Tor and Censorship 2012

Transcript

1. Tor and Censorship Come i gorverni hanno censurato Tor e

   come i pacchetti vengono liberati.

2. $ whoami • Arturo `hellais` Filastò • Tor Project hacker

   • Random GlobaLeaks Developer • I develop Free Software for Freedom

3. Surveillance • Censorship is a subset of surveillance • If

   you are censoring something you are surveilling everything

4. “The Net interprets censorship as damage and routes around it.”

   - John Gilmore; TIME magazine (6 December 1993)

5. What is Internet Filtering? • Is a form of non

   democratic oppression on people • It allows those in power to subvert reality

6. FilterNet • It’s a distortion of what is in reality

   the internet. • Follows the subjectiveness of the authorities • This does not help humanity

7. There is no just censorship. • Internet filtering is happening

   in China, Iran, Syria, but also in Italy, UK, Netherlands. • The only solution to what is considered by some wrong information is more information.

8. Tor and Censorship • Tor is born as anonymity tool

   • Censorship circumvention was a side effect

9. Brief Timeline of Tor Censorship • 2002 - The Source

   code for Tor is released • 2006, April - Thailand - DNS Filtering of tpo • 2006, Websense/netfilter - Block Tor based on Tor GET requests • 2007, Iran, Saudi - Blocks Tor thanks to Websense • 2009, Iran throttles SSL • 2009, Tunisia - Smartfilter to block all expect 443, 80 • 2009, China blocks public relays • 2009, Tor bridges are introduced • 2010, China starts collecting and blocking bridges • 2011, Iran by DPI on DH parameter in SSL • 2011, Egypt selected targetted sites for blocking • 2011, Lybia, throttling to limit use • 2011, Syria, DPI on Tor’s TLS renegotiation and killed connections • 2011, Iran DPI on SSL and TLS certificate timeline For more details on these events see, “How governments have tried to block Tor”

10. What has happened in the past months? • 9 February

    2012, Iran total SSL blockage • 2012, China proactive censorship evolutions • February - March 2012, Kazakhstan • 22 May 2012, Ethiopia • 25 June 2012, UAE, Tor blocking via DPI

11. Iran SSL Blockage • Deep packet inspection (DPI) of SSL

    traffic • Selective blocking of IP Address and TCP port combinations • Some keyword filtering • Not nationwide, certain areas no SSL traffic. • February 2012, First real world deployment of obfsproxy

12. Iran SSL Blockage

13. China evolutions • Blocking Techniques • IP Blocking (layer 3)

    • IP:Port blocking (layer 4) • RST based filtering (layer 4, active, easy circumvention) • HTTP blocking (layer 5) • Detection techniques • Active probing of *every* SSL connection (speaking Tor protocol) • Tor fingerprints for TLS Helo • Philip Winter, Fabio Pietrosanti worked on understanding active chinese probing.

14. February - March 2012 Kazakhstan • In response to protests

    in Zhanaozen • Previously • IP address blocking • DNS based blocking • DPI SSL blocking • JSC KazTransCom starts blocking SSL traffic based on client key exchange • Some businesses affected (no SSL, no IPSEC, no PPTP, no certain VPNs) • Obfsproxy used

15. February - March 2012 Kazakhstan

16. 22 May 2012 Ethiopia • Stateless DPI looking for Tor

    TLS Server Hello • Research conducted by phw, naif • Patch for bridge #6045

17. 22 May 2012 Ethiopia

18. 25 June 2012 UAE • The Emirates Telecommunications Corporation, also

    known as Etisalat, started blocking Tor using DPI • Evasion trough • Special patch for bridges that removed fingerprint • Obfsproxy

19. What we are doing? • Help people access information Anonymously

    (Tor) • Help people circumvent censorship (Tor, Tor Bridges) • Measure Internet filtering in the world (OONI-Probe) • Help people speak freely and anonymously (Tor Hidden Services, APAF)

20. OONI • Open Observatory of Network interference • Provide a

    methodology and framework • Strong focus on Openness

21. Why OONI? • A lot of tools exist, but are

    either: • Closed source • Closed methodologies • Closed data • OONI is to be: • Free Software • using Open and described methodologies • publishing all the collected data with Open License

22. Open Methodologies • This means that the research is reproducible

    • People seeing the results can evaluate the accuracy of the testing strategy

23. Free Software • Free software for freedom • Means that

    anybody can base their censorship research on OONI • This allows code reuse and knowledge sharing • https://gitweb.torproject.org/ooni-probe.git

24. Open Data • This allows people to independently verify the

    results • Open License (Creative Commons by Attribution) • People will independently draw their conclusions based on the *data* • Data driven journalism, Political Science studies, Anti-Censorship activism.

25. What it detects • It’s goals is to detect: •

    Network filtering (“Is my network traffic being tampered with?”) • Content restrictions (“What is being blocked?”) • Filtering technique (“How is it being blocked?”, “What software are they using?”)

26. OONI Architecture 1/2

27. OONI Architecture 2/2

28. OONIB • Distributed backend for: • Assist in running of

    certain tests • Two way traceroute • Echo server • DNS server • HTTP server • Control Channel • Collect reports from probes

29. OONI-probe • The actual measurement tool • Includes the core

    of the test logic • Takes an input and performs measurements on the test network • It can run the test on the local network or send it to a remote Node (SOCKS, OONIProxy, PlanetLab, etc.)

30. Reports

31. Test Categorization •Traffic manipulation • “Is there surveillance, of what

    kind?” •Content blocking • “Is there censorship?” • “What is being censored?”

32. Traffic Manipulation examples • Two way traceroute If there is

    a difference between an inbound traceroute and an outbound traceroute for certain source and destination ports this may be an indication of traffic being routed to interception de- vices. • Header field manipulation By varying the capitalization and adding certain headers to layer 7 protocols it is possible to detect on the receiving end if the traffic has been tampered with.

33. Content Blocking examples • HTTP Host This involves changing the

    Host header field of an HTTP request to that of the site one wishes to check for censorship. • DNS lookup This involves doing a DNS lookup for the in question hostname. If the lookup result does not match the expected result the site is marked as being censored. • Keyword filtering This involves sending an receiving data that contains certain keywords and matching for censorship. It is possible to use bisection method to understand what subset of keywords are triggering the filter. • HTTP scan This involves doing a full connection to the in question site. If the content does not match the expected result then a censored flag is raised. • Traceroute This involves doing TCP, UDP, ICMP traceroute for certain destination addresses if there are discrepancies in the paths with locations in the vicinities then a censorship flag is raised. • RST packet detection This involves attempting to con- nect to a certain destination and checking if the client gets back a RST packet.

34. Implementation details • Written in Python • Based on twisted

    • Provides scapy twisted integration • Is currently a prototype. • Expect problems and to need to have to use the source • Please kill bugs • Parts of OONIB implemented, no remote reporting, OONI- probe runs only locally

35. Recent impact T-Mobile USA

36. None

37. Recent Impact Handara Palestine • Blockage of politically oriented websites

38. Future • Keep hacking on OONI • Finish the architecture

    specification • Get a beta release of OONI for December 2012. • Perform measurements in all the world.

39. Come hack with us :) • https://www.torproject.org/ • #tor, #tor-dev,

    #ooni irc.oftc.net • https://ooni.nu/ • https://gitweb.torproject.org/ooni-probe.git
40. None

41. Thank you for your attention! • [email protected] • 0x150FE210 46E5

    EF37 DE26 4EA6 8DCF 53EA E3A2 1297 150F E210 • twitter: @hellais