Tor censorship 2012, OONI

Tor and Censorship: How governments have censored Tor and how packets are set free. Saturday, June 30, 12

description

A summary of Tor Censorship in the first half of 2012 and the OONI project. Talk given at Hackmeeting 0x0F 2012 in L'Aquila.

Transcript of Tor censorship 2012, OONI

Page 1: Tor censorship 2012, OONI

Tor and Censorship

How governments have censored Tor and how packets are set free.

Saturday, June 30, 12

Page 2: Tor censorship 2012, OONI

$ whoami

• Arturo `hellais` Filastò

• Tor Project hacker

• Random GlobaLeaks Developer

• I develop Free Software for Freedom


Page 3: Tor censorship 2012, OONI

Surveillance

• Censorship is a subset of surveillance

• If you are censoring something you are surveilling everything


Page 4: Tor censorship 2012, OONI

“The Net interprets censorship as damage and routes around it.”

- John Gilmore; TIME magazine (6 December 1993)


Page 5: Tor censorship 2012, OONI

What is Internet Filtering?

• It is a form of non-democratic oppression of people

• It allows those in power to subvert reality


Page 6: Tor censorship 2012, OONI

FilterNet

• It’s a distortion of what the Internet really is.

• It follows the subjectivity of the authorities

• This does not help humanity


Page 7: Tor censorship 2012, OONI

There is no just censorship.

• Internet filtering is happening in China, Iran, Syria, but also in Italy, UK, Netherlands.

• The only solution to what some consider wrong information is more information.


Page 8: Tor censorship 2012, OONI

Tor and Censorship

• Tor was born as an anonymity tool

• Censorship circumvention was a side effect


Page 9: Tor censorship 2012, OONI

Brief Timeline of Tor Censorship

• 2002 - The Source code for Tor is released

• 2006, April - Thailand - DNS Filtering of tpo

• 2006 - Websense/netfilter - Block Tor based on Tor GET requests

• 2007 - Iran, Saudi - Blocks Tor thanks to Websense

• 2009, Iran throttles SSL

• 2009, Tunisia - Smartfilter to block all except 443, 80

• 2009, China blocks public relays

• 2009 - Tor bridges are introduced

• 2010 - China starts collecting and blocking bridges

• 2011 - Iran blocks by DPI on the DH parameter in SSL

• 2011 - Egypt selected targeted sites for blocking

• 2011 - Libya, throttling to limit use

• 2011 - Syria, DPI on Tor’s TLS renegotiation and killed connections

• 2011 - Iran DPI on SSL and TLS certificate timeline

For more details on these events, see “How governments have tried to block Tor”


Page 10: Tor censorship 2012, OONI

What has happened in the past months?

• 9 February 2012, Iran total SSL blockage

• 2012, China proactive censorship evolutions

• February - March 2012, Kazakhstan

• 22 May 2012, Ethiopia

• 25 June 2012, UAE, Tor blocking via DPI


Page 11: Tor censorship 2012, OONI

Iran SSL Blockage

• Deep packet inspection (DPI) of SSL traffic

• Selective blocking of IP Address and TCP port combinations

• Some keyword filtering

• Not nationwide; certain areas had no SSL traffic.

• February 2012, First real world deployment of obfsproxy


Page 12: Tor censorship 2012, OONI

Iran SSL Blockage


Page 13: Tor censorship 2012, OONI

China evolutions

• Blocking Techniques

    • IP Blocking (layer 3)

    • IP:Port blocking (layer 4)

    • RST based filtering (layer 4, active, easy circumvention)

    • HTTP blocking (layer 5)

• Detection techniques

    • Active probing of *every* SSL connection (speaking Tor protocol)

    • Tor fingerprints for TLS Hello

• Philipp Winter and Fabio Pietrosanti worked on understanding active Chinese probing.


Page 14: Tor censorship 2012, OONI

February - March 2012, Kazakhstan

• In response to protests in Zhanaozen

• Previously

    • IP address blocking

    • DNS based blocking

    • DPI SSL blocking

• JSC KazTransCom starts blocking SSL traffic based on client key exchange

• Some businesses affected (no SSL, no IPSEC, no PPTP, no certain VPNs)

• Obfsproxy used


Page 15: Tor censorship 2012, OONI

February - March 2012, Kazakhstan


Page 16: Tor censorship 2012, OONI

22 May 2012, Ethiopia

• Stateless DPI looking for Tor TLS Server Hello

• Research conducted by phw, naif

• Patch for bridge #6045


Page 17: Tor censorship 2012, OONI

22 May 2012, Ethiopia


Page 18: Tor censorship 2012, OONI

25 June 2012, UAE

• The Emirates Telecommunications Corporation, also known as Etisalat, started blocking Tor using DPI

• Evasion through

    • Special patch for bridges that removed fingerprint

    • Obfsproxy


Page 19: Tor censorship 2012, OONI

What are we doing?

• Help people access information anonymously (Tor)

• Help people circumvent censorship (Tor, Tor Bridges)

• Measure Internet filtering in the world (OONI-Probe)

• Help people speak freely and anonymously (Tor Hidden Services, APAF)


Page 20: Tor censorship 2012, OONI

OONI

• Open Observatory of Network Interference

• Provide a methodology and framework

• Strong focus on Openness


Page 21: Tor censorship 2012, OONI

Why OONI?

• A lot of tools exist, but are either:

    • Closed source

    • Closed methodologies

    • Closed data

• OONI is to be:

    • Free Software

    • using Open and described methodologies

    • publishing all the collected data with Open License


Page 22: Tor censorship 2012, OONI

Open Methodologies

• This means that the research is reproducible

• People seeing the results can evaluate the accuracy of the testing strategy


Page 23: Tor censorship 2012, OONI

Free Software

• Free software for freedom

• Means that anybody can base their censorship research on OONI

• This allows code reuse and knowledge sharing

• https://gitweb.torproject.org/ooni-probe.git


Page 24: Tor censorship 2012, OONI

Open Data

• This allows people to independently verify the results

• Open License (Creative Commons by Attribution)

• People will independently draw their conclusions based on the *data*

• Data driven journalism, Political Science studies, Anti-Censorship activism.


Page 25: Tor censorship 2012, OONI

What it detects

• Its goal is to detect:

    • Network filtering (“Is my network traffic being tampered with?”)

    • Content restrictions (“What is being blocked?”)

    • Filtering technique (“How is it being blocked?”, “What software are they using?”)


Page 26: Tor censorship 2012, OONI

OONI Architecture 1/2


Page 27: Tor censorship 2012, OONI

OONI Architecture 2/2


Page 28: Tor censorship 2012, OONI

OONIB

• Distributed backend for:

    • Assist in running of certain tests

        • Two way traceroute

        • Echo server

        • DNS server

        • HTTP server

    • Control Channel

    • Collect reports from probes


Page 29: Tor censorship 2012, OONI

OONI-probe

• The actual measurement tool

• Includes the core of the test logic

• Takes an input and performs measurements on the test network

• It can run the test on the local network or send it to a remote Node (SOCKS, OONIProxy, PlanetLab, etc.)


Page 30: Tor censorship 2012, OONI

Reports


Page 31: Tor censorship 2012, OONI

Test Categorization

• Traffic manipulation

    • “Is there surveillance, of what kind?”

• Content blocking

    • “Is there censorship?”

    • “What is being censored?”


Page 32: Tor censorship 2012, OONI

Traffic Manipulation examples

• Two way traceroute: If there is a difference between an inbound traceroute and an outbound traceroute for certain source and destination ports, this may be an indication of traffic being routed to interception devices.

• Header field manipulation: By varying the capitalization and adding certain headers to layer 7 protocols, it is possible to detect on the receiving end if the traffic has been tampered with.
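
The header field manipulation test, sketched as an added example (not code from ooni-probe or from the talk): the probe sends headers with unusual capitalization plus a canary header, and the receiving end's copy is compared line by line. The header names, the `filter.example` host and the simulated middlebox are assumptions constructed for illustration.

```python
def build_probe_request(host):
    """Build an HTTP request whose header names use unusual capitalization."""
    headers = [("Host", host), ("User-Agent", "example-probe"),
               ("Accept", "*/*"), ("X-Probe-Canary", "c0ffee")]  # canary is hypothetical
    lines = ["GET / HTTP/1.1"]
    for name, value in headers:
        # Alternating case (hOsT) is legal HTTP, but software that parses and
        # re-serializes headers rarely preserves it.
        odd = "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(name))
        lines.append(f"{odd}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def header_map(raw):
    """Map lowercased header name -> exact header line as seen on the wire."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return {line.split(":", 1)[0].lower(): line for line in head.split("\r\n")[1:]}


def diff_headers(sent, received):
    """Compare what the probe sent with what the receiving end saw."""
    s, r = header_map(sent), header_map(received)
    findings = []
    for key in s:
        if key not in r:
            findings.append(("removed", s[key]))
        elif r[key] != s[key]:
            findings.append(("rewritten", r[key]))
    findings += [("added", r[key]) for key in r if key not in s]
    return findings


def simulated_middlebox(raw):
    """Constructed stand-in for an in-path proxy: canonicalizes header names,
    drops the canary header and adds a Via header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    out = [head[0]]
    for line in head[1:]:
        name, value = line.split(":", 1)
        if name.lower() != "x-probe-canary":
            out.append(name.title() + ":" + value)
    out.append("Via: 1.1 filter.example")
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii")
```

An empty result from `diff_headers` means the request arrived byte-for-byte as sent; any `rewritten`, `removed` or `added` entry shows that something on the path parsed and re-emitted the request.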


Page 33: Tor censorship 2012, OONI

Content Blocking examples

• HTTP Host: This involves changing the Host header field of an HTTP request to that of the site one wishes to check for censorship.

• DNS lookup: This involves doing a DNS lookup for the hostname in question. If the lookup result does not match the expected result, the site is marked as being censored.

• Keyword filtering: This involves sending and receiving data that contains certain keywords and checking for censorship. The bisection method can be used to understand what subset of keywords is triggering the filter.

• HTTP scan: This involves doing a full connection to the site in question. If the content does not match the expected result, a censored flag is raised.

• Traceroute: This involves doing TCP, UDP and ICMP traceroutes for certain destination addresses. If there are discrepancies in the paths with respect to locations in the vicinity, a censorship flag is raised.

• RST packet detection: This involves attempting to connect to a certain destination and checking if the client gets back a RST packet.
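
The bisection idea from the keyword filtering test, as an added example (not code from ooni-probe): given a measurement primitive that reports whether a payload was filtered, it narrows a keyword list down to the triggering words in far fewer requests than testing each word alone. The keyword names and both simulated filters are constructed; the case where only a combination of words trips the filter is reported as an unsplit group.

```python
def find_triggers(keywords, is_blocked):
    """Return (hits, probes): keyword groups that trigger the filter, and the
    number of requests used. is_blocked(payload) -> bool is the measurement
    primitive (send the payload, observe whether it was filtered)."""
    probes = 0

    def blocked(group):
        nonlocal probes
        probes += 1
        return is_blocked(" ".join(group))

    def bisect(group):
        # Precondition: the whole group is already known to be blocked.
        if len(group) == 1:
            return [tuple(group)]
        mid = len(group) // 2
        left, right = group[:mid], group[mid:]
        left_hit, right_hit = blocked(left), blocked(right)
        hits = []
        if left_hit:
            hits += bisect(left)
        if right_hit:
            hits += bisect(right)
        if not (left_hit or right_hit):
            # Only the combination trips the filter; report the group unsplit.
            hits.append(tuple(group))
        return hits

    words = list(keywords)
    hits = bisect(words) if words and blocked(words) else []
    return hits, probes


# Constructed test data: 64 placeholder keywords and two simulated filters.
KEYWORDS = [f"kw{i:02d}" for i in range(64)]


def single_word_filter(payload):
    """Simulated filter that blocks on either of two individual words."""
    return any(k in payload.split() for k in ("kw03", "kw40"))


def pair_filter(payload):
    """Simulated filter that blocks only when two words appear together."""
    words = payload.split()
    return "kw01" in words and "kw02" in words
```

On a real network each probe is a noisy measurement, so a result should be confirmed by repeating the final single-keyword requests.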


Page 34: Tor censorship 2012, OONI

Implementation details

• Written in Python

• Based on twisted

• Provides scapy twisted integration

• Is currently a prototype.

• Expect problems, and expect to have to use the source

• Please kill bugs

• Parts of OONIB implemented, no remote reporting, OONI-probe runs only locally


Page 35: Tor censorship 2012, OONI

Recent Impact: T-Mobile USA


Page 37: Tor censorship 2012, OONI

Recent Impact: Hadara Palestine

• Blockage of politically oriented websites


Page 38: Tor censorship 2012, OONI

Future

• Keep hacking on OONI

• Finish the architecture specification

• Get a beta release of OONI for December 2012.

• Perform measurements all over the world.


Page 39: Tor censorship 2012, OONI

Come hack with us :)

• https://www.torproject.org/

• #tor, #tor-dev, #ooni irc.oftc.net

• https://ooni.nu/

• https://gitweb.torproject.org/ooni-probe.git


Page 41: Tor censorship 2012, OONI

Thank you for your attention!

[email protected]

• 0x150FE210 46E5 EF37 DE26 4EA6 8DCF 53EA E3A2 1297 150F E210

• twitter: @hellais
