mark or smth we include in the steg-encoded images.
  3. When the plugin detects such an image it notifies the user about it, allowing the user to retrieve the data from the image (user is not anonymous while using this plugin).

✅ Advantages

  • Users don’t have to contact a centralized point for bridges anymore.
  • Bridge lines can be secretly shared, while being hidden in plain sight.

⚠️ Disadvantages

  • Enabling anyone to distribute images with hidden bridge lines would also enable threat actors to distribute compromised bridge relays.
    – We could solve this by making a centralized official webpage where volunteers can upload any image and we would apply the steganography ourselves in the back-end and sign it using RSA.
    – The volunteer can download the steg-encoded image to distribute it decentralized, and the user could verify the bridge line by using a known public key.
    – This would be a perfect balance between centralized signing and decentralized distributing.

2. Distributing Tor itself by hiding the executable in images

There is a paper -- ["Using Digital Images to spread Executable Code on Internet"](https://subs.emis.de/LNI/Proceedings/Proceedings165/371.pdf) -- describing how to hide complete executable binaries in images using steganography.

IG in theory we could make a very small and lightweight binary using Arti, acting as a bootstrap mechanism, with the only task to download the Tor browser over Tor or launch an Arti proxy routing the network traffic of the user through Tor.

This way we could distribute Tor even in highly surveilled states.

WDYT? Would this be possible?

1 Like

The major challenge in distributing bridges is how to make it easy for users to find one that is not blocked and hard for censors to get the full list of bridges.

How will your mechanism prevent censors from finding all those bridges? Censors might use your plugin to crawl the web in search of bridges and just block all of them.

2 Likes
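Added example (not part of the thread and not Tor Project code): a minimal LSB embed and scan over a raw pixel buffer, covering the hidden-mark retrieval from the opening post and the reply's point that the same scan works for whoever runs it, a crawler included. The `BRDG` marker, the framing, the file names and the bridge line are constructed assumptions; the RSA signing step is not shown.

```python
import struct

MARK = b"BRDG"  # hypothetical marker the plugin would look for (assumption)

def _bits(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(pixels, payload):
    """Write MARK + 2-byte length + payload into the LSB of each pixel byte."""
    frame = MARK + struct.pack(">H", len(payload)) + payload
    if len(frame) * 8 > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(frame)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def _read(pixels, start, count):
    """Rebuild count frame bytes from LSBs; None if the carrier is too short."""
    if (start + count) * 8 > len(pixels):
        return None
    out = bytearray()
    for b in range(start, start + count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[b * 8 + k] & 1)
        out.append(value)
    return bytes(out)

def extract(pixels):
    """Return the hidden payload, or None when the marker is absent."""
    head = _read(pixels, 0, len(MARK) + 2)
    if head is None or head[:len(MARK)] != MARK:
        return None
    (length,) = struct.unpack(">H", head[len(MARK):])
    return _read(pixels, len(MARK) + 2, length)

def scan(images):
    """What the plugin (or any crawler) does: collect every marked payload."""
    found = {name: extract(px) for name, px in images.items()}
    return {name: data for name, data in found.items() if data is not None}

# Constructed sample data: fake pixel buffer and a made-up bridge line.
COVER = bytes((i * 37 + 11) % 256 for i in range(4096))
BRIDGE_LINE = b"obfs4 192.0.2.1:443 0123456789ABCDEF0123456789ABCDEF01234567"
STEGO = embed(COVER, BRIDGE_LINE)
PAGE = {"banner.png": STEGO, "photo.png": COVER}
```

`scan(PAGE)` returns only the marked image's bridge line, and it needs nothing beyond the public marker, so a fixed mark gives no protection against enumeration.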

That’s a valid point. What is the current mechanism of e.g. “Defend yourself against tracking and surveillance. Circumvent censorship. | Bridge Info” to prevent censorship? What would stop someone from making a basic scraper auto-blocking the bridge on that page?

We have iterated over different solutions to the https distributor (https://bridges.torproject.org/). Currently what we do is to distribute different bridges every day and use the IP address of the requester to hand different bridges over different networks. It is not a perfect solution, but better than our previous solution based on captchas.

We try multiple strategies and see what works better where. Our most ambitious one is lox, but it is still a work in progress: The Tor Project / Anti-censorship / lox · GitLab

2 Likes

Great, thanks for the reply. Lox sounds cool. I am planning on making some contributions to the anti-censorship projects – and Lox and Rdsys in particular because those have my interest.

I made a first small MR in Lox, I’ll still have to study the papers related to Lox more to understand the concept more before being able to make more contributions.

Asked some follow-up questions in Matrix.