2012 in review: Tor and the censorship arms race - 44CON 2012


Published on

Runa A. Sandvik presents 2012 in review: Tor and the censorship arms race at 44CON 2012 in London, September 2012.

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

2012 in review: Tor and the censorship arms race - 44CON 2012

  1. 1. 2012 in review: Tor and the censorship arms race / Runa A. Sandvik / runa@torproject.org / @runasand
  2. 2. Today, we’re going to look at how Tor is being blocked and censored around the world.
  3. 3. In the beginning...
  4. 4. “Tor is free software and an open networkthat helps you defend against a form ofnetwork surveillance that threatens personalfreedom and privacy, confidential businessactivities and relationships, and statesecurity known as traffic analysis.”
  5. 5. History• Originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory• Developed for the primary purpose of protecting government communications• The source code was released in 2002, the design paper was published in 2004
  6. 6. How Tor works
  7. 7. The arms race begins...
  8. 8. Indicators• Increase in downloads of the Tor Browser Bundle: https://webstats.torproject.org/• Anomaly-based censorship-detection system: https://metrics.torproject.org/• Unblocking of the Tor Project website• Increase in emails sent to the Tor help desk at help@rt.torproject.org
  9. 9. 2006 - 2009 (1)• Thailand (2006): DNS filtering of torproject.org• Smartfilter/Websense (2006): Tor used HTTP for fetching directory info, cut all HTTP GET requests for “/tor/...”• Iran (2009): throttled SSL traffic, got Tor for free because it looked like Firefox +Apache
  10. 10. 2006 - 2009 (2)• Tunisia (2009): blocked all but port 80+443, could also block port 443 especially for you• China (2009): blocked all public relays and enumerated one of the bridge buckets
  11. 11. Since then...
  12. 12. Between 2010 and 2012• Tunisia: from 800 to 1,000• Egypt: from 600 to 1,500• Syria: from 600 to 15,000• Iran: from 7,000 to 40,000• All countries: from 200,000 to 500,000
  13. 13. China (October 2011)• Directory authorities, public relays, and bridges have been blocked for a while• GFW will identify a Tor connection, initiate active scanning, attempt to establish a Tor connection with the destination host and, if successful, block the IP:port.• Private bridges are blocked as soon as a user in China connects
  14. 14. UK and US (January 2012)• The HTTP version of the Tor Project website, along with other legitimate sites, was found to be filtered by a number of mobile operators• Vodafone, Three, O2, and T-Mobile in the UK, as well as T-Mobile in the US• See http://ooni.nu/, the Tor Project blog, and the Mobile Internet Censorship report by the Open Rights Group for details
  15. 15. Iran (February 2012)• DPI on SSL DH modulus (Jan 2011), DPI on SSL certificate expiration time (Sept 2011)• Iranian government ramped up censorship in three ways: deep packet inspection of SSL traffic, selective blocking of IP addresses, and some keyword filtering• Preparing for a “halal” Internet, first phase of this project will be rolled out in the beginning of September
  16. 16. Kazakhstan (February 2012)• Target SSL-based protocols for blocking; Tor, IPsec, PPT-based technologies, and some SSL-based VPNs• Fingerprints Tor on the TLS client cipher list in the ClientHello record, parts of the Tor TLS server record, and probably more• Will want to reanalyze the data we have from this blocking event
  17. 17. Ethiopia (May 2012)• In the beginning, DPI devices were only looking for Tor TLS server hellos sent by relays or bridges to Tor clients• Since the middle of July, DPI devices are also looking for TLS client hellos as sent by Tor clients < version
  18. 18. UAE (June 2012)• The Emirates Telecommunications Corporation, also known as Etisalat, started blocking Tor using DPI on June 25 2012• We are still analyzing the data from this blocking event• Tor bridges with a patch that removes 0x0039 from SERVER_CIPHER_LIST seem to work, so does Obfsproxy
  19. 19. The Philippines (May 2012)• We have only heard from one user in the Philippines, he was able to successfully connect to Tor without using a bridge• We have no other data about this blocking event, apart from the metrics user graph
  20. 20. Jordan (June 2012)• User in Jordan reported seeing a fake certificate for torproject.org• Assumed to be similar to the DigiNotar and Comodo incidents, turned out not to be the case
  21. 21. Cyberoam SSL CA
  22. 22. CVE-2012-3372• Cyberoam UTM device with malware scan• All devices share the same CA certificate• Hence the same private key• Any Cyberoam device can intercept traffic from any other
  23. 23. Documentation, tools, and solutions
  24. 24. Public key pinning - Chrome• Certificate chain for torproject.org must now include a whitelisted public key• Self-signed certificate will display a warning, incorrect certificate will fail hard• XP prior to SP3 will have issues with SHA256 signed certificates, including the one for torproject.org
  25. 25. Censorship Wiki• Collect information about the status of blocking events around the world, circumvention research, useful tools, etc• Contains information about all the blocking events I have covered today, minus Wireshark network captures• https://trac.torproject.org/projects/tor/ wiki/doc/OONI/censorshipwiki
  26. 26. Obfsproxy• Rolled out in February 2012• Makes it easier to change how Tor traffic looks on the network, requires volunteers to set up special bridges• FlashProxy, StegoTorus, SkypeMorph, Dust• https://www.torproject.org/projects/ obfsproxy.html.en
  27. 27. ooni-probe• A part of the Open Observatory of Network Interference project• Can be used to collect high-quality data about Internet censorship and surveillance• Will eventually be able to determine how different DPI devices are blocking Tor
  28. 28. Questions?• help@rt.torproject.org and tor- dev@lists.torproject.org• IRC: #tor and #tor-dev on irc.oftc.net• Twitter: @torproject, @runasand• runa@torproject.org