tor censorship 2012, ooni
DESCRIPTION
A summary of Tor Censorship in the first half of 2012 and the OONI project. Talk given at Hackmeeting 0x0F 2012 in L'Aquila.
TRANSCRIPT
Tor and Censorship
How governments have censored Tor and how packets are set free.
Saturday, June 30, 12
$ whoami
• Arturo `hellais` Filastò
• Tor Project hacker
• Random GlobaLeaks Developer
• I develop Free Software for Freedom
Surveillance
• Censorship is a subset of surveillance
• If you are censoring something you are surveilling everything
“The Net interprets censorship as damage and routes around it.”
- John Gilmore; TIME magazine (6 December 1993)
What is Internet Filtering?
• It is a form of non-democratic oppression of people
• It allows those in power to subvert reality
FilterNet
• It’s a distortion of what the internet really is.
• Follows the subjectiveness of the authorities
• This does not help humanity
There is no just censorship.
• Internet filtering is happening in China, Iran, Syria, but also in Italy, UK, Netherlands.
• The only solution to what some consider wrong information is more information.
Tor and Censorship
• Tor was born as an anonymity tool
• Censorship circumvention was a side effect
Brief Timeline of Tor Censorship
• 2002 - The Source code for Tor is released
• 2006, April - Thailand - DNS Filtering of tpo
• 2006 - Websense/netfilter - Block Tor based on Tor GET requests
• 2007 - Iran, Saudi - Blocks Tor thanks to Websense
• 2009, Iran throttles SSL
• 2009, Tunisia - Smartfilter to block all except 443, 80
• 2009, China blocks public relays
• 2009 - Tor bridges are introduced
• 2010 - China starts collecting and blocking bridges
• 2011 - Iran by DPI on DH parameter in SSL
• 2011 - Egypt selected targeted sites for blocking
• 2011 - Libya, throttling to limit use
• 2011 - Syria, DPI on Tor’s TLS renegotiation and killed connections
• 2011 - Iran DPI on SSL and TLS certificate timeline
For more details on these events, see “How governments have tried to block Tor”
What has happened in the past months?
• 9 February 2012, Iran total SSL blockage
• 2012, China proactive censorship evolutions
• February - March 2012, Kazakhstan
• 22 May 2012, Ethiopia
• 25 June 2012, UAE, Tor blocking via DPI
Iran SSL Blockage
• Deep packet inspection (DPI) of SSL traffic
• Selective blocking of IP Address and TCP port combinations
• Some keyword filtering
• Not nationwide: certain areas had no SSL traffic.
• February 2012, First real world deployment of obfsproxy
China evolutions
• Blocking Techniques
  • IP Blocking (layer 3)
  • IP:Port blocking (layer 4)
  • RST based filtering (layer 4, active, easy circumvention)
  • HTTP blocking (layer 5)
• Detection techniques
  • Active probing of *every* SSL connection (speaking Tor protocol)
  • Tor fingerprints for TLS Hello
• Philipp Winter, Fabio Pietrosanti worked on understanding active Chinese probing.
February - March 2012, Kazakhstan
• In response to protests in Zhanaozen
• Previously
  • IP address blocking
  • DNS based blocking
  • DPI SSL blocking
• JSC KazTransCom starts blocking SSL traffic based on client key exchange
• Some businesses affected (no SSL, no IPSEC, no PPTP, no certain VPNs)
• Obfsproxy used
22 May 2012, Ethiopia
• Stateless DPI looking for Tor TLS Server Hello
• Research conducted by phw, naif
• Patch for bridge #6045
25 June 2012, UAE
• The Emirates Telecommunications Corporation, also known as Etisalat, started blocking Tor using DPI
• Evasion through
  • Special patch for bridges that removed fingerprint
  • Obfsproxy
What are we doing?
• Help people access information Anonymously (Tor)
• Help people circumvent censorship (Tor, Tor Bridges)
• Measure Internet filtering in the world (OONI-Probe)
• Help people speak freely and anonymously (Tor Hidden Services, APAF)
OONI
• Open Observatory of Network Interference
• Provide a methodology and framework
• Strong focus on Openness
Why OONI?
• A lot of tools exist, but are either:
  • Closed source
  • Closed methodologies
  • Closed data
• OONI is to be:
  • Free Software
  • using Open and described methodologies
  • publishing all the collected data with Open License
Open Methodologies
• This means that the research is reproducible
• People seeing the results can evaluate the accuracy of the testing strategy
Free Software
• Free software for freedom
• Means that anybody can base their censorship research on OONI
• This allows code reuse and knowledge sharing
• https://gitweb.torproject.org/ooni-probe.git
Open Data
• This allows people to independently verify the results
• Open License (Creative Commons by Attribution)
• People will independently draw their conclusions based on the *data*
• Data driven journalism, Political Science studies, Anti-Censorship activism.
What it detects
• Its goal is to detect:
  • Network filtering (“Is my network traffic being tampered with?”)
  • Content restrictions (“What is being blocked?”)
  • Filtering technique (“How is it being blocked?”, “What software are they using?”)
OONI Architecture 1/2
OONI Architecture 2/2
OONIB
• Distributed backend for:
  • Assist in running of certain tests
    • Two way traceroute
    • Echo server
    • DNS server
    • HTTP server
  • Control Channel
  • Collect reports from probes
OONI-probe
• The actual measurement tool
• Includes the core of the test logic
• Takes an input and performs measurements on the test network
• It can run the test on the local network or send it to a remote Node (SOCKS, OONIProxy, PlanetLab, etc.)
Reports
Test Categorization
• Traffic manipulation
  • “Is there surveillance, of what kind?”
• Content blocking
  • “Is there censorship?”
  • “What is being censored?”
Traffic Manipulation examples
• Two way traceroute: If there is a difference between an inbound traceroute and an outbound traceroute for certain source and destination ports, this may be an indication of traffic being routed to interception devices.
• Header field manipulation: By varying the capitalization and adding certain headers to layer 7 protocols, it is possible to detect on the receiving end if the traffic has been tampered with.
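The header field manipulation test above, sketched as an added example (not code from the slides or from ooni-probe): the probe sends header names with unusual capitalization plus an extra header, and the backend compares what arrived with what was sent. All function names, the `X-Canary` header and the simulated proxy are hypothetical.

```python
import random

def build_probe(host, seed):
    """Probe side: raw HTTP request with randomly capitalized header names."""
    rng = random.Random(seed)  # seeded, so the backend can rebuild the exact bytes
    def scramble(name):
        chars = [c.upper() if rng.random() < 0.5 else c.lower() for c in name]
        chars[0] = name[0].lower()  # never the canonical Title-Case form
        return "".join(chars)
    headers = [("Host", host), ("User-Agent", "probe/0.1"), ("Accept", "*/*"),
               ("X-Canary", "%08x" % rng.getrandbits(32))]  # hypothetical extra header
    lines = ["GET / HTTP/1.1"] + ["%s: %s" % (scramble(n), v) for n, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def header_names(raw):
    """Header names, byte-exact, in the order they appear on the wire."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    return [line.split(b":", 1)[0] for line in head[1:]]

def compare(sent, received):
    """Backend side: list how the received header block differs from the sent one."""
    findings = []
    sent_names, got_names = header_names(sent), header_names(received)
    got_by_lower = {n.lower(): n for n in got_names}
    for name in sent_names:
        got = got_by_lower.get(name.lower())
        if got is None:
            findings.append(("header_removed", name))
        elif got != name:
            findings.append(("case_normalized", name, got))
    sent_lower = {n.lower() for n in sent_names}
    findings += [("header_added", n) for n in got_names if n.lower() not in sent_lower]
    return findings

def normalizing_proxy(raw):
    """Constructed stand-in for a middlebox that re-serializes requests."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    out = [head[0]]
    for line in head[1:]:
        name, value = line.split(b":", 1)
        out.append(name.title() + b":" + value)
    out.append(b"Via: 1.1 constructed-proxy")
    return b"\r\n".join(out) + b"\r\n\r\n"

if __name__ == "__main__":
    probe = build_probe("example.org", seed=1)
    print(compare(probe, probe))                     # untouched path
    print(compare(probe, normalizing_proxy(probe)))  # path through the stand-in
```
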
Content Blocking examples
• HTTP Host: This involves changing the Host header field of an HTTP request to that of the site one wishes to check for censorship.
• DNS lookup: This involves doing a DNS lookup for the hostname in question. If the lookup result does not match the expected result the site is marked as being censored.
• Keyword filtering: This involves sending and receiving data that contains certain keywords and matching for censorship. It is possible to use the bisection method to understand what subset of keywords is triggering the filter.
• HTTP scan: This involves doing a full connection to the site in question. If the content does not match the expected result then a censored flag is raised.
• Traceroute: This involves doing TCP, UDP, ICMP traceroute for certain destination addresses. If there are discrepancies in the paths with locations in the vicinities then a censorship flag is raised.
• RST packet detection: This involves attempting to connect to a certain destination and checking if the client gets back a RST packet.
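The bisection step of the keyword filtering test, as an added example (not code from the slides or from ooni-probe). It goes slightly beyond the single-trigger case by finding every triggering keyword, under the assumption that each one triggers the filter on its own; `find_triggers`, `simulated_filter` and the keyword list are hypothetical, and the oracle stands in for a real measurement such as "did the connection get reset?".

```python
def find_triggers(keywords, is_blocked):
    """Return (triggering keywords, number of probes sent).

    is_blocked(subset) is the measurement: send data containing `subset`
    and report whether it was filtered. Assumes every triggering keyword
    is blocked on its own; filters that fire only on combinations of
    keywords need a different search.
    """
    probes = 0

    def probe(subset):
        nonlocal probes
        probes += 1
        return is_blocked(subset)

    def search(subset):
        # Precondition: `subset` as a whole is known to be blocked.
        if len(subset) == 1:
            return list(subset)
        mid = len(subset) // 2
        left, right = subset[:mid], subset[mid:]
        found = []
        left_blocked = probe(left)
        if left_blocked:
            found += search(left)
        # A clean left half means the trigger is on the right: no probe needed.
        if not left_blocked or probe(right):
            found += search(right)
        return found

    keywords = list(keywords)
    if not keywords or not probe(keywords):
        return [], probes
    return search(keywords), probes

# Constructed stand-in for the filter under test.
CONSTRUCTED_BLOCKLIST = {"keyword-07", "keyword-21"}

def simulated_filter(subset):
    return any(k in CONSTRUCTED_BLOCKLIST for k in subset)

if __name__ == "__main__":
    candidates = ["keyword-%02d" % i for i in range(32)]
    found, sent = find_triggers(candidates, simulated_filter)
    print(found, "found with", sent, "probes instead of", len(candidates))
```
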
Implementation details
• Written in Python
• Based on twisted
• Provides scapy twisted integration
• Is currently a prototype.
• Expect problems, and expect to have to use the source
• Please kill bugs
• Parts of OONIB implemented, no remote reporting, OONI-probe runs only locally
Recent impact: T-Mobile USA
Recent Impact: Hadara Palestine
• Blockage of politically oriented websites
Future
• Keep hacking on OONI
• Finish the architecture specification
• Get a beta release of OONI for December 2012.
• Perform measurements all over the world.
Come hack with us :)
• https://www.torproject.org/
• #tor, #tor-dev, #ooni irc.oftc.net
• https://ooni.nu/
• https://gitweb.torproject.org/ooni-probe.git
Thank you for your attention!
• 0x150FE210 46E5 EF37 DE26 4EA6 8DCF 53EA E3A2 1297 150F E210
• twitter: @hellais