[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] [Report] Investigating TLS blocking in India


Today OONI and India's Centre for Internet & Society (CIS) published a
joint report investigating TLS blocking in India.

You can read the report here: https://ooni.org/post/2020-tls-blocking-india/

This investigation sought to understand whether there were cases of TLS
blocking that were not only caused by the value of the Server Name
Indication (SNI) field in the ClientHello TLS message, but also by the
destination IP address. This was part of our efforts to expand our SNI
blocking methodology (discussed here:

To this end, we wrote and ran a series of experiements (that will
eventually be integrated into the OONI Probe measurement engine) to
measure the blocking of four domains (facebook.com, google.com,
collegehumor.com, and pornhub.com) on three popular Indian ISPs: ACT
Fibernet (fixed line), Bharti Airtel, and Reliance Jio (mobile).

We recorded SNI-based blocking on both Bharti Airtel and Reliance Jio.
We also discovered that Reliance Jio blocks TLS traffic not just based
on the SNI value, but also on the web server involved with the TLS

We also noticed that ACT Fibernet’s DNS resolver directs users towards
servers owned by ACT Fibernet itself. Such servers caused the TLS
handshake to fail, but the root cause of censorship was the DNS.

We also found that one of the tested endpoints (for
collegehumor.com:443) does not allow establishing a TCP connection from
several vantage points and control measurements. Yet, in Reliance Jio,
we saw cases where the connections to such endpoints completed
successfully and a timeout occured during the TLS handshake. This is
likely caused by some kind of proxy that terminates the TCP connection
and performs the TLS handshake.

Please share our research with your networks:


~ OONI team.

Maria Xynou
Research & Partnerships Director
Open Observatory of Network Interference (OONI)
PGP Key Fingerprint: 2DC8 AFB6 CA11 B552 1081 FBDE 2131 B3BE 70CA 417E

Attachment: signature.asc
Description: OpenPGP digital signature

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to