2012-fifield-evading
findings extracted from this paper
-
Flash proxies successfully relayed Tor traffic from within China in December 2011, but the test relied on a simple HTTP-based rendezvous blockable by IP address; the authors identify rendezvous — getting just a few bytes (the client's IP address) out of the censored region — as the bottleneck that determines whether the entire proxy system remains operational.
-
Because browser-based proxies can only initiate outbound connections, flash proxies connect to censored clients rather than the reverse, requiring the facilitator to maintain a registry of client IP addresses; a censor can impersonate a legitimate flash proxy to query the facilitator and enumerate the IP addresses of circumvention users.
-
Applying Little's law to measured traffic parameters (mean inter-arrival time 1/λ = 1407.6 s, mean visit duration µ = 285.8 s), 100 volunteer web pages each embedding the flash proxy badge can support approximately 203 simultaneous censored clients; capacity scales linearly, so 1,000 such pages support ~2,030 clients.
-
Flash proxies provide mean throughput of 79.7 KB/s when uninterrupted — comparable to direct Tor (69.5 KB/s) — but throughput drops to 56.6 KB/s (20–40% lower) when proxies alternate on 8-second duty cycles, with most variance attributable to Tor circuit reconstruction overhead rather than transport switching.
-
Flash proxy tunnels carry inherent network-level fingerprints that survive application-layer obfuscation: WebSocket connections begin with a plaintext HTTP upgrade handshake followed by structured binary framing, and Flash socket connections open with a crossdomain XML policy request — both are distinguishable from ordinary TCP by a DPI middlebox.