4. “Tor is free software and an open network
that helps you defend against a form of
network surveillance that threatens personal
freedom and privacy, confidential business
activities and relationships, and state
security known as traffic analysis.”
5. History
• Originally designed, implemented, and
deployed as a third-generation onion
routing project of the U.S. Naval Research
Laboratory
• Developed for the primary purpose of
protecting government communications
• The source code was released in 2002, the
design paper was published in 2004
10. Indicators
• Increase in downloads of the Tor Browser
Bundle: https://webstats.torproject.org/
• Anomaly-based censorship-detection
system: https://metrics.torproject.org/
• Unblocking of the Tor Project website
• Increase in emails sent to the Tor help desk
at help@rt.torproject.org
11. 2006 - 2009 (1)
• Thailand (2006): DNS filtering of
torproject.org
• Smartfilter/Websense (2006): Tor used
HTTP for fetching directory info, cut all
HTTP GET requests for “/tor/...”
• Iran (2009): throttled SSL traffic, got Tor
for free because it looked like
Firefox+Apache
12. 2006 - 2009 (2)
• Tunisia (2009): blocked all but port 80+443,
could also block port 443 especially for you
• China (2009): blocked all public relays and
enumerated one of the bridge buckets
14. Between 2010 and 2012
• Tunisia: from 800 to 1,000
• Egypt: from 600 to 1,500
• Syria: from 600 to 15,000
• Iran: from 7,000 to 40,000
• All countries: from 200,000 to 500,000
15. China (October 2011)
• Directory authorities, public relays, and
bridges have been blocked for a while
• GFW will identify a Tor connection, initiate
active scanning, attempt to establish a Tor
connection with the destination host and,
if successful, block the IP:port.
• Private bridges are blocked as soon as a
user in China connects
16. UK and US (January 2012)
• The HTTP version of the Tor Project
website, along with other legitimate sites,
was found to be filtered by a number of
mobile operators
• Vodafone, Three, O2, and T-Mobile in the
UK, as well as T-Mobile in the US
• See http://ooni.nu/, the Tor Project blog,
and the Mobile Internet Censorship report
by the Open Rights Group for details
17. Iran (February 2012)
• DPI on SSL DH modulus (Jan 2011), DPI on
SSL certificate expiration time (Sept 2011)
• Iranian government ramped up censorship
in three ways: deep packet inspection of
SSL traffic, selective blocking of IP
addresses, and some keyword filtering
• Preparing for a “halal” Internet, first phase
of this project will be rolled out in the
beginning of September
19. Kazakhstan (February 2012)
• Target SSL-based protocols for blocking:
Tor, IPsec, PPTP-based technologies, and
some SSL-based VPNs
• Fingerprints Tor on the TLS client cipher
list in the ClientHello record, parts of the
Tor TLS server record, and probably more
• Will want to reanalyze the data we have
from this blocking event
21. Ethiopia (May 2012)
• In the beginning, DPI devices were only
looking for Tor TLS server hellos sent by
relays or bridges to Tor clients
• Since the middle of July, DPI devices are also
looking for TLS client hellos as sent by Tor
clients < version 0.2.3.17-beta
24. UAE (June 2012)
• The Emirates Telecommunications
Corporation, also known as Etisalat,
started blocking Tor using DPI on
June 25, 2012
• We are still analyzing the data from this
blocking event
• Tor bridges with a patch that removes
0x0039 from SERVER_CIPHER_LIST seem to
work, so does Obfsproxy
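Added example, not from the original slides or from Tor's code: a minimal parser for the two handshake fields the Kazakhstan, Ethiopia and UAE slides mention, the cipher list a ClientHello offers and the single suite a ServerHello selects, useful for comparing captures from a blocking event. The suite lists and the "first server entry the client offered" selection rule are constructed assumptions, not Tor's real lists; they show which bytes on the wire change once 0x0039 is dropped from a server's list.

```python
import struct

SUITE_0039 = 0x0039                              # value named on the UAE slide
CLIENT_OFFER = [0x0039, 0x0033, 0x0035, 0x002F]  # constructed sample, not Tor's list
SERVER_LIST = [0x0039, 0x0035, 0x002F]           # constructed sample, not Tor's list
PATCHED_LIST = [s for s in SERVER_LIST if s != SUITE_0039]

def parse_hello(record: bytes):
    """Return ('client', offered suites) or ('server', [selected suite])."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(hs) != rec_len or len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated or fragmented hello")
    pos = 35 + body[34]                      # skip version, random, session_id
    if hs[0] == 1:                           # ClientHello: length-prefixed suite list
        n = int.from_bytes(body[pos:pos + 2], "big")
        raw = body[pos + 2:pos + 2 + n]
        if len(raw) != n or n % 2 or n == 0:
            raise ValueError("bad cipher_suites vector")
        return "client", [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]
    if hs[0] == 2 and len(body) >= pos + 2:  # ServerHello: exactly one suite
        return "server", [int.from_bytes(body[pos:pos + 2], "big")]
    raise ValueError("not a ClientHello or ServerHello")

def fingerprint(record: bytes) -> str:
    side, suites = parse_hello(record)
    return side + ":" + "-".join(f"{s:04x}" for s in suites)

def build_hello(msg_type: int, suites) -> bytes:
    """Constructed sample hello: TLS 1.0, zero random, empty session id."""
    raw = b"".join(s.to_bytes(2, "big") for s in suites)
    body = b"\x03\x01" + bytes(32) + b"\x00"
    body += (len(raw).to_bytes(2, "big") + raw + b"\x01\x00") if msg_type == 1 else raw + b"\x00"
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def server_hello_for(server_list, client_hello: bytes) -> bytes:
    """Assumed rule: pick the first suite in the server's list that the client offered."""
    offered = parse_hello(client_hello)[1]
    return build_hello(2, [next(s for s in server_list if s in offered)])

if __name__ == "__main__":
    ch = build_hello(1, CLIENT_OFFER)
    for lst in (SERVER_LIST, PATCHED_LIST):
        print(fingerprint(ch), fingerprint(server_hello_for(lst, ch)))
```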
26. The Philippines (May 2012)
• We have only heard from one user in the
Philippines; he was able to successfully
connect to Tor without using a bridge
• We have no other data about this blocking
event, apart from the metrics user graph
28. Jordan (June 2012)
• User in Jordan reported seeing a fake
certificate for torproject.org
• Assumed to be similar to the DigiNotar and
Comodo incidents, turned out not to be the
case
30. CVE-2012-3372
• Cyberoam UTM device with malware scan
• All devices share the same CA certificate
• Hence the same private key
• Any Cyberoam device can intercept traffic
from any other
32. Public key pinning - Chrome
• Certificate chain for torproject.org must
now include a whitelisted public key
• Self-signed certificate will display a
warning, incorrect certificate will fail hard
• XP prior to SP3 will have issues with
SHA256 signed certificates, including the
one for torproject.org
33. Censorship Wiki
• Collect information about the status of
blocking events around the world,
circumvention research, useful tools, etc
• Contains information about all the blocking
events I have covered today, minus
Wireshark network captures
• https://trac.torproject.org/projects/tor/wiki/doc/OONI/censorshipwiki
34. Obfsproxy
• Rolled out in February 2012
• Makes it easier to change how Tor traffic
looks on the network, requires volunteers
to set up special bridges
• FlashProxy, StegoTorus, SkypeMorph, Dust
• https://www.torproject.org/projects/obfsproxy.html.en
35. ooni-probe
• A part of the Open Observatory of Network
Interference project
• Can be used to collect high-quality data
about Internet censorship and surveillance
• Will eventually be able to determine how
different DPI devices are blocking Tor
36. Questions?
• help@rt.torproject.org and
tor-dev@lists.torproject.org
• IRC: #tor and #tor-dev on irc.oftc.net
• Twitter: @torproject, @runasand
• runa@torproject.org