A tale of new censors - Vodafone UK, T-Mobile UK, O2 UK, and T-Mobile USA
The right to read is a fictional story but it warns of a future that has already started to arrive; it paints a picture where information is controlled with a heavy hand and simply reading, let alone speaking is an extremely dangerous activity. In the words of William Gibson, "The future is already here — it's just not very evenly distributed". Restrictions on the right to read though the Internet perfectly match this observation. A lot should be said about perceptions of censorship, and it is often thought that places like Syria or Iran are unique. Generally, people in the West hold that those countries obviously censor as is consistent with facts of life in a supposedly non-free country. This probably holds a lot of truth but it absolutely fails to address the core of the issue — these countries and those networks are not unique.
In fact, we find uncensored networks to almost be an abnormal state. The so-called free countries in the West often shape and tamper with network traffic. They often also log data and even collaborate with governments. Generally, people don't see evidence of this and as a result, they often perceive that their Internet connections aren't monitored or censored. These days are quickly coming to an end and while it sounds like hyperbole, here are examples in the United Kingdom and in the United States of America.
Recently it has come to our attention that our primary website is filtered by Vodafone in the UK, by 3 (three.co.uk) in the UK, by O2 in the UK, and by T-Mobile in the UK and the USA. It used to be the case that we only saw filtering and censorship events in places like Egypt, Syria, or Iran and now we're going to explore what those attacks look like in the context of the UK and the USA.
When a visitor uses a pre-paid account on the T-Mobile USA network and attempts to visit http://www.torproject.org/, they are redirected to a block page. This is enabled by default without user's affirmative consent and only savvy privileged users may even attempt to disable this censorship. There is an informational page about the T-Mobile censorship system and it explains that this censorship may be disabled. We've heard reports that attempts to disable the censorship are not always successful and this certainly doesn't bode well for an easy and censorship-free Internet experience.
The T-Mobile USA network censorship appears to be simple to bypass: it appears to only trigger when a client sends Host: torproject.org on TCP port 80 and visitors that use HTTPS will probably not notice or be obviously impacted by their censorship.
This kind of censorship raises all kinds of interesting questions. I suspect it raises US legal and social questions as well. The Tor Project is a registered 501c3 non-profit corporation in the state of Massachusetts, and the block was experienced in California. Does this count as interfering with interstate commerce? What duty of care does T-Mobile USA have when it relies on systems or infrastructure funded by the public? What duty of care do they have as a common carrier?
Similarly, when a user on the UK Vodafone network visits http://www.torproject.org/ they are greeted by a block page as well. You can visit this block page without directly using their networks. Detecting their filters is straightforward and we see tampering at the sixth hop.
Here is a tcptraceroute to TCP port 80 of torproject.org from an Ubuntu machine connected to the Internet via Vodafone UK:
- <br />
- Tracing the path to <a href="http://www.torproject.org" rel="nofollow">www.torproject.org</a> (220.127.116.11) on TCP port 80 (www), 30 hops max<br />
- 1 192.168.1.1 2.379 ms 1.011 ms 1.313 ms<br />
- 2 10.252.225.61 90.998 ms 133.672 ms 95.963 ms<br />
- 3 10.252.224.186 78.865 ms 91.722 ms 91.415 ms<br />
- 4 * * *<br />
- 5 10.203.64.130 88.502 ms 73.259 ms 80.765 ms<br />
- 6 <a href="http://www.torproject.org" rel="nofollow">www.torproject.org</a> (18.104.22.168) [open] 77.927 ms 152.599 ms 96.399 ms<br />
Here is a normal traceroute to torproject.org from an Ubuntu machine connected to the internet via Vodafone UK:
- <br />
- traceroute to <a href="http://www.torproject.org" rel="nofollow">www.torproject.org</a> (22.214.171.124), 30 hops max, 60 byte packets<br />
- 1 192.168.1.1 (192.168.1.1) 9.669 ms 9.583 ms 9.460 ms<br />
- 2 10.252.225.61 (10.252.225.61) 98.084 ms 98.046 ms 98.224 ms<br />
- 3 10.252.224.219 (10.252.224.219) 98.760 ms 109.326 ms 109.261 ms<br />
- 4 host203.msm.che.vodafone (10.203.64.154) 109.087 ms 127.554 ms 127.426 ms<br />
- 5 * * *<br />
- 6 * * *<br />
- 7 * * *<br />
- 8 * * *<br />
- 9 126.96.36.199 (188.8.131.52) 180.920 ms 180.692 ms 180.652 ms<br />
- 10 184.108.40.206 (220.127.116.11) 180.659 ms 180.473 ms *<br />
- 11 18.104.22.168 (22.214.171.124) 260.480 ms * 126.96.36.199 (188.8.131.52) 152.107 ms<br />
- 12 184.108.40.206 (220.127.116.11) 152.265 ms 152.099 ms 151.808 ms<br />
- 13 18.104.22.168 (22.214.171.124) 151.453 ms 151.124 ms 126.96.36.199 (188.8.131.52) 151.129 ms<br />
- 14 vin-145-254-19-130.arcor-ip.net (184.108.40.206) 157.978 ms vin-145-254-19-126.arcor-ip.net (220.127.116.11) 119.699 ms 129.820 ms<br />
- 15 te3-1-vix-iec-c2.ix.sil.at (18.104.22.168) 129.999 ms 136.314 ms 136.338 ms<br />
- 16 22.214.171.124 (126.96.36.199) 136.033 ms 135.826 ms 135.666 ms<br />
- 17 <a href="http://www.torproject.org" rel="nofollow">www.torproject.org</a> (188.8.131.52) 151.282 ms 118.185 ms 114.603 ms<br />
We've additionally found that pre-paid T-Mobile UK accounts also experience censorship that is similar to T-Mobile USA. Detection of their filter is possible with some of the techniques that I've demonstrated, and it is quite trivial to see that TCP port 80 and 443 are treated in a special way.
Here is a tcptraceroute to TCP port 80 of torproject.org from an Ubuntu machine connected to the Internet via T-Mobile UK:
- <br />
- Tracing the path to torproject.org (184.108.40.206) on TCP port 80 (www), 30 hops max<br />
- 1 * * *<br />
- 2 10.126.241.49 305.721 ms 429.908 ms 449.875 ms<br />
- 3 10.70.16.221 480.031 ms 339.890 ms 429.951 ms<br />
- 4 10.70.17.87 480.447 ms 449.365 ms 439.979 ms<br />
- 5 vescum.torproject.org (220.127.116.11) [open] 459.935 ms 659.964 ms 449.849 ms<br />
Here is a tcptraceroute to TCP port 443 of torproject.org from an Ubuntu machine connected to the Internet via T-Mobile UK:
- <br />
- Tracing the path to torproject.org (18.104.22.168) on TCP port 443 (https), 30 hops max<br />
- 1 * * *<br />
- 2 10.126.241.53 357.474 ms 360.016 ms 389.772 ms<br />
- 3 10.70.16.217 490.136 ms 409.878 ms 359.945 ms<br />
- 4 10.70.17.87 469.956 ms 489.883 ms 389.868 ms<br />
- 5 <a href="http://www.torproject.org" rel="nofollow">www.torproject.org</a> (22.214.171.124) 410.024 ms 420.494 ms 399.888 ms<br />
- 6 10.70.17.66 389.470 ms 429.923 ms 339.861 ms<br />
- 7 10.70.16.50 430.002 ms 349.850 ms 450.012 ms<br />
- 8 10.70.17.103 339.900 ms 389.836 ms 390.031 ms<br />
- 9 126.96.36.199 369.851 ms * 924.522 ms<br />
- 10 10.126.168.218 420.035 ms 379.878 ms 409.968 ms<br />
- 11 xe-1-3-2-19.lon10.ip4.tinet.net (188.8.131.52) 469.942 ms 480.002 ms 499.940 ms<br />
- 12 xe-5-3-0.vie20.ip4.tinet.net (184.108.40.206) 399.851 ms 379.892 ms 379.929 ms<br />
- 13 silver-server-gw.ip4.tinet.net (220.127.116.11) 419.899 ms 479.926 ms 449.923 ms<br />
- 14 <a href="http://www.torproject.org" rel="nofollow">www.torproject.org</a> (18.104.22.168) 389.925 ms 449.789 ms 549.993 ms<br />
- 15 <a href="http://www.torproject.org" rel="nofollow">www.torproject.org</a> (22.214.171.124) [open] 419.869 ms 469.997 ms 479.839 ms<br />
Compare with a normal traceroute to torproject.org from an Ubuntu machine connected to the Internet via T-Mobile UK:
- <br />
- traceroute to torproject.org (126.96.36.199), 30 hops max, 60 byte packets<br />
- 1 * * *<br />
- 2 10.126.241.49 (10.126.241.49) 99.671 ms 99.856 ms 159.584 ms<br />
- 3 10.70.16.221 (10.70.16.221) 179.672 ms 190.046 ms 159.760 ms<br />
- 4 10.70.16.50 (10.70.16.50) 190.250 ms 179.356 ms 90.611 ms<br />
- 5 10.70.17.103 (10.70.17.103) 90.565 ms 110.275 ms 90.508 ms<br />
- 6 188.8.131.52 (184.108.40.206) 110.476 ms 110.449 ms 110.391 ms<br />
- 7 10.126.168.214 (10.126.168.214) 70.022 ms 70.062 ms 60.303 ms<br />
- 8 xe-1-3-2-19.lon10.ip4.tinet.net (220.127.116.11) 60.322 ms 69.380 ms 69.383 ms<br />
- 9 * * *<br />
- 10 limelight-lon-gw.ip4.tinet.net (18.104.22.168) 59.798 ms 60.535 ms 179.659 ms<br />
- 11 tge11-1.fr4.lga.llnw.net (22.214.171.124) 240.999 ms 221.715 ms 221.191 ms<br />
- 12 tge14-4.fr4.ord.llnw.net (126.96.36.199) 230.570 ms 229.966 ms 210.814 ms<br />
- 13 tge7-1.fr3.ord.llnw.net (188.8.131.52) 210.575 ms 200.446 ms 199.453 ms<br />
- 14 ve8.fr3.ord4.llnw.net (184.108.40.206) 169.521 ms 148.181 ms 168.037 ms<br />
- 15 cymru.tge6-3.fr3.ord4.llnw.net (220.127.116.11) 248.264 ms 229.474 ms 249.066 ms<br />
- 16 vescum.torproject.org (18.104.22.168) 249.289 ms 249.234 ms 259.448 ms<br />
In the examples above we see that T-Mobile UK treats TCP port 80 in a special manner and effectively stops users from reaching our web site. This is an attack against users who attempt to connect to our infrastructure. This attack, while primitive, demonstrates an active and malicious action on the part of the above named Internet providers.
We've additionally seen reports of the UK O2 network blocking connections to http://www.torproject.org/ in exactly the same way that Vodafone UK blocks access. The O2 filter has been covered in the popular media in the recent past and we're sad to hear that they've decided to include Tor's website in their race to the bottom.
In all the above cases we do not see DNS tampering but rather outright Man-In-The-Middle attacks against connections to our web server. These censorship systems do not currently implement a Man-In-The-Middle attack against the SSL services offered by our web server. It is not much of a stretch of the imagination to think that such an action may be a future plan; we've seen it elsewhere.
Current users of the Tor network are not impacted by this filtering, but these networks are attempting to deny new users the ability to start using Tor without extensive efforts. You can view their filter page without using their service; the exact block page is also available externally. It appears that it is possible for users to disable this censorship by providing a credit card as a proof of age. This is not exactly a privacy-friendly tactic. The O2 Twitter account contacted me and said they were willing to review their censorship policy for torproject.org but they did not offer to remove the censorship entirely.
This trend of providing partially censored Internet in what we all think of as free countries is alarming. Are we supposed to look the other way because the mobile Internet isn't the same as the "real" Internet? Should we worry that Vodafone's capabilities and behavior here remind us of what they did in Egypt last year? It would seem that the war over network neutrality is far from won.
(Investigation and research thanks go to Andrew Lewman, Steven Murdoch and Runa Sandvik of the Tor Project, SiNA of RedTeam LLC, Jim Killock, Lee Maguire, Peter Bradwell of the Open Rights Group and their project blocked.org.uk and Richard Clayton from the University of Cambridge.)