Update on Internet censorship in Iran

Here's a quick update on what we're seeing from Tor clients in Iran; it follows on from https://blog.torproject.org/blog/new-blocking-activity-iran. It appears that one of the five Iranian ISPs is experimenting with blocking censorship circumvention tools such as Tor, Freegate, Ultrasurf, and Hotspot Shield. There had been reports that this update to the censorship technology was coming soon: https://www.azadcyber.info/articles/1560.

Previously, we had data suggesting that SSL connections were being throttled or subjected to a forced reduction in throughput. That no longer seems to be the case. A simple IP address access list is now used to block access to the public Tor nodes, as well as many Tor bridges. The effect of this blocklist on Iranian Tor users was illustrated by two images in the original post (not reproduced here).

We are seeing success among users who configure their Tor clients to use a SOCKS or HTTPS proxy and then connect to the public Tor network. The trick here is that Iranian Tor users now appear to be coming from wherever the open proxy is located. A few volunteers in Europe and Southeast Asia have set up proxy servers restricted to Iranian IP space.

On a more technical level, here's what we were seeing last week for SSL manipulation: https://blog.torproject.org/files/https-traffic-flow.txt. What's interesting is that the Tor-server-to-client communication has a TTL of 40. The TLSv1 Encrypted Alert appears to come from the Tor server, except that its TTL is 39. Unless the Tor server suddenly jumped one hop further from the client, something intercepted the connection and injected that packet on behalf of the Tor server.
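To make that TTL check concrete, here is an added detection script of my own (not code from the post or from the Tor project) that parses constructed tcpdump -v style lines, not the capture linked above, and flags any packet whose IP TTL differs from the TTL that the same source endpoint normally uses:

```python
import re
from collections import Counter, defaultdict

# Constructed sample in tcpdump -v style, modelled on the pattern the post
# describes (server replies at TTL 40, one TLS alert arriving at TTL 39).
# These lines are made up for the example; they are not the linked capture.
SAMPLE_CAPTURE = """\
10:00:01.000100 IP (tos 0x0, ttl 40, id 1, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.10.443 > 192.0.2.5.40001: Flags [S.], seq 0, ack 1, win 5792
10:00:01.050000 IP (tos 0x0, ttl 40, id 2, offset 0, flags [DF], proto TCP (6), length 1500) 203.0.113.10.443 > 192.0.2.5.40001: Flags [P.], seq 1:1449, ack 300, win 54
10:00:01.051000 IP (tos 0x0, ttl 39, id 0, offset 0, flags [none], proto TCP (6), length 77) 203.0.113.10.443 > 192.0.2.5.40001: Flags [P.], seq 1449:1486, ack 300, win 54
10:00:01.200000 IP (tos 0x0, ttl 40, id 3, offset 0, flags [DF], proto TCP (6), length 52) 203.0.113.10.443 > 192.0.2.5.40001: Flags [F.], seq 1486, ack 300, win 54
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(.*?ttl (?P<ttl>\d+),.*?\) "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_packets(text):
    """Return one dict per parsable tcpdump line: timestamp, ttl, src, dst, flags."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append({"ts": m["ts"], "ttl": int(m["ttl"]),
                            "src": m["src"], "dst": m["dst"], "flags": m["flags"]})
    return packets

def find_ttl_anomalies(text):
    """Flag packets whose TTL differs from the most common TTL seen from the same
    source endpoint: a real server's packets share one TTL, an injected one may not."""
    packets = parse_packets(text)
    by_src = defaultdict(list)
    for p in packets:
        by_src[p["src"]].append(p)
    anomalies = []
    for src, pkts in by_src.items():
        if len(pkts) < 2:
            continue  # a single packet gives no baseline to compare against
        baseline = Counter(p["ttl"] for p in pkts).most_common(1)[0][0]
        for p in pkts:
            if p["ttl"] != baseline:
                anomalies.append({**p, "expected_ttl": baseline})
    return anomalies

if __name__ == "__main__":
    for a in find_ttl_anomalies(SAMPLE_CAPTURE):
        print(f"{a['ts']} {a['src']} -> {a['dst']} flags [{a['flags']}] "
              f"ttl {a['ttl']} (expected {a['expected_ttl']}): possible injection")
```

Run it against `tcpdump -v` output of your own session to see whether a reset or alert arrived with a TTL that the real peer never uses.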

This week we're seeing straight IP blocking after the SSL handshake starts: https://blog.torproject.org/files/ip-blocking.txt. In both cases, the capture is of the same Tor bridge from the same Tor client as before.

In a few short months, Iran has vastly improved the sophistication of its censorship technology. Right now, the best option is to use Tor through open SOCKS/HTTPS proxies. One risk is that the open proxy can see you are using Tor, but it cannot see the traffic passing through it, because everything is wrapped in layers of encryption by Tor. However, it appears the Iranian Potato Wall can detect Tor in any case by analyzing the traffic on the wire. We have reports that this is true for other circumvention tools as well.

I thank the many people that have taken risks to share data with us.

Anonymous

January 24, 2011

I am using Neda Ghostar Saba Net. A month ago there were a lot of problems with the internet connection to the ISP, but now it's all right. I suspect this is the ISP that is experimenting with these methods. The other one is Pars Network, I think, which is the same.
A very interesting thing is that the IPs that were shown in https://bridges.torproject.org/ were different from inside Iran, and indeed the bridges website was not filtered. When I checked the bridge website using other anti-filtering methods, the IPs were different...

Anonymous

January 24, 2011

If the government of Iran can identify encrypted traffic belonging to Tor versus other encrypted traffic, that's a serious problem for Iranians using Tor. Not only can users not have access to the Tor network, but they've broadcast themselves as users of "subversive" technology -- ripe for repercussions.

My advice to Iranians is to stay far away from Tor until this issue is resolved properly. Speaking of which -- why is there no talk of all this on the or-dev mailing list? Is the fact that Tor users can be identified so casually by random governments not considered an important enough issue?

In fact, I'd advise Iranians to stay away from Tor entirely. This issue was never even on Tor's radar until Iran deployed this new firewall. Pitiful. What assurances do users have that Tor is investing in research of future and unknown attacks against its network? The traffic fingerprinting attack cash cow has been generous (hundreds of papers rehashing the same results -- we get it), but it's time to move on to less trivial research, don't you think? The Iranian government seems to think so.

We've known about this attack for years. In fact, there are far easier ways to identify Tor on the wire than the methods Iran is using. This shows that trying to guess which attack will be successful isn't worth the effort (same as trying to predict a black swan event). Having plans to respond to successful attacks is where the effort lies, and where our research is focused.

As for or-dev, I don't know why others didn't bring it up years ago. However, we can now discuss it in the open, see http://archives.seul.org/or/dev/Jan-2011/msg00029.html for a start. We expected many "enterprise security" companies to figure this out 5-6 years ago, however none did. Or at least, none deployed their attacks in their products. We've said repeatedly that we're trying to have an arms race as slow as possible. A fine question is whether to deploy every countermeasure possible at once to blow everyone out of the water, or wait for a successful attack and respond to just that one.

The good thing is that Tor is at first an anonymity network, second a circumvention tool. If Tor is temporarily blocked, then use a technology that isn't blocked and run Tor over it to protect your traffic from snooping by the lower technology (vpns, proxies, etc).

The anonymous network communications field as a whole is small. Please join and help further the field.

Anonymous

January 24, 2011

Tor is at least open and honest about what it does, how it does it, and its failings. I don't see any other circumvention tools doing this. Sure, temporary setbacks happen. Even if China shuts off the Internet, I worry about tracking, human flesh search, and everything else. See http://donttrack.us/

Anonymous

January 25, 2011

As you know, governments in Iran, Sudan, ... are unable to block torproject.org. I think it's because torproject.org uses SSL (Secure Sockets Layer) technology to encrypt data between user and server.

So why not use this technology to bypass internet censorship?

For instance, torproject.org creates a page with a text input; users type the web address into that input, then a PHP script appends that URL to the end of the torproject.org domain, the way Google does in search results. The Tor server loads that page, encrypts it using SSL and sends it to the user's browser, and the browser decrypts it.

What's your opinion?

It is utterly trivial to block torproject.org. That they don't do so is likely to be purposeful, e.g., so they can monitor who then continues to access it, and what they are saying, if not specifically who said it.

Bear in mind that everything said here will be read.

Anonymous

January 25, 2011

Ya Hossein, Mir Hossein

For Mir Hossein Mousavi

Anonymous

January 27, 2011

Tor is still not working in Iran. It sounds like Iran's great firewall has beaten US IT technology.

The 0.2.2.22-alpha shows major improvements in comparison to the previous versions. Unlike the others in which my bandwidth graph showed no data reception, I received some data using this version. The only defect is that it sticks at the "Establishing a Tor circuit" level, and the data reception is not continuous. It tends to go on and off.

Anonymous

January 27, 2011

OFF TOPIC.

Why have you disabled comments on other blog posts like new releases? Do you not care for feedback anymore?

We care, but don't have time to sift through the 7000:1 ratio of spam to user comments. We don't have, nor want, a web forum. People who need support should email tor-assistants, not post comments from blog posts 3 years ago.

Where is the link for Tor-assistants then? I don't see it mentioned anywhere from the front page. It's not mentioned in the Tor package docs either.

7000:1/3 years -- get real, phobos.

It's right here, https://www.torproject.org/about/contact.html.en. We get roughly 7000 spam comments per 1 actual comment. Making our CAPTCHA too difficult ends up driving away people, but not spam bots. So we leave an easy CAPTCHA and deal with the spam on select posts.

Spam bots and users alike post comments to any blog post they happen to find via a search engine; even if the comment is totally irrelevant to the post.

Anonymous

January 28, 2011

Hi,
I have downloaded Tor 0.2.2.22 from your website several times, but I cannot install it correctly; it does not work. I am in Iran and I need to connect to the Tor network.

Please help us!!!!

Anonymous

January 28, 2011

I have a suggestion.
Tor developers could develop a PHP proxy (IP tunnelling) with a client version and a server version.
Everybody can upload the server version to a free PHP host or buy PHP hosting for himself. They can use this proxy to connect to the Tor network!

Anonymous

January 28, 2011

My Tor did hang on the handshake with the directory server, but then when I used Tor with FetchDirInfoEarly, I could connect. I've been using 2.2.20 alpha.

Anonymous

January 29, 2011

Connection from Iran, v0.2.1.29: connection establishment took about an hour. It is very strange, because I could not even connect with bridges for about 20 days.
Is it safe?

Anonymous

January 30, 2011

We would like to test some Iranian filter bypass techniques using multiple AETs (Advanced Evasion Techniques) at the TCP level.

We think there is a very strong way to build an anti-detection system just by tweaking things at Layer 3, requiring the counterpart (Iranian censorship systems) to install 100x the hardware to be able to detect it.

Is there a Linux box IN IRAN available on which to install our stuff and Tor (prior to 0.2.2.22-alpha) and run some tests for 1-2 days?

Please contact privacyresearch at infosecurity.ch, as we would like to experiment with the ability to bypass but don't have access to a Linux box in Iran.

Privacy Research Team (and Tor exit node maintainer)

Anonymous

February 02, 2011

I just stumbled upon your blog, and after reading your blog posts I wanted to say thanks. I highly appreciate the blogger for making this effort.

Anonymous

February 10, 2011

I've been connected via Tor 0.2.2.21 from Mashhad, Iran (ISP: ICT, Telecommunication Company of Iran).
It seems that the problem is resolved.
Does Tor confirm this?

Anonymous

February 10, 2011

It seems the problem was resolved in recent days. I can connect via Tor 0.2.2.21 in Iran. Does Tor confirm this?
Tor writes: "...However, it appears the Iranian Potato Wall can detect Tor or not in any case by analyzing the traffic on the wire. We have reports this is true for other circumvention tools as well." Does it mean that using Tor is no longer safe in Iran?

We made a change on the relay and bridge side that makes Tor work in Iran again:
http://archives.seul.org/or/talk/Jan-2011/msg00305.html
I don't expect this change will make things work forever, but it will buy us some more time for a better solution.

And no, one of the features of Tor's design is that while sometimes they can *block* it, that doesn't make it unsafe to use it whether they are blocking it or not.

(But remember that Tor's main security goal is to prevent somebody watching you from learning what you're doing online. There are still ways they could learn that you are using Tor -- just not what websites you're going to. This risk is present for all circumvention tools. Whether this risk is dangerous for you depends on your situation.)

Anonymous

February 11, 2011

From your reply (here and elsewhere on this page), I get that it is just Tor 0.2.2.22 that can work now. So I must mention that I could connect via portable Tor 0.2.2.21 and the installable Tor 0.2.1.28-Polipo version on Linux (which has never been upgraded) as well.

Anonymous

May 30, 2011

Dear Tor assistants,

Thank you for delivering the Tor software.
I live in Tehran, Iran.
I use the Farsi version of Tor (I got it by sending an email: tor-browser-bundle to gettor+fa @ torproject.org),
but I can't watch streams on YouTube and other similar websites,
so I enabled plugins on Tor usage in the Torbutton options, but I still can't watch streams.
I use Vidalia version 0.2.10 and Tor version 0.2.1.30, and I can't download and install the new version of Tor; could you send it to my email inbox?
By the way, I want to use my own Firefox or IE9; can I?

Anonymous

November 24, 2011

Iranians can buy endless SOCKS5 proxies and VPNs from elitevpn or vip72 and other providers to watch YouTube junk. Don't bother streaming through Tor.

An enterprising local Iranian could buy a VPS, make his own proxy and sell it to other local people for use.