Re: [tor-bugs] #20348 [Metrics/Censorship analysis]: Allot Communications blocking of vanilla Tor, obfs4, and meek in Kazakhstan, starting 2016-06
#20348: Allot Communications blocking of vanilla Tor, obfs4, and meek in
Kazakhstan, starting 2016-06
-----------------------------------------+--------------------------
Reporter: dcf | Owner:
Type: project | Status: reopened
Priority: Medium | Milestone:
Component: Metrics/Censorship analysis | Version:
Severity: Normal | Resolution:
Keywords: censorship block kz | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------------------+--------------------------
Comment (by dcf):
Replying to [comment:174 dcf]:
> Replying to [comment:159 dcf]:
> > Replying to [comment:156 cypherpunks]:
> > > Redirect generated by KZ box for blocked site:
> > > https://paste.debian.net/plainh/39d8508f
> > > (can't paste here for spam filter block)
> >
> > {{{
> > HTTP/1.1 302 Found\r\n
> > }}}
>
> kzblocked found a similar 302 redirect in a Stack Overflow question, apparently from a www.google.co.in frontend server:
>
> https://stackoverflow.com/questions/29861189/302-found-response-for-google-com
> {{{
> HTTP/1.1 302 Found
> Cache-Control: private
> Content-Type: text/html; charset=UTF-8
> Location: http://www.google.co.in/?gfe_rd=cr&ei=Uhw7Vbe6H_PI8Ae_qICIBA
> Content-Length: 261
> Date: Sat, 25 Apr 2015 04:47:14 GMT
> Server: GFE/2.0
> Alternate-Protocol: 80:quic,p=1
>
> <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
> <TITLE>302 Moved</TITLE></HEAD><BODY>
> <H1>302 Moved</H1>
> The document has moved
> <A HREF="http://www.google.co.in/?gfe_rd=cr&ei=Uhw7Vbe6H_PI8Ae_qICIBA">here</A>.
> </BODY></HTML>
> }}}
>
> The header is rather different; also notice `302 Moved` rather than `302 Found` in the HTML body.
I thought that this google.co.in response was a fluke; but it seems to be
representative of Google's geolocation redirects. I just now captured one
for www.google.nl by requesting www.google.com through Tor:
{{{
(echo -n $'GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n'; cat) |
torsocks -i ncat --ssl -v www.google.com 443
}}}
The exact file: attachment:20170615-google.nl-302.http. Here it is with
whitespace visualized (including both `\n` and `\r\n` line endings):
{{{
HTTP/1.1 302 Found\r\n
Cache-Control: private\r\n
Content-Type: text/html; charset=UTF-8\r\n
Referrer-Policy: no-referrer\r\n
Location: https://www.google.nl/?gfe_rd=cr&ei=eyhDWYnWEIzHsAHJ3biIBw\r\n
Content-Length: 259\r\n
Date: Fri, 16 Jun 2017 00:38:19 GMT\r\n
Alt-Svc: quic=":443"; ma=2592000; v="38,37,36,35"\r\n
\r\n
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">\n
<TITLE>302 Moved</TITLE></HEAD><BODY>\n
<H1>302 Moved</H1>\n
The document has moved\n
<A HREF="https://www.google.nl/?gfe_rd=cr&ei=eyhDWYnWEIzHsAHJ3biIBw">here</A>.\r\n
</BODY></HTML>\r\n
}}}
Now, this response is quite similar to the injected KZ censorship response
from comment:159, including whitespace and capitalization quirks, but
there are some differences. Here is a diff of the two responses.
{{{#!diff
--- Google 2017-06-15 17:39:18.799403353 -0700
+++ KZ 2017-06-15 17:39:47.215466524 -0700
@@ -1,15 +1,12 @@
HTTP/1.1 302 Found\r\n
-Cache-Control: private\r\n
+Content-Length: 210\r\n
+Location: http://92.63.88.128/?NTDzLZ\r\n
Content-Type: text/html; charset=UTF-8\r\n
-Referrer-Policy: no-referrer\r\n
-Location: https://www.google.nl/?gfe_rd=cr&ei=eyhDWYnWEIzHsAHJ3biIBw\r\n
-Content-Length: 259\r\n
-Date: Fri, 16 Jun 2017 00:38:19 GMT\r\n
-Alt-Svc: quic=":443"; ma=2592000; v="38,37,36,35"\r\n
\r\n
<HTML><HEAD><meta http-equiv="content-type"
content="text/html;charset=utf-8">\n
-<TITLE>302 Moved</TITLE></HEAD><BODY>\n
-<H1>302 Moved</H1>\n
+<TITLE>302 Found</TITLE></HEAD><BODY>\n
+<H1>302 Found</H1>\n
The document has moved\n
-<A
HREF="https://www.google.nl/?gfe_rd=cr&ei=eyhDWYnWEIzHsAHJ3biIBw">here</A>.\r\n
+<A HREF="http://92.63.88.128/?NTDzLZ">here</A>\n
</BODY></HTML>\r\n
+\r\n
}}}
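Review bot: at `-<A` followed by `HREF="https://www.google.nl/?gfe_rd=cr&ei=eyhDWYnWEIzHsAHJ3biIBw">here</A>.\r\n`, and at `<HTML><HEAD><meta http-equiv="content-type"` followed by `content="text/html;charset=utf-8">\n`, the second line of each pair is a wrap continuation with no diff marker of its own, so the `HREF=` line reads as unchanged context although it belongs to the removed Google line. Keeping each response line unwrapped in the diff, or pointing readers at the attached capture file for the byte-exact comparison, would keep the `-`/`+` markers aligned with the `\r\n` and `\n` end-of-line annotations that the comparison depends on.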
The differences are:
1. Google uses `302 Found` in the status-line but `302 Moved` in the
body; KZ uses `302 Found` in both places.
2. The set of headers and their order are different. Google has
`Content-Type` before `Location` but KZ has it the other way around.
3. Google's `Content-Length` is correct while KZ's
[[comment:202|is wrong]].
4. Google says `here</A>.\r\n` while KZ says `here</A>\n` (removes the
dot and changes the line ending).
5. KZ ends with an additional `\r\n`.
It almost looks like the KZ firewall was trying to imitate the Google
redirect, but didn't quite succeed.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20348#comment:203>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
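
The five differences listed in the comment above, written as checks over raw response bytes. This is an added example, not part of the original comment or of any Tor Project code; both sample responses are constructed from the structure shown above with placeholder URLs, and the function and key names are assumptions.

```python
import re

def parse(raw: bytes):
    """Split a raw response into status line, ordered (name, value) headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.split(b"\r\n")
    headers = [tuple(p.strip() for p in l.split(b":", 1)) for l in lines if b":" in l]
    return status, headers, body

def fingerprint(raw: bytes) -> dict:
    """One boolean per listed difference; True means 'matches the KZ-style response'."""
    status, headers, body = parse(raw)
    names = [k.lower() for k, _ in headers]
    values = {k.lower(): v for k, v in headers}
    title = re.search(rb"<TITLE>(.*?)</TITLE>", body)
    both = b"location" in names and b"content-type" in names
    return {
        "title_repeats_status": bool(title) and title.group(1) == status.split(b" ", 1)[1],
        "location_before_content_type": both and names.index(b"location") < names.index(b"content-type"),
        "content_length_wrong": int(values.get(b"content-length", b"-1")) != len(body),
        "no_dot_lf_after_anchor": b"here</A>\n" in body,
        "extra_trailing_crlf": body.endswith(b"</HTML>\r\n\r\n"),
    }

# Constructed samples modelled on the two responses in the comment (placeholder URLs).
BODY = (b'<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">\n'
        b"<TITLE>302 %s</TITLE></HEAD><BODY>\n<H1>302 %s</H1>\nThe document has moved\n"
        b'<A HREF="%s">here</A>%s</BODY></HTML>\r\n%s')
g_body = BODY % (b"Moved", b"Moved", b"https://redirect.example/?x=1", b".\r\n", b"")
k_body = BODY % (b"Found", b"Found", b"http://blockpage.example/?x", b"\n", b"\r\n")
GOOGLE_STYLE = (b"HTTP/1.1 302 Found\r\nCache-Control: private\r\n"
                b"Content-Type: text/html; charset=UTF-8\r\n"
                b"Location: https://redirect.example/?x=1\r\n"
                b"Content-Length: %d\r\n\r\n" % len(g_body)) + g_body
# Content-Length is deliberately understated here; the comment says KZ's value is wrong.
KZ_STYLE = (b"HTTP/1.1 302 Found\r\nContent-Length: %d\r\n"
            b"Location: http://blockpage.example/?x\r\n"
            b"Content-Type: text/html; charset=UTF-8\r\n\r\n" % (len(k_body) - 14)) + k_body

if __name__ == "__main__":
    for label, raw in (("google-style", GOOGLE_STYLE), ("kz-style", KZ_STYLE)):
        print(label, fingerprint(raw))
```

The checks need the response exactly as received, since three of the five depend on `\r\n` versus `\n` and on the trailing bytes.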