ReQrypt - Request Encryption
ReQrypt is an experimental tool for encrypting and tunneling web browser requests so third parties cannot read them. ReQrypt can be used for:
- bypassing provider-level URL filtering (censorship) systems;
- bypassing provider-level forced proxy-ing systems; and
- bypassing provider-level URL logging and data retention systems.
ReQrypt - How it works
When you enter a URL, such as "http://reqrypt.org/home.html", into the address bar of your browser, the following sequence of events occurs:
- Your browser sends a web request to the server reqrypt.org asking it to fetch the content at URL "reqrypt.org/home.html".
- If the URL is valid, the server sends a web response containing the content of the webpage back to your browser.
Normally web requests are sent directly to web servers, and web responses are sent directly back in the other direction.
Most provider-level filtering systems work by intercepting unencrypted web requests and sending "fake" responses instead of the actual web content. The fake content is typically a block page, or a forged HTTP error message such as 404 Not Found. ReQrypt works by diverting your web requests via an encrypted tunnel that cannot be read by your local provider. This configuration is known as "triangular routing".
Since the provider (or other snooper) cannot see the web request, they cannot filter the web request, which will arrive at the web server unchanged. The web response, and not the "fake" web response, is sent back to your browser via the normal route. This is effective since most provider-level filtering and logging systems only monitor the outbound web requests, and will ignore the inbound web responses.
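The following is an added example, not ReQrypt's own code: a simplified model of an outbound-only URL filter, showing the direct path and the triangular path side by side. The blocklist, key, sample request and the SHA-256 keystream cipher are constructed stand-ins chosen for illustration.

```python
import hashlib

# Constructed sample data; the blocklist entry, key and pages are illustrative.
BLOCKLIST = {"reqrypt.org/home.html"}
BLOCK_PAGE = b"HTTP/1.1 404 Not Found\r\n\r\nblocked by provider"
REAL_PAGE = b"HTTP/1.1 200 OK\r\n\r\nhome page"
REQUEST = b"GET /home.html HTTP/1.1\r\nHost: reqrypt.org\r\n\r\n"
KEY = b"constructed-demo-key"

def extract_url(payload):
    """What a URL filter does: recover host + path from a cleartext request."""
    try:
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None  # not readable as HTTP
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip() + parts[1]
    return None

def provider_outbound(payload):
    """Outbound-only filter: forged response for a blocked URL, else None (forward)."""
    return BLOCK_PAGE if extract_url(payload) in BLOCKLIST else None

def web_server(payload):
    found = extract_url(payload) == "reqrypt.org/home.html"
    return REAL_PAGE if found else b"HTTP/1.1 404 Not Found\r\n\r\n"

def keystream_xor(key, data):
    """Stand-in cipher (SHA-256 counter keystream), NOT ReQrypt's real encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def direct(request):
    forged = provider_outbound(request)
    return forged if forged is not None else web_server(request)

def triangular(request, key):
    tunneled = keystream_xor(key, request)    # client encrypts the request
    forged = provider_outbound(tunneled)      # provider sees only opaque bytes
    if forged is not None:
        return forged
    forwarded = keystream_xor(key, tunneled)  # tunnel server decrypts and forwards
    return web_server(forwarded)              # response returns via the normal route
```

Calling direct(REQUEST) returns the forged block page, while triangular(REQUEST, KEY) returns the real page because the filter never recovers a URL from the tunneled bytes.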
ReQrypt - Features
ReQrypt works very differently from more traditional methods for bypassing filtering and logging systems. Most systems, such as proxy servers, VPNs, and Tor, tunnel web traffic in both directions. In contrast, ReQrypt only tunnels traffic in the outbound web request direction, and leaves the inbound web response direction unchanged.
This has the following implications:
- Fast: ReQrypt is faster than other tunneling systems because web responses are sent via the normal route. When ReQrypt is working well it can sometimes be difficult to tell that it is even enabled.
- Free: Web request traffic is typically much smaller than web response traffic, meaning that it is much cheaper to run a ReQrypt tunneling server. This means we can offer a tunneling server for free. (Or as long as ReQrypt does not get too popular.)
- Keeps IP address: Unlike tunnels that work in both directions, ReQrypt does not change your IP address. This also means that ReQrypt is not an anonymity tool.
ReQrypt - Effectiveness
ReQrypt is effective against most kinds of provider-level filtering, proxy-ing and data retention technologies used in western democracies. The exact ReQrypt configuration depends on what kind of technology you wish to defeat. This is summarized in the following table:
| Technology | Effective | Description and ReQrypt configuration |
|---|---|---|
| DNS poisoning | ✗ | ReQrypt is overkill for DNS poisoning. Instead reconfigure your system to use a different DNS server, such as Google Public DNS. |
| DNS blocking | ✓ | This occurs when your provider blocks access to alternative DNS servers. In this case reconfigure your system to use a different DNS server, then run ReQrypt with "Do not hide HTTP traffic" and "DNS Hiding" modes enabled. |
| IP address blocking | ✓ | Provider blocks certain IP addresses. Use ReQrypt with "Hide all HTTP traffic" mode enabled. |
| Proxy-ing | ✓ | Provider forces all HTTP traffic through proxy servers. In some cases ReQrypt can completely bypass the proxy servers with "Hide all HTTP traffic" mode enabled. |
| Hybrid proxy-ing | ✓ | Provider forces some HTTP traffic through proxy servers based on IP address. As above, use ReQrypt with "Hide all HTTP traffic" mode enabled. |
| Hybrid filtering | ✓ | Provider blocks access to certain URLs at the network level using Deep Packet Inspection (DPI). For network-level filtering only the URLs need to be hidden. Use ReQrypt with "Hide HTTP URL traffic only" or "Hide partial HTTP URL traffic only" modes enabled. |
| Mirror filtering | ✓ | This is similar to hybrid filtering except the provider copies (mirrors) rather than selectively redirects packets. As above, use ReQrypt with "Hide HTTP URL traffic only" or "Hide partial HTTP URL traffic only" modes enabled. |
| URL sniffing | ✓ | Provider is sniffing packets to extract URLs for logging or data-retention purposes. Use ReQrypt with "Hide HTTP URL traffic only" mode enabled. |
| Strong filtering | ✗ | The various strong filtering methods used in countries like China or Iran. ReQrypt is generally ineffective against such systems since they typically block or severely restrict inbound traffic. |
ReQrypt should work behind most NATs, but some may experience problems.
ReQrypt - Further Reading
The following additional information about ReQrypt is available:
- ReQrypt Documentation -- The ReQrypt manual.
- ReQrypt Quick Start Guide -- How to install and run ReQrypt (Windows 7).
- ReQrypt Case Study -- Using ReQrypt against a real-world ISP-level filtering system.
ReQrypt - Download
ReQrypt version 1.0 is available for download:
- reqrypt_1.0_amd64.deb: Debian (Ubuntu) package for 64-bit Linux.
- reqrypt-1.0-linux64.sh: Stand-alone executable for 64-bit Linux.
- reqrypt-1.0-macosx64.sh: Stand-alone executable for 64-bit MacOSX.
- reqrypt-1.0-win64-install.exe: Installer for 64-bit Windows Vista, Windows 7, and Windows 8. Note: Windows XP is not supported.
- reqryptd_1.0_amd64.deb: Debian package for 64-bit Linux.
ReQrypt is an open source project released under GNU GPL VERSION 3.
ReQrypt - Spin-off projects
- WinDivert - Divert sockets for Windows.