Page MenuHomePhabricator
Create Task
Maniphest T327286

Integrate In-App Internet censorship circumvention by domain fronting
Open, Needs TriagePublicFeature
Actions

Description

Feature summary:

Please add a censorship circumvention feature like domain fronting in both iOS and Android apps to use domain fronting to access Wikipedia where it is blocked. (e.g. China)

Similar features in other apps

  • Tor meek and snowflake, using Microsoft Azure and Fastly as fronting providers
  • A client for pixiv.net, for accessing pixiv.net which is also blocked in China by SNI detection, written in Kotlin
  • A client for e-hentai.org, also written in Kotlin
  • Signal has a "censorship circumvention" features which utilizes Google Cloud and domain fronting as an alternative route to their server
  • ProtonVPN. If it detects potential blocks, it will try to resolve a certain domain using DoH and use HTTPS certificate pinning to access that IP as an alternative backend
  • Geph, a popular proxy app which is successful at bypassing China & Iran censors. It uses domain fronting as a bootstrapping process.

Why this is important:

As shown in Censorship of Wikipedia article, many countries have blocked access to Wikipedia. While it's possible for volunteers to access Wikipedia though their own proxies, they may (1) not have enough knowledge or resource to setup or buy a proxy, or (2) encounter trouble editing Wikipedia because of proxy IP bans. Both may have negative impacts on user engagement. Most recently, the IPBE requesting mailing lists of Chinese Wikipedia (unblock-zh) has been queued for ~30 days, making the situation worse.

I believe, equipping in-app censorship circumvention methods is a balance between usability and availability, because enabling this would be as easy as toggling a switch, and users will not be affected by proxy IP bans. It may be one of the most viable options for now.

Related Objects

Event Timeline

Naruse_shiroha created this task.Jan 18 2023, 2:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 18 2023, 2:05 PM
Naruse_shiroha updated the task description. (Show Details)Jan 18 2023, 2:06 PM
Naruse_shiroha updated the task description. (Show Details)
Naruse_shiroha updated the task description. (Show Details)Jan 18 2023, 2:23 PM
GeneralNotability subscribed.Jan 18 2023, 2:58 PM
Diskdance subscribed.Jan 18 2023, 3:14 PM
Yahya subscribed.Feb 16 2023, 7:33 PM
Bugreporter mentioned this in T330024: Let all requests from mainland China will be processed to codfw/esams/drmrs.Feb 19 2023, 8:41 PM
Naruse_shiroha added a comment.Mar 15 2023, 1:07 PM

Have read BCronwall's response in T330024.

The team's limited capacity prevents the maintenance work required to provide such a solution. Were this a permanent solution then we'd be happy to oblige; However, implementing these measures would only provide temporary relief before more restrictions follow.

Surely depending Wikipedia accessibility on limited, unblocked IPs seems to be an impermanent solution, but I can say it's really a long-term solution: as my referred two similar apps above, one of them added such domain fronting feature in middle 2019, one added in late 2020, upon now, 2023, none of them seems be further limited or blocked. I think it's worth a try for even 3-5 years' accessibility.

ssingh subscribed.Mar 16 2023, 6:03 PM
LGoto added a project: Traffic.Mar 16 2023, 8:26 PM
Maintenance_bot added a project: SRE.Mar 16 2023, 8:29 PM
JTannerWMF moved this task from Needs Triage to Tracking on the Wikipedia-Android-App-Backlog board.Mar 29 2023, 4:50 PM
JTannerWMF subscribed.

Thanks for creating this task its a valid request. Our team can't prioritize it right now but its on our radar.

JTannerWMF moved this task from Needs Triage to Tracking on the Wikipedia-iOS-App-Backlog board.Mar 29 2023, 4:50 PM
Diskdance added a comment.EditedApr 1 2023, 10:06 AM

Domain fronting takes the advantage of collateral freedom, but unfortunately I cannot see much damage for the government to block Wikimedia IPs. Yes, for a medium term this is a feasible approach, but it costs nearly nothing for the government to block an IP, but changing one costs a considerable amount of resource. What should we do if all IPs are blocked in the future?

Another solution is to combine domain fronting with large 3rd party network infrastructure (like Azure, AWS, etc., and Signal uses this approach), but this is likely to be blocked by WMF privacy policy.

Naruse_shiroha added a comment.EditedApr 1 2023, 10:19 AM
In T327286#8747600, @Diskdance wrote:

Domain fronting takes the advantage of collateral freedom, but unfortunately I cannot see much damage for the government to block Wikimedia IPs. Yes, for a medium term this is a feasible approach, but it costs nearly nothing for the government to block an IP, but changing one costs a considerable amount of resource. What should we do if all IPs are blocked in the future?

Probably I used a wrong word? I cannot find a more appropriate word than 'domain fronting' to describe SNI field manipulation, but the word 'domain fronting' is usually connected with the use of clouds and CDNs.

In my experience, blocking IPs is the last method than DNS poisoning or DPI, probably because of this: IP blocking does cost something, for routers have very limited storage for saving both normal routing table and manually added blackhole routing table.

Naruse_shiroha updated the task description. (Show Details)Apr 1 2023, 10:22 AM
Diskdance added a comment.Apr 1 2023, 11:45 AM

...but the word 'domain fronting' is usually connected with the use of clouds and CDNs.

Then WMF's privacy policy may be an obstacle -- I don't think it allows a third party to know users' IP addresses, I may be wrong, though.

In my experience, blocking IPs is the last method than DNS poisoning or DPI, probably because of this: IP blocking does cost something, for routers have very limited storage for saving both normal routing table and manually added blackhole routing table.

Theoretically the censorship system acts like a black box to us. Blocking IPs may not be cost free but still costs far less than changing IPs on a limited budget (which is the case for WMF, unfortunately.)

Diskdance added a comment.Apr 1 2023, 11:49 AM

Another potential risk is that integrating censorship evading measures may cause the iOS app to be removed from China App Store. I'm not saying we should not add this -- censorship poses a risk to us all and we should resist, but I'd rather be cautious and think about wise and lasting solutions, so it won't be a waste of money.

Naruse_shiroha added a comment.Apr 1 2023, 11:52 AM

Hahha, yes, they can remove any apps from China App Store as they want. We have to consider this.

Diskdance updated the task description. (Show Details)Apr 1 2023, 12:01 PM
Diskdance updated the task description. (Show Details)Apr 1 2023, 12:03 PM
Naruse_shiroha added a comment.EditedApr 4 2023, 11:35 AM

@Diskdance , I saw you added exmaple of Signal and ProtonVPN, that in China, neither works.

Signal hides "censorship circumvention" switch deeply in "Advanced settings", and it seems to try obfuscating traffic as like connecting to Google, but domains of Google itself are blocked.

ProtonVPN' censorship circumvention doesn't work too. Probably the domains of DoH servers are blocked?

Diskdance added a comment.Apr 4 2023, 12:05 PM

That list is just for everyone's reference. They may not work in China currently, but we can possibly leverage their technique.

BCornwall moved this task from Backlog to Radar/Not for service by Traffic on the Traffic board.May 2 2023, 8:24 PM
Naruse_shiroha added a comment.May 14 2023, 4:00 PM

I recently read this proposal: Streamline the sign-up process for new editors from China.

It made a total of 3 plans:

  1. Automate the IPBE applying process. I am very supportive of this.
  2. Create an official, censored mirror of Wikipedia. I disagree with this.
  3. Let the Wikimedia Foundation spend money to provide VPNs to Chinese users. It must be kidding.

These are all targeted on WWW version of Wikipedia, but in Wikipedia app, it already has a sign up feature, users can take advantage of this if app's domain fronting feature is added.

Naruse_shiroha added a comment.EditedMay 14 2023, 7:02 PM

@Diskdance Ah, I remembered another thing. I don't think we need to worry about the Wikipedia app being removed from the China App Store at all. Because: Wikipedia is blocked in China, on iOS if people want to access it they have to have a VPN, and if he has a VPN, he must have a foreign Apple ID before, because, you know, Almost all VPN apps were removed in China App Store in 2017. So we don't have to worry about users not having an Apple ID outside the region to download the Wikipedia app.

EDIT: If the Wikipedia app is taken down, it won't matter to old users, who already have Apple IDs in other regions. But we might lose some new users who don't have a VPN and don't have an foreign Apple ID. Helpless.

Diskdance mentioned this in T336882: Set up a registration portal page to automate the IPBE application process for Chinese users.Jun 15 2023, 3:13 AM
ZauberViolino subscribed.Jun 15 2023, 7:58 PM

Is the Wikipedia app is available on Apple's App Store? (My iPad region is US so I cannot check it out.) Google Play is blocked. And I don't think the app exists on the app stores Android phone manufacturers provides us with.

BCornwall removed projects: SRE, Traffic.Jun 15 2023, 8:10 PM
Dbrant subscribed.Jun 15 2023, 8:12 PM
In T327286#8936603, @ZauberViolino wrote:

Is the Wikipedia app is available on Apple's App Store? (My iPad region is US so I cannot check it out.) Google Play is blocked. And I don't think the app exists on the app stores Android phone manufacturers provides us with.

Sure, the Wikipedia app is available for iOS on the Apple app store.

And for Android, if you are unable to use the Google Play Store, you may install the app from F-Droid, or if all else fails, download and install the latest APK directly.

ZauberViolino added a comment.Jun 21 2023, 10:01 AM

I checked my friend's App Store and to my surprise the Wikipedia app do exist on China store. F-Droid is not blocked, at least not in my region.

jbond added projects: Traffic, Infrastructure Security, Security.Jun 26 2023, 12:00 PM
jbond subscribed.
Diskdance mentioned this in T301772: Feature request: notify user in specific country/region of blockade of Wikipedia.Aug 9 2023, 4:29 AM
Diskdance added a comment.Oct 1 2023, 9:54 AM

For everyone's info, F-droid has been blocked in China now.

Diskdance updated the task description. (Show Details)Jan 3 2024, 3:08 PM
Restricted Application added a subscriber: Stang. · View Herald TranscriptJan 3 2024, 3:08 PM
Diskdance added a comment.Jan 3 2024, 3:11 PM

Changed description due to this following:

  1. WMF knows how their servers are blocked
  2. Hardcoding IPs are not feasible because IPs can be blocked as well, and WMF rejected the proposal to rotate IPs due to its unsustainability
  3. Needed to emphasize why this is important, and why it's better than other solutions
Diskdance updated the task description. (Show Details)Jan 3 2024, 3:12 PM
Bugreporter mentioned this in T367935: Proposal to build Wikipedia app for HarmonyOS.Wed, Jun 19, 1:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL