2012 in review: Tor and the censorship arms race. / Runa A. Sandvik /

Transcription

1 2012 in review: Tor and the censorship arms race / Runa A. Sandvik / runa@torproject.org

2 Today, we re going to look at how Tor is being blocked and censored around the world.

3 In the beginning...

4 Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.

5 History Originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory Developed for the primary purpose of protecting government communications The source code was released in 2002, the design paper was published in 2004

6 How Tor works

7

8

9 The arms race begins...

10 Indicators Increase in downloads of the Tor Browser Bundle: Anomaly-based censorship-detection system: Unblocking of the Tor Project website Increase in s sent to the Tor help desk at

11 (1) Thailand (2006): DNS filtering of torproject.org Smartfilter/Websense (2006): Tor used HTTP for fetching directory info, cut all HTTP GET requests for /tor/... Iran (2009): throttled SSL traffic, got Tor for free because it looked like Firefox +Apache

12 (2) Tunisia (2009): blocked all but port , could also block port 443 especially for you China (2009): blocked all public relays and enumerated one of the bridge buckets

13 Since then...

14 Between 2010 and 2012 Tunisia: from 800 to 1,000 Egypt: from 600 to 1,500 Syria: from 600 to 15,000 Iran: from 7,000 to 40,000 All countries: from 200,000 to 500,000

15 China (October 2011) Directory authorities, public relays, and bridges have been blocked for a while GFW will identify a Tor connection, initiate active scanning, attempt to establish a Tor connection with the destination host and, if successful, block the IP:port. Private bridges are blocked as soon as a user in China connects

16 UK and US (January 2012) The HTTP version of the Tor Project website, along with other legitimate sites, was found to be filtered by a number of mobile operators Vodafone, Three, O2, and T-Mobile in the UK, as well as T-Mobile in the US See the Tor Project blog, and the Mobile Internet Censorship report by the Open Rights Group for details

17 Iran (February 2012) DPI on SSL DH modulus (Jan 2011), DPI on SSL certificate expiration time (Sept 2011) Iranian government ramped up censorship in three ways: deep packet inspection of SSL traffic, selective blocking of IP addresses, and some keyword filtering Preparing for a halal Internet, first phase of this project will be rolled out in the beginning of September

18

19 Kazakhstan (February 2012) Target SSL-based protocols for blocking; Tor, IPsec, PPT-based technologies, and some SSL-based VPNs Fingerprints Tor on the TLS client cipher list in the ClientHello record, parts of the Tor TLS server record, and probably more Will want to reanalyze the data we have from this blocking event

20

21 Ethiopia (May 2012) In the beginning, DPI devices were only looking for Tor TLS server hellos sent by relays or bridges to Tor clients Since the middle of July, DPI devices are also looking for TLS client hellos as sent by Tor clients < version beta

22

23

24 UAE (June 2012) The Emirates Telecommunications Corporation, also known as Etisalat, started blocking Tor using DPI on June We are still analyzing the data from this blocking event Tor bridges with a patch that removes 0x0039 from SERVER_CIPHER_LIST seem to work, so does Obfsproxy

25

26 The Philippines (May 2012) We have only heard from one user in the Philippines, he was able to successfully connect to Tor without using a bridge We have no other data about this blocking event, apart from the metrics user graph

27

28 Jordan (June 2012) User in Jordan reported seeing a fake certificate for torproject.org Assumed to be similar to the DigiNotar and Comodo incidents, turned out not to be the case

29 Cyberoam SSL CA

30 CVE Cyberoam UTM device with malware scan All devices share the same CA certificate Hence the same private key Any Cyberoam device can intercept traffic from any other

31 Documentation, tools, and solutions

32 Public key pinning - Chrome Certificate chain for torproject.org must now include a whitelisted public key Self-signed certificate will display a warning, incorrect certificate will fail hard XP prior to SP3 will have issues with SHA256 signed certificates, including the one for torproject.org

33 Censorship Wiki Collect information about the status of blocking events around the world, circumvention research, useful tools, etc Contains information about all the blocking events I have covered today, minus Wireshark network captures wiki/doc/ooni/censorshipwiki

34 Obfsproxy Rolled out in February 2012 Makes it easier to change how Tor traffic looks on the network, requires volunteers to set up special bridges FlashProxy, StegoTorus, SkypeMorph, Dust obfsproxy.html.en

35 ooni-probe A part of the Open Observatory of Network Interference project Can be used to collect high-quality data about Internet censorship and surveillance Will eventually be able to determine how different DPI devices are blocking Tor

36 Questions? and IRC: #tor and #tor-dev on