Flash proxies: circumventing Internet censorship with Tor

Martin Brinkmann
Mar 29, 2013
Updated • Mar 29, 2013
Encryption, Internet

Depending on where you live, you may not be able to access select websites or services available on the Internet. This is not limited to countries where you would expect Internet censorship to exist, China, Iran or North Korea for example, but lately many European countries too have started to block sites, usually based on commercial interests rather than political or religious interests.

To circumvent Internet censorship, users need to use a proxy, virtual private network or other means that helps them access the blocked contents. The Tor project and its Tor software is one of those solutions and while it may work great most of the time, its public nature on the other hand provides censors with the means to blacklist the service's relays easily and bridges, unlisted relays, get blocked easily when they are discovered.

Instead of playing a cat and mouse game with censors, by adding new static IP bridges to the network, Stanford researchers came up with a concept they call Flash Proxy or Proxies. The idea here is to tap into the vast IP address pool of regular Internet users to use them as a proxy to connect to existing bridges and the Tor network.

The process is explained in detail on the official project website. You may ask yourself how this initial connection between the censored user (the client) and the Flash proxy is established. The researchers came up with badges that are added to websites.  Webmasters can configure the script to ask visiting users explicitly whether they want to act as a proxy, or make them proxies right away. I highly suggest the first option to give users full control over it. Despite the name Flash Proxies, the current implementation uses JavaScript and WebSockets only.

The badge communicates with the facilitator to find the addresses of clients that need a connection. Once it has a client address, it connects to the client transport plugin running on the Tor relay, and begins proxying data between them. The badge itself runs in the background and has no impact on the visitor's interaction with the volunteer site.

Censored users need to download a Tor browser bundle from the Internet and run it afterwards. They also need to setup port forwarding in their router for this to work.

You can visit a site like the one that is hosting the project to start acting as a proxy for users in countries where Internet traffic is heavily censored.  A Firefox extension and Chrome extension is available as well to turn your PC into a bridge if activated.

What is certainly interesting in this regard is that the service can be configured to automatically connect to other addresses without explicit permission by the user. (Thanks bastik for the tip and the excellent explanations).

Update: To clarify the last sentence. Websites can make your browser connect to other addresses without explicit permission, this is independent from the Flash Proxies script or any other script making use of the method. If you want to prevent that, you need to disable Websockets in the browser for now.

Firefox users can type about:config, enter network.websocket.enabled in the search and double-click the parameter to turn Websockets on (true) or off (false).

Chrome users can run the browser with the startup parameter --disable-web-sockets to do the same.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. mehdi said on April 1, 2013 at 1:37 pm

    I wanted a strong proxy.

  2. SubgeniusD said on April 1, 2013 at 4:39 am

    For readers unfamiliar with The Onion Router (TOR) project Steve Gibson of Security Now has covered the subject thoroughly in a couple of Twit episodes – the latest, Tor 2.0, March 6 2013. He has a knack for making impossibly technical subjects fairly easy to digest. Transcripts are available on his site if you’d rather read it.



  3. Dan said on March 30, 2013 at 9:14 am

    I first used Tor on Windows June 2012; ran a bridge which worked for low-traffic folks all over the globe; lasted two weeks, and ever since Comcast lets ME use Tor if I want (for myself without helping truly censored it’s waaayyy too slow) but blocks bridge incoming; still following some Tor in-house forums, lots of folks around world/USA getting stomped on for being DCMA/similar “violating” exit nodes; a number of spam watcher orgs have whole special sections to pick on Tor IPs and post to blocking IT world; and not even Bruce Schneier thinks Tor hardly keeps any true IP THAT secret (http://www.schneier.com/blog/archives/2011/03/identifying_tor.html).

    On the other hand, something called “SafeIP” is out there as an upgradeable vpn; in the never-expires FREE version, it alters all browser traffic to a Google DNS, can stop ads from playing on top of YouTube videos/web ads, gives a wide range of Asian/European/USA IPs to choose from (NONE of which yet exist in any IP-tracker group I checked), changes browser AND operating system by algorithyms, purports to block malware, and IS blazing fast on most IPs…with eternal UNLIMITED FREE BANDWIDTH USE!

    Trying it last week, I found this so, but also that its install files show it’s a Komodia Redirector-designed vpn with provider ability to sniff SSL throughput, has that much of Komodia Watchdog causing persistence w/o ability to spot/remove if uninstalled, can stop PC from shutting down, and runs silent background controllers (per GMER scans) even if exited; the only human name anything gives re “SafeIP” is Luc Peters (?) in Switzerland at a Bachstrasse mail forwarding company; “SafeIP” on route trace appears nested at the fake Chicago IP as in app. For a fee, one can upgrade to protect torrents and even change MAC addresses.

    It seems the choices today are use corporate vpns, or either “hide” in IPs every net watcher is gunning for, or trust too-good-to-be-true Israeli Intelligence Corps-grade offered for free with unlimited use by shadows who just want to downplay SSL sniffing and silent use of YOUR computer as if you.

    Lastly, watch out for free/cheap vpns; even if Tor and SafeIP did/do work, thay both leave PC and router ports 21 up through 443 “closed” rather than “stealth” when in use/post uninstallation…any ping from anywhere can find you then.

  4. Aram said on March 29, 2013 at 2:07 pm

    Thank you for your prompt reaction.
    I just restored the “places.sqlite” and bookmarks files from my weekly backup. And guess what, everything works fine again. Sorry to have bothered you.

  5. Aram said on March 29, 2013 at 1:49 pm

    I said:
    “Live Bookmark feed failed to load” in Firefox 19.02. Since a few days. Was never an issue before.
    To prevent any misunderstanding: Only your feed “https://www.ghacks.net/feed/” fails.

    1. Martin Brinkmann said on March 29, 2013 at 1:50 pm

      Which feed address are you subscribed to?

  6. Aram said on March 29, 2013 at 1:46 pm

    “Live Bookmark feed failed to load” in Firefox 19.02. Since a few days. Was never an issue before.

  7. jasray said on March 29, 2013 at 11:47 am

    I use the tor.exe alone as a socks proxy. Simple, effective. Forward DNS requests in FF.

  8. Leaving The G said on March 29, 2013 at 8:34 am

    Why can’t I see the whole article in the RSS feed?
    Oh no, GHacks is going the way of Engadget and co.
    Shortening the RSS feed is a “No! No!!” in my books.
    Fare thee well.

    1. SubgeniusD said on April 1, 2013 at 4:12 am

      I can see the full article in my main feedreader (Opera) as well by clicking on the entry which opens the article locally.

      That’s a really lame reason to stop subscribing to a site of this depth and quality IMO.

    2. Martin Brinkmann said on March 29, 2013 at 9:19 am

      I have not changed anything and I can see it in full in my RSS reader.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.