2012 in review: Tor and the censorship arms race - 44CON 2012

Runa A. Sandvik / [email protected] / @runasand


Runa A. Sandvik presents 2012 in review: Tor and the censorship arms race at 44CON 2012 in London, September 2012.

TRANSCRIPT

Page 1: 2012 in review: Tor and the censorship arms race - 44CON 2012

2012 in review: Tor and the censorship arms race

/ Runa A. Sandvik / [email protected] / @runasand

Page 2

Today, we’re going to look at how Tor is being blocked and censored around the world.

Page 3

In the beginning...

Page 4

“Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.”

Page 5

History

• Originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory

• Developed for the primary purpose of protecting government communications

• The source code was released in 2002; the design paper was published in 2004

Page 6

How Tor works

Pages 7 and 8: (no transcribed text)

Page 9

The arms race begins...

Page 10

Indicators

• Increase in downloads of the Tor Browser Bundle: https://webstats.torproject.org/

• Anomaly-based censorship-detection system: https://metrics.torproject.org/

• Unblocking of the Tor Project website

• Increase in emails sent to the Tor help desk at [email protected]
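As an added illustration of the anomaly-based indicator, not the Tor Project's own detector: a simple rule that flags days on which a country's user count departs sharply from its recent baseline. The windowed-median rule, the thresholds and the sample counts are this example's assumptions.

```python
from statistics import median

# Added example, not the Tor Project's detector: flag days on which a
# country's Tor user estimate departs sharply from its recent baseline,
# the kind of signal an anomaly-based censorship detector watches for.
# Method and thresholds are assumptions made for this example.

def detect_anomalies(counts, window=7, drop=0.5, rise=2.0):
    """Compare each day's count with the median of the preceding `window`
    days. Return (day_index, count, ratio, kind) for days where the ratio
    falls to `drop` or below (possible blocking) or reaches `rise` or
    above (possible unblocking or a surge in circumvention use)."""
    anomalies = []
    for day in range(window, len(counts)):
        baseline = median(counts[day - window:day])
        if baseline == 0:
            continue  # no usable baseline: a ratio would be meaningless
        ratio = counts[day] / baseline
        if ratio <= drop:
            anomalies.append((day, counts[day], round(ratio, 2), "drop"))
        elif ratio >= rise:
            anomalies.append((day, counts[day], round(ratio, 2), "rise"))
    return anomalies

# Constructed sample (not real metrics data): a flat week, a block that
# cuts users to under half on day 9, then a jump well above the old level
# once users find bridges or another way around the filter.
SAMPLE = [1000, 1020, 980, 1010, 990, 1000, 1005,
          995, 1010, 400, 380, 390, 370, 360,
          2100, 2300, 2200]

if __name__ == "__main__":
    for day, count, ratio, kind in detect_anomalies(SAMPLE):
        print(f"day {day}: {count} users, {ratio}x baseline -> {kind}")
```

Once the window fills with blocked-period days (day 13 in the sample) the drop is no longer flagged, which is why a longer history or a comparison against other countries is needed in practice.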

Page 11

2006 - 2009 (1)

• Thailand (2006): DNS filtering of torproject.org

• Smartfilter/Websense (2006): Tor used HTTP to fetch directory info, so the filters cut all HTTP GET requests for “/tor/...”

• Iran (2009): throttled SSL traffic, and caught Tor as a side effect because its traffic looked like Firefox talking to Apache

Page 12

2006 - 2009 (2)

• Tunisia (2009): blocked all ports except 80 and 443, and could also block port 443 for specific users

• China (2009): blocked all public relays and enumerated one of the bridge buckets

Page 13

Since then...

Page 14

Between 2010 and 2012

• Tunisia: from 800 to 1,000

• Egypt: from 600 to 1,500

• Syria: from 600 to 15,000

• Iran: from 7,000 to 40,000

• All countries: from 200,000 to 500,000

Page 15

China (October 2011)

• Directory authorities, public relays, and bridges have been blocked for a while

• GFW will identify a Tor connection, initiate active scanning, attempt to establish a Tor connection with the destination host and, if successful, block the IP:port.

• Private bridges are blocked as soon as a user in China connects

Page 16

UK and US (January 2012)

• The HTTP version of the Tor Project website, along with other legitimate sites, was found to be filtered by a number of mobile operators

• Vodafone, Three, O2, and T-Mobile in the UK, as well as T-Mobile in the US

• See http://ooni.nu/, the Tor Project blog, and the Mobile Internet Censorship report by the Open Rights Group for details

Page 17

Iran (February 2012)

• DPI on SSL DH modulus (Jan 2011), DPI on SSL certificate expiration time (Sept 2011)

• Iranian government ramped up censorship in three ways: deep packet inspection of SSL traffic, selective blocking of IP addresses, and some keyword filtering

• Preparing for a “halal” Internet; the first phase of this project will be rolled out at the beginning of September

Page 18: (no transcribed text)

Page 19

Kazakhstan (February 2012)

• Targeted SSL-based protocols for blocking: Tor, IPsec, PPTP-based technologies, and some SSL-based VPNs

• Fingerprints Tor on the TLS client cipher list in the ClientHello record, parts of the Tor TLS server record, and probably more

• Will want to reanalyze the data we have from this blocking event

Page 20: (no transcribed text)

Page 21

Ethiopia (May 2012)

• In the beginning, DPI devices were only looking for Tor TLS server hellos sent by relays or bridges to Tor clients

• Since the middle of July, DPI devices are also looking for TLS client hellos as sent by Tor clients older than version 0.2.3.17-beta

Pages 22 and 23: (no transcribed text)

Page 24

UAE (June 2012)

• The Emirates Telecommunications Corporation, also known as Etisalat, started blocking Tor using DPI on June 25, 2012

• We are still analyzing the data from this blocking event

• Tor bridges with a patch that removes 0x0039 from SERVER_CIPHER_LIST seem to work, as does Obfsproxy
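The Kazakhstan (page 19) and Ethiopia (page 21) slides describe DPI matching on the TLS ClientHello cipher list, and this slide describes bridges that drop suite 0x0039 from the server-side list. As an added example that is not part of the deck or of Tor's code, the Python below parses a raw ClientHello record and reports whether a given suite is advertised, so an operator can inspect exactly what a fingerprinting box would see; the records and suite lists are constructed for the example and are not Tor's actual lists.

```python
import struct

# Added example (not from the slides or Tor): read the cipher-suite list a
# DPI box sees in a TLS ClientHello. Samples are constructed, not Tor's.

def parse_client_hello(record: bytes):
    """Return (client_version, [cipher_suite_ids]); ValueError otherwise."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    client_version, = struct.unpack("!H", hello[:2])
    pos = 2 + 32                    # skip client_version and 32-byte random
    pos += 1 + hello[pos]           # skip length-prefixed session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated cipher_suites")
    cs_len, = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return client_version, suites

def offers_suite(record: bytes, suite_id: int) -> bool:
    """True if the ClientHello in `record` advertises `suite_id`."""
    return suite_id in parse_client_hello(record)[1]

def build_client_hello(suites, version=0x0301) -> bytes:
    """Serialise a minimal ClientHello (zero random, empty session id, null
    compression, no extensions) into a TLS record, to construct samples."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# 0x0039 is TLS_DHE_RSA_WITH_AES_256_CBC_SHA (IANA registry), the suite the
# UAE slide says patched bridges remove from their server-side list.
DHE_RSA_AES256_SHA = 0x0039
WITH_0039 = build_client_hello([0xC014, 0x0039, 0x0035, 0x002F])
WITHOUT_0039 = build_client_hello([0xC014, 0x0035, 0x002F])
```

Running `offers_suite(WITH_0039, DHE_RSA_AES256_SHA)` on a capture of your own bridge's client traffic is a quick way to confirm which suites a handshake actually advertises before and after a cipher-list change.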

Page 25: (no transcribed text)

Page 26

The Philippines (May 2012)

• We have only heard from one user in the Philippines, who was able to connect to Tor successfully without using a bridge

• We have no other data about this blocking event, apart from the metrics user graph

Page 27: (no transcribed text)

Page 28

Jordan (June 2012)

• User in Jordan reported seeing a fake certificate for torproject.org

• Assumed to be similar to the DigiNotar and Comodo incidents; this turned out not to be the case

Page 29

Cyberoam SSL CA

Page 30

CVE-2012-3372

• Cyberoam UTM device with malware scan

• All devices share the same CA certificate

• Hence the same private key

• Any Cyberoam device can intercept traffic from any other

Page 31

Documentation, tools, and solutions

Page 32

Public key pinning - Chrome

• Certificate chain for torproject.org must now include a whitelisted public key

• A self-signed certificate will display a warning; an incorrect certificate will fail hard

• XP prior to SP3 will have issues with SHA256 signed certificates, including the one for torproject.org

Page 33

Censorship Wiki

• Collects information about the status of blocking events around the world, circumvention research, useful tools, etc.

• Contains information about all the blocking events I have covered today, minus Wireshark network captures

• https://trac.torproject.org/projects/tor/wiki/doc/OONI/censorshipwiki

Page 34

Obfsproxy

• Rolled out in February 2012

• Makes it easier to change how Tor traffic looks on the network, but requires volunteers to set up special bridges

• FlashProxy, StegoTorus, SkypeMorph, Dust

• https://www.torproject.org/projects/obfsproxy.html.en

Page 35

ooni-probe

• A part of the Open Observatory of Network Interference project

• Can be used to collect high-quality data about Internet censorship and surveillance

• Will eventually be able to determine how different DPI devices are blocking Tor