Censorship detection techniques. Most of the credit goes to Jacob Appelbaum and this presentation was prepared last minute for the ESC2011 Italian hacker camp.
2. Whoami
• @hellais on twitter
• hellais@torproject.org
• art@globaleaks.org
• art@fuffa.org
• art@winstonsmith.org
Sunday, September 4, 2011
3. What is Censorship?
• Internet filtering is a form of non-democratic oppression of people.
• It allows those in power to subvert reality.
4. Filternet
• It’s a distortion of what the Internet really is.
• Follows the subjectiveness of the authorities
• This does not help humanity
5. The solution to what is subjectively perceived as inappropriate content is, objectively, more content
6. Tor
• Tor software downloads are currently blocked from China, Iran, Lebanon, Qatar, etc.
• Tor delivers via email: write to gettor@torproject.org and we will send you a client to bootstrap a Tor client
7. Hidden Services
• They allow a server to give access to content anonymously
• This bypasses censorship in place
8. Tor Hidden Services
• am4wuhz3zifexz5u.onion
• Anonymity for the Server
• DoS protection
• End-To-End encryption
9. How HS work
[Diagram: Client and Hidden Server, with three nodes labelled IP]
10. How HS work
[Diagram: Client and Hidden Server, with three nodes labelled IP and one labelled RP]
11. Why use HS
• Avoid retaliation for what you publish
• Securely host and serve content
• Stealth Hidden Service
12. How filtering is performed
• Depends on the location and entities performing it
• A mix of commercial products and open source software
• Lebanon ISPs use Free Software
• Syria uses commercial Blue Coat devices
• US/NSA use commercial Narus devices
13. Filtering taxonomy
• Logging (passive)
• Network and protocol hijacking
• Injection (modify content, 302, RST etc.)
• Dropping (packets not transmitted)
14. Filter detection techniques
• Important to classify by risk profile
• People running filter detection tools must know how invasive the technique is
15. OONI
• Open Observatory of Network Interference
• I am working on this with Jacob Appelbaum as part of The Tor Project
• An extensible and flexible tool to perform censorship detection
16. Existing testing tools
• Netalyzr, rTurtle, Herdict.
• Unfortunately either the raw data results or even the tools themselves are closed :(
• They only release reports, without the original raw data
17. Goals for OONI
• Make something Open Source and publish the raw data collected
• Have hackers write code and sociologists write reports ;)
18. Filtering detection techniques
• High risk and Active
  • requests for certain “bad” resources (test censorship lists)
  • keyword injection
  • anything that may trigger DPI devices
• Low risk and Active
  • TTL walking
  • Network latency
• Passive
  • In the future, proxooni will proxy traffic through a SOCKS proxy and detect anomalies as the user goes about normal Internet activity
19. Fingerprinting of the application
• Most existing tools that we audited leak who they are
• In OONI, reports will only be submitted over Tor
20. The scientific method
• Control
  • What you know is a good result
  • It can also be a request done over Tor
• Experiment
  • Check whether it matches the control result
  • If it does not, there is an anomaly that must be explored
22. Syria: BlueCoat
• They are using commercial BlueCoat devices
• Anonymous Telecomix contributors produced a good analysis
23. Syria: BlueCoat
• SERVER is located outside Syria
• CLIENT1 is located inside Syria
• CLIENT connects to SERVER port 5060, no connection
• CLIENT connects to SERVER port 443, connection works
• CLIENT connects to SERVER port 80, the headers in the response are rewritten
24. Syria: BlueCoat
GET / HTTP/1.1
Host: SERVER
User-Agent: Standard-browser-User-Agent
Accept: text/html,etc.
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
X-Forwarded-For: CLIENT
Cache-Control: max-stale=0
Connection: Keep-Alive
X-BlueCoat-Via: 2C044BEC00210EB6
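
An added example (not from the original slides or from OONI's code): the control/experiment comparison of slide 20 applied to the slide 24 capture. It assumes the capture is the request as it arrived at SERVER and that SERVER hands those headers back to the tester; the control request and all function names are constructed for illustration.

```python
# Added example. CONTROL_RAW is constructed; EXPERIMENT_RAW is the slide 24 capture.
CONTROL_RAW = """\
GET / HTTP/1.1
Host: SERVER
User-Agent: Standard-browser-User-Agent
Accept: text/html,etc.
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Connection: Keep-Alive
"""
EXPERIMENT_RAW = """\
GET / HTTP/1.1
Host: SERVER
User-Agent: Standard-browser-User-Agent
Accept: text/html,etc.
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
X-Forwarded-For: CLIENT
Cache-Control: max-stale=0
Connection: Keep-Alive
X-BlueCoat-Via: 2C044BEC00210EB6
"""

def parse_headers(raw):
    """Return (request_line, {lowercased header name: value})."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def diff_headers(control, experiment):
    """Headers added, removed or changed between what was sent and what arrived."""
    added = {k: v for k, v in experiment.items() if k not in control}
    removed = {k: v for k, v in control.items() if k not in experiment}
    changed = {k: (control[k], experiment[k]) for k in control
               if k in experiment and control[k] != experiment[k]}
    return {"added": added, "removed": removed, "changed": changed}

def proxy_markers(diff):
    """Added header names that identify an intermediary (Via / Forwarded style)."""
    return sorted(k for k in diff["added"] if "via" in k or "forwarded" in k)

if __name__ == "__main__":
    d = diff_headers(parse_headers(CONTROL_RAW)[1], parse_headers(EXPERIMENT_RAW)[1])
    print(d["added"], proxy_markers(d))
```

Any non-empty entry in the diff is the anomaly slide 20 says must be explored; here the three added headers show that an intermediary rewrote the request.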
25. Syria: BlueCoat
• More details and funness to come in the following days ;)
26. Funny / Off Topic discovery
• Who has ever used a captive portal?
• Skype makes you pay for access with its credit
• It has problems doing login
• It uses a captive portal
29. Iran
• Nokia has reportedly sold equipment to the Iranian government. It helps wiretap, track, and crush dissenting members of Iranian society. Nokia claims that this is ethical because they were forced to put legal intercepts into their products by the West.
30. Italy
• Currently two methods are being used:
  • DNS based
  • ISP level blacklisting