
ProtonMail blocked by Vodafone Turkey - stockmania
https://protonmail.com/blog/turkey-online-censorship-bypass/
======
qwerty456127
In just so many countries (including those many people never know are in too)
the state-led war on privacy and communication freedom is getting hotter and
hotter. Some countries do it openly, some manage to look liberal until you
look closer. Just try to start marketing a proprietary privacy-oriented
messenger app or something like that and the intelligence guys will emerge
promptly at your doorstep, demanding you to bake a backdoor in. Sad but true.
I don't really know how are we (the people, who value privacy of themselves
and of the others) going to win this war while keeping legal, it's an open
challenge so far...

~~~
Spooky23
Technologists need to remember that tech is nothing without law.

~~~
natvert
Lawyers and law makers need to remember technology will continually outpace
them. Both in execution of ideas and in value creation.

~~~
DomreiRoam
Lots of our technology cannot work without the support of a complex society
and I think you can't have that without court and some kind of rules. We are
interdependent.

------
DyslexicAtheist
(x) Don't use public DNS such as google (or the DNS provided by your ISP such
as Vodafone). Look for an anonymous non-logging service preferably outside
Turkey

(x) Tor is one of many layers for anonymity to circumvent blocking. Don't
"just" install the tor-browser or tor-proxy on your system but run tails from
a clean machine. If you know what you're doing you might want to help others
by isolating whole networks using PORTALofPi to guarantee no DNS-leaks. Pro-
Tip: build a LEDE based device and share your design with the community so
others can benefit and give you input (because you will make mistakes).

(x) Don't use mobile internet if you don't know what you're doing (those who
know what they're doing don't use mobile phones for critical comms)

(x) Use burner phones with anonymous SIM cards and aggressive hardware based
compartmentalization. Check this article for good OpSec/compartmentalization
tips (second half of the article after the discussion on browsers that looks
dated).

(x) Despite popular claim VPNs don't give you anonymity. They shift the trust
from your ISP to the VPN. If you pay for a VPN service by credit card consider
what the payment provider knows about you.

see [https://www.linkedin.com/pulse/vodafone-blocks-protonmail-tu...](https://www.linkedin.com/pulse/vodafone-blocks-protonmail-turkey-joachim-bauernberger/)

~~~
gruez
>Look for an anonymous non-logging service preferably outside Turkey

what's the point? DNS isn't encrypted, so it's trivial to log/intercept your
queries.

~~~
PTRFRLL
You could run DNSCrypt and use a server that supports it:

[https://servers.opennic.org/](https://servers.opennic.org/)

------
rocky1138
A totalitarian government blocking a service is a good sign they are unable to
break its security and thus use it as a surveillance tool. It's a great
advertisement for ProtonMail.

~~~
gukov
Unable to break its security or the service's owners are not cooperating.

~~~
jerrre
Unable to break its security AND the service's owners are not cooperating
maybe even

------
azureel
A small note (though it may be unrelated), some ip address ranges are not
accessible from Vodafone TR (3G/4G) connections.

216.239.36.219 <- For example this address returns "HTTP 504" from Vodafone.
There are some other addresses like this which happen to be around, randomly.

So it may be a misconfiguration on Vodafone TR Network, routers or such thing.
Sample curl output below.

    
    
      $ time curl -vki 216.239.36.219
      * rebuilt url to: 216.239.36.219/
      * trying 216.239.36.219...
      * connected to 216.239.36.219 (216.239.36.219) port 80 (#0)
      > get / http/1.1
      > host: 216.239.36.219
      > user-agent: curl/7.47.0
      > accept: */*
      > 
      < http/1.1 504 gateway time-out
      http/1.1 504 gateway time-out
      < server: webproxy/1.0 pre-alpha
      server: webproxy/1.0 pre-alpha
      < date: mon, 08 may 2017 07:04:23 gmt
      date: mon, 08 may 2017 07:04:23 gmt
      < content-length: 0
      content-length: 0
      < connection: keep-alive
      connection: keep-alive
      
      < 
      * connection #0 to host 216.239.36.219 left intact
      
      real 0m10.909s
      user 0m0.012s
      sys 0m0.004s
      $ curl -vki http://84.19.190.203/
      * trying 84.19.190.203...
      * connected to 84.19.190.203 (84.19.190.203) port 80 (#0)
      > get / http/1.1
      > host: 84.19.190.203
      > user-agent: curl/7.47.0
      > accept: */*
      > 
      < http/1.1 504 gateway time-out
      http/1.1 504 gateway time-out
      < server: webproxy/1.0 pre-alpha
      server: webproxy/1.0 pre-alpha
      < date: mon, 08 may 2017 07:56:58 gmt
      date: mon, 08 may 2017 07:56:58 gmt
      < content-length: 0
      content-length: 0
      < connection: keep-alive
      connection: keep-alive
      
      < 
      * connection #0 to host 84.19.190.203 left intact
      $

------
ransom1538
They recommend ProtonVPN. Does anyone know the legal ramifications of using a
vpn with shared exit nodes? EG: A 'crack' squad of computer crime
investigators in Jackson Mississippi track illegally uploaded content to a
forum originating from ip address [39.21.2.32] (which is a VPN exit node).
Unbeknownst to you that is _YOUR_ exit node now.

[https://www.eff.org/deeplinks/2016/09/digital-equivalent-rum...](https://www.eff.org/deeplinks/2016/09/digital-equivalent-rumor-should-never-lead-police-raid)

~~~
nukeop
Why would that be any different to getting assigned somebody's previous IP
address by DHCP? It's non-incriminating because it can be demonstrated you
didn't control that IP during the time illegal content was uploaded.

~~~
ransom1538
True. But my general ISP dhcp'ed ip address doesn't change much AND when it
does I have decent odds someone (who would do illegal uploads) wouldn't be
dumb enough to do it over a non-VPNed line.

------
tyingq
I lived in Izmir in the 90's, and the vibe was actually fairly liberal. The
locals seemed to feel pretty free, optimistic, and not overly worried about
their government. Sad to see things regressing so much.

~~~
BLKNSLVR
Everywhere is regressing at the moment. Brexit, US protectionism, China's a
dictatorship again.

It's like none of the 'leaders of the world' have read any history. Or they
have, and are arrogant enough to think 'that won't happen now that I'M in
charge'.

~~~
tyingq
Sure, but Turkey is a little different. It's going from, for some people _"no
issues, I'm influential and popular, if perhaps a little controversial"_, to
suddenly _"I'm in jail now, for probably months"_.

~~~
def_true_false
This is not a recent thing. Turkey has been topping the incarcerated
journalists per capita list for years.

------
tsax
Forgive me for this n00b question, but what do you get with ProtonMail (with
respect to security) that you don't get with, say, gmail?

~~~
protonmail
ProtonMail team here. Here is our assessment about how ProtonMail compares to
Gmail from the security/privacy perspective:
[https://protonmail.com/blog/protonmail-vs-gmail-security/](https://protonmail.com/blog/protonmail-vs-gmail-security/)

~~~
bogomipz
>"No tracking and logging Google records literally every action done by its
users. This includes your IP address, every search that you do, which emails
you open, which websites you visit, and much more. ProtonMail takes the
opposite approach and by default, does not monitor or record user activity,
not even IP addresses."

Has this been verified by an independent third party?

Also how do you determine there's an issue with IP prefixes in AS 15897
Vodafone Turkey[1], if you don't log IP addresses?

[1] [https://bgpview.io/asn/15897](https://bgpview.io/asn/15897)

~~~
Erlich_Bachman
> Has this been verified by an independent third party?

For one thing, it seems to have been verified by the Turkish government, seeing
how gmail is not blocked, and protonmail is ;)

------
pedrocr
They couldn't have paid for better advertising than this.

------
gkya
Seemingly this is nothing to do with the government, as controlling through
the website of the institution where there's a form to check if a given domain
is blocked [1], it tells me that there are "no blocks on this domain", i.e.
protonmail.com. You can try instead wikipedia.org to see what it looks like
when a domain is blocked.

[1]
[http://internet.btk.gov.tr/sitesorgu/](http://internet.btk.gov.tr/sitesorgu/)

------
giancarlostoro
Another public DNS is available from the IPredator.se guys as well. Forgot
what page on their site they had it under though. They also run some tor
nodes. They're one of my favorite VPN services. The staff is very welcoming on
their IRC server too.

------
bogomipz
>"Our support team first became aware of connectivity problems for Turkish
ProtonMail users starting on Tuesday. After further investigation, we
determined that protonmail.com was unreachable for both Vodafone Turkey mobile
and fixed line users. Since then, we have also received some sporadic reports
from users of other Turkish ISPs. At one point, the issue was prevalent in
every single major city in Turkey. After investigating the issue along with
members of the ProtonMail community in Turkey, we have confirmed this is a
government-ordered block rather than a technical glitch. Internet censorship
in Turkey tends to be fluid so the situation is constantly evolving"

Vodafone like every major ISP has a NOC. Did ProtonMail reach out to the ISP
to see if it was a routing issue?

I don't see that mentioned above anywhere in the investigation methodology.
How did you confirm that it was a "government-ordered block" if you only
worked with "members of the ProtonMail community"?

~~~
protonmail
ProtonMail is quite prevalent in Turkey and there are actually ProtonMail
users who work within Vodafone Turkey, and that is how we got the
confirmation.

~~~
bogomipz
So did you also contact their NOC via the handle listed for them in their RIPE
routing registry entry? That's the normal protocol.

Just because there's "ProtonMail users who work within Vodafone Turkey"
doesn't mean they have enable level access on Vodafone's routers.

------
jgrid007
Things are getting worse in Turkey, but I don't think it's worth to block this
service: Most of Protonmail users are familiar with VPN, TOR...

~~~
owly
I disagree. I’ve recommended ProtonMail to many novice users and helped them
get setup. It is so simple that I suspect many less technical users are using
it in countries with oppressive regimes.

~~~
luxpir
Aren't you actually agreeing?

He's saying they'll use tunneling to get around the block so they can carry on
using it.

~~~
croshan
No, he's saying that some (possibly many) users know how to use the service,
but not VPNs or TOR. Therefore, they are easily blocked, compared to advanced
users.

~~~
luxpir
Oh OK, they were disagreeing with the last part, not the main point. They both
at least agree it shouldn't be blocked...

------
Aissen
It's time. Browsers should integrate hardened-DNS features. TLS 1.3 is just a
stepping stone. Local DNS resolver, DNSSEC, DNS over DTLS/HTTPS/QUIC (pick
one) and of course, Tor.

------
fouc
The picture of the monitor displaying traceroute with dirt clinging to the
screen and some finger smudges and the reflection of the photographer is
pretty hilarious.

------
jerheinze
To get the Tor Browser try to download it from the official Github repository:
[https://github.com/thetorproject/gettorbrowser](https://github.com/thetorproject/gettorbrowser)
Then use meek-amazon as a pluggable transport which should work.

~~~
qwerty456127
AFAIK the fact of TOR usage is rather easy to detect. AFAIK (from some news
here on HN) you can get SWATed and arrested for a mere suspicion (e.g a false
positive by an automated traffic analysis system) of using an end-to-end
encrypting messenger or even Twitter in Turkey. I doubt it is legal and safe
to use TOR in such countries. We need something that is harder to detect on
the client ISP side.

~~~
walrus01
it is by no means foolproof and won't get around a deep packet inspection/flow
analysis system, but this is why obfsproxy exists:

[https://www.google.com/search?q=obfsproxy+tor&ie=utf-8&oe=ut...](https://www.google.com/search?q=obfsproxy+tor&ie=utf-8&oe=utf-8&client=firefox-b-1)

~~~
jerheinze
But be sure not to use the default bundled obfs4 bridges, they're known.

------
Tepix
When I visited Egypt three years ago I was using Vodafone to connect to my
mail server. They performed a MITM attack and stripped the STARTTLS from the
SMTP dialogue.

I had to switch to the legacy SSL port 465 for SMTP to use encryption.
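
A client-side check for the downgrade described above, as an added example that is not part of the original comment: it parses a server's EHLO reply and reports when STARTTLS is absent, so a client can refuse to send in cleartext. The EHLO transcripts, the host name and the masked-keyword heuristic are constructed assumptions.

```python
import re

# Constructed EHLO replies (not captured traffic): the reply on a trusted path,
# one where the STARTTLS line was overwritten, one where it was deleted.
CLEAN_EHLO = (
    "250-mail.example.org\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)
MASKED_EHLO = CLEAN_EHLO.replace("250-STARTTLS", "250-XXXXXXXA")
REMOVED_EHLO = CLEAN_EHLO.replace("250-STARTTLS\r\n", "")

# Heuristic (assumption): some inspecting middleboxes overwrite the keyword
# with a run of X characters instead of deleting the line.
MASKED = re.compile(r"X{4,}[A-Z]?")


def parse_ehlo(reply):
    """Parse a multi-line 250 reply into (greeting, {KEYWORD: params})."""
    lines = [line for line in reply.split("\r\n") if line]
    if not lines:
        raise ValueError("empty reply")
    greeting, exts = "", {}
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([ -])(.*)", line)
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        # Only the final line uses "250 " (space); all others use "250-".
        if (m.group(1) == " ") != (i == len(lines) - 1):
            raise ValueError("malformed multi-line reply")
        if i == 0:
            greeting = m.group(2)
            continue
        keyword, _, params = m.group(2).partition(" ")
        exts[keyword.upper()] = params
    return greeting, exts


def assess(reply, baseline_reply=None):
    """Return a list of findings; an empty list means STARTTLS is offered."""
    _, exts = parse_ehlo(reply)
    findings = []
    if "STARTTLS" not in exts:
        findings.append("STARTTLS not advertised")
        masked = sorted(k for k in exts if MASKED.fullmatch(k))
        if masked:
            findings.append("masked keyword: " + ",".join(masked))
    if baseline_reply is not None:
        # Compare against what the same server offers on a trusted network.
        _, base = parse_ehlo(baseline_reply)
        gone = sorted(set(base) - set(exts))
        if gone:
            findings.append("missing vs baseline: " + ",".join(gone))
    return findings


def safe_to_submit(reply, baseline_reply=None):
    """Policy: never fall back to cleartext when the upgrade is not offered."""
    return not assess(reply, baseline_reply)
```
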

------
genericacct
TBH vodafone blocks just about anything in italy. i have to click thre
warnings to download binaries from bitbucket for example. Their secure
browsing "service" is half a scam.

------
ekianjo
Why use protonmail instead of actual PGP that would never be blocked?

~~~
zaarn
Protonmail makes it easy. Even today using PGP Email is not something I would
trust the average computer user to pull off and pull it off _safely_

~~~
ekianjo
> Even today using PGP Email is not something I would trust the average
> computer user to pull off and pull it off safely

I'd argue it is not that complicated once you take the time to explain how it
works.

~~~
zaarn
If I have to explain it, it's already a lost cause. If you want any hope of
PGP being widespread, or any cryptosystem for that matter, you need to have it
being self-explanatory.

Someone at the age of 90 should be able to download the software, click a
"yes" button and secure their mail.

Secure E-Mail must be as DAU-proof as possible.

------
2aa07e2
Just a note to anybody who wants to try their free tier, they add a tapatalk-
like message in every e-mail you send ('this email was sent via protonmail' or
something in that nature), unless you pay.

It's not like the e-mail receivers couldn't already see the host, but I was
unaware of that when I was registering an account, so I'm calling that a dark
pattern.

At least it was easy to self-delete it afterwards.

~~~
tonyztan
It is just a default email signature that you can see in your compose window
and delete manually if you do not wish to pay.

~~~
2aa07e2
No, it is not. It is not related to the signature settings anymore.

~~~
tjomk
It is. They add it automatically on mobile but you can delete it. And it's
never on desktop. Just tried to send from both clients and didn't have any
extra added to the message.

~~~
2aa07e2
When was your account created? Mine was created in the previous 30 days.

I even had brought up the browser's dev tools and tried to disable that
setting but with no luck. It might have been an A/B test, or specific only to my
country, but the point remains that it was a separate setting than the
signature and it was impossible to disable it without paying. On desktop.

~~~
tonyztan
Are you still able to manually delete the added line from your email messages
at compose time?

~~~
2aa07e2
Thank you for sticking with me, I'll try to create a new account in a few
days. I don't rule out the possibility I am wrong about this.

------
medyadaily
Turkey is the largest prison for journalists they recently started a genocide
on Kurdish population in Syria in city of Afrin and they are hugely cracking
down on anyone who is criticizing their war on Kurdish civilians.
Unfortunately they have extended their censorship outside Turkey and even in
United States to get Kurdish accounts banned for criticizing Erdogan's
government

------
_bohm
Probably impossible to tell, but I'm willing to bet this is related to the
fact that the YPG uses ProtonMail for communications.

~~~
protonmail
Is there actually a public source for this? We were not aware of this (but
then again, we know almost nothing about users)

~~~
_bohm
The YPG International communications page: [http://ypg-international.org/contact/](http://ypg-international.org/contact/)

------
ssijak
For the love of everything, I can't remember the name and can't find/google
it, of a private mail service also from Switzerland. It had simpler marketing
and UX, maybe not even web clients and had some affiliate program and I think
the name started with "m". Help?

~~~
bogle
If we're starting a list of possible alternatives then Tutanota is good
(Germany IIRC).

------
kerberos84
What I don't understand is if it is a "government-ordered block", which
wouldn't be surprising, why is it limited to Vodafone users? I would expect
half-government hold TTNet and even Turkcell to block as well.

~~~
rowyourboat
It isn't limited to Vodafone. The original headline is "ProtonMail is being
blocked in Turkey. Here’s how to bypass Turkey’s online censorship."

~~~
kerberos84
I read the article not only the title. I would also recommend you to read the
article.

~~~
rowyourboat
I did read the article before answering you. I referred you to the original
headline because it better fits the article's contents, not because I stopped
reading there.

~~~
kerberos84
In the article they are stating that Vodafone users can not access to proton
services. They have written they have seen some complaints from other ISP
users as well but there is neither a statement nor a clue that it is blocked
by other ISPs as well. After all, the fact is that it is not blocked by other
ISPs only by Vodafone.

------
atomkarinca
the suggestions that are proposed are:

- use a vpn >> when protonmail is unreachable, protonvpn is unreachable, too. so not so useful.

- switch dns >> till when? till it's not only a dns problem anymore. by the looks of it, it's not gonna take much time.

- use tor >> tor is blocked, too. so... yeah.

i guess when people in the us or europe think about censorship, they think of
this romantic blocking of some services, and if you're tech-savvy enough, you
can bypass anything.

no you can't (at least i can't). it's turkey now, it's gonna be universal
tomorrow.

------
notaplumber
It should be blocked by all public mailing lists too, quite frankly. Its users
cannot be bothered to configure the webmail properly and often send atrociously
formatted replies to threads.

------
philfrasty
Anyone know why they have this weird onion url „protonirockerxow.onion“? Kinda
hard to remember.

~~~
detaro
You can't just choose your onion url, since it's directly derived from your
key, and that's probably the best they found (if you want to have any choice
at all, you have to bruteforce try keys until you find one matching the
pattern, so everything more than choosing a few letters gets
difficult/expensive)

~~~
philfrasty
thanks so much for taking the time to explain!

------
aiCeivi9
So I wonder - does that have any negative impact on vodafone brand in other
countries?

------
JepZ
Actually, I am not sure if it is wise to circumvent that block. I mean it's
probably as easy as typing

    
    
      echo "nameserver 8.8.8.8" > /etc/resolv.conf
    

to a root shell, but since we know that in the past people have been sent to
prison, just because some app on their phone requested a URL from the wrong
domain, I suspect that something similar can happen to the people who try to
use Proton mail.

On the other hand, if everybody stops using those services, the surveillance
tyrants have won...

~~~
dsacco
_> but since we know that in the past people have been sent to prison, just
because some app on their phone requested a URL from the wrong domain_

Do you have a citation? When did that happen?

~~~
batuhanw
It wasn't one big event that someone got arrested for using the app. It was,
civil polices were arresting anyone who uses crypto-message apps like ByLock.

We've seen cases where people sent to prison because they are wearing certain
T-shirt. Really.

edit links:

[https://www.theguardian.com/world/2017/sep/11/turks-detained...](https://www.theguardian.com/world/2017/sep/11/turks-detained-encrypted-bylock-messaging-app-human-rights-breached)

[https://www.huffingtonpost.com/mahir-zeynalov/turkish-police...](https://www.huffingtonpost.com/mahir-zeynalov/turkish-police-say-no-bas_b_13319222.html)

~~~
fyfy18
Here in Lithuania (EU) you can also get in trouble for wearing the wrong
t-shirt.

Nazi and Soviet symbols are banned from being shown in public, and you will
end up with a fine if caught with a t-shirt or bumper sticker. I believe it’s
the case in a few other post-Soviet countries as well.

~~~
azureel
Here in Turkey, you can get arrested for wearing the wrong t-shirt.
[https://www.google.com/search?q=hero+t+shirt+antalya+arreste...](https://www.google.com/search?q=hero+t+shirt+antalya+arrested&)

------
louithethrid
I sometimes wonder, whether paranoid dictatorships could not be fooled, by
automatically creating fake users in fake relationships, sending each other
conspiring comments and information. That way all those secret service snoops
could be kept busy chasing wild geese, leaving the normal people they usually
harass into opposition, to go on about their lives.

~~~
BLKNSLVR
So long as you're covering your tracks when creating these and using these
fake accounts. Covering your tracks by using all the tools that are outlawed
and detectable, thus putting a bigger target on your back.

If you're going to tickle the toes of dictatorially-run law enforcement, your
security had better be watertight.

~~~
bogle
It sounds like a lot of work but if you performed it from outside of the
jurisdiction you'd be safe. Not your friends and family inside, though, so
still better not to be identified.

------
hknc
I think they have not been blocked, rather they had an outage.

[https://twitter.com/ProtonMail/status/974167124892700673](https://twitter.com/ProtonMail/status/974167124892700673)

~~~
protonmail
There was a brief outage, but the block in Turkey is something entirely
different.

