Iran blocks Tor; Tor releases same-day fix

by arma | September 14, 2011

The short version: Tor relays and bridges should upgrade to Tor 0.2.2.33 or Tor 0.2.3.4-alpha so users in Iran can reach them again.

Yesterday morning (in our timezones — that evening, in Iran), Iran added a filter rule to their border routers that recognized Tor traffic and blocked it. Thanks to help from a variety of friends around the world, we quickly discovered how they were blocking it and released a new version of Tor that isn't blocked. Fortunately, the fix is on the relay side: that means once enough relays and bridges upgrade, the many tens of thousands of Tor users in Iran will resume being able to reach the Tor network, without needing to change their software.

How did the filter work technically? Tor tries to make its traffic look like a web browser talking to an https web server, but if you look carefully enough you can tell some differences. In this case, the characteristic of Tor's SSL handshake they looked at was the expiry time for our SSL session certificates: we rotate the session certificates every two hours, whereas normal SSL certificates you get from a certificate authority typically last a year or more. The fix was to simply write a larger expiration time on the certificates, so our certs have more plausible expiry times.

There are plenty of interesting discussion points from the research angle around how this arms race should be played. We're working on medium term and longer term solutions, but in the short term, there are other ways to filter Tor traffic like the one Iran used. Should we fix them all preemptively, meaning the next time they block us it will be through some more complex mechanism that's harder to figure out? Or should we leave things as they are, knowing there will be more blocking events but also knowing that we can solve them easily? Given that their last blocking attempt was in January 2011, I think it's smartest to collect some more data points first.

It's too early to have cool graphs showing a drop in users and then the users coming back a day or so later. I'll plan to add these graphs once things play out more. [Update: here is the graph as of Sept 16]

Comments

Please note that the comment area below has been archived.

September 14, 2011

Permalink

So I fired up the bridge again and... what the hell is going on - 185 active inbound bridge clients, and 180 outbound connections to relays?

Is Tor just part of a botnet now then, because this doesnt look right at all (and neither does this: https://metrics.torproject.org/bridge-users.png ).

Is there a option available to restrict which countries can access the bridge similar to using {CC} in the torcc? Example: AllowBridgeClients {IR}

I had the same problem in August: I ran a TOR bridge for months and suddenly I was having hundreds of connections to relay, too much for my home broadband, regrettably I had to shut it down.

Actually I remembered reading something about this but couldn't think where... cryptome.org. So, after re-reading that and checking out tor-talk I see you're aware of the problem.

So, how about setting some friendly hackers against those numerous IT/ES/BR/IL/... addresses to ID what they're running? Shouldn't take long at all, there's surely enough of 'em to find a sploit or two in... Hey, some of em' even host websites replete with nice convenient contact details... ;)

Sorry, just ain't gonna be running a bridge node like this. Threw up a monitor for a short while and logged around 16,000 inbound connection attempts in approx. 6 hours...

September 14, 2011

Permalink

Thank you so much torproject.
Last time, I managed to reach tor network via proxy (Settings -> Network -> I use a proxy to access Internet) when they attempted to block Tor in january. This time it was different. I tried many anonymous , elite and transparent proxies with different ports but it did not work at all.

September 15, 2011

Permalink

you didn't had to spoil everything you did because the goverment is not idiot.
they will see this post and will think of new ways to filter the traffic.

"you didn't had to spoil everything you did because the goverment is not idiot.
they will see this post and will think of new ways to filter the traffic."

Exactly what do you think the Iranian government will learn from this blog post, that they don't already know? It will be obvious to them that Tor has been updated, and it will be obvious to them how it has changed.

They're not idiots, so they don't need this post to think of new ways to filter the traffic — or to realize that we would change Tor to get around their filter, like we already did in January. At the same time, I think it's valuable to let our users know what's up, and to help other people working on circumvention tools (now and in the future) get a better sense of how these arms races play out.

See the last paragraph of point #4 in https://svn.torproject.org/svn/projects/articles/circumvention-features… for more discussion.

if this blog wasn't here, I'm sure that the gov't could just poke around the open source changelogs etc to find out that we fixed what they tried to break...

September 15, 2011

Permalink

Thanks for the quick reaction.
As to your question of what to fix preemptively, my take would be that the clues which allow a government to detect someone is using tor ought to fixed asap. If no such risks exist it may be smarter to wait and see.
FWIW

September 15, 2011

Permalink

Thanks

Yes, you'll be able to get it the same way as before (email gettor@torproject.org with 'windows' in the body of your message). The new Tor Browser Bundles aren't ready yet though -- stay tuned for a follow-up blog post.

If you're in Iran though, note that you don't actually need to upgrade to get your Tor working again. It's the relays that need to upgrade. At this point enough of them have upgraded that things should be working again on your side, even without the latest Tor.

September 15, 2011

Permalink

Thanks very much, we have the same problem in Syria.
the problem with bridges by email , you will get same IPs in message you send

September 15, 2011

Permalink

> knowing there will be more blocking events but also knowing that we can solve them easily?

This sounds like the right strategy. It also confuses the attacker as to where to invade, makes him waste energy on things easily fixed.

fwiw

September 15, 2011

Permalink

That is a very interesting discussion to have.

The reason the Allies were able to continue breaking Enigma through WWII is because the Germans made incremental improvements. Had they done them all at one the Allies would have been screwed, would have been cut off from intelligence for a long period of time instead of many short periods, and may even have moved men to work on more fruitful ciphers.

Fixing all the flaws in Tor at once could deal such a set back to Iranian geeks that they may give up or lose funding and leadership support if they have no progress for a long period of time, while incrementally fixing them would keep them rewarded psychologically, bureaucratically and financially.

They could come up with something smart, but it seems like the incremental approach would at best delay the day that happens, and at worst keep more people working towards that day and thus ensure that day comes.

The problem with analogies is that unless it is the same problem, the same solution may not be the right one. The subtle difference in this case is for the Enigma it was finding the decryption key due to poor implementation by its users allowing the message to be decoded. If they implemented everything strongly from the start, or if they just used it properly, it would of taken much much longer to break.

In this case it is detecting non-standard messages are being used. They will look for things so subtle that the people behind tor might take months to figure out a way around, once all the easy methods are off. The technology to check out a timestamp in a certificate is much less complex then one that calculates entropy and other metrics.

Of course this discussion might be pointless, eventually these countries, since they don't believe in freedom, just cut off the Internet, work on a white list, or create there own private internet, which I hope the some long term solution will help mitigate this, although it is outside the scope of tor.

September 15, 2011

Permalink

I sincerely believe that the Tor Project developers should approach this problem of future blocking of Tor traffic by government entities as if it were a game of poker. Don't show your hand, and keep good cards (patches) ready to use. Any theoretical weaknesses can have patches written for them and essentially fixed _now_, but to rule out weaknesses publicly by putting the patches out there immediately is doing some of the work for enemies of Tor. You can potentially make it frustrating and intimidating work to block Tor traffic by making them afraid of how much work must done until the Tor Project runs out of patches.

September 15, 2011

Permalink

Great job, guys. Your commendable work is a God-send to thousands of people, you should all be proud!

September 15, 2011

Permalink

I must admit that I giggled a bit at the comments here. "Iran will do this", "Iran will do that", "Iran isn't stupid", etc.

In this cat and mouse game it's not Iran that we're playing against. We're playing against Iran's censorware vendors, our peers in silicon valley who frequent the same coffee shops and web-forums everyone else here does. I expect the person responsible for this blocking, the person who added the cert age check to some "enterprise" product with improbably high scale a few months back is reading this very post. I wonder if they even realize that we're talking about them?

It's probably futile to argue the ethics of this to the people who are responsible from the technology— burred behind N levels of sales and product management they feel no culpability or at least those who did self-selected them out of the business. So I'll skip the admonishment...

To those who remain, I'll just leave the reminder that playing both sides will not only improve the cause of civil rights without decreasing your income it will probably increase your income as your customers keep returning to you for the next half-assed step in the cat and mouse game.

September 15, 2011

Permalink

It does appear whoever implemented that change on the border routers went for the low-hanging fruit. Whether this type of small issue are fixed now or later is essentially idempotent: the result is almost identical which ever order the changes are applied and the same conclusion will be reached fairly quickly.

I would assume there are more robust methods of filtering, which would be substantially more tricky to bypass. A naive approach would be to monitor all SSL/TLS connections then pass that list of IPs to a script that pulls the certificate chain from each SSL/TLS service; if the returned certificate chain is signed by a normal CA then it is put in the "accept" bin and if not, the "block" bin. After a few days, the corpus would reflect those IPs which are from normal websites/secure SMTP/etc and those which come from applications such as Tor. The actual filtering can be performed very quickly on the router as it is supplied as an IP list, i.e. no deep packet inspection required. I've seen far more difficult setups implemented within a few days at ISP level, so it cannot be too difficult. There are also a few reasonably easy counters to defeat that sort of construction (and I would imagine it may hurt businesses as well, so probably not a first-line option).

It looks like we're going to see a bit of an arms race going on. Having said that, I suspect the more insidious issue of side-channels will be what oppressive governments will focus on - something that is all together more difficult to protect against. These sort of blocking attempts are more likely implemented as a rough-and-ready means to reduce the amount of work they have to do.

That's just great, you are posting new ways to for the authoritarians to block it, how wonderful.
And all to show how 'clever' you (think) you are.

September 15, 2011

Permalink

hi
thanks for tor
i have used to configure opera for using tor in port 8118
but in new versions of tor there is no way to use opera
what can i do?

You really shouldn't be using Tor with anything other than Firefox + Torbutton. See the huge list of application-level privacy issues that Torbutton tackles: https://decvnxytmk.oedi.net/torbutton/en/design/

Our recent switch to recommending Tor Browser Bundle makes it even more straightforward to use Tor correctly. A side effect is that it makes it harder to use Tor unsafely. https://vbdvexcmqi.oedi.net/blog/toggle-or-not-toggle-end-torbutton

September 16, 2011

In reply to arma

Permalink

Many users in Iran are prevented from having access to high speed Internet. Many of them use Opera Turbo to speed up their browsing.

September 15, 2011

Permalink

!!Chaos!! :

I'd say wait for them to try to block you, then apply the fix. This would have the effect of driving them completely mad as well as waste their time, effort, and money. If you fixed everything first however, they'd have to expend less resources on blocking you next time. This whole matter is a bit of a war, and it's wise to make the battle more expensive for your enemy then it is for you.

September 15, 2011

Permalink

thanks again.a problem that me and other friends have is that:tor bundle and it 's firefox portable version can't show and play flash contents!there is not any flash player plugin/active x installed!it is possible to add the latest version of flash player packed with tor bundle?thanks

Not at present. Flash simply has too many ways to screw up your privacy (not to mention your system security). https://decvnxytmk.oedi.net/torbutton/torbutton-faq.html.en#noflash

There are some possibilities to sandbox the browser enough to keep it safe (see e.g. http://www.romab.com/ironfox/) but don't hold your breath. In the mean time, hope for rapid acceptance of HTML5: http://www.youtube.com/html5

September 15, 2011

Permalink

we used to watch many videos of our green movemenet's against islamic murderer regime of iran in youtube
and now we can not watch this kind of videos in recent versions of tor
previously we can configure opera or ie to use with tor and this was our remedy for our problem

The newer versions of Tor do seem to have that kind of trouble, but there may be a workaround. Some stuff will not work with the HTTP proxy, but will work with the Socks proxy. You might want to look for a program like SocksCap or ProxyCap, configure it for your Socks proxy (which is 127.0.0.1, port 9050, unless you have changed any settings), and then have it make everything from your browser go through the Socks proxy.

Barring that, you can try and find an older version of Tor, which will allow streaming audio or video on the HTTP proxy.

September 15, 2011

Permalink

We are providing tunneling solutions for VoIP in Iran, Oman, UAE and other countries (http://www.mizu-voip.com/Products/VoIPTunnel.aspx) and we had the same problems in the past, whether if we should fix all these preemptively or first wait to be blocked and act accordingly.
Our decision was to do what we can preemptively. As our best knowledge, we don't have anything which can be filtered and we use various methods to bypass all kind of filters using different transport methods like UDP, TCP, HTTP, socks 4,5 and http proxies on random ports and servers with strong RSA encryption (+ a few other encryption method)
Since we made all these, we are still blocked time to time (4 months ago last time), but now we can release a fix very quickly.
The main point is that you cannot predict all tricks. So my recommendation is to fix/change everything what you can do with less effort, and don't put too much effort to guess how it can be blocked, because that is almost unpredictable.
For example in one country the ISP have blocked all streams (both UDP and TCP) where the bandwidth usage was almost the same both way which is typical for VoIP. So we had to separate the up and down streams to separate connections. And this is just an example for a hard to predict blocking method. We have seen a lot of other interesting attempts.
Good luck!

Istvan Fenesi,
Mizutech SRL
istvan at mizu-voip.com

September 16, 2011

Permalink

Just a heads up to the devs.. (i don't know where to submit this)...
Palo Alto Networks Firewalls will detect and deny all TOR connections.
I haven't tested if the latest version will be blocked.
Will report back.

Regards

September 16, 2011

Permalink

Hi , Thanx and greeting from Syria:
I have seen some node that are located in Syria , Can you further investigate them , they look fishy as hell ,
and it is possible to configure my torcc to exclude Iran and Syria based nodes(the wicked friends lol) in the path(entry or exit)?

September 16, 2011

Permalink

"That's just great, you are posting new ways to for the authoritarians to block it, how wonderful.
And all to show how 'clever' you (think) you are."

The Iranian government - or more appropriately the state - run border routers. To do so you need experienced and competent staff, hence they will have thought of the same and more. Countries like China contract companies such as Cisco specifically to implement filtering mechanisms; you can be well assured they can invent much better than has been discussed here since they make most of the equipment in the first place.

If the Iranians haven't implemented better filtering, you can be sure it is not out of lack of competence, rather for other reasons.

I think your level of intelligence is demonstrably evident from your post.

-----

Regarding youtube videos, one could probably use a script such as youtube_dl proxied over Tor; once the video has been downloaded watch using, say, VLC. Not the most elegant solution but it (should) work.

September 16, 2011

Permalink

Ther is an other way to let people use Tor. If you have an older version of Tor (0.2.1.19 or ealier), you can configure Tor to operate is a publicly accessible proxy. This means that someone can simply change their browser settings to your IP adress, and whatever port you designate for Tor, and they will not need to hiave any software installed.

I have done this at times, to allow people to use Tor from their workplaces, where it might be blocked. Also very handy when PCs are locked down against insalling software, All you need to do change some configuration files. You would change it from 127.0.0.1 to the IP address on your PC, and then restart Tor. Then anyone on the Net can use your proxy to get no Tor without having to have the software installed.

Beware that you will need an older version of Tor, since the latest versions no longer support making Tor a publicly accessible proxy.

Woah. This is really bad advice -- first because it advocates using old and insecure versions of Tor, but also because these users will be making unencrypted unauthenticated connections from their computer to yours, meaning you (and anybody watching) get to learn (or modify!) the websites they ask for, read their traffic if it doesn't use https, etc. You are not letting them "use Tor" in any meaningful sense.

If you want to let somebody use your computer to bounce Tor traffic, you should configure your Tor to be a bridge, and have them configure their Tor to use you as their bridge. https://decvnxytmk.oedi.net/docs/bridges

September 16, 2011

Permalink

Well, it's no Hans Rosling presentation, but interesting graph. ;-) And good work, keep it up.

Our tor bulk exit list service is being overloaded by jerks. We have it on the todo list to write one that's harder to overload, but it'll be another month or so at this rate.

September 18, 2011

Permalink

This is really great that you've enabled that many people to access internet again. After your post I've started a relay on my own debian box, with an intention to run it for quite a long period.

However, there is something I'm not sure I fully understand: what happens if Iran, or any other country that wants to block TOR, periodically downloads the list of all relays, that AFAIU publically available, and then blocks access to ALL those relays, country wide. How TOR deals with that kind of block?

Thanks in advance,
--Dima

September 22, 2011

In reply to arma

Permalink

Thank you!

They 'forgot' about/gave up on/gave in to China a long time ago, so now they just pretend like it/the problem doesn't exist anymore.

Today, for those of you not in the loop, it's all about IRAN (and other, similar, regimes they're at present especially focused on destabili... oops, better not go there!).

No. This addon works by creating a log file in your browser profile folder that stores information on what https sites you visit and when you visit them. Not the sort of thing you want to be using with Tor.

September 23, 2011

Permalink

Hello,

I'am using newest firefox (clean intall) after CA Identity breaks. I want to install new fresh secure TOR again (after cleaned previous) but I found my firefox say that this connection to https://decvnxytmk.oedi.net are untrusted. I'am using addon Ghostery and Https Everywhere and NoScript.

But if I connect to TOR blog, it was trusted (verified by GeoTrust, Inc.)

So how to secure connection to download TOR?

You should use Gmail and send the GetTor email address an email containing just the name of the bundle you need for your operating system. Ex: Windows-bundle

Really? Any more details? We haven't heard this from anybody else, so I assume you're having problems using it correctly, rather than that there's a government-wide blocking event again.

October 04, 2011

Permalink

Nice, accurate and to the point. Not everyone can provide information with proper flow. Good post. I am going to save the URL and will definitely visit again. Keep it up.
Logo Design Contests

October 04, 2011

Permalink

I completely agree with the above comment, the internet is with a doubt growing into the most important medium of communication across the globe and its due to sites like this that ideas are spreading so quickly.  
http://www.mightydesigners.com

October 14, 2011

Permalink

hi
i am tor user from iran and use tor alot
recently tor became very slow.
i have a 100KB/s connection and before this happend i could watch youtube with 100KB speed but now its restricted to 20kB at most .
maybe its based on restriction on https port speed?
this is for a week now.
any suggestion?
is there a way to make tor use another port like 80 so that iran goverment cant restreict its speed?

Interesting. I'm beginning to think that Iran has done something more subtle than simply blocking the Tor protocol, but instead is using DPI to recognize and throttle it.

That said, you might just be finding that Tor is overloaded these days and can't keep up with what you're trying to do over it. Tor has far too many users and far too few relays. Get your friends to help be relays! :)

In any case, changing the destination port probably isn't going to do any good. Your government uses the Nokia boxes they bought to do Deep Packet Inspection (DPI), which recognizes protocols like SSL no matter which port they use.

November 08, 2011

Permalink

Could it be that:
Internet-SSL MTM/Proxy -- check patterns -- Torclient

What happens with the SSL transmission sequence if "check patterns" layer answers this to IE/FF/OPERA without TOR
If the pattern is clear, what happens if the cleint is TOR
Is there somedifference in that challenge.

If that is the filter on the Iranian side it only needs to figureout a difference and can therefore fingerprint that the enduser is using TOR

Hmm just a thought...

November 08, 2011

Permalink

Dont print that last message about SSL handshare fingerprinting, if its possible to do it, Iran will probably be able to filter for all future.

November 24, 2011

Permalink

hello!

thanks tor!

i'm an iranian outlaw and i really need to get this anti proxy....

uh, could someone explain how can i download tor?

thanksssssss!

February 03, 2012

Permalink

Country tries to censor internet, internet uncensored within a day. Teach countries not to fuck around with internet: Success.

Iran government dun goofed

February 09, 2012

Permalink

Tor doesn't work from 9th of feb, it's been 2 days now, and i have the latest version what is the problem?

March 12, 2012

Permalink

Screw Iran. Focus on technology, not politics.

Technology trumps politics.