Tor censorship 2012, OONI

Tor e la Censura
Come i gorverni hanno censurato Tor e come i
pacchetti vengono liberati.

Saturday, June 30, 12

$ whoami

• Arturo `hellais` Filastò
• Tor Project hacker
• Random GlobaLeaks Developer
• I develop Free Software for Freedom


Surveillance

• Censorship is a
subset of
surveillance
• If you are censoring
something you are
surveilling everything


“The Net interprets censorship as damage and
routes around it.”
- John Gilmore; TIME magazine (6
December 1993)


What is Internet
Filtering?
• Is a form of non
democratic
oppression on
people
• It allows those in
power to subvert
reality


FilterNet

• It’s a distortion of what is in reality the
internet.
• Follows the subjectiveness of the
authorities
• This does not help humanity


There is no just
censorship.
• Internet ﬁltering is happening in China,
Iran, Syria, but also in Italy, UK, Netherlands.
• The only solution to what is considered by
some wrong information is more
information.


Tor and Censorship

• Tor is born as
anonymity tool
• Censorship
circumvention
was a side effect


Brief Timeline of Tor
Censorship
• 2002 - The Source code for Tor is released
• 2006, April - Thailand - DNS Filtering of tpo
• 2006 - Websense/netfilter - Block Tor based on Tor GET requests
• 2007 - Iran, Saudi - Blocks Tor thanks to Websense
For more details on
• 2009, Iran throttles SSL these events see, “How
• 2009, Tunisia - Smartfilter to block all expect 443, 80 governments have tried
• 2009, China blocks public relays to block Tor”
• 2009 - Tor bridges are introduced
• 2010 - China starts collecting and blocking bridges
• 2011 - Iran by DPI on DH parameter in SSL
• 2011 - Egypt selected targetted sites for blocking
• 2011 - Lybia, throttling to limit use
• 2011 - Syria, DPI on Tor’s TLS renegotiation and killed connections
• 2011 - Iran DPI on SSL and TLS certificate timeline


What has happened in
the past months?
• 9 February 2012, Iran total SSL blockage
• 2012, China proactive censorship
evolutions
• February - March 2012, Kazakhstan
• 22 May 2012, Ethiopia
• 25 June 2012, UAE, Tor blocking via DPI

Iran SSL Blockage
• Deep packet inspection (DPI) of SSL traffic
• Selective blocking of IP Address and TCP
port combinations
• Some keyword filtering
• Not nationwide, certain areas no SSL traffic.
• February 2012, First real world deployment
of obfsproxy


Iran SSL Blockage


China evolutions
• Blocking Techniques
• IP Blocking (layer 3)
• IP:Port blocking (layer 4)
• RST based ﬁltering (layer 4, active, easy circumvention)
• HTTP blocking (layer 5)
• Detection techniques
• Active probing of *every* SSL connection (speaking Tor protocol)
• Tor ﬁngerprints for TLS Helo
• Philip Winter, Fabio Pietrosanti worked on understanding active
chinese probing.


February - March 2012
Kazakhstan
• In response to protests in Zhanaozen
• Previously
• IP address blocking
• DNS based blocking
• DPI SSL blocking
• JSC KazTransCom starts blocking SSL trafﬁc based on client
key exchange
• Some businesses affected (no SSL, no IPSEC, no PPTP, no
certain VPNs)
• Obfsproxy used


February - March 2012
Kazakhstan


22 May 2012
Ethiopia

• Stateless DPI looking for Tor TLS Server
Helo
• Research conducted by phw, naif
• Patch for bridge #6045


22 May 2012
Ethiopia


25 June 2012
UAE
• The Emirates Telecommunications
Corporation, also known as Etisalat, started
blocking Tor using DPI
• Evasion trough
• Special patch for bridges that removed
ﬁngerprint
• Obfsproxy

What we are doing?
• Help people access information
Anonymously (Tor)
• Help people circumvent censorship (Tor, Tor
Bridges)
• Measure Internet ﬁltering in the world
(OONI-Probe)
• Help people speak freely and anonymously
(Tor Hidden Services, APAF)


OONI

• Open Observatory of Network
interference
• Provide a methodology and framework
• Strong focus on Openness


Why OONI?
• A lot of tools exist, but are either:
• Closed source
• Closed methodologies
• Closed data
• OONI is to be:
• Free Software
• using Open and described methodologies
• publishing all the collected data with Open License


Open Methodologies

• This means that the research is
reproducible
• People seeing the results can evaluate the
accuracy of the testing strategy


Free Software
• Free software for freedom
• Means that anybody can base their
censorship research on OONI
• This allows code reuse and knowledge
sharing
• https://gitweb.torproject.org/ooni-probe.git


Open Data
• This allows people to independently verify
the results
• Open License (Creative Commons by
Attribution)
• People will independently draw their
conclusions based on the *data*
• Data driven journalism, Political Science
studies, Anti-Censorship activism.


What it detects
• It’s goals is to detect:
• Network ﬁltering (“Is my network trafﬁc
being tampered with?”)
• Content restrictions (“What is being
blocked?”)
• Filtering technique (“How is it being
blocked?”, “What software are they
using?”)


OONI Architecture 1/2


OONI Architecture 2/2


OONIB
• Distributed backend for:
• Assist in running of certain tests
• Two way traceroute
• Echo server
• DNS server
• HTTP server
• Control Channel
• Collect reports from probes


OONI-probe
• The actual measurement tool
• Includes the core of the test logic
• Takes an input and performs measurements
on the test network
• It can run the test on the local network or
send it to a remote Node (SOCKS,
OONIProxy, PlanetLab, etc.)


Reports


Test Categorization

• Trafﬁc manipulation
• “Is there surveillance, of what kind?”
• Content blocking
• “Is there censorship?”
• “What is being censored?”


Traffic Manipulation
examples
• Two way traceroute If there is a difference
between an inbound traceroute and an outbound
traceroute for certain source and destination
ports this may be an indication of traffic being
routed to interception de- vices.
• Header field manipulation By varying the
capitalization and adding certain headers to layer 7
protocols it is possible to detect on the receiving
end if the traffic has been tampered with.


Content Blocking
examples
• HTTP Host This involves changing the Host header field of an HTTP request to
that of the site one wishes to check for censorship.
• DNS lookup This involves doing a DNS lookup for the in question hostname. If
the lookup result does not match the expected result the site is marked as being
censored.
• Keyword filtering This involves sending an receiving data that contains certain
keywords and matching for censorship. It is possible to use bisection method to
understand what subset of keywords are triggering the filter.
• HTTP scan This involves doing a full connection to the in question site. If the
content does not match the expected result then a censored flag is raised.
• Traceroute This involves doing TCP, UDP, ICMP traceroute for certain destination
addresses if there are discrepancies in the paths with locations in the vicinities then
a censorship flag is raised.
• RST packet detection This involves attempting to con- nect to a certain
destination and checking if the client gets back a RST packet.


Implementation details
• Written in Python
• Based on twisted
• Provides scapy twisted
integration
• Is currently a prototype.
• Expect problems and to need
to have to use the source
• Please kill bugs
• Parts of OONIB implemented,
no remote reporting, OONI-
probe runs only locally


Recent impact
T-Mobile USA


Recent Impact
Handara Palestine

• Blockage of politically
oriented websites


Future

• Keep hacking on OONI
• Finish the architecture speciﬁcation
• Get a beta release of OONI for December
2012.
• Perform measurements in all the world.


Come hack with us :)

• https://www.torproject.org/
• #tor, #tor-dev, #ooni irc.oftc.net
• https://ooni.nu/
• https://gitweb.torproject.org/ooni-probe.git


Thank you for your
attention!
• art@torproject.org
• 0x150FE210
46E5 EF37 DE26 4EA6 8DCF
53EA E3A2 1297 150F E210
• twitter: @hellais


Tor censorship 2012, OONI

Recommandé

Recommandé

Contenu connexe

Dernier

Dernier (20)

En vedette

En vedette (20)

Tor censorship 2012, OONI