Iran Shuts Down Major Websites and Https Protocol
399 points by Sara70 on Feb 10, 2012 | 146 comments
I'm writing this to report the serious trouble we are having accessing the Internet in Iran at the moment. Since Thursday the Iranian government has shut down the https protocol, which has caused almost all Google services (Gmail, and google.com itself) to become inaccessible. Almost all websites that rely on Google APIs (like Wolfram Alpha) won't work. Accessing any website that relies on https is impossible (just imagine how many websites use this protocol, from the Arch Wiki to bank websites). Accessing many proxies is also impossible. There are almost no official reports on this, and with many websites and my email accounts restricted I can only confirm this based on my own and my friends' experience. I have just found one report here:


The reason for this horrible shutdown is that the Iranian regime celebrates 1979 Islamic revolution tomorrow.

I just wanted to let you guys know about this. If you have any solution regarding bypassing this restriction please help!

I haven't checked yet whether they're using layer 7 filtering or just blocking ports, but assuming it was a lame combination of the two, you can try tunneling through HTTP on port 80.

Download proxytunnel and follow this guide to set up Apache (or whatever server you prefer) to http proxy ssh connections to port 22: http://dag.wieers.com/howto/ssh-http-tunneling/

Then run ssh with proxytunnel as the ProxyCommand (as shown in the guide). It will make a plaintext HTTP connection, request a CONNECT yoursite.com:22, and if they aren't inspecting "too deep" you should be able to get an ssh connection.

If that doesn't work there's always icmp tunneling (hans), dns tunneling (iodine), and various other options. See if you can make a udp connection over port 53 to a remote host and transmit non-DNS packets; if they aren't intercepting DNS traffic, just make an openvpn udp connection over port 53 for your tunnel.

I actually have a whole paper on circumventing captive portals and firewalls and a crappy tool to probe them if anyone wants it.

Oh yeah, and if anyone in Iran wants to test it you can use my vps to test. 'ssh -o ProxyCommand="proxytunnel -p syw4e.info:80 -d syw4e.info:22" -v'. See if it does an SSH handshake. If it does, you can use this tunneling method. Also try the icmp/dns/openvpn, though. To see if DNS is not being intercepted, run 'dig +short www.google.com @syw4e.info' (or 'nslookup www.google.com syw4e.info' from windows). If it returns "", you were communicating directly with my nameserver and you should be able to tunnel openvpn to a remote box on port 53.

I'll have to find the paper and clean it up a bit, but e-mail me and i'll send it when I find it and i'll post it on here. It's not amazing or anything, mostly just a talk with references to tools and articles and common flaws in captive portals.

I would love to read that paper.

Link? :)

I live in Iran.

The fact about the shutdown is correct. I would also add that secure connections to servers inside Iran are possible. I've tried some, and they work. But trying to connect to services like GitHub and PivotalTracker, which we rely on in our startup, results in no response.

Also I will note that the ssh protocol is the same. I can ssh into my university machine (inside Iran) but I can't access my rackspace VPS with ssh for example.

One thing to add is that `Sara70`, the creator of this thread, mentions an unrelated reason for this ("The reason for this horrible shutdown is that the Iranian regime celebrates 1979 Islamic revolution tomorrow."), which is wrong.

Here nobody officially said anything about this. But as this shutdown is getting more attention in the media, I suspect this issue to get resolved soon.

>One thing to add is that `Sara70` creator of this thread, mentions some non-related reason for this (The reason for this horrible shutdown is that the Iranian regime celebrates 1979 Islamic revolution tomorrow.) which is wrong.

How do you know this?

I ask the same. How does she know this?

I know this because this trend (shutting down secure network protocols) started, on and off, about a year ago.

As I understand it, that was slowing down (like 10x) of SSL, not disabling it completely. It could have simply been a live test of the mechanism they're using right now, and they could be deploying the mechanism right now because of the anniversary. (Or because of Kim Jong-Un's death ;-)

Are you inside Iran right now?


I'm grateful for the Tunisian revolution. Internet Censorship (including ports disable) is at 0. The court justice has ordered to censor a few pages (because of some reasons) but the Global Internet provider in the country did not accept. The head of this agency is also working that the law prohibits any kind of censorship for any reasons. He was responsible for censoring content in the Ben Ali era, but he now thinks that it just doesn't make sense.

The problem is, with the people (in the court or the gov.) who don't understand how the Internet works.

I'm not seeing much bad news coming out of Tunisia post revolution. I'm tempted to visit it.

It's relatively stable. Politically, it's fine. Economically it is struggling, but not much. Prices for tourists should be reduced as Andy mentioned since it's the recession for hotels and agencies.

Internet is pretty slow (I use a 3G which runs on around 1Mb/sec and costs around $20/month), the infrastructure is poor, the people are either struggling or confused how all these structural problems could get solved.

Not a great place to be in, honestly. If you are in Europe and looking for some sun, then maybe it's a deal for you considering the cost.

If you happen to travel here, I added my phone number. I'm moving to the capital this summer, and if I happen to purchase a car, I'll take you on a free drive around the capital and Hammamet.

I did last October, from the UK. Cracking price.

The one main memory I have is leaving my iPhone, with my hotel room key-card inside the case, in a Taxi.

The driver searched for me for 30 minutes to return it. Great people, and I love the barter culture.

TOR has a blog post up about exactly what they've been able to determine about what Iran is doing:


Regarding HTTPS, it appears they detect and disrupt the SSL handshake.

For those who can't access TOR's site, it may be useful to quote their post in full:

“Over the past two days we've been hearing from, and working with, a number of Iranians having difficulty using Tor from inside Iran. It seems the Iranian government has ramped up censorship in three ways: deep packet inspection (dpi) of SSL traffic, selective blocking of IP Address and TCP port combinations, and some keyword filtering. For instance, they have partially blocked access to Tor's website, torproject.org, via IP address (such as and port 443 (which is the HTTPS port). The third level of blocking is by keywords, such as searching for the word 'tor' via regular, non-encrypted search engine websites.

The blocks on SSL are not complete and not nationwide. Where blocking is in place, initial investigations show they are identifying the beginning of the SSL handshake and simply interrupting the handshake. We continue to research and investigate solutions with the assumption that SSL will eventually be blocked nationwide inside Iran. Our goal is to defeat their dpi signatures and allow tor to work by default.

The Iran Media Program has posted their thoughts on what is happening from a journalist's perspective.

So far, it seems the majority of Tor users are not affected by these blocks. Iran is still the #2 country based on direct usage, https://metrics.torproject.org/users.html?graph=direct-users.... This number is on the decline, however.

More details to follow as we have them.”

“Update 2011-02-10 18:05 UTC: We are working on making our obfuscating proxy more stable and easier to deploy. If you can compile code, following these directions will help. We're also working on Amazon EC2 instances of obfsproxy for point and click deployment.”

“these directions” links to an email from Jacob Appelbaum:


“ [tor-talk] Help users in Iran reach the internet

Fri Feb 10 11:41:50 UTC 2012


In the last 48 hours a major campaign of filtering has started in Iran - it started slowly and it now appears that nearly all SSL/TLS traffic is blocked on a few major Iranian ISPs. Details are rather rough but we're working on some solutions - we've long had an ace up our sleeves for this exact moment in the arms race but it's perhaps come while the User Interface edges are a bit rough still.

Here's the deal - we need people to run Tor bridges but a special kind of Tor bridge, one that does a kind of traffic camouflaging - we call it an obfuscated bridge. It's not easy to set up just yet because we were not ready to deploy this for everyone yet; it lacks a lot of analysis and it might even only last for a few days at the rate the arms race is progressing, if you could call it progress.

There are highly technical instructions here: https://www.torproject.org/projects/obfsproxy-instructions.h...

Currently if you run such a bridge, you'll either need to manually tell us (via email to tor-assistants at torproject.org ) about it or you'll need to share these bridges with people you want to help directly. It's a pain and we're working on it.

Here's a bug report where we're working around the clock to get stuff going in a user friendly manner: https://trac.torproject.org/projects/tor/ticket/5009#comment...

This kind of help is not for the technically faint of heart but it's absolutely needed for people in Iran, right now. It's likely that more than ~50,000 - ~60,000 Tor users may drop offline.

Watch this graph for an idea of the censorship impact of directly connecting Tor users: https://metrics.torproject.org/users.html?graph=direct-users...

Here's the same graph but for Tor bridge users in Iran: https://metrics.torproject.org/users.html?graph=bridge-users...

We're working on easy to use client software and if you're in Iran or need one desperately, please email help at rt.torproject.org. We'll try to get you a working obfsproxy bridge address and working client software.

All the best, Jacob ”

FYI, Jacob Appelbaum just asked[1] people to set up TOR bridges using a new protocol called obfsproxy[2].

1: https://twitter.com/#!/ioerror/status/167922546807812096

2: https://www.torproject.org/projects/obfsproxy-instructions.h...

I would be willing to set up a bridge but how can we get the bridge IPs to those who need them?

See https://lists.torproject.org/pipermail/tor-talk/2012-Februar...

Currently if you run such a bridge, you'll either need to manually tell us (via email to tor-assistants at torproject.org ) about it or you'll need to share these bridges with people you want to help directly. It's a pain and we're working on it.

Would a TOR exit relay be better than a bridge?

In general, yes. In this specific scenario, without the obfsproxy bridges, people in Iran may not be able to connect to TOR at all, in which case an exit node won't help them very much.

This is why good old analogue amateur or personal radio should still be a powerful force for people who are rebelling against their governments and corporate overlords.

The Internet is easy to kill, as are digital cell-based radio networks. Proper amateur radio is not.

Jamming is not that effective over a large area before anyone suggests that.

but it's easy to triangulate the broadcaster and take measures (imprison, torture, kill).

I lived through the communist era in Poland. Amateur radio stations were banned and prosecuted (you would go to jail), even possession of a CB radio was a crime. Things may be similar in Iran.

It's not that easy and there are simple anti-triangulation countermeasures you can use. It's possible to drop decoy transmitters/relays, which are easy enough to knock up and are cheap. You can also use refraction to "bounce" HF radio waves off the ionosphere to mask the source. You can scramble the signals. You can disguise the signals as legitimate but include carrier data. There are lots of ways of hiding what you are doing.

As usual, if you don't take precautions, that will happen.

Pirate radio stations were and still are common in the UK, particularly around London. They move around regularly and broadcast for short periods so it's hard to trace or predict a location.

The same conditions apply here.

Umm, you make it look like a trivial problem to solve, which IMHO is not the case when you take into account the fact that you risk life in prison or death. I'm from an ex-communist country where a lot of successful broadcasts happened; nevertheless, they always got identified at the end of the day - and then, guess what happened. When you are facing such restrictive conditions, even the signal itself is good cause to get you in trouble - no matter whether the information carried is understood/sniffed or not, bounced or not. The anti-triangulation measures you are talking about have IMHO no practical use as long as anyone on the other side is using mobile radio signal detectors. Or if you know about a real world application - I'd love to learn about it. Cheers

It's not trivial - but it's not insurmountable.

Regarding triangulation, it's about finding the source. The source is hard to track reliably if it moves, especially away from the detection devices or rapidly out of range. Try tracking a broadcast source from a vehicle driving around you in a circle. If it's omnidirectional you'd have to be in the line of sight. If there is interference across the band, the selectivity of the RDF receivers is compromised. Radio direction finding is surprisingly painful.

Hint: The anti-triangulation measures are actively used on Clansman radio sets.

Do you have more resources on that? Occasionally I think about the problem of censorship and free speech and wonder how to enable occupied people to report their plight. So far I could not think of a solution, because I assumed any kind of broadcasting would make the broadcaster an easy target. So what you say interests me (to be fair I am not building anything at the moment, and I am not a hardware person - yet).

Yes. You need to look up "Electronic Countermeasures". There are plenty of chunks of real info out there on it. Pretty much any form of it is plainly described despite the usual expectation that it's top secret or classified. There are handy forms of point to point encryption which can be easily used on paper and via voice as well. Nice read here on it: http://users.telenet.be/d.rijmenants/en/onetimepad.htm

Also, remember the general rule is that if the broadcaster can become a target, so can the oppressor.

When I finished my EE qual, I actually ended up working as an engineer for one of the more nefarious defense contractors. After about 2 years, I realised that what I was working on was engineering devices to watch people, to keep secrets and kill people. So I gave them the finger. My morals have kept me thinking about this for the last 20 years.

I came to the conclusion some time ago that I would not work to build devices to harm or spy upon people until it became a matter of doing so or being irresponsible to my family.

Rather work at a Taco Bell than write a censorship program.

A onetime pad would be a good example of something I would not like to have on me if got grabbed by some oppressive regime. That is the kind of problem I mean.

Tor is not a solution, because it could be found on your computer.

Radiowaves - I don't know, I would also expect them to be easily detectable, but I'll look it up.

A one time pad can be easily hidden amongst other text i.e. a book printing with some rules applied (third letter of every alternate sentence).

I think I saw this on Max Headroom.

I would guess that Internet without HTTPS and SSL is much more traceable than a radio. Also if the authorities don't know there is encrypted radio communication going on they would have hard time finding out about it

I'd imagine that in principle, any wireless communication with simple technology and therefore little infrastructure is still more robust than complex, wired technology with high infrastructure needs.

Sure, but it's uncommon and traceable, which means that if it becomes widely used by dissidents, that would be an excellent way of tracking them.

The internet may be easy to disable but to kill it is another ball game

Bits of it are easy to kill (at country level at least).

They control the physical network. As long as they have that control they will be able to do what they want. The only way to deal with these fuckers (not just Iran) is to collectively start using IPsec or something similar. The all-SSL movement is just the beginning. I'm sure every big service will try to encrypt its traffic more and more to protect itself from governments that try to criminalize their users.

Forcing countries like China, Iran and US to go into dark ages if they don't use the new all encrypted networks.

It's a shame that we are so paranoid as a species that we need to do that, but I don't see any other way.

I know this is extreme, but I don't want to see the freedom I enjoy right now taken away by these obsolete power hungry entities.

>Forcing countries like China, Iran and US to go into dark ages if they don't use the new all encrypted networks.

The problem is some governments would be perfectly happy with that. In fact for the most repressive ones it's a long-term goal.

China wants to create a separate internet for Chinese users and they're half way there. They have their own local censored versions of Google, Twitter and Facebook. Soon most internet users in China won't care if the rest of the internet disappears. Likewise for Iran, except they have been more open about it [1].

[1] http://online.wsj.com/article/SB1000142405274870488940457627...

Maybe but they'll lose the productivity gains from networked organizations and communities. China can grow a long way without those gains, but they'll eventually hit a wall.

>Maybe but they'll lose the productivity gains from networked organizations and communities

Absolutely, but the effect will not be huge in my opinion because of the language differences. All my Chinese friends here in the EU still mainly use Chinese language websites, most of which are based in China, especially the social networking ones.

Companies aren't going to manage inventory, customer relations or finance over open channels. So they'd reduce the gains from networking their own internal communications.

They could try to mitigate by rationing secure channels, or allowing them with backdoors, but this still sacrifices the spontaneous creativity of a truly open system.

You make a good point. It certainly would discourage or kill small businesses but, as you suggest, I'm sure larger more powerful ones will get special treatment (native ones particularly so). Considering China was willing to let Google leave the country it appears that the balance of power is shifting already.

I think that on the Internet TLS and SSL are fast approaching their sell-by dates [1].

We can do secure comms over HTTP - all it takes is a binary protocol like TLV, encrypting that, and implementing a well thought through approach to key management. Ideally something derived from the Needham-Schroeder protocol, but if we take on some lessons from PGP and the like, using timestamps instead of nonces.

The Internet is just a piece of wire - what travels across it is up to us. This goes back to the idea of building platforms rather than applications.

Maybe my ramblings here are a bit too much up in the clouds, but I think I'm going to build something that does secure comms over HTTP...

[1] Iran notwithstanding, the recent TrustWave snooping story shows that SSL is even losing its usefulness inside organisations! If you're interested, the story is here:


Deep packet inspection allows you to block any well known protocol.

TLV (http://en.wikipedia.org/wiki/Type-length-value) isn't recognisable as a protocol. It is something you'd have to hand-roll, i.e. serialize to. The resulting byte array would be encrypted using anything you like (I'm using RSACryptoServiceProvider), so it'd be unrecognisable to DPI.

Not being familiar with specific DPI implementations I would imagine if such filtering was white list -based then anything unrecognisable would be blocked?

The obvious workaround is to uuencode your TLV data and then wrap it in <HTML><PRE></PRE></HTML>. If it's properly formatted HTML, and the body isn't recognizable as, say, a ZIP file, DPI will pass it.

Granted, someone could do entropy detection, and e.g. pass only things that look statistically like valid English/Persian/etc. text. But that needs more compute power, and can be worked around as well using statistical methods similar to Huffman coding.

It'd be awesome to hear from someone with product experience.

My experience of DPI is limited to Tenix diodes (which are white-list based, and are more focused around stripping malicious code by converting known objects to another format, eg .jpg to .png and back, or Word to PDF and back), or McAfee's Secure Web (used to be Web Washer), which does URL filtering, SSL scanning, etc. Also white list based.

The DPI in the product I work on is blacklist- and standards-based. i.e. it involves actually parsing most common formats, making sure that they are valid documents with no out-of-bounds values that could cause e.g. buffer overflows, and blacklisting known attacks.

FWIW our product can do this very quickly (we sell a 1U which can inspect 8 Gb/s).

That sucks, in Pakistan they're banning websites left and right, most of the websites can be accessed with Proxy but I have to use VPN just to upload files now. It's not only the porn websites they're banning, websites like pastebin etc. are getting axed as well.

In short, if any website goes against their stupid and yes effed up ideals they will ban it. The ISP's can't do anything because they're forced to comply.

Forget ACTA or SOPA, these idiots just do whatever they wish.

Moreover, SSH has stopped working, too. But finally I found a way to circumvent it. A simple twist on the client side can simply bypass the filtering.

I wrote a simple script to do this, and I would like to share it with all of my countrymen:


To use it, just replace ssh command with issh like this:

issh user@hostname [other-ssh-options]

Ironically, I can't access your script (it's https!). I'd be thankful if you could just copy/paste it here.


Where is the link to the required changes? Binaries = scary. Also, an SSL link doesn't seem useful?

I took a look at it. It's not a binary. It's a python file (easily readable) that acts as a wrapper for ssh. Extract the contents of the tar.gz[1] for example to see it. It's great if it works because it apparently doesn't need changes to the remote ssh server.

[1] https://launchpad.net/~mohammad-sepent/+archive/ppa/+files/i...

Edit: Non SSL link: http://ppa.launchpad.net/mohammad-sepent/ppa/ubuntu/pool/mai...

Thanks for digging into this.

To install it under ubuntu:

sudo add-apt-repository ppa:mohammad-sepent/ppa

sudo apt-get update

sudo apt-get install issh

For other distros you can grab the .deb or the source package from the given link.

Almost all websites worth visiting are either blocked by the Iranian government or by US export laws (SourceForge, Google Code, ...), so people rely heavily on VPNs and proxies. One of the most used proxies is YourFreedom[1], which offers a special service for Iranian people (a free 512 kbps socks proxy). It sounds great, but unfortunately they have been compromised. About 10 months ago, I contacted them (they didn't respond, which makes me a little worried).

It looks like Iranian government uses a transparent proxy, so all connections to ems01.your-freedom.de (ems01 through ems24) first redirect to iran.ir and then go to YF's servers!

(YF is blocked right now, so I can't re-do this test right now. These images are from my email to YF 10 months ago)



A page accessed without a VPN/proxy: http://www.imeezo.com/v/images/98155525346546936123.png

The same page, but with a VPN: http://www.imeezo.com/v/images/30239946359511647325.png

In the third image, the response is from iran.ir's transparent proxy, not YF servers...

[1] your-freedom.de

I am really passionate about this problem. We are currently working on a VPN solution for consumers and I could dedicate some of our servers to developing a VPN that would work when governments shut down encrypted connections. Where should we start? Is it even feasible to do a secure tunnel hidden in normal traffic, undetected?

Undetected is the hard part; I'm not sure anyone currently has the cpu horsepower to analyze all traffic, but encrypted information has a high degree of entropy that is hard to hide even steganographically.


You can tunnel anything over anything. You'd just start with a generic URI to negotiate the secure connection before sending the real requests/responses.

Yes - Already looking at this HTTP tunnel (http://www.nocrew.org/software/httptunnel.html) that someone else posted here.

I am wondering whether this approach is better than the one someone else suggested - connecting to a streaming server (like OnLive) - I guess streaming server could be made more undetectable, but more expensive to run

If you can't believe that governments are using deep packet inspection and blocking access to popular sites, have a look at the 28C3 talk "How governments have tried to block Tor" - http://www.youtube.com/watch?v=DX46Qv_b7F4 - it covers different governments and how they tried to block access to the TOR network.

And here I was, about to ask HN to force SSL on the login page..

Please... don't. I have enough trouble with GitHub right now. Those guys enforce SSL not only on the login page, but on all pages - yesterday it took me 2 hours to clone a GitHub project (that was only 30k).

So it's time to grab our steganography handbooks and build a cute little animal picture channel patch for OpenSSH.

We Chinese use VPN or SSH port forwarding.

They drop all encrypted connections. Which means you can't even make a VPN or SSH connection.

Which basically means you need to do encryption in a manner that doesn't look like encryption, inside of something that's unencrypted. For example over DNS, inside of HTTP, or other protocols designed for moving code like RPC.

Maybe embed the cipher text in files for images, video or music?

Are there any solutions for web browsing like Onlive (http://www.onlive.co.uk/) does for video gaming? It would be significantly harder for them to datamine a video stream..

That is actually how the iOS Flash players like iSwifter and Photon work. It's just a video stream (seen from the weird MPEG compression artifacts) to a Linux VM running Firefox.

So would this not be ideal for getting through government censors?

My impression is that it could be ideal - but it needs much more bandwidth on the client side, as well as server side - making it expensive to run

But perhaps for sites which are static (in animation) and not interactive like gmail and other email systems it may perform well.

I realise ALL encryption handshakes are blocked, but maybe this might work.


You do need a server on the 'outside' though. (oh bugger, github uses https)

Hello! You can use encrypted Secure SMS for Android. The app is free, and available at: https://market.android.com/details?id=com.atomcloud.metrobud...

The instruction manual is at: http://web.atomcloud.com/apps/metrobuddy-secure-sms

The app needs no licensing, so it can be passed from phone to phone via SD card. Good luck!

Is it possible to bypass their physical network altogether? For example, is satellite Internet available/legal over Iran?

Satellite dishes are illegal in Iran.

Most posts here are about tunneling, which is akin to whacking a mole and not a solution.

The only solution is in space, or a mesh net run by citizens, http://www.reddit.com/r/darknetplan/

Maybe http://m.gmail.com ?

What about ssh tunneling over an alternate port?

Gosh I cannot believe governments that do this to their people.

I wonder if they are ironically using American engineered equipment and software to do the block too.

> I wonder if they are ironically using American engineered equipment and software to do the block too.

What exactly would be the irony of it? Iran doesn't forbid buying US products and services, it's the other way around.

They drop ALL encrypted connections. You cannot even make a normal ssh connection, since they drop the connection during handshake. (SSH has been disabled for a few months)

What about ssh over port 80? I realize that would have to be set up in advance from outside the country, but the question is are they using port numbers to aid in their filtering or deep packet inspection?

If they are dropping all encrypted connections, it doesn't matter what port you use for ssh, it'll be dropped.

How do they know it's encrypted? I mean would they block something that looks like gibberish but was plain text over port 80?

I like that idea. You could encode a block of octets with plain words. "\xC3\x08\x00\x23\xFA" would then actually travel on the wire as "Was named prefer to use the other especially in, every cast a chuckle on neithout getting. Into useful informash speech makes removing a featuring a move or usage actual considered!", and be decoded back at the other end. You'd have to use common words so it looks as innocuous as possible.
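To make the entropy-detection concern raised earlier in the thread and this comment's "octets as words" idea concrete, here is an added example (not code from the thread, with constructed sample payloads): a Shannon-entropy heuristic of the kind a DPI box might use to flag ciphertext, and a toy word codec showing why such a heuristic is easy to miss with. The word list and the 7.0 bits/byte threshold are assumptions for the example.

```python
import math
import random
from collections import Counter

# Sixteen common words; each byte is sent as two words (high nibble, low nibble).
# Constructed for this example, not the encoding proposed in the thread.
WORDS = ["the", "and", "for", "with", "that", "this", "from", "have",
         "will", "you", "not", "are", "but", "all", "one", "can"]
NIBBLE = {w: i for i, w in enumerate(WORDS)}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload; uniformly random bytes score 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """The naive DPI heuristic: flag payloads whose entropy is near the maximum."""
    return shannon_entropy(data) >= threshold


def words_encode(data: bytes) -> str:
    """Encode each byte as two common words, so the wire text reads like prose."""
    return " ".join(f"{WORDS[b >> 4]} {WORDS[b & 0x0F]}" for b in data)


def words_decode(text: str) -> bytes:
    """Reverse words_encode; raises ValueError on an unknown word or odd word count."""
    toks = text.split()
    if len(toks) % 2:
        raise ValueError("odd number of words")
    try:
        return bytes((NIBBLE[toks[i]] << 4) | NIBBLE[toks[i + 1]]
                     for i in range(0, len(toks), 2))
    except KeyError as exc:
        raise ValueError(f"unknown word {exc}") from None


# Constructed samples: an HTML page body, and 512 bytes from a seeded generator
# standing in for ciphertext (good ciphertext is indistinguishable from random).
HTML_SAMPLE = (b"<html><body>"
               + b"<p>The quick brown fox jumps over the lazy dog.</p>" * 8
               + b"</body></html>")
_rng = random.Random(2012)
CIPHERTEXT_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(512))


def demo() -> dict:
    """Entropy of each payload, whether the heuristic flags it, and the size cost."""
    encoded = words_encode(CIPHERTEXT_SAMPLE).encode("ascii")
    return {
        "html": (round(shannon_entropy(HTML_SAMPLE), 2), looks_encrypted(HTML_SAMPLE)),
        "ciphertext": (round(shannon_entropy(CIPHERTEXT_SAMPLE), 2),
                       looks_encrypted(CIPHERTEXT_SAMPLE)),
        "ciphertext_as_words": (round(shannon_entropy(encoded), 2), looks_encrypted(encoded)),
        "expansion": len(encoded) / len(CIPHERTEXT_SAMPLE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The ciphertext sample is flagged, the same bytes as words are not, and the price is roughly an eightfold expansion; a detector that models word statistics rather than byte entropy would need considerably more compute, which is the trade-off the thread discusses.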

I doubt you'd need to go to such lengths, otherwise you wouldn't be able to transmit binary data such as images, either.


That is why I asked the question.

They drop all secure connections. For security reasons, I had to access a VPS on port 33 (instead of 22), and in the past couple months I've been unable to do so.

That's an interesting data point, but port 33 is rarely used so deep packet inspection is still relatively cheap. I'd really like someone to test on port 80, then I'd believe that it's 100% coverage with deep packet inspection.

They have to be using ports. Deep packet inspection is far too expensive to do on a massive scale.

Maybe http://m.gmail.com ?

If they are blocking https traffic, they are almost certainly intercepting and scanning http traffic (lots of countries do this, e.g. lots of UK ISPs did this to censor wikipedia).

So, even if you were to be able to access gmail over http, you probably don't want to. :)

What parts of Wikipedia did they censor? Quite interested in that.

The article Virgin Killer was blocked for four days because of "child pornography".



Thanks for the info!

I'm guessing it's this case he's referring to: http://www.theregister.co.uk/2008/12/07/brit_isps_censor_wik...

I guess wikileaks, not wikipedia

Nope wikipedia. Over 'Child porn' images

Do SOCKS proxies work at all? One can test if they work. Xroxy.org is a good place to start. Email me at admin(at)alkasir.com to send you free socks proxy servers for testing.

No, they don't.

But thanks for the offer.

I've tested this as of today (2/10) and have technical details of exactly what filtering is going on, and what isn't.

tl;dr: Iran gov't is the actor, not ISPs; filtering most but not all SSL in a couple different ways; specific targeting of privacy tools & Google.

See here (will be updating it soon w/ more): https://plus.google.com/u/0/103112149634414554669/posts/PT3e...

Is Tor still working?

I used to use Tor with firefox before but with my internet connection it was very slow.

Sadly from what I know, that's because of the lack of nodes. But you can volunteer!


Would it be possible to DDoS the deep-packet-inspecting routers with fake SSL handshake requests, or some partial part of it? Sort of like a TCP-SYN attack at the SSL level, and force them to give up DPI?

In other words, if we know that they are cutting off the handshake at the ServerKeyExchange phase, for example, couldn't we generate a large amount of fake SSL traffic that stops one step before that, and cause the router to hang?

That would only work if the filter was an endpoint. The filter isn't making SSL connections, so it doesn't care if the other side stops mid-transaction. All it has to do is look at the headers and drop packets with the target SSL handshake header.

The invasion of Iran has been planned for many years. The occupation of the two countries immediately to the west and east of Iran were preliminary steps in the same long term military campaign.

I assume that this level of internet censorship will go away because it is playing into the hands of Western imperial propagandists who are working hard to "justify" or motivate the next major invasion.

Does anyone know how they "shut down https"?

They drop all encrypted connections. This means no https, no IMAP over TLS and no SSH connections. (I'm in Iran)

So where would one find SSL over http implementation? You know, you send your usual POST to a proxy, only the body would be an actual request. Whole handshake could probably be done like this. Not even the proxy would (wouldn't have to) know the content. Encrypted body could be translated to valid XML for extra effect.

I was just googling this and it looks like http://www.nocrew.org/software/httptunnel.html could handle that use case. (Another interesting idea I saw was to steg the data in cat pictures sent normally. I'm not sure if cat pictures are as big in Iran as in the US though such that even user-level analysis wouldn't be too suspicious if there's a ton of cats.)

I see three problems. The first one is that the Iranians would have to have their own JPEG images to sit in an "uploads" directory on the client, since what you're proposing is a very broad-scale steganography attack. (Or else we'd need a procedural way to generate a great number of images which look indistinguishable from real traffic that you might want to send. In any case we risk that the censors block image uploads and form POSTs.)

Second is, I'm not sure anyone has yet connected steganography with public-key cryptography, but it really does have to be done that way for plausible deniability, otherwise you can just look inside the packets. So, inside the first JPEG linked from index.html there is steganographically hidden a 2048-bit RSA public key, and communication consists of uploading steganographic requests of the form encrypt(public_key, shared_key) | encrypt(shared_key, request). The first segment, the server knows should be 2048 bits = 256 bytes long. My bsencode project (https://github.com/drostie/bsencode) might be useful for formatting the data-to-be-encrypted; you need to transmit something like 32 bytes for a key, 16 bytes for a nonce, 32 bytes of predictable plain text so that the server knows that the request is intentional, perhaps 16 bytes of unrelated randomness just to give the RSA packet some extra entropy, and perhaps we could already specify some aspects of the protocol and intended query in the header as well. The 256 bytes would be plenty to contain an entire handshake.

However, you would have to think long and hard about how the public key is encoded, since it's a two-part data structure and either part -- or the glue -- could "leak" the fact to an adversary able to do basic data-processing that there is an RSA key hiding in plain sight. Also the access pattern might leak this info -- how many places do you know which are important enough that Iranian citizens should have access to them, but follow a predictable pattern of "download HTML, download image, upload image"? The last part is the unique part; uploading images and lots of text is relatively uncommon.

The third problem that I see is the interaction problem: Iran can guess at steganography by its access pattern, lots of large HTTP uploads followed by HTTP downloads -- but it can then confirm the guess by sending its own requests to the same server and validating that it gets valid responses back. So you can target the system by simply trying to use it.

This last problem is much harder, I think. One obvious solution is to only handle one client at a time -- but that is dangerous because it paves the way for denial of service attacks from the government; they just take download of index.html followed by a GET request for a JPEG and try to send their own steganographic request, tying that server up with respect to real traffic.

Mounting a good steganographic attack against the people who run the communications infrastructure is going to be very difficult indeed.

What you're thinking of is a covert channel [1]. There is a bunch of them, but check out iodine [2]

[1] http://en.wikipedia.org/wiki/Covert_channel [2] http://code.kryo.se/iodine/

I personally use ProxyTunnel which does the same for SSH. There are other ways for bypassing their filter, but nothing that would work for everyone.

How do they distinguish an encrypted connection from a non-encrypted connection? How do they know those indecipherable bits are an encrypted message vs. a part of an image or video? I suspect they just block domains and IPs and common ports or they sniff for common handshakes and key exchanges and kill those.

It works at different levels. First, they try to drop the connection during handshake (which is NOT encrypted yet). This works effectively. SSH has been taken down using this technique for a few months.

They also shape the bandwidth of encrypted connections. My guess is that they use something like L7 to guess the type-of-connection using different patterns.

Headers are encrypted too. Easy to decide I guess.

Is it just by port, or do they detect SSL traffic at any port, and then block it?

They have packet inspection and detect encrypted traffic on any port.

So it sounds like you need a tool that adds low-entropy content to encrypted traffic to make it appear as if it's unencrypted?

What unencrypted protocols are allowed / common?

Is their filtering on a per TCP port basis? Or more advanced packet inspection?

I guess they block all SSL connections, or at least all those targeting unknown (non government-approved) hosts.

Probably means port 443 is blocked.

Way more sophisticated than that. See http://news.ycombinator.com/item?id=3575269

Typically deep packet inspection. http://www.youtube.com/watch?v=DX46Qv_b7F4 covers techniques different governments are using and the countermeasures deployed by Tor.

All the companies who provide censorship know-how to Iran should be banned forever.

To download Hotspot Shield, TOR or Ultrasurf

Visit http://www.unblocker.co.nr or http://www.proxysoftwares.co.nr

Shutting down the borders in advance of military action. They don't want sensitive data getting out.

Any update from Iranian users on the current situation? Are the blockages still in force? I covered this issue for Ars Technica on Friday: http://arst.ch/sg1 and would like to be able to provide an update. Thanks.

Would running through a socat tunnel (http://freecode.com/projects/socat) defeat the DPI?

If yes, you could setup a tunnel on port 80 and then run openvpn through it.

I did this for a friend in China and it worked.

Pure speculation here, but would it be possible to use some kind of exotic Content-encoding HTTP header to avoid the DPI checks?

Of course it would also have to be implemented on the server-side but that's another problem.


Just to let you know that I used that when I was in a "not-really-freedom-friendly country" =)


Slow but works =)

Can you get a virtual server with SSH running on port 80?

As it so happens, I've spent the last day trying to break in through the technical restrictions of a regime from the outside. There is a country with a very oppressive government that prevents outsiders from observing them. It's a tiny island monarchy that doesn't matter much in the grand scheme of things, but you may have heard of them; it's called the "United Kingdom" or "Great Britain" or whatever.

If you don't live within their control, they don't want you to see the propaganda they put out on their "British Broadcasting Corporation" (BBC) television stations and web site. Needless to say, there are ways around their entirely pointless technical restrictions.

(Note_To_Self: As a somewhat dyslexic person, I'll never forgive patio11 for nick-naming his product "BCC").

I would like to say that by-passing government sanctioned Internet restrictions is simple and easy, but it's not true. Doing it safely can be impossible at times, and considering the rather severe punishments for getting caught (i.e. death), it may not be the smartest choice you could make. If you want to take your chances, there are often technically possible ways to by-pass the restrictions. It's not easy, and it may not be entirely safe, but usually, it is technically possible.

There are free solutions out there like Tor ("The Onion Router" https://www.torproject.org/), but they mostly suck. If you don't believe me, then just try using them. The other problem with the free solutions is a lot of government filtering knows about them and adjusts accordingly (when possible). There is also a lot of monitoring and profiling done on the traffic on the free solutions like Tor since the traffic is interesting.

If you need a solution that sucks less, you'll need to pay for it. As much as many would like to believe otherwise, bandwidth and servers are not free, so when a service is unable to support itself through advertising, then you'll need to pay for it. The commercial VPN vendors are more reliable and have far better security, privacy and performance than the free alternatives.

I've been a paying customer of https://www.tunnelr.com for over a year, and really enjoy their service. I'm on friendly terms through email with the two founders, Daniel and Jared, so I'm probably guilty of some sock puppetry or fanboyism. They also run the "devio.us" free shell provider service which is very impressive.

The thing to realize is the people responsible for controlling the network you are on and enforcing the restrictions probably have a way out of their own. It could be that their "day job" gives them access to the "other" side of their censorship filters, or possibly they've left a few holes here and there that they can use to by-pass their own filtering system. If the latter, it's probably done with a VPN of some sort.

In the case of a good commercial service like tunnelr.com, you don't need to worry too much about figuring out where things were left open.

Typically, if UDP traffic is found going to port 53, most people expect it to be DNS lookups from client systems. Again typically, if TCP traffic is going to port 53, most people expect it to be DNS lookups done by DNS servers. Of course, if you see TCP traffic going to port 80, you'd expect it to be going to a web server...

The common expectations are not "wrong" in most situations, but these expectations can be wrong if things are configured differently.

In the case of good VPN services, things are configured differently!

For example, I can use TCP and connect to port 80 but establish a SSH connection, or use UDP and connect to port 53 but establish an OpenVPN connection.

This kind of trickery will not fool filters with the capacity to do "Deep Packet Inspection" ("DPI" e.g. protocol profiling), but the vast majority of filtering tech out there can't do deep packet inspection all of the time. It requires too much computation to be effective on fully saturated links, so it slows things down terribly. There are a few products out there that can do DPI at "wire-line" speeds, but they are hellishly expensive and fairly difficult to manage properly.

BTW, if you go the SSH route, check out dsocks by Dug Song. It runs on most UNIX systems, on MacOS, and on MS-Windows through cygwin.

EDIT: I totally forgot about the countless payment options you have available in Iran (i.e. none). If that's an issue for you, contact me privately (email address is in my HN profile).
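The port-versus-content distinction in the comment above, and the earlier questions about how a filter tells an encrypted stream from an image or a plaintext protocol, come down to what a classifier can read in the first unencrypted bytes of a connection. The following Python is an added illustration, not code from the thread or from any commenter: it names a protocol from its opening bytes (TLS handshake record, SSH banner, HTTP request line, JPEG marker) and falls back to a byte-entropy estimate, then compares a port-only verdict with a content-based one. All sample stream openings are constructed inline.

```python
import math
from collections import Counter

# Constructed sample stream openings (port, first bytes); not real captures.
SAMPLES = {
    "tls_443": (443, b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 32),
    "ssh_on_80": (80, b"SSH-2.0-OpenSSH_5.9\r\n"),
    "http_on_80": (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "jpeg_on_80": (80, b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256))),
    "opaque_on_80": (80, bytes(range(255, -1, -1))),  # no recognisable header at all
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for encrypted or compressed data, well below 7 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_stream(first_bytes: bytes) -> str:
    """Name the protocol from its opening bytes alone, ignoring the TCP port.

    TLS is recognised by the handshake record header (type 0x16, version 0x03 0x0X)
    followed by a ClientHello (handshake type 0x01): this part of the connection is
    sent in the clear, so a filter can act on it before any key exchange completes.
    """
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls-client-hello"
    if first_bytes.startswith((b"SSH-2.0-", b"SSH-1.99-")):  # RFC 4253 banner
        return "ssh"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT"):
        return "http"
    if first_bytes.startswith(b"\xff\xd8\xff"):  # JPEG SOI marker: opaque but known
        return "jpeg"
    if shannon_entropy(first_bytes) > 7.0:
        return "high-entropy"  # no known header and statistically looks encrypted
    return "plaintext-unknown"

def verdicts(port: int, first_bytes: bytes) -> tuple:
    """(port-only verdict, content-based verdict) under a 'no encrypted streams' policy."""
    by_port = "block" if port in (22, 443) else "allow"
    by_content = ("block" if classify_stream(first_bytes)
                  in ("tls-client-hello", "ssh", "high-entropy") else "allow")
    return by_port, by_content

if __name__ == "__main__":
    for name, (port, data) in SAMPLES.items():
        print(f"{name:13} port {port:3}  {classify_stream(data):17} "
              f"entropy={shannon_entropy(data):.2f}  port/content={verdicts(port, data)}")
```

SSH on port 80 passes the port check but not the content check, while the JPEG is high-entropy yet identifiable by its marker, which is why a header-aware classifier does not need to drop every opaque byte stream.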

> If you don't live within their control, they don't want you to see the propaganda they put out on their "British Broadcasting Corporation" (BBC) television stations and web site.

You mean you don't pay for the TV license since you're not in the UK and you complain that you can't watch their tv? Shocking...

I really don't understand your approach to this - propaganda? restrictions of a regime? very oppressive? There are some things I disagree with in the UK, but you're trying to watch a TV channel they want to get paid for. It's that simple - there's no point in dragging politics into this one. I'm definitely against silly country filtering using geoip on services that don't allow other means of access, but in the context of what's happening in other countries, let's not call it "oppressive", please.

But DPI is used in Iran and just using different ports does _not_ help

Do you have any supporting data for your statement?

I'm not trying to be an ass by asking; I'm actually curious, but testing it myself (American) is not particularly smart.

Anyhow, if DPI is in place and at wire-speed (rare, but would cover everything), then the answer is obvious; ssh over http. It can be done with gothard [1] and corkscrew [2].

[1] http://www.nazgul.ch/dev.html [2] http://www.agroman.net/corkscrew/

Only from the TOR guys:

- https://blog.torproject.org/blog/iran-blocks-tor-tor-release... Iran detects SSL parameters and blocks suspicious connections (they based it on the expiry time of the session certificates)

- http://www.telegraph.co.uk/news/worldnews/middleeast/iran/83...

- http://www.christopher-parsons.com/blog/technology/is-iran-n...

Btw. it is not only Iran running country wide DPI - have a look at http://www.youtube.com/watch?v=DX46Qv_b7F4 about the different techniques currently used to block/prevent access to VPNs/Tor etc.

(edit: added some additional links)

thank you!

Here's a presentation I gave a couple of years ago about research I performed to demonstrate exactly this:


> There are a few products out there that can do DPI at "wire-line" speeds, but they are hellishly expensive and fairly difficult to manage properly

True, but wouldn't you expect a repressive regime to be able to afford such equipment? The original post talks about Iran, which probably places more emphasis on blocking traffic than the UK.

aaawwwww mannn... :(

So no more online banking, no more credit cards? Whatever businesses they have are fucked, when it comes to secure communication.
