Iran Shuts Down Major Websites and Https Protocol
I'm writing this to report the serious troubles we have regarding accessing Internet in Iran at the moment. Since Thursday Iranian government has shutted down the https protocol which has caused almost all google services (gmail, and google.com itself) to become inaccessible. Almost all websites that reply on Google APIs (like wolfram alpha) won't work. Accessing to any website that replies on https (just imaging how many websites use this protocol, from Arch Wiki to bank websites). Also accessing many proxies is also impossible.
There are almost no official reports on this and with many websites and my email accounts restricted I can just confirm this based on my own and friends experience. I have just found one report here:
http://kabirnews.com/iran-shut-down-gmail-google-yahoo-and-sites-using-https-protocol/202/
The reason for this horrible shutdown is that the Iranian regime celebrates 1979 Islamic revolution tomorrow.
I just wanted to let you guys know about this. If you have any solution regarding bypassing this restriction please help!
150 comments
[ 1.7 ms ] story [ 251 ms ] threadhttps://www.torproject.org/getinvolved/volunteer.html.en
They also shape the bandwidth of encrypted connections. My guess is that they use something like L7 to guess the type-of-connection using different patterns.
Second is, I'm not sure anyone has yet connected steganography with public-key cryptography, but it really does have to be done that way for plausible deniability, otherwise you can just look inside the packets. So, inside the first JPEG linked from index.html there is steganographically hidden a 2048-bit RSA public key, and communication consists of uploading steganographic requests of the form encrypt(public_key, shared_key) | encrypt(shared_key, request). The first segment, the server knows should be 2048 bits = 256 bytes long. My bsencode project (https://github.com/drostie/bsencode) might be useful for formatting the data-to-be-encrypted; you need to transmit something like 32 bytes for a key, 16 bytes for a nonce, 32 bytes of predictable plain text so that the server knows that the request is intentional, perhaps 16 bytes of unrelated randomness just to give the RSA packet some extra entropy, and perhaps we could already specify some aspects of the protocol and intended query in the header as well. The 256 bytes would be plenty to contain an entire handshake.
However, you would have to think long and hard about how the public key is encoded, since it's a two-part data structure and either part -- or the glue -- could "leak" the fact to an adversary able to do basic data-processing that there is an RSA key hiding in plain sight. Also the access pattern might leak this info -- how many places do you know which are important enough that Iranian citizens should have access to them, but follow a predictable pattern of "download HTML, download image, upload image"? The last part is the unique part; uploading images and lots of text is relatively uncommon.
The third problem that I see is the interaction problem: Iran can guess at steganography by its access pattern, lots of large HTTP uploads followed by HTTP downloads -- but it can then confirm the guess by sending its own requests to the same server and validating that it gets valid responses back. So you can target the system by simply trying to use it.
This last problem is much harder, I think. One obvious solution is to only handle one client at a time -- but that is dangerous because it paves the way for denial of service attacks from the government; they just take download of index.html followed by a GET request for a JPEG and try to send their own steganographic request, tying that server up with respect to real traffic.
Mounting a good steganographic attack against the people who run the communications infrastructure is going to be very difficult indeed.
[1] http://en.wikipedia.org/wiki/Covert_channel [2] http://code.kryo.se/iodine/
What unencrypted protocols are allowed / common?
I am wondering whether this approach is better than the one someone else suggested - connecting to a streaming server (like OnLive) - I guess streaming server could be made more undetectable, but more expensive to run
http://en.wikipedia.org/wiki/Steganography_tools#Cryptograph...
What about ssh tunneling over an alternate port?
Gosh I cannot believe governments that do this to their people.
I wonder if they are ironically using American engineered equipment and software to do the block too.
That is why I asked the question.
What exactly would be the irony of it? Iran doesn't forbid buying US products and services, it's the other way around.
If they are blocking https traffic, they are almost certainly intercepting and scanning http traffic (lots of countries do this, e.g. lots of UK ISPs did this to censor wikipedia).
So, even if you were to be able to access gmail over http, you probably don't want to. :)
https://en.wikipedia.org/wiki/Virgin_Killer
https://en.wikipedia.org/wiki/Wikipedia#Sexual_content
In short, if any website goes against their stupid and yes effed up ideals they will ban it. The ISP's can't do anything because they're forced to comply.
Forget ACTA or SOPA, these idiots just do whatever they wish.
Forcing countries like China, Iran and US to go into dark ages if they don't use the new all encrypted networks.
It's a shame that we are so paranoid as a species that we need to do that, but I don't see any other way.
I know this is extreme, but I don't want to see the freedom I enjoy right now taken away by these obsolete power hungry entities.
The problem is some governments would be perfectly happy with that. In fact for the most repressive ones it's long term goal.
China wants to create a separate internet for Chinese users and they're half way there. They have their own local censored versions of Google, Twitter and Facebook. Soon most internet users in China won't care if the rest of the internet disappears. Likewise for Iran, except they have been more open about it [1].
[1] http://online.wsj.com/article/SB1000142405274870488940457627...
Absolutely but the effect will be not be huge in my opinion because of the language differences. All my Chinese friends here in the EU still use mainly Chinese language website, most of which are based in China, especially the social networking ones.
They could try to mitigate by rationing secure channels, or allowing them with backdoors, but this still sacrifices the spontaneous creativity of a truly open system.
We can do secure comms over HTTP - all it takes is a binary protocol like TLV, encrypting that, and implementing a well thought through approach to key management. Ideally something derived from the Needham-Schroeder protocol, but if we take on some lessons from PGP and the like, using timestamps instead of nonces.
The Internet is just a piece of wire - what travels across it is up to us. This goes back to the idea of building platforms rather than applications.
Maybe my ramblings here are a bit too much up in the clouds, but I think I'm going to build something that does secure comms over HTTP...
[1] Iran notwithstanding, the recent TrustWave snooping story shows that SSL is even losing its usefulness inside organisations! If you're interested, the story is here:
http://www.theregister.co.uk/2012/02/09/tustwave_disavows_mi...
Not being familiar with specific DPI implementations I would imagine if such filtering was white list -based then anything unrecognisable would be blocked?
Granted, someone could do entropy detection, and e.g. pass only things that look statistically like valid English/Persian/etc. text. But that needs more compute power, and can be worked around as well using statistical methods similar to Huffman coding.
My experience of DPI is limited to Tenix diodes (which are white-list based, and are more focused around stripping malicious code by converting known objects to another format, eg .jpg to .png and back, or Word to PDF and back), or McAfee's Secure Web (used to be Web Washer), which does URL filtering, SSL scanning, etc. Also white list based.
FWIW our product can do this very quickly (we sell a 1U which can inspect 8 Gb/s).
1: https://twitter.com/#!/ioerror/status/167922546807812096 2: https://www.torproject.org/projects/obfsproxy-instructions.h...
Currently if you run such a bridge, you'll either need to manually tell us (via email to tor-assistants at torproject.org ) about it or you'll need to share these bridges with people you want to help directly. It's a pain and we're working on it.
https://github.com/stealth/sshttp
You do need a server on the 'outside' though. (oh bugger, github uses https)
The problem is, with the people (in the court or the gov.) who don't understand how the Internet works.
The one main memory I have is leaving my iPhone, with my hotel room key-card inside the case, in a Taxi.
The driver searched for me for 30 minutes to return it. Great people, and I love the barter culture.
Internet is pretty slow (I use a 3G which runs on around 1Mb/sec and costs around $20/month), the infrastructure is poor, the people are either struggling or confused how all these structural problems could get solved.
Not a great place to be in, honestly. If you are in Europe and looking for some Sun, then may be it's a deal for you considering the cost.
If you happen to make a travel, I added my phone number. I'm moving to the capital this summer, and if I happened to purchase a car, I'll take you in a free drive around the capital and Hammamet.
The Internet is easy to kill, as are digital cell-based radio networks. Proper amateur radio is not.
Jamming is not that effective over a large area before anyone suggests that.
I lived through the communist era in Poland. Amateur radio stations were banned and prosecuted (you would go to jail), even possession of a CB radio was a crime. Things may be similar in Iran.
As usual, if you don't take precautions, that will happen.
Pirate radio stations were and still are common in the UK, particularly around London. They move around regularly and broadcast for short periods so it's hard to trace or predict a location.
The same conditions apply here.
Also, remember the general rule is that if the broadcaster can become a target, so can the oppressor.
When I finished my EE qual, I actually ended up working as an engineer for one of the more nefarious defense contractors. After about 2 years, I realised that what I was working on was engineering devices to watch people, to keep secrets and kill people. So I gave them the finger. My morals have kept me thinking about this for the last 20 years.
Tor is not a solution, because it could be found on your computer.
Radiowaves - I don't know, I would also expect them to be easily detectable, but I'll look it up.
Rather work at a Taco Bell than write a censorship program.
Regarding triangulation, it's about finding the source. The source is hard to track reliably if it moves, especially away from the detection devices or rapidly out of range. Try tracking a broadcast source from a vehicle driving around you in a circle. If it's omnidirectional you'd have to be in the line of sight. If there is interference across the band, selectivity of the RDF recievers is compromised. Radio direction finding is surprisingly painful.
Hint: The anti-triangulation measures are actively used on Clansman radio sets.
Of course it would also have to be implemented on the server-side but that's another problem.
The fact about the shut down is correct. I would also add that secure connection to servers inside Iran is possible. I've tried some, and they work. But trying to connect to services like Github and PivotalTracker, which we relay on in our starup, results in no response.
Also I will note that the ssh protocol is the same. I can ssh into my university machine (inside Iran) but I can't access my rackspace VPS with ssh for example.
One thing to add is that `Sara70` creator of this thread, mentions some non-related reason for this (The reason for this horrible shutdown is that the Iranian regime celebrates 1979 Islamic revolution tomorrow.) which is wrong.
Here nobody officially said anything about this. But as this shutdown is getting more attention in the media, I suspect this issue to get resolved soon.
How do you know this?
I know this because, this trend (shutting down secure network protocols) started on and off, like 1 year ago.
But thanks for the offer.
I wrote a simple script to do this, and I would like to share it with all of my countrymen:
https://launchpad.net/~mohammad-sepent/+archive/ppa/+package...
To use it, just replace ssh command with issh like this:
issh user@hostname [other-ssh-options]
[1] https://launchpad.net/~mohammad-sepent/+archive/ppa/+files/i...
Edit: Non SSL link: http://ppa.launchpad.net/mohammad-sepent/ppa/ubuntu/pool/mai...
sudo add-apt-repository ppa:mohammad-sepent/ppa
sudo apt-get update
sudo apt-get install issh
For other distros you can grab the .deb or the source package from the given link.
If you don't live within their control, they don't want you to see the propaganda they put out on their "British Broadcasting Corporation" (BBC) television stations and web site. Needless to say, there are ways around their entirely pointless technical restrictions.
(Note_To_Self: As somewhat dyslectic person, I'll never forgive patio11 for nick-naming his product "BCC").
I would like to say that by-passing government sanctioned Internet restrictions is simple and easy, but it's not true. Doing it safely can be impossible at times, and considering the rather severe punishments for getting caught (i.e. death), it may not be the smartest choice you could make. If you want to take your chances, there are often technically possible ways to by-pass the restrictions. It's not easy, and it may not be entirely safe, but usually, it is technically possible.
There are free solutions out there like Tor ("The Onion Router" https://www.torproject.org/), but they mostly suck. If you don't believe me, then just try using them. The other problem with the free solutions is a lot of government filtering knows about them and adjusts accordingly (when possible). There is also a lot of monitoring an profiling done on the traffic on the free solutions like Tor since the traffic is interesting.
If you need a solution that sucks less, you'll need to pay for it. As much as many would like to believe otherwise, bandwidth and servers are not free, so when a service is unable to support itself through advertising, then you'll need to pay for it. The commercial VPN vendors are more reliable and have far better security, privacy and performance than the free alternatives.
I've been a paying customer of https://www.tunnelr.com for over a year, and really enjoy their service. I'm on friendly terms through email with the two founders, Daniel and Jared, so I'm probably guilty of some sock puppetry or fanboyism. They also run the "devio.us" free shell provider service which is very impressive.
The thing to realize is the people responsible for controlling the network you are on and enforcing the restrictions probably have a way out of their own. It could be that their "day job" gives them access to the "other" side of their censorship filters, or possibly they've left a few holes here and there that they can use to by-pass their own filtering system. If the latter, it's probably done with a VPN of some sort.
In the case of a good commercial service like tunnelr.com, you don't need to worry too much about figuring out where things were left open.
Typically, if UDP traffic is found going to port 53, most people expect it to be DNS lookups from client systems. Again typically, if TCP traffic is going to port 53, most people expect it to be DNS lookups done by DNS servers. Of course, if you see TCP traffic going to port 80, you'd expect it to be going to a web server...
The common expectations are not "wrong" in most situations, but these expectations can be wrong if things are configured differently.
In the case of good VPN services, things are configured differently!
For example, I can use TCP and connect to port 80 but establish a SSH connection, or use UDP and connect to port 53 but establish an OpenVPN connection.
This kind of trickery will not fool filters with the capacity to do "Deep Packet Inspection" ("DPI" e.g. protocol profiling), but the vast majority of filtering tech out there can't do deep packet inspection all of the time. It requires too much computation to be effective on fully saturate...
I'm not trying to be an ass by asking; I'm actually curious, but testing it myself (American) is not particularly smart.
Anyhow, if DPI is in place and at wire-speed (rare, but would cover everything), then the answer is obvious; ssh over http. It can be done with gothard [1] and corkscrew [2].
[1] http://www.nazgul.ch/dev.html [2] http://www.agroman.net/corkscrew/
- https://blog.torproject.org/blog/iran-blocks-tor-tor-release... Iran detects ssl parameters and block suspicious connections (they based it on the expiry time of the session certificates)
- http://www.telegraph.co.uk/news/worldnews/middleeast/iran/83...
- http://www.christopher-parsons.com/blog/technology/is-iran-n...
Btw. it is not only Iran running country wide DPI - have a look at http://www.youtube.com/watch?v=DX46Qv_b7F4 about the different techniques currently used to block/prevent access to VPNs/Tor etc.
(edit: added some additional links)
http://www.slideshare.net/bleidl/net-neutrality-and-internet...
True, but wouldn't you expect a repressive regime to be able to afford such equipment? The original post talks about Iran, which probably places more emphasis on blocking traffic than the UK.
You mean you don't pay for the TV license since you're not in the UK and you complain that you can't watch their tv? Shocking...
I really don't understand your approach to this - propaganda? restrictions of a regime? very oppressive? There are some things I disagree with in the UK, but you're trying to watch a TV channel they want to get paid for. It's that simple - there's no point in dragging politics into this one. I'm definitely against silly country filtering using geoip on services that don't allow other means of access, but in the context of what's happening in other countries, let's not call it "oppressive", please.
Download proxytunnel and follow this guide to set up Apache (or whatever server you prefer) to http proxy ssh connections to port 22: http://dag.wieers.com/howto/ssh-http-tunneling/
Then run ssh with proxytunnel as the ProxyCommand (as shown in the guide). It will make a plaintext HTTP connection, request a CONNECT yoursite.com:22, and if they aren't inspecting "too deep" you should be able to get an ssh connection.
If that doesn't work there's always icmp tunneling (hans), dns tunneling (iodine), and various other options. See if you can make a udp connection over port 53 to a remote host and transmit non-DNS packets; if they aren't intercepting DNS traffic, just make an openvpn udp connection over port 53 for your tunnel.
I actually have a whole paper on circumventing captive portals and firewalls and a crappy tool to probe them if anyone wants it.
I'll have to find the paper and clean it up a bit, but e-mail me and i'll send it when I find it and i'll post it on here. It's not amazing or anything, mostly just a talk with references to tools and articles and common flaws in captive portals.
It looks like Iranian government uses a transparent proxy, so all connections to ems01.your-freedom.de (ems01 through ems24) first redirect to iran.ir and then go to YF's servers!
(YF is blocked right now, so I can't re-do this test right now. These images are from my email to YF 10 months ago)
http://www.imeezo.com/v/images/49229825994939115647.png
http://www.imeezo.com/v/images/46490363986030440278.png
A page accessed without a VPN/proxy: http://www.imeezo.com/v/images/98155525346546936123.png
The same page, but with a VPN: http://www.imeezo.com/v/images/30239946359511647325.png
In the third image, the response is from iran.ir's transparent proxy, not YF servers...
[1] your-freedom.de
Just let you know that I used that when I'm in "not-really-freedom-friendly-country" =)
http://nihilex.com/obfuscated-openssh
Slow but works =)