Home Technical Report CoverUp Data Source Code General Setup External application + Message Feed Messenger Interactive browser


Strengthening Anonymous Communication via Passive Participation



Anonymous communication networks (ACNs) are basic building blocks for obtaining or exchanging data in a privacy-preserving manner. ACNs suffer from a bootstrapping problem: having few users leads to a small anonymity set, which renders the ACN unattrac- tive. We propose a system, CoverUp, that tackles the bootstrapping problem for ACNs. The key idea is to draw in non-ACN users from a collaborating website to connect to an ACN after an informed consent via a JavaScript snippet, thereby triggering them to passively participate (as passive participants). CoverUp implements a privacy-preserving broadcast with a downlink rate of 10 to 50 Kbit/s that renders the traffic of these passive participants indistinguishable from active participants. If this broadcast is accessed via an ACN with a constant-rate traffic pattern, CoverUp contributes active participants with legitimate-looking traffic, thus helping in bootstrapping the ACN. To protect active participants from potentially incriminating broadcast-data, an additional application is needed to extract any information from CoverUp’s broadcast. The indistin- guishability guarantee of CoverUp for broadcasts holds against global network-level attackers that control ev- erything except for the user’s machine. In addition, as long as active participants do not change their surfing behavior on these websites due to CoverUp, they hide their participation time, i.e., do not leak the time at which they listen to the broadcast, which counters intersection and statistical disclosure attacks. As passive participation raises ethical and legal concerns for the collaborating websites and the participants, we discuss these concerns and describe how they can be addressed.

We extend CoverUp to bi-directional point-to-point communication (e.g., messengers) with an up- and downlink rate of 10 to 50 Kbit/s. Bi-directional CoverUp can offer users of ACNs with constant-rate traffic an additional entry point that hides their participation time (as above). The indistinguishability for bi-directional CoverUp requires the integrity of the JavaScript snippet, for which we introduce a trusted party. We give evidence that with a latency of 3 seconds (including the random delays) the timing leakage is undetectable, even after a year of continual observation. As long as the timing leakage is undetected, bi-directional CoverUp achieves the same properties as for broadcasts against network-level attackers that control everything except for the user’s machine and the trusted party.

Back to top

Technical Report

Back to top

CoverUp Measurement Data

Download (11M)

Back to top

General Setup

The CoverUp back-end is not running currently. Feed and Chatting capablities are not provided. Please set-up a server yourself. Code and instructions are available here

This prototype implementation demonstrates both Message Feed (uni-directional) and Chat (bi-directional channel). The Message Feed works both with Mozilla Firefox and Chromium (or Google Chrome). However, the bi-directional channel (the messenger) works with Chromium only.

To get the prototype working, follow these steps:

  1. Download the Coverup external software package from the following links (depending on your operating system):

    Windows 32 bit

    Windows 64 bit

    Linux 32 bit

    Linux 64 bit

  2. Download the Chromium extension secure_ext.crx and install it as follows:
  3. Install and open Chromium, navigate to

    "Settings → Extensions".

    Use drag-and-drop to install the extension file (click on the extension file "secure_ext.crx" in your file browser, keep the mouse button pressed down, and drag it to the Chromium extension window where you release the button).
  4. In Chromium: visit our sample entry server page here

Now a data packets is downloaded. For this demo, we set the parameters according to the specification in our technical report. The iframe waits a random amount of seconds uniformly distributed in [1,5] seconds, before it dispatches the first request. After this, it requests periodically data again uniformly distributed in [1,5] seconds. To read the feed or to use the bidirectional channel, you need to start the external application:

Now we provide step by step instructions to run CoverUp external application. We divided the instructions into three sections: Message Feed, Messenger and Interavtive Browsing.

Back to top

Starting External Application and receiving Message Feed

  1. Execute the CoverUp.jar file by either double clicking it or in console "java -jar NinjaPumpkin< platform >.jar". Make sure you have Java version 1.8 and Python27 installed. ( important : windows users are needed to run the application with admin privilege)
  2. You will see this following window. Select the option BROWSER_NATIVE_MESSAGE to select Google Chrome as the primary browser for messenger (bi-directional channel). In this mode, the application listen on the TCP port 56789 from the browser extension to receive information. BROWSER_FIREFOX is for settting Mozilla Firefox but is implemented to receive the unidirectional message feed only. BROWSER_CHROME selects Google chrome as the primary browser for unidirectional message feed on. Both BROWSER_CHROME and BROWSER_FIREFOX polls the localstorage database (cache database of the browser located in the disk) to fetch information. We strongly recommend use BROWSER_CHROME option as the latter is in experimental stage.

    After clicking "Select", a file dialog may appear if the you have more than one Chrome profile in your system. In such case choose the one which is currently active. You will see a file prowser like this:

  3. application failed to detect Chrome's default cache location. In such case navigate to
    • "C:\Users\< YOUR USER NAME >\AppData\Local\Chromium\User Data\Default" and select "Local Storage" directory and press OK if you are using Windows OS.
    • Or put "/home/< YOUR USER NAME >/.config/chromium/Default/Local Storage/" on the text box and press OK if you are using any Linux distribution.
    Only feed user ( no bi-directional channel supported) can also use Firefox as the default browser. In such case if automactic profile discovery fails, do the following depending on your operation system.
    • "C:\Users\< YOUR USER NAME >\AppData\Roaming\Mozilla\Firefox\Profiles" directory and select the active profile if you are using Windows OS.
    • "~/.mozilla/firefox/ directory and select the active profile if you are using any Linux distribution.
  4. After this, the main window of the application will appear. On the top, there is a text box where we already have put the public key of CoverUp server.

  5. Click the button "Set Server PK".

  6. Click the button "Start Polling" at the bottom left corner. After clicking it will turn to "Stop Polling" and there will be an animation at the left side confirming the polling process is executing. This indicates that the program tries to fetch droplets from Chrome's permanent storage.

  7. You can also see the current polling state and error messages by going to "Settings" → "Show Polling Window menu".

  8. This will open a new window named "Database polling" showing the polling information. You can also close this window. To stop the polling, click on the "Stop Polling" button at the bottom left corner of the main window.

  9. Click "Load Table" button which loads the list of feed data available from the CoverUp server along with the details. The source gives the identifier of the JavaScript code which communicates with the CoverUp server. We have now place two text data on the CoverUp server for testing purpose which are visible on the screen-shot.

  10. Clicking on the "Go" button on any of the table rows will open a new window which shows the assembled droplets of the feed fountain. Click on the "Assemble" button (2nd from the left). In case you have collected insufficient droplets in your local storage, it will show you that there are not enough droplets. Otherwise you will see a message box lke the one displayed in the screen-shot. The message box also provides information such as how many droplets are there on the local storage and how many were utilized to reassemble the data.

  11. Shows the assembled feed data.

  12. To view the old feed stored in yoor system, go to cool stuff → feed viewer

Back to top

Messenger Application

  1. Both the chat application in interactive browsing depend on the Chromium browser extension. The communication between the application and the extension is executed via native messaging. This requires some initial setup: First, restart the External Java Application in the mode BROWSER_NATIVE_MESSAGE instead of BROWSER_CHROME. Second, install the required NativeMessaging files. To automate this process go to settings → Native Messaging Setup. On Windows, this will prompt you to select the python.exe file. On Linux, you need python installed (and accessible in a directory listed in the corresponding $PATH environment vaiable) which should be a part of the default configuration of most Linux distributions.

  2. Go to the menu bar at the top, select "Cool stuff" → "Messenger"

  3. Selecting the "Messenger" will open the chatting window.

  4. To set up the chatting, we need to first understand how the chatting infrastructure works. Open the file APP_DATA which is located where the NinjaPumpkin<platform>.jar is located. Navigate to the "chat" directory. "KeyFile.key" is already generated by the application which is your credential containing your public address, public key and private key. Keep this file secure. Without this file any chat directed to you would be irrecoverable. Provide the public key to the people to who want to send messages to you. "PkList.txt" is a empty file where you have to provide the public keys of the people you want to chat with. "LOGS" contains older chat in plain text as a backup.

  5. This is a snapshot of "pkList.txt". The public keys generated by the CoverUp application are encoded in Base64 format. You can add a new public key by putting it into the text field named "remote public key" and press the button "Add Remote PK". Alternatively you can add a new public key in the file "pkList.txt", each in a new line.

  6. This is a snapshot of your key file in JSON format. address is your public address, sk and pk are your private and public key respectively. Keep this file as a backup in a separate location. You should give the pk to the people whom you want to chat with.

  7. Now go to the chat application, there is a drop down menu which lists all the public keys in your list including unlisted public keys where you received at least one chat. Switch to different addresses to record chat.

  8. Select an address, write in the text box located at the bottom, when you write, the app will also track how much you are writing (marked on the top). Currently we send 512 characters in chat outgoing packets.

  9. Hit the dispatch button. In case the browser extension is not running it will show you an error message.

Back to top

Interactive Browsing Mode

  1. First Press the button "Dump Table" button at the main window (2nd from the right most button). This will save a copy of the fountain table on the CoverUp application's local storage for interactive browsing purpose. Then go to the top menu button "Cool Stuff → Covert Browsing. For Mac OS/X users a separate jar file is provided for the interactive browsing (download from Here)

  2. A new window will open which will invoke a native instance of the default web browser of the operating system you are using.

  3. Click the button "Load Covert site Tree" which will load the the covert site map (over view of the interactive website delivered by CoverUp server in a tree like data structure). The root node of the tree will appear (ROOT) on the panel right below the previously mentioned button.

  4. Clicking on "ROOT" will expand the entire tree. In the test version we only kept 9 documents under the main directory which forms a single level tree. Note that on the first instance all the nodes will be colored as red which denotes that there are no interactive data available on the local storage of the CoverUp application installation.

  5. Clicking on one of the nodes (marked in red) will add to the list of request to be dispatched. Which is shown on the top right corner(highlighted).

  6. You can also modify your selection of web pages by clicking the "Modify" button. Which will bring a new window where you can delete a web page request by clicking on it and select the "Delete" button.

  7. After that press the "Dispatch" button which will communicate with the Chrome CoverUp extension and send the selected web page request. In case the chrome extension is not running, it may send an error message shown in the screen-shot.

  8. When you start receiving interactive browsing data, you will see some of the red nodes turned black on the next startup of the browsing window. One such example is shown in the screen-shot.

  9. Clicking on the node will render the page.

Back to top
Back to top