
Iran Shuts Down Major Websites and Https Protocol - Sara70
I'm writing this to report the serious troubles we have regarding accessing the Internet in Iran at the moment. Since Thursday the Iranian government has shut down the https protocol, which has caused almost all Google services (gmail, and google.com itself) to become inaccessible. Almost all websites that rely on Google APIs (like wolfram alpha) won't work. Accessing any website that relies on https (just imagine how many websites use this protocol, from Arch Wiki to bank websites) and accessing many proxies is also impossible.

There are almost no official reports on this and with many websites and my email accounts restricted I can just confirm this based on my own and friends' experience. I have just found one report here:

<http://kabirnews.com/iran-shut-down-gmail-google-yahoo-and-sites-using-https-protocol/202/>

The reason for this horrible shutdown is that the Iranian regime celebrates 1979 Islamic revolution tomorrow.

I just wanted to let you guys know about this. If you have any solution regarding bypassing this restriction please help!
======
peterwwillis
I haven't checked yet whether they're using layer 7 filtering or just blocking
ports, but assuming it was a lame combination of the two, you can try
tunneling through HTTP on port 80.

Download proxytunnel and follow this guide to set up Apache (or whatever
server you prefer) to http proxy ssh connections to port 22:
<http://dag.wieers.com/howto/ssh-http-tunneling/>

Then run ssh with proxytunnel as the ProxyCommand (as shown in the guide). It
will make a plaintext HTTP connection, request a CONNECT yoursite.com:22, and
if they aren't inspecting "too deep" you should be able to get an ssh
connection.

If that doesn't work there's always icmp tunneling (hans), dns tunneling
(iodine), and various other options. See if you can make a udp connection over
port 53 to a remote host and transmit non-DNS packets; if they aren't
intercepting DNS traffic, just make an openvpn udp connection over port 53 for
your tunnel.

I actually have a whole paper on circumventing captive portals and firewalls
and a crappy tool to probe them if anyone wants it.

~~~
imajes
Link? :)

~~~
peterwwillis
Here you go:
<http://opensourceandhackystuff.blogspot.com/2012/02/captive-portal-security-part-1.html>

------
ya3r
I live in Iran.

The fact about the shut down is correct. I would also add that secure
connection to servers inside Iran is possible. I've tried some, and they work.
But trying to connect to services like Github and PivotalTracker, which we
rely on in our startup, results in no response.

Also I will note that the ssh protocol is the same. I can ssh into my
university machine (inside Iran) but I can't access my rackspace VPS with ssh
for example.

One thing to add is that `Sara70` creator of this thread, mentions some non-
related reason for this (The reason for this horrible shutdown is that the
Iranian regime celebrates 1979 Islamic revolution tomorrow.) which is wrong.

Here nobody officially said anything about this. But as this shutdown is
getting more attention in the media, I suspect this issue to get resolved
soon.

~~~
aaronblohowiak
>One thing to add is that `Sara70` creator of this thread, mentions some non-
related reason for this (The reason for this horrible shutdown is that the
Iranian regime celebrates 1979 Islamic revolution tomorrow.) which is wrong.

How do you know this?

~~~
ya3r
I ask the same. How does she know this?

I know this because, this trend (shutting down secure network protocols)
started on and off, like 1 year ago.

~~~
cjbprime
As I understand it, that was slowing down (like 10x) of SSL, not disabling it
completely. It could have simply been a live test of the mechanism they're
using right now, and they could be deploying the mechanism right now because
of the anniversary. (Or because of Kim Jong-Un's death ;-)

------
csomar
I'm grateful for the Tunisian revolution. Internet Censorship (including ports
disable) is at 0. The court justice has ordered to censor a few pages (because
of some reasons) but the Global Internet provider in the country did not
accept. The head of this agency is also working that the law prohibits any
kind of censorship for any reasons. He was responsible for censoring content
in the Ben Ali era, but he now thinks that it just doesn't make sense.

The problem is, with the people (in the court or the gov.) who don't
understand how the Internet works.

~~~
kokey
I'm not seeing much bad news coming out of Tunisia post revolution. I'm
tempted to visit it.

~~~
csomar
It's relatively stable. Politically, it's fine. Economically it is struggling,
but not much. Prices for tourists should be reduced as Andy mentioned since
it's the recession for hotels and agencies.

Internet is pretty slow (I use a 3G which runs on around 1Mb/sec and costs
around $20/month), the infrastructure is poor, the people are either
struggling or confused how all these structural problems could get solved.

Not a great place to be in, honestly. If you are in Europe and looking for
some Sun, then may be it's a deal for you considering the cost.

If you happen to make a travel, I added my phone number. I'm moving to the
capital this summer, and if I happened to purchase a car, I'll take you in a
free drive around the capital and Hammamet.

------
charlieok
TOR has a blog post up about exactly what they've been able to determine about
what Iran is doing:

<https://blog.torproject.org/blog/iran-partially-blocks-encrypted-network-traffic>

Regarding HTTPS, it appears they detect and disrupt the SSL handshake.

For those who can't access TOR's site, it may be useful to quote their post in
full:

“Over the past two days we've been hearing from, and working with, a number of
Iranians having difficulty using Tor from inside Iran. It seems the Iranian
government has ramped up censorship in three ways: deep packet inspection
(dpi) of SSL traffic, selective blocking of IP Address and TCP port
combinations, and some keyword filtering. For instance, they have partially
blocked access to Tor's website, torproject.org, via IP address (such as
86.59.30.36) and port 443 (which is the HTTPS port). The third level of
blocking is by keywords, such as searching for the word 'tor' via regular,
non-encrypted search engine websites.

The blocks on SSL are not complete and not nationwide. Where blocking is in
place, initial investigations show they are identifying the beginning of the
SSL handshake and simply interrupting the handshake. We continue to research
and investigate solutions with the assumption that SSL will eventually be
blocked nationwide inside Iran. Our goal is to defeat their dpi signatures and
allow tor to work by default.

The Iran Media Program has posted their thoughts on what is happening from a
journalist's perspective.

So far, it seems the majority of Tor users are not affected by these blocks.
Iran is still the #2 country based on direct usage,
[https://metrics.torproject.org/users.html?graph=direct-users...](https://metrics.torproject.org/users.html?graph=direct-users&country=ir#...).
This number is on the decline, however.

More details to follow as we have them.”

~~~
charlieok
“Update 2011-02-10 18:05 UTC: We are working on making our obfuscating proxy
more stable and easier to deploy. If you can compile code, following these
directions will help. We're also working on Amazon EC2 instances of obfsproxy
for point and click deployment.”

“these directions” links to an email from Jacob Appelbaum:

<https://lists.torproject.org/pipermail/tor-talk/2012-February/023070.html>

“ [tor-talk] Help users in Iran reach the internet

Fri Feb 10 11:41:50 UTC 2012

Hi,

In the last 48 hours a major campaign of filtering has started in Iran - it
started slow and now appears to be that nearly all SSL/TLS traffic is blocked
on a few major Iranian ISPs. Details are rather rough but we're working on
some solutions - we've long had an ace up our sleeves for this exact moment in
the arms race but it's perhaps come while the User Interface edges are a bit
rough still.

Here's the deal - we need people to run Tor bridges but a special kind of Tor
bridge, one that does a kind of traffic camouflaging - we call it an
obfuscated bridge. It's not easy to set up just yet because we were not ready
to deploy this for everyone yet; it lacks a lot of analysis and it might even
only last for a few days at the rate the arms race is progressing, if you
could call it progress.

There are highly technical instructions here:
<https://www.torproject.org/projects/obfsproxy-instructions.html.en>

Currently if you run such a bridge, you'll either need to manually tell us
(via email to tor-assistants at torproject.org ) about it or you'll need to
share these bridges with people you want to help directly. It's a pain and
we're working on it.

Here's a bug report where we're working around the clock to get stuff going in
a user friendly manner:
<https://trac.torproject.org/projects/tor/ticket/5009#comment:17>

This kind of help is not for the technically faint of heart but it's
absolutely needed for people in Iran, right now. It's likely that more than
~50,000 - ~60,000 Tor users may drop offline.

Watch this graph for an idea of the censorship impact of directly connecting
Tor users:
<https://metrics.torproject.org/users.html?graph=direct-users&start=2011-11-12&end=2012-05-10&country=ir&events=on&dpi=72#direct-users>

Here's the same graph but for Tor bridge users in Iran:
<https://metrics.torproject.org/users.html?graph=bridge-users&start=2011-11-12&end=2012-05-10&country=ir&dpi=72#bridge-users>

We're working on easy to use client software and if you're in Iran or need one
desperately, please email help at rt.torproject.org. We'll try to get you a
working obfsproxy bridge address and working client software.

All the best, Jacob ”

------
soult
FYI, Jacob Appelbaum just asked[1] people to set up TOR bridges using a new
protocol called obfsproxy[2].

1: <https://twitter.com/#!/ioerror/status/167922546807812096>

2: <https://www.torproject.org/projects/obfsproxy-instructions.html.en>

~~~
oneofthose
I would be willing to set up a bridge but how can we get the bridge IPs to
those who need them?

~~~
tshtf
See <https://lists.torproject.org/pipermail/tor-talk/2012-February/023070.html>

 _Currently if you run such a bridge, you'll either need to manually tell us
(via email to tor-assistants at torproject.org ) about it or you'll need to
share these bridges with people you want to help directly. It's a pain and
we're working on it._

------
bwarp
This is why good old analogue amateur or personal radio should still be a
powerful force for people who are rebelling against their governments and
corporate overlords.

The Internet is easy to kill, as are digital cell-based radio networks. Proper
amateur radio is not.

Jamming is not that effective over a large area before anyone suggests that.

~~~
ajarmoniuk
but it's easy to triangulate the broadcaster and take measures (imprison,
torture, kill).

I lived through the communist era in Poland. Amateur radio stations were
banned and prosecuted (you would go to jail), even possession of a CB radio
was a crime. Things may be similar in Iran.

~~~
bwarp
It's not that easy and there are simple anti-triangulation countermeasures you
can use. It's possible to drop decoy transmitters/relays, which are easy
enough to knock up and are cheap. You can also use refraction to "bounce" HF
radio waves off the ionosphere to mask the source. You can scramble the
signals. You can disguise the signals as legitimate but include carrier data.
There are lots of ways of hiding what you are doing.

As usual, if you don't take precautions, that will happen.

Pirate radio stations were and still are common in the UK, particularly around
London. They move around regularly and broadcast for short periods so it's
hard to trace or predict a location.

The same conditions apply here.

~~~
wormik
Umm, you make it look like a trivial problem to solve, which IMHO is not the
case when you take the fact you can risk life in prison or death into
account. I'm from an ex-communist country - where a lot of successful
broadcasts happened; nevertheless, they always got identified at the end of
the day - and then, guess what happened. When you are facing such restrictive
conditions, even signal itself is good cause to get you in trouble - no matter
whether the information carried is understood/sniffed or not, bounced or not.
Anti-triangulation measures you are talking about have IMHO no practical use
as long as anyone on the other side is using mobile radio signal detectors. Or
if you know about real world application - I'd love to learn about it. Cheers

~~~
bwarp
It's not trivial - but it's not unsurmountable.

Regarding triangulation, it's about finding the source. The source is hard to
track reliably if it moves, especially away from the detection devices or
rapidly out of range. Try tracking a broadcast source from a vehicle driving
around you in a circle. If it's omnidirectional you'd have to be in the line
of sight. If there is interference across the band, selectivity of the RDF
receivers is compromised. Radio direction finding is surprisingly painful.

Hint: The anti-triangulation measures are actively used on Clansman radio
sets.

------
humanfromearth
They control the physical network. As long as they have that control they will
be able to do what they want. The only way to deal with these fuckers (not
just Iran) is to start using collectively Ipsec or something similar. All SSL
movement is just the beginning. I'm sure every big service will try to encrypt
its traffic more and more to protect itself from governments that try to
criminalize their users.

Forcing countries like China, Iran and US to go into dark ages if they don't
use the new all encrypted networks.

It's a shame that we are so paranoid as a species that we need to do that, but
I don't see any other way.

I know this is extreme, but I don't want to see the freedom I enjoy right now
taken away by these obsolete power hungry entities.

~~~
kiloaper
>Forcing countries like China, Iran and US to go into dark ages if they don't
use the new all encrypted networks.

The problem is some governments would be perfectly happy with that. In fact
for the most repressive ones it's a long-term goal.

China wants to create a separate internet for Chinese users and they're half
way there. They have their own local censored versions of Google, Twitter and
Facebook. Soon most internet users in China won't care if the rest of the
internet disappears. Likewise for Iran, except they have been more open about
it [1].

[1]
<http://online.wsj.com/article/SB10001424052748704889404576277391449002016.html>

~~~
chernevik
Maybe but they'll lose the productivity gains from networked organizations and
communities. China can grow a long way without those gains, but they'll
eventually hit a wall.

~~~
kiloaper
>Maybe but they'll lose the productivity gains from networked organizations
and communities

Absolutely, but the effect will not be huge in my opinion because of the
language differences. All my Chinese friends here in the EU still use mainly
Chinese language websites, most of which are based in China, especially the
social networking ones.

~~~
chernevik
Companies aren't going to manage inventory, customer relations or finance over
open channels. So they'd reduce the gains from networking their own internal
communications.

They could try to mitigate by rationing secure channels, or allowing them with
backdoors, but this still sacrifices the spontaneous creativity of a truly
open system.

~~~
kiloaper
You make a good point. It certainly would discourage or kill small businesses
but, as you suggest, I'm sure larger more powerful ones will get special
treatment (native ones particularly so). Considering China was willing to let
Google leave the country it appears that the balance of power is shifting
already.

------
lorddfg
That sucks, in Pakistan they're banning websites left and right, most of the
websites can be accessed with Proxy but I have to use VPN just to upload files
now. It's not only the porn websites they're banning, websites like pastebin
etc. are getting axed as well.

In short, if any website goes against their stupid and yes effed up ideals
they will ban it. The ISP's can't do anything because they're forced to
comply.

Forget ACTA or SOPA, these idiots just do whatever they wish.

------
sepent
Moreover, SSH has stopped working, too. But, finally I found a way to
circumvent it. A simple twist in the client side, could simply bypass the
filtering.

I wrote a simple script to do this, and I would like to share it with all of
my countrymen:

<https://launchpad.net/~mohammad-sepent/+archive/ppa/+packages>

To use it, just replace ssh command with issh like this:

issh user@hostname [other-ssh-options]

~~~
j_s
Where is the link to the required changes? Binaries = scary. Also, an SSL link
doesn't seem useful?

~~~
kiloaper
I took a look at it. It's not a binary. It's a python file (easily readable)
that acts as a wrapper for ssh. Extract the contents of the tar.gz[1] for
example to see it. It's great if it works because it apparently doesn't need
changes to the remote ssh server.

[1] <https://launchpad.net/~mohammad-sepent/+archive/ppa/+files/issh_0.0.1.tar.gz>

Edit: Non SSL link: <http://ppa.launchpad.net/mohammad-sepent/ppa/ubuntu/pool/main/i/issh/>

~~~
j_s
Thanks for digging into this.

------
pooriaazimi
Almost all websites that are worth visiting are either blocked by Iranian
government or by US export laws (SourceForge, Google Code, ...) so people rely
heavily on VPNs and proxies. One of the most used proxies is YourFreedom[1]
that offers a special service for Iranian people (a free 512 kbps socks
proxy). It sounds great, but unfortunately they have been compromised. About
10 months ago, I contacted them (they didn't respond, which makes me a little
worried).

It looks like Iranian government uses a transparent proxy, so all connections
to ems01.your-freedom.de (ems01 through ems24) first redirect to iran.ir and
_then_ go to YF's servers!

 _(YF is blocked right now, so I can't re-do this test right now. These images
are from my email to YF 10 months ago)_

<http://www.imeezo.com/v/images/49229825994939115647.png>

<http://www.imeezo.com/v/images/46490363986030440278.png>

A page accessed without a VPN/proxy:
<http://www.imeezo.com/v/images/98155525346546936123.png>

The same page, but with a VPN:
<http://www.imeezo.com/v/images/30239946359511647325.png>

In the third image, the response is from iran.ir's transparent proxy, not YF
servers...

[1] your-freedom.de

------
forcer
I am really passionate about this problem. We are currently working on the VPN
solution for consumers and I could dedicate some of our servers for this to
develop a VPN that would work when governments shut down encrypted
connections. Where should we start? Is it even feasible to do a secured tunnel
hidden in normal traffic undetected?

~~~
jcromartie
You can tunnel anything over anything. You'd just start with a generic URI to
negotiate the secure connection before sending the real requests/responses.

~~~
forcer
Yes - Already looking at this HTTP tunnel
(<http://www.nocrew.org/software/httptunnel.html>) that someone else posted
here.

I am wondering whether this approach is better than the one someone else
suggested - connecting to a streaming server (like OnLive) - I guess streaming
server could be made more undetectable, but more expensive to run

------
mrud
If you can't believe that governments are using deep packet inspection and
block access to popular sites, have a look at the 28C3 talk "How governments
have tried to block Tor" - <http://www.youtube.com/watch?v=DX46Qv_b7F4>. It
covers different governments and how they tried to block access to the TOR
network.

------
dutchbrit
And here I was, about to ask HN to force SSL on the login page..

~~~
pooriaazimi
Please... don't. I have enough trouble with GitHub right now. Those guys
enforce SSL not only on login page, but on all pages - yesterday it took me 2
hours to clone a github project (that was only 30k).

------
tetha
So it's time to grab our steganography handbooks and build a cute little animal
picture channel patch for open ssh.

------
zckevin
We Chinese use VPN or SSH port forwarding.

~~~
emilsedgh
They drop all encrypted connections. Which means you can't even make a VPN or
SSH connection.

~~~
kokey
Which basically means you need to do encryption in a manner that doesn't look
like encryption, inside of something that's unencrypted. For example over DNS,
inside of HTTP, or other protocols designed for moving code like RPC.

~~~
chernevik
Maybe embed the cipher text in files for images, video or music?

------
sycren
Are there any solutions for web browsing like Onlive
(<http://www.onlive.co.uk/>) does for video gaming? It would be significantly
harder for them to datamine a video stream..

~~~
kristofferR
That is actually how the iOS Flash players like iSwifter and Photon work.
It's just a video stream (seen from weird MPEG-compression artifacts) to a
Linux VM running Firefox.

~~~
sycren
So would this not be ideal for getting through government censors?

~~~
forcer
My impression is that it could be ideal - but it needs much more bandwidth on
the client side, as well as server side - making it expensive to run

~~~
sycren
But perhaps for sites which are static (in animation) and not interactive like
gmail and other email systems it may perform well.

------
teopeurt
Realise ALL encryption handshakes are blocked but _Maybe_ this might work.

<https://github.com/stealth/sshttp>

You do need a server on the 'outside' though. (oh bugger, github uses https)

------
jetpackjello
Hello! You can use encrypted Secure SMS for Android. The app is free, and
available at:
<https://market.android.com/details?id=com.atomcloud.metrobuddy>

The instruction manual is at: <http://web.atomcloud.com/apps/metrobuddy-secure-sms>

the app needs no licensing, so can be passed from phone to phone via SD card.
Good Luck!

------
deno
Is it possible to bypass their physical network altogether? For example, is
satellite Internet available/legal over Iran?

~~~
Strom
Satellite dishes are illegal in Iran.

------
wyck
Most posts here are about tunneling, which is akin to whacking a mole and not
a solution.

The only solution is in space, or a mesh net run by citizens,
<http://www.reddit.com/r/darknetplan/>

------
ck2
Maybe <http://m.gmail.com> ?

What about ssh tunneling over an alternate port?

Gosh I cannot believe governments that do this to their people.

I wonder if they are ironically using American engineered equipment and
software to do the block too.

~~~
emilsedgh
They drop ALL encrypted connections. You cannot even make a normal ssh
connection, since they drop the connection during handshake. (SSH has been
disabled for a few months)

~~~
dasil003
What about ssh over port 80? I realize that would have to be set up in advance
from outside the country, but the question is are they using port numbers to
aid in their filtering or deep packet inspection?

~~~
gsa
If they are dropping all encrypted connections, it doesn't matter what port
you use for ssh, it'll be dropped.

~~~
nkassis
How do they know it's encrypted? I mean would they block something that looks
like gibberish but was plain text over port 80?

~~~
Luyt
I like that idea. You could encode a block of octets with plain words.
"\xC3\x08\x00\x23\xFA" would then actually travel on the wire as "Was named
prefer to use the other especially in, every cast a chuckle on neithout
getting. Into useful informash speech makes removing a featuring a move or
usage actual considered!", and be decoded back at the other end. You'd have to
use common words so it looks as innocuous as possible.

~~~
morsch
I doubt you'd need to go to such lengths, otherwise you wouldn't be able to
transmit binary data such as images, either.

------
alkasir
Do SOCKS proxies work at all? One can test if they work. Xroxy.org is a good
place to start. Email me at admin(at)alkasir.com to send you free socks proxy
servers for testing.

~~~
pooriaazimi
No, they don't.

But thanks for the offer.

------
saizai
I've tested this as of today (2/10) and have technical details of exactly what
filtering is going on, and what isn't.

tl;dr: Iran gov't is the actor, not ISPs; filtering most but not all SSL in a
couple different ways; specific targeting of privacy tools & Google.

See here (will be updating it soon w/ more):
<https://plus.google.com/u/0/103112149634414554669/posts/PT3eEF4u415>

------
cicloid
Is Tor still working?

~~~
Sara70
I used to use Tor with firefox before but with my internet connection it was
very slow.

~~~
cicloid
Sadly from what I know, that's because of the lack of nodes. But you can
volunteer!

<https://www.torproject.org/getinvolved/volunteer.html.en>

------
i_love_rabbits
Would it be possible to DDoS the deep-packet-inspecting routers with fake SSL
handshake requests, or some partial part of it? Sort of like a TCP-SYN attack
at the SSL level, and force them to give up DPI?

In other words, if we know that they are cutting off the handshake at the
ServerKeyExchange phase, for example, couldn't we generate a large amount of
fake SSL traffic that stops one step before that, causing the router to hang?

~~~
vonmoltke
That would only work if the filter was an endpoint. The filter isn't making
SSL connections, so it doesn't care if the other side stops mid-transaction.
All it has to do is look at the headers and drop packets with the target SSL
handshake header.
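
The header matching described in the comment above, as an added example that is not part of the original thread: a stateless classifier that looks only at the first payload bytes of a flow, which is why moving SSH or SSL to port 80 does not change the verdict. The function names and the sample payloads are constructed for illustration; nothing here is taken from a real filter.

```python
import struct

# Handshake message types from the TLS specification (subset).
TLS_HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello",
                       11: "Certificate", 12: "ServerKeyExchange"}
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")


def classify(payload: bytes) -> tuple:
    """Return (protocol, detail) judged only from the leading payload bytes."""
    # TLS record header: content type (1) | version (2) | length (2),
    # followed by the handshake message type (1). 0x16 = handshake record.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        (record_len,) = struct.unpack("!H", payload[3:5])
        if 0 < record_len <= 16384:
            return ("tls", TLS_HANDSHAKE_TYPES.get(payload[5], "handshake"))
    # SSH peers open with a cleartext identification line "SSH-<proto>-<software>".
    if payload.startswith(b"SSH-"):
        banner = payload.split(b"\n", 1)[0].rstrip(b"\r")
        return ("ssh", banner.decode("ascii", "replace"))
    # HTTP request line: METHOD SP target SP HTTP/1.x
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/1."):
        return ("http", (parts[0] + b" " + parts[1]).decode("ascii", "replace"))
    return ("unknown", "")


def verdicts(flows):
    """flows: iterable of (dst_port, first_payload). The port is reported, never consulted."""
    return [(port,) + classify(payload) for port, payload in flows]


def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.0 ClientHello (sample input, not a capture)."""
    body = (b"\x03\x01"            # client_version
            + bytes(32)            # random field (all zeros, constructed)
            + b"\x00"              # empty session_id
            + b"\x00\x02\x00\x2f"  # one cipher suite
            + b"\x01\x00")         # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample flows: same payloads on different destination ports.
SAMPLE_FLOWS = [
    (443, build_client_hello()),
    (80, build_client_hello()),
    (22, b"SSH-2.0-OpenSSH_5.9\r\n"),
    (80, b"SSH-2.0-OpenSSH_5.9\r\n"),
    (80, b"CONNECT yoursite.com:22 HTTP/1.1\r\nHost: yoursite.com\r\n\r\n"),
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

if __name__ == "__main__":
    for port, proto, detail in verdicts(SAMPLE_FLOWS):
        print(f"port {port:>3}: {proto:<7} {detail}")
```

The classifier keeps no per-connection state, which matches the point that an incomplete handshake costs the filter nothing.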

------
ilaksh
The invasion of Iran has been planned for many years. The occupation of the
two countries immediately to the west and east of Iran were preliminary steps
in the same long term military campaign.

I assume that this level of internet censorship will go away because it is
playing into the hands of Western imperial propagandists who are working hard
to "justify" or motivate the next major invasion.

------
rd108
Does anyone know how they "shut down https"?

~~~
emilsedgh
They drop all encrypted connections. This means no https, no IMAP over TLS and
no SSH connections. (I'm in Iran)

~~~
rplnt
So where would one find SSL over http implementation? You know, you send your
usual POST to a proxy, only the body would be an actual request. Whole
handshake could probably be done like this. Not even the proxy would (wouldn't
have to) know the content. Encrypted body could be translated to valid XML for
extra effect.

~~~
Jach
I was just googling this and it looks like
<http://www.nocrew.org/software/httptunnel.html> could handle that use case.
(Another interesting idea I saw was to steg the data in cat pictures sent
normally. I'm not sure if cat pictures are as big in Iran as in the US though
such that even user-level analysis wouldn't be too suspicious if there's a ton
of cats.)

~~~
drostie
I see three problems. The first one is that the Iranians would have to have
their own JPEG images to sit in an "uploads" directory on the client, since
what you're proposing is a very broad-scale steganography attack. (Or else
we'd need a procedural way to generate a great number of images which look
indistinguishable from real traffic that you might want to send. In any case
we risk that the censors block image uploads and form POSTs.)

Second is, I'm not sure anyone has yet connected steganography with public-key
cryptography, but it really does have to be done that way for plausible
deniability, otherwise you can just look inside the packets. So, inside the
first JPEG linked from index.html there is steganographically hidden a
2048-bit RSA public key, and communication consists of uploading
steganographic requests of the form encrypt(public_key, shared_key) |
encrypt(shared_key, request). The first segment, the server knows should be
2048 bits = 256 bytes long. My bsencode project
(<https://github.com/drostie/bsencode>) might be useful for formatting the
data-to-be-encrypted; you need to transmit something like 32 bytes for a key,
16 bytes for a nonce, 32 bytes of predictable plain text so that the server
knows that the request is intentional, perhaps 16 bytes of unrelated
randomness just to give the RSA packet some extra entropy, and perhaps we
could already specify some aspects of the protocol and intended query in the
header as well. The 256 bytes would be plenty to contain an entire handshake.

However, you would have to think long and hard about how the public key is
encoded, since it's a two-part data structure and either part -- or the glue
-- could "leak" the fact to an adversary able to do basic data-processing that
there is an RSA key hiding in plain sight. Also the access pattern might leak
this info -- how many places do you know which are important enough that
Iranian citizens should have access to them, but follow a predictable pattern
of "download HTML, download image, upload image"? The last part is the unique
part; uploading images and lots of text is relatively uncommon.

The third problem that I see is the interaction problem: Iran can guess at
steganography by its access pattern, lots of large HTTP uploads followed by
HTTP downloads -- but it can then _confirm_ the guess by sending its own
requests to the same server and validating that it gets valid responses back.
So you can target the system by simply trying to use it.

This last problem is much harder, I think. One obvious solution is to only
handle one client at a time -- but that is dangerous because it paves the way
for denial of service attacks from the government; they just take download of
index.html followed by a GET request for a JPEG and try to send their own
steganographic request, tying that server up with respect to real traffic.

Mounting a good steganographic attack against the people who run the
communications infrastructure is going to be very difficult indeed.

------
chrismt
All the companies who provide censorship know-how to Iran should be banned
forever.

To download Hotspot Shield, TOR or Ultrasurf, visit
<http://www.unblocker.co.nr> or <http://www.proxysoftwares.co.nr>

------
siculars
Shutting down the borders in advance of military action. They don't want
sensitive data getting out.

------
jbrodkin
Any update from Iranian users on the current situation? Are the blockages
still in force? I covered this issue for Ars Technica on Friday:
<http://arst.ch/sg1> and would like to be able to provide an update. Thanks.

------
corford
Would running through a socat tunnel (<http://freecode.com/projects/socat>)
defeat the DPI?

If yes, you could set up a tunnel on port 80 and then run openvpn through it.

I did this for a friend in China and it worked.

------
bbrizzi
Pure speculation here, but would it be possible to use some kind of exotic
Content-encoding HTTP header to avoid the DPI checks?

Of course it would also have to be implemented on the server-side but that's
another problem.

------
l0nk
Hi,

Just letting you know that I used that when I'm in a
"not-really-freedom-friendly-country" =)

<http://nihilex.com/obfuscated-openssh>

Slow but works =)

------
antihero
Can you get a virtual server with SSH running on port 80?

------
jcr
As it so happens, I've spent the last day trying to break in through the
technical restrictions of a regime from the outside. There is a country with a
very oppressive government that prevents outsiders from observing them. It's a
tiny island monarchy that doesn't matter much in the grand scheme of things,
but you may have heard of them; it's called the "United Kingdom" or "Great
Britain" or whatever.

If you don't live within their control, they don't want you to see the
propaganda they put out on their "British Broadcasting Corporation" (BBC)
television stations and web site. Needless to say, there are ways around their
entirely pointless technical restrictions.

(Note_To_Self: As a somewhat dyslectic person, I'll never forgive patio11 for
nick-naming his product "BCC").

I would like to say that by-passing government sanctioned Internet
restrictions is simple and easy, but it's not true. Doing it safely can be
impossible at times, and considering the rather severe punishments for getting
caught (i.e. death), it may not be the smartest choice you could make. If you
want to take your chances, there are often technically possible ways to
by-pass the restrictions. It's not easy, and it may not be entirely safe, but
usually, it _is_ technically possible.

There are free solutions out there like Tor ("The Onion Router"
<https://www.torproject.org/>), but they mostly suck. If you don't believe me,
then just try using them. The other problem with the free solutions is a lot
of government filtering knows about them and adjusts accordingly (when
possible). There is also a lot of monitoring and profiling done on the traffic
on the free solutions like Tor since the traffic _is_ interesting.

If you need a solution that sucks less, you'll need to pay for it. As much as
many would like to believe otherwise, bandwidth and servers are not free, so
when a service is unable to support itself through advertising, then you'll
need to pay for it. The commercial VPN vendors are more reliable and have far
better security, privacy and performance than the free alternatives.

I've been a paying customer of <https://www.tunnelr.com> for over a year, and
really enjoy their service. I'm on friendly terms through email with the two
founders, Daniel and Jared, so I'm probably guilty of some sock puppetry or
fanboyism. They also run the "devio.us" free shell provider service which is
very impressive.

The thing to realize is the people responsible for controlling the network you
are on and enforcing the restrictions probably have a way out of their own. It
could be that their "day job" gives them access to the "other" side of their
censorship filters, or possibly they've left a few holes here and there that
they can use to by-pass their own filtering system. If the latter, it's
probably done with a VPN of some sort.

In the case of a good commercial service like tunnelr.com, you don't need to
worry too much about figuring out where things were left open.

Typically, if UDP traffic is found going to port 53, most people expect it to
be DNS lookups from client systems. Again typically, if TCP traffic is going
to port 53, most people expect it to be DNS lookups done by DNS servers. Of
course, if you see TCP traffic going to port 80, you'd expect it to be going
to a web server...

The common expectations are not "wrong" in most situations, but these
expectations _can_ be wrong if things are configured differently.

In the case of good VPN services, things are configured differently!

For example, I can use TCP and connect to port 80 but establish an SSH
connection, or use UDP and connect to port 53 but establish an OpenVPN
connection.

This kind of trickery will not fool filters with the capacity to do "Deep
Packet Inspection" ("DPI" e.g. protocol profiling), but the vast majority of
filtering tech out there can't do deep packet inspection all of the time. It
requires too much computation to be effective on fully saturated links, so it
slows things down terribly. There are a few products out there that can do DPI
at "wire-line" speeds, but they are hellishly expensive and fairly difficult
to manage properly.

BTW, if you go the SSH route, check out dsocks by Dug Song. It runs on most
UNIX systems, on MacOS, and on MS-Windows through cygwin.

EDIT: I totally forgot about the countless payment options you have available
in Iran (i.e. none). If that's an issue for you, contact me privately (email
address is in my HN profile).
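
Added example, not part of the comment above or of any tool named in this thread: the port-versus-payload point as Python, classifying a flow by its first payload bytes, as protocol-profiling DPI or an egress monitor does, and flagging flows whose payload does not match what the port implies. The sample payloads are constructed, and the signature set and the names `classify` and `audit` are assumptions for illustration.

```python
import struct

# Protocol a port-only filter assumes for each (transport, port) pair.
EXPECTED = {("tcp", 22): "ssh", ("tcp", 80): "http", ("tcp", 443): "tls", ("udp", 53): "dns"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def looks_like_dns_query(p: bytes) -> bool:
    """Structural check: sane header, one question, well-formed QNAME."""
    if len(p) < 17:                      # 12-byte header + root label + QTYPE/QCLASS
        return False
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", p[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qd != 1 or an or ns:
        return False                     # not a standard query carrying one question
    i = 12
    while i < len(p) and 0 < p[i] <= 63:  # walk QNAME labels (max 63 bytes each)
        i += 1 + p[i]
    return i < len(p) and p[i] == 0 and len(p) >= i + 5

def classify(transport: str, payload: bytes) -> str:
    """Identify the protocol from the first payload bytes, ignoring the port."""
    if transport == "tcp":
        if payload.startswith(b"SSH-"):                  # RFC 4253 identification string
            return "ssh"
        if payload.startswith(HTTP_METHODS):
            return "http"
        if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
            return "tls"                                 # TLS handshake record header
    elif transport == "udp":
        if looks_like_dns_query(payload):
            return "dns"
        if len(payload) >= 14 and payload[0] == 0x38:    # OpenVPN hard-reset-client v2, key id 0
            return "openvpn"
    return "unknown"

def audit(flows):
    """Return (transport, port, expected, observed) for each port/payload mismatch."""
    return [(t, port, EXPECTED[(t, port)], seen) for t, port, p in flows
            if (t, port) in EXPECTED and (seen := classify(t, p)) != EXPECTED[(t, port)]]

# Constructed first-packet payloads (not captured traffic).
DNS_QUERY = (struct.pack("!6H", 0x1A2B, 0x0100, 1, 0, 0, 0)
             + b"\x07example\x03org\x00" + struct.pack("!2H", 1, 1))
FLOWS = [
    ("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("tcp", 80, b"SSH-2.0-OpenSSH_5.9\r\n"),
    ("udp", 53, DNS_QUERY),
    ("udp", 53, b"\x38" + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00"),
]
if __name__ == "__main__":
    print(audit(FLOWS))
```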

~~~
mrud
But DPI is used in Iran and just using different ports does _not_ help

~~~
jcr
Do you have any supporting data for your statement?

I'm not trying to be an ass by asking; I'm actually curious, but testing it
myself (American) is not particularly smart.

Anyhow, if DPI is in place and at wire-speed (rare, but would cover
everything), then the answer is obvious; ssh over http. It can be done with
gothard [1] and corkscrew [2].

[1] <http://www.nazgul.ch/dev.html> [2] <http://www.agroman.net/corkscrew/>

~~~
mrud
Only from the TOR guys:

- <https://blog.torproject.org/blog/iran-blocks-tor-tor-releases-same-day-fix>
Iran detects ssl parameters and blocks suspicious connections
(they based it on the expiry time of the session certificates)

- <http://www.telegraph.co.uk/news/worldnews/middleeast/iran/8388484/Iran-cracks-down-on-web-dissident-technology.html>

- <http://www.christopher-parsons.com/blog/technology/is-iran-now-actually-using-deep-packet-inspection/>

Btw. it is not only Iran running country wide DPI - have a look at
<http://www.youtube.com/watch?v=DX46Qv_b7F4> about the different techniques
currently used to block/prevent access to VPNs/Tor etc.

(edit: added some additional links)

~~~
jcr
thank you!

------
jacklei
aaawwwww mannn... :(

------
rorrr
So no more online banking, no more credit cards? Whatever businesses they have
are fucked, when it comes to secure communication.

