Iran blocks Tor; Tor releases same-day fix

The short version: Tor relays and bridges should upgrade to Tor 0.2.2.33 or Tor 0.2.3.4-alpha so users in Iran can reach them again.

Yesterday morning (in our timezones — that evening, in Iran), Iran added a filter rule to their border routers that recognized Tor traffic and blocked it. Thanks to help from a variety of friends around the world, we quickly discovered how they were blocking it and released a new version of Tor that isn't blocked. Fortunately, the fix is on the relay side: that means once enough relays and bridges upgrade, the many tens of thousands of Tor users in Iran will resume being able to reach the Tor network, without needing to change their software.

How did the filter work technically? Tor tries to make its traffic look like a web browser talking to an https web server, but if you look carefully enough you can tell some differences. In this case, the characteristic of Tor's SSL handshake they looked at was the expiry time for our SSL session certificates: we rotate the session certificates every two hours, whereas normal SSL certificates you get from a certificate authority typically last a year or more. The fix was to simply write a larger expiration time on the certificates, so our certs have more plausible expiry times.
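The certificate-lifetime difference described above, as an added example (not code from Tor or from the original post): a self-check an operator could run over certificate validity fields, in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The 30-day floor, the function names and the sample certificates are assumptions constructed for illustration.

```python
import ssl

# Assumed cut-off for this example only. The post gives no threshold, just
# "two hours" (rotating session certs) versus "a year or more" (CA-issued).
MIN_PLAUSIBLE_LIFETIME = 30 * 24 * 3600  # seconds

# Constructed sample certificates, reduced to the validity fields that
# ssl.SSLSocket.getpeercert() returns. None of these are real certificates.
SAMPLES = {
    "rotating-2h": {"notBefore": "Sep 14 16:00:00 2011 GMT",
                    "notAfter": "Sep 14 18:00:00 2011 GMT"},
    "ca-issued": {"notBefore": "Mar  1 00:00:00 2011 GMT",
                  "notAfter": "Mar  1 00:00:00 2012 GMT"},
    # Illustrative longer lifetime; not the value Tor actually chose.
    "longer-lived": {"notBefore": "Sep 14 00:00:00 2011 GMT",
                     "notAfter": "Sep 13 00:00:00 2012 GMT"},
}


def validity_seconds(cert):
    """Return notAfter - notBefore in seconds for a getpeercert()-style dict."""
    try:
        start = ssl.cert_time_to_seconds(cert["notBefore"])
        end = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError) as exc:
        raise ValueError(f"no usable validity period: {exc!r}") from exc
    if end <= start:
        raise ValueError("notAfter is not later than notBefore")
    return end - start


def stands_out(cert, floor=MIN_PLAUSIBLE_LIFETIME):
    """True when the lifetime is far shorter than CA-issued certs usually are."""
    return validity_seconds(cert) < floor


def audit(certs):
    """Map each label to (lifetime in hours, stands_out flag)."""
    return {label: (validity_seconds(c) / 3600, stands_out(c))
            for label, c in certs.items()}


if __name__ == "__main__":
    for label, (hours, flagged) in audit(SAMPLES).items():
        print(f"{label:14s} {hours:8.1f} h  distinguishable={flagged}")
```
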

There are plenty of interesting discussion points from the research angle around how this arms race should be played. We're working on medium term and longer term solutions, but in the short term, there are other ways to filter Tor traffic like the one Iran used. Should we fix them all preemptively, meaning the next time they block us it will be through some more complex mechanism that's harder to figure out? Or should we leave things as they are, knowing there will be more blocking events but also knowing that we can solve them easily? Given that their last blocking attempt was in January 2011, I think it's smartest to collect some more data points first.

It's too early to have cool graphs showing a drop in users and then the users coming back a day or so later. I'll plan to add these graphs once things play out more. [Update: here is the graph as of Sept 16]

Anonymous

September 15, 2011

We are providing tunneling solutions for VoIP in Iran, Oman, UAE and other countries (http://www.mizu-voip.com/Products/VoIPTunnel.aspx) and we had the same problems in the past, whether we should fix all these preemptively or first wait to be blocked and act accordingly.
Our decision was to do what we can preemptively. To the best of our knowledge, we don't have anything which can be filtered and we use various methods to bypass all kinds of filters using different transport methods like UDP, TCP, HTTP, socks 4,5 and http proxies on random ports and servers with strong RSA encryption (+ a few other encryption methods).
Since we made all these, we are still blocked from time to time (4 months ago last time), but now we can release a fix very quickly.
The main point is that you cannot predict all tricks. So my recommendation is to fix/change everything that you can do with less effort, and don't put too much effort into guessing how it can be blocked, because that is almost unpredictable.
For example, in one country the ISP has blocked all streams (both UDP and TCP) where the bandwidth usage was almost the same both ways, which is typical for VoIP. So we had to separate the up and down streams into separate connections. And this is just an example of a hard to predict blocking method. We have seen a lot of other interesting attempts.
Good luck!

Istvan Fenesi,
Mizutech SRL
istvan at mizu-voip.com

Anonymous

September 16, 2011

Just a heads up to the devs... (I don't know where to submit this)...
Palo Alto Networks Firewalls will detect and deny all TOR connections.
I haven't tested if the latest version will be blocked.
Will report back.

Regards

Anonymous

September 16, 2011

Hi, thanks and greetings from Syria:
I have seen some nodes that are located in Syria. Can you further investigate them? They look fishy as hell,
and is it possible to configure my torrc to exclude Iran and Syria based nodes (the wicked friends lol) in the path (entry or exit)?

Anonymous

September 16, 2011

"That's just great, you are posting new ways to for the authoritarians to block it, how wonderful.
And all to show how 'clever' you (think) you are."

The Iranian government - or more appropriately the state - run border routers. To do so you need experienced and competent staff, hence they will have thought of the same and more. Countries like China contract companies such as Cisco specifically to implement filtering mechanisms; you can be well assured they can invent much better than has been discussed here since they make most of the equipment in the first place.

If the Iranians haven't implemented better filtering, you can be sure it is not out of lack of competence, rather for other reasons.

I think your level of intelligence is demonstrably evident from your post.

-----

Regarding youtube videos, one could probably use a script such as youtube_dl proxied over Tor; once the video has been downloaded watch using, say, VLC. Not the most elegant solution but it (should) work.

Anonymous

September 16, 2011

There is another way to let people use Tor. If you have an older version of Tor (0.2.1.19 or earlier), you can configure Tor to operate as a publicly accessible proxy. This means that someone can simply change their browser settings to your IP address, and whatever port you designate for Tor, and they will not need to have any software installed.

I have done this at times, to allow people to use Tor from their workplaces, where it might be blocked. Also very handy when PCs are locked down against installing software. All you need to do is change some configuration files. You would change it from 127.0.0.1 to the IP address on your PC, and then restart Tor. Then anyone on the Net can use your proxy to get on Tor without having to have the software installed.

Beware that you will need an older version of Tor, since the latest versions no longer support making Tor a publicly accessible proxy.

Woah. This is really bad advice -- first because it advocates using old and insecure versions of Tor, but also because these users will be making unencrypted unauthenticated connections from their computer to yours, meaning you (and anybody watching) get to learn (or modify!) the websites they ask for, read their traffic if it doesn't use https, etc. You are not letting them "use Tor" in any meaningful sense.

If you want to let somebody use your computer to bounce Tor traffic, you should configure your Tor to be a bridge, and have them configure their Tor to use you as their bridge. https://www.torproject.org/docs/bridges

Anonymous

September 16, 2011

"OR ... you could simply switch to HTML5 playback ;)"

Smarty-pants ;-)

Anonymous

September 16, 2011

Well, it's no Hans Rosling presentation, but interesting graph. ;-) And good work, keep it up.

Anonymous

September 18, 2011

This is really great that you've enabled that many people to access internet again. After your post I've started a relay on my own debian box, with an intention to run it for quite a long period.

However, there is something I'm not sure I fully understand: what happens if Iran, or any other country that wants to block TOR, periodically downloads the list of all relays, which AFAIU is publicly available, and then blocks access to ALL those relays, country wide? How does TOR deal with that kind of block?

Thanks in advance,
--Dima

They 'forgot' about/gave up on/gave in to China a long time ago, so now they just pretend like it/the problem doesn't exist anymore.

Today, for those of you not in the loop, it's all about IRAN (and other, similar, regimes they're at present especially focused on destabili... oops, better not go there!).

No. This addon works by creating a log file in your browser profile folder that stores information on what https sites you visit and when you visit them. Not the sort of thing you want to be using with Tor.

Anonymous

September 23, 2011

Hello,

I'm using the newest Firefox (clean install) after CA Identity breaks. I want to install a new fresh secure TOR again (after cleaning the previous one) but I found my Firefox says that this connection to https://www.torproject.org is untrusted. I'm using the addons Ghostery, HTTPS Everywhere and NoScript.

But if I connect to TOR blog, it was trusted (verified by GeoTrust, Inc.)

So how to secure connection to download TOR?

You should use Gmail and send the GetTor email address an email containing just the name of the bundle you need for your operating system. Ex: Windows-bundle

Anonymous

September 24, 2011

Islamic republic regime in Iran has crashed again Tor new version, it blocks pages

Anonymous

October 14, 2011

Hi,
I am a Tor user from Iran and use Tor a lot.
Recently Tor became very slow.
I have a 100KB/s connection and before this happened I could watch YouTube with 100KB speed but now it's restricted to 20kB at most.
Maybe it's based on a restriction on https port speed?
This has been for a week now.
Any suggestion?
Is there a way to make Tor use another port like 80 so that the Iran government can't restrict its speed?

Interesting. I'm beginning to think that Iran has done something more subtle than simply blocking the Tor protocol, but instead is using DPI to recognize and throttle it.

That said, you might just be finding that Tor is overloaded these days and can't keep up with what you're trying to do over it. Tor has far too many users and far too few relays. Get your friends to help be relays! :)

In any case, changing the destination port probably isn't going to do any good. Your government uses the Nokia boxes they bought to do Deep Packet Inspection (DPI), which recognizes protocols like SSL no matter which port they use.

Anonymous

November 08, 2011

Could it be that:
Internet-SSL MTM/Proxy -- check patterns -- Torclient

What happens with the SSL transmission sequence if the "check patterns" layer answers this to IE/FF/OPERA without TOR?
If the pattern is clear, what happens if the client is TOR?
Is there some difference in that challenge?

If that is the filter on the Iranian side, it only needs to figure out a difference and can therefore fingerprint that the end user is using TOR

Hmm just a thought...

Anonymous

November 08, 2011

Don't print that last message about SSL handshake fingerprinting; if it's possible to do it, Iran will probably be able to filter for all future.

Anonymous

November 24, 2011

hello!

thanks tor!

i'm an iranian outlaw and i really need to get this anti proxy....

uh, could someone explain how can i download tor?

thanksssssss!

Anonymous

February 03, 2012

Country tries to censor internet, internet uncensored within a day. Teach countries not to fuck around with internet: Success.

Iran government dun goofed

Anonymous

February 09, 2012

Tor doesn't work from 9th of Feb, it's been 2 days now, and I have the latest version. What is the problem?

Anonymous

February 28, 2012

All Syrian Protesters And free ones
Says thanks
Freeeeeeeeeeeeeeeeeeeeeeeedom

Anonymous

March 12, 2012

Screw Iran. Focus on technology, not politics.

Technology trumps politics.