2012 in review: Tor and the censorship arms race - 44CON 2012

Transcript

1. 2012 in review: Tor and the censorship arms race /

   Runa A. Sandvik / [email protected] / @runasand

2. Today, we’re going to look at how Tor is being

   blocked and censored around the world.

3. In the beginning...

4. “Tor is free software and an open network that helps

   you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.”

5. History • Originally designed, implemented, and deployed as a third-generation

   onion routing project of the U.S. Naval Research Laboratory • Developed for the primary purpose of protecting government communications • The source code was released in 2002, the design paper was published in 2004

6. How Tor works

7. None
8. None

9. The arms race begins...

10. Indicators • Increase in downloads of the Tor Browser Bundle:

    https://webstats.torproject.org/ • Anomaly-based censorship-detection system: https://metrics.torproject.org/ • Unblocking of the Tor Project website • Increase in emails sent to the Tor help desk at [email protected]

11. 2006 - 2009 (1) • Thailand (2006): DNS filtering of

    torproject.org • Smartfilter/Websense (2006): Tor used HTTP for fetching directory info, cut all HTTP GET requests for “/tor/...” • Iran (2009): throttled SSL traffic, got Tor for free because it looked like Firefox +Apache

12. 2006 - 2009 (2) • Tunisia (2009): blocked all but

    port 80+443, could also block port 443 especially for you • China (2009): blocked all public relays and enumerated one of the bridge buckets

13. Since then...

14. Between 2010 and 2012 • Tunisia: from 800 to 1,000

    • Egypt: from 600 to 1,500 • Syria: from 600 to 15,000 • Iran: from 7,000 to 40,000 • All countries: from 200,000 to 500,000

15. China (October 2011) • Directory authorities, public relays, and bridges

    have been blocked for a while • GFW will identify a Tor connection, initiate active scanning, attempt to establish a Tor connection with the destination host and, if successful, block the IP:port. • Private bridges are blocked as soon as a user in China connects

16. UK and US (January 2012) • The HTTP version of

    the Tor Project website, along with other legitimate sites, was found to be filtered by a number of mobile operators • Vodafone, Three, O2, and T-Mobile in the UK, as well as T-Mobile in the US • See http://ooni.nu/, the Tor Project blog, and the Mobile Internet Censorship report by the Open Rights Group for details

17. Iran (February 2012) • DPI on SSL DH modulus (Jan

    2011), DPI on SSL certificate expiration time (Sept 2011) • Iranian government ramped up censorship in three ways: deep packet inspection of SSL traffic, selective blocking of IP addresses, and some keyword filtering • Preparing for a “halal” Internet, first phase of this project will be rolled out in the beginning of September
18. None

19. Kazakhstan (February 2012) • Target SSL-based protocols for blocking; Tor,

    IPsec, PPT-based technologies, and some SSL-based VPNs • Fingerprints Tor on the TLS client cipher list in the ClientHello record, parts of the Tor TLS server record, and probably more • Will want to reanalyze the data we have from this blocking event
20. None

21. Ethiopia (May 2012) • In the beginning, DPI devices were

    only looking for Tor TLS server hellos sent by relays or bridges to Tor clients • Since the middle of July, DPI devices are also looking for TLS client hellos as sent by Tor clients < version 0.2.3.17-beta
22. None
23. None

24. UAE (June 2012) • The Emirates Telecommunications Corporation, also known

    as Etisalat, started blocking Tor using DPI on June 25 2012 • We are still analyzing the data from this blocking event • Tor bridges with a patch that removes 0x0039 from SERVER_CIPHER_LIST seem to work, so does Obfsproxy
25. None

26. The Philippines (May 2012) • We have only heard from

    one user in the Philippines, he was able to successfully connect to Tor without using a bridge • We have no other data about this blocking event, apart from the metrics user graph
27. None

28. Jordan (June 2012) • User in Jordan reported seeing a

    fake certificate for torproject.org • Assumed to be similar to the DigiNotar and Comodo incidents, turned out not to be the case

29. Cyberoam SSL CA

30. CVE-2012-3372 • Cyberoam UTM device with malware scan • All

    devices share the same CA certificate • Hence the same private key • Any Cyberoam device can intercept traffic from any other

31. Documentation, tools, and solutions

32. Public key pinning - Chrome • Certificate chain for torproject.org

    must now include a whitelisted public key • Self-signed certificate will display a warning, incorrect certificate will fail hard • XP prior to SP3 will have issues with SHA256 signed certificates, including the one for torproject.org

33. Censorship Wiki • Collect information about the status of blocking

    events around the world, circumvention research, useful tools, etc • Contains information about all the blocking events I have covered today, minus Wireshark network captures • https://trac.torproject.org/projects/tor/ wiki/doc/OONI/censorshipwiki

34. Obfsproxy • Rolled out in February 2012 • Makes it

    easier to change how Tor traffic looks on the network, requires volunteers to set up special bridges • FlashProxy, StegoTorus, SkypeMorph, Dust • https://www.torproject.org/projects/ obfsproxy.html.en

35. ooni-probe • A part of the Open Observatory of Network

    Interference project • Can be used to collect high-quality data about Internet censorship and surveillance • Will eventually be able to determine how different DPI devices are blocking Tor

36. Questions? • [email protected] and tor- [email protected] • IRC: #tor and

    #tor-dev on irc.oftc.net • Twitter: @torproject, @runasand • [email protected]