Re: [tor-bugs] #7141 [Censorship analysis]: How is Iran blocking Tor? (was: How is Pars Online blocking Tor?)
#7141: How is Iran blocking Tor?
------------------------------------------+---------------------------------
Reporter: phw | Owner: phw
Type: task | Status: new
Priority: normal | Milestone:
Component: Censorship analysis | Version:
Keywords: dpi, censorship, block, iran | Parent:
Points: | Actualpoints:
------------------------------------------+---------------------------------
Description changed by phw:
Old description:
> Some users reported that the Iranian ISP
> "[https://en.wikipedia.org/wiki/Pars_Online Pars Online]" is (partially?)
> blocking Tor.
>
> One user looked into it and believes that Tor is identified based on the
> server_name extension in the TLS client hello. It looks like DPI boxes
> extract the domain and do a DNS lookup for it. If the domain resolves and
> the relay/bridge is listening on port 443, the connection passes.
> Apparently, an omitted server_name or a server_name rewritten to
> `www.google.com` passed the filter.
>
> Obfsproxy seems to work.
>
> Some open questions:
>
> * Can we reproduce and verify the existing hypothesis?
> * Is this an attempt to only allow HTTPS and no other SSL/TLS-based
> protocols? Or is it targeting only Tor?
> * Can we modify [https://gitweb.torproject.org/brdgrd.git brdgrd] to
> evade the server_name extraction?
> * Is this type of block limited to Pars Online?
New description:
Note that currently it looks like there might be more than just one
filtering technique in place. The following was the initial report
describing one possible filtering technique and
[https://trac.torproject.org/projects/tor/ticket/7141#comment:7 this
comment] describes another technique.
----
Some users reported that the Iranian ISP
"[https://en.wikipedia.org/wiki/Pars_Online Pars Online]" is (partially?)
blocking Tor.

One user looked into it and believes that Tor is identified based on the
server_name extension in the TLS client hello. It looks like DPI boxes
extract the domain and do a DNS lookup for it. If the domain resolves and
the relay/bridge is listening on port 443, the connection passes.
Apparently, an omitted server_name or a server_name rewritten to
`www.google.com` passed the filter.

Obfsproxy seems to work.

Some open questions:

* Can we reproduce and verify the existing hypothesis?
* Is this an attempt to only allow HTTPS and no other SSL/TLS-based
protocols? Or is it targeting only Tor?
* Can we modify [https://gitweb.torproject.org/brdgrd.git brdgrd] to
evade the server_name extraction?
* Is this type of block limited to Pars Online?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7141#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online