Iran blocks Tor; Tor releases same-day fix

The short version: Tor relays and bridges should upgrade to Tor 0.2.2.33 or Tor 0.2.3.4-alpha so users in Iran can reach them again.

Yesterday morning (in our timezones — that evening, in Iran), Iran added a filter rule to their border routers that recognized Tor traffic and blocked it. Thanks to help from a variety of friends around the world, we quickly discovered how they were blocking it and released a new version of Tor that isn't blocked. Fortunately, the fix is on the relay side: that means once enough relays and bridges upgrade, the many tens of thousands of Tor users in Iran will resume being able to reach the Tor network, without needing to change their software.

How did the filter work technically? Tor tries to make its traffic look like a web browser talking to an https web server, but if you look carefully enough you can tell some differences. In this case, the characteristic of Tor's SSL handshake they looked at was the expiry time for our SSL session certificates: we rotate the session certificates every two hours, whereas normal SSL certificates you get from a certificate authority typically last a year or more. The fix was to simply write a larger expiration time on the certificates, so our certs have more plausible expiry times.
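The expiry-time difference described above is something a relay operator can check on their own certificates. This is an added example, not Tor's code: it reads the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints and flags validity windows that are implausibly short. The sample dates, labels and the 30-day threshold are assumptions made for illustration.

```python
import ssl

# Constructed samples in the format printed by `openssl x509 -noout -dates`.
# Labels and dates are illustrative, not captured from real relays.
SAMPLES = {
    "two-hour session cert": "notBefore=Sep 14 10:00:00 2011 GMT\n"
                             "notAfter=Sep 14 12:00:00 2011 GMT\n",
    "one-year cert": "notBefore=Sep 14 10:00:00 2011 GMT\n"
                     "notAfter=Sep 13 10:00:00 2012 GMT\n",
    "truncated output": "notBefore=Sep 14 10:00:00 2011 GMT\n",
}

MIN_PLAUSIBLE_DAYS = 30  # assumption: audit threshold, not a value from the post


def parse_dates(text):
    """Return (not_before, not_after) as epoch seconds (UTC)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            fields[key.strip()] = ssl.cert_time_to_seconds(value.strip())
    if len(fields) != 2:
        raise ValueError("need both notBefore and notAfter")
    return fields["notBefore"], fields["notAfter"]


def lifetime_hours(text):
    """Length of the certificate's validity window in hours."""
    not_before, not_after = parse_dates(text)
    return (not_after - not_before) / 3600


def audit(samples, min_days=MIN_PLAUSIBLE_DAYS):
    """Map each label to 'ok', 'short-lived' or 'invalid'."""
    verdicts = {}
    for label, text in samples.items():
        try:
            hours = lifetime_hours(text)
        except ValueError:
            verdicts[label] = "invalid"  # missing or unparseable dates
            continue
        if hours <= 0:
            verdicts[label] = "invalid"  # notAfter does not follow notBefore
        elif hours < min_days * 24:
            verdicts[label] = "short-lived"
        else:
            verdicts[label] = "ok"
    return verdicts


if __name__ == "__main__":
    for label, verdict in audit(SAMPLES).items():
        print(f"{label}: {verdict}")
```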

There are plenty of interesting discussion points from the research angle around how this arms race should be played. We're working on medium term and longer term solutions, but in the short term, there are other ways to filter Tor traffic like the one Iran used. Should we fix them all preemptively, meaning the next time they block us it will be through some more complex mechanism that's harder to figure out? Or should we leave things as they are, knowing there will be more blocking events but also knowing that we can solve them easily? Given that their last blocking attempt was in January 2011, I think it's smartest to collect some more data points first.

It's too early to have cool graphs showing a drop in users and then the users coming back a day or so later. I'll plan to add these graphs once things play out more. [Update: here is the graph as of Sept 16]

Anon

September 15, 2011

We are providing tunneling solutions for VoIP in Iran, Oman, UAE and other countries (http://www.mizu-voip.com/Products/VoIPTunnel.aspx) and we had the same problems in the past, whether we should fix all these preemptively or first wait to be blocked and act accordingly.
Our decision was to do what we can preemptively. To the best of our knowledge, we don't have anything which can be filtered and we use various methods to bypass all kinds of filters using different transport methods like UDP, TCP, HTTP, socks 4,5 and http proxies on random ports and servers with strong RSA encryption (+ a few other encryption methods).
Since we made all these, we are still blocked from time to time (4 months ago last time), but now we can release a fix very quickly.
The main point is that you cannot predict all tricks. So my recommendation is to fix/change everything that you can do with less effort, and don't put too much effort into guessing how it can be blocked, because that is almost unpredictable.
For example in one country the ISP has blocked all streams (both UDP and TCP) where the bandwidth usage was almost the same both ways, which is typical for VoIP. So we had to separate the up and down streams into separate connections. And this is just an example of a hard to predict blocking method. We have seen a lot of other interesting attempts.
Good luck!

Istvan Fenesi,
Mizutech SRL
istvan at mizu-voip.com

Anon

September 16, 2011

Just a heads up to the devs.. (I don't know where to submit this)...
Palo Alto Networks Firewalls will detect and deny all TOR connections.
I haven't tested if the latest version will be blocked.
Will report back.

Regards

Anon

September 16, 2011

Hi, thanks and greetings from Syria:
I have seen some nodes that are located in Syria. Can you further investigate them? They look fishy as hell,
and is it possible to configure my torrc to exclude Iran and Syria based nodes (the wicked friends lol) in the path (entry or exit)?

Anon

September 16, 2011

"That's just great, you are posting new ways to for the authoritarians to block it, how wonderful.
And all to show how 'clever' you (think) you are."

The Iranian government - or more appropriately the state - run border routers. To do so you need experienced and competent staff, hence they will have thought of the same and more. Countries like China contract companies such as Cisco specifically to implement filtering mechanisms; you can be well assured they can invent much better than has been discussed here since they make most of the equipment in the first place.

If the Iranians haven't implemented better filtering, you can be sure it is not out of lack of competence, rather for other reasons.

I think your level of intelligence is demonstrably evident from your post.

-----

Regarding youtube videos, one could probably use a script such as youtube_dl proxied over Tor; once the video has been downloaded watch using, say, VLC. Not the most elegant solution but it (should) work.

Anon

September 16, 2011

There is another way to let people use Tor. If you have an older version of Tor (0.2.1.19 or earlier), you can configure Tor to operate as a publicly accessible proxy. This means that someone can simply change their browser settings to your IP address, and whatever port you designate for Tor, and they will not need to have any software installed.

I have done this at times, to allow people to use Tor from their workplaces, where it might be blocked. Also very handy when PCs are locked down against installing software. All you need to do is change some configuration files. You would change it from 127.0.0.1 to the IP address on your PC, and then restart Tor. Then anyone on the Net can use your proxy to get on Tor without having to have the software installed.

Beware that you will need an older version of Tor, since the latest versions no longer support making Tor a publicly accessible proxy.

Woah. This is really bad advice -- first because it advocates using old and insecure versions of Tor, but also because these users will be making unencrypted unauthenticated connections from their computer to yours, meaning you (and anybody watching) get to learn (or modify!) the websites they ask for, read their traffic if it doesn't use https, etc. You are not letting them "use Tor" in any meaningful sense.

If you want to let somebody use your computer to bounce Tor traffic, you should configure your Tor to be a bridge, and have them configure their Tor to use you as their bridge. https://www.torproject.org/docs/bridges

Anon

September 16, 2011

GO iran !! from spain freeland!!!

Thank you for solving yesterday's problem in Iran.

How can I watch the movies when I use Tor browser?

"OR ... you could simply switch to HTML5 playback ;)"

Smarty-pants ;-)

Well, it's no Hans Rosling presentation, but interesting graph. ;-) And good work, keep it up.

Here's the first meaningful graph, showing usage in Iran through Sept 15:
https://metrics.torproject.org/users.html?graph=direct-users&start=2011…
The red dot shows a statistically significant drop in usage relative to 7 days earlier.

https://check.torproject.org/cgi-bin/TorBulkExitList.py
Why has this service not worked for more than a month? Many ppl use tor for trolling, screaming and other suxxx thin

Our tor bulk exit list service is being overloaded by jerks. We have it on the todo list to write one that's harder to overload, but it'll be another month or so at this rate.

This is really great that you've enabled that many people to access internet again. After your post I've started a relay on my own debian box, with an intention to run it for quite a long period.

However, there is something I'm not sure I fully understand: what happens if Iran, or any other country that wants to block TOR, periodically downloads the list of all relays, which AFAIU is publicly available, and then blocks access to ALL those relays, country wide? How does TOR deal with that kind of block?

Thanks in advance,
--Dima

Thank you!

Don't forget China

They 'forgot' about/gave up on/gave in to China a long time ago, so now they just pretend like it/the problem doesn't exist anymore.

Today, for those of you not in the loop, it's all about IRAN (and other, similar, regimes they're at present especially focused on destabili... oops, better not go there!).

No kidding. We haven't forgotten about China. Our user and bridge stats there don't look good these days.

China's censorship regime is a much tougher nut to crack. We're working on some longer-term plans that will let us play the arms race at that level. See for example https://blog.torproject.org/blog/strategies-getting-more-bridge-address…

It's been 16 months...

Any word on the vulnerability in SSL that was publicized this week? Does this affect Tor?

http://informationweek.com/news/security/vulnerabilities/231601759

No. This addon works by creating a log file in your browser profile folder that stores information on what https sites you visit and when you visit them. Not the sort of thing you want to be using with Tor.

Hello,

I'm using the newest Firefox (clean install) after the CA Identity breaks. I want to install a new fresh secure TOR again (after cleaning the previous one) but I found my Firefox says that this connection to https://www.torproject.org is untrusted. I'm using the addons Ghostery, Https Everywhere and NoScript.

But if I connect to TOR blog, it was trusted (verified by GeoTrust, Inc.)

So how to secure connection to download TOR?

You should use Gmail and send the GetTor email address an email containing just the name of the bundle you need for your operating system. Ex: Windows-bundle

islamic republic regime in iran has crashed again tor new version it blocks pages

Really? Any more details? We haven't heard this from anybody else, so I assume you're having problems using it correctly, rather than that there's a government-wide blocking event again.

I was very problem with Flash Player in the tor, please help me

thanks for your support, I want new tor farsi

hi
I am a Tor user from Iran and use Tor a lot.
Recently Tor became very slow.
I have a 100KB/s connection and before this happened I could watch YouTube at 100KB speed, but now it's restricted to 20kB at most.
Maybe it's based on a restriction on https port speed?
This has been for a week now.
Any suggestion?
Is there a way to make Tor use another port like 80 so that the Iran government can't restrict its speed?

Interesting. I'm beginning to think that Iran has done something more subtle than simply blocking the Tor protocol, but instead is using DPI to recognize and throttle it.

That said, you might just be finding that Tor is overloaded these days and can't keep up with what you're trying to do over it. Tor has far too many users and far too few relays. Get your friends to help be relays! :)

In any case, changing the destination port probably isn't going to do any good. Your government uses the Nokia boxes they bought to do Deep Packet Inspection (DPI), which recognizes protocols like SSL no matter which port they use.

Could it be that:
Internet-SSL MTM/Proxy -- check patterns -- Torclient

What happens with the SSL transmission sequence if the "check patterns" layer answers this to IE/FF/OPERA without TOR?
If the pattern is clear, what happens if the client is TOR?
Is there some difference in that challenge?

If that is the filter on the Iranian side, it only needs to figure out a difference and can therefore fingerprint that the end user is using TOR.

Hmm just a thought...

Don't print that last message about SSL handshake fingerprinting; if it's possible to do it, Iran will probably be able to filter for all future.

hello!

thanks tor!

i'm an iranian outlaw and i really need to get this anti proxy....

uh, could someone explain how can i download tor?

thanksssssss!

Thank you very very much tor team
Help us to get freedom

Country tries to censor internet, internet uncensored within a day. Teach countries not to fuck around with internet: Success.

Iran government dun goofed

Tor doesn't work from 9th of feb, it's been 2 days now, and i have the latest version what is the problem?

Thanks a lot! Continue to help iranian people please!

All Syrian Protesters
and free ones
Say Thank u

All Syrian Protesters And free ones
Says thanks
Freeeeeeeeeeeeeeeeeeeeeeeedom

Screw Iran. Focus on technology, not politics.

Technology trumps politics.