Runa A. Sandvik presents 2012 in review: Tor and the censorship arms race at 44CON 2012 in London, September 2012.

1. 2012 in review: Tor and the
censorship arms race
/ Runa A. Sandvik / runa@torproject.org / @runasand

2. Today, we’re going to look at how Tor is being
blocked and censored around the world.

3. In the beginning...

4. “Tor is free software and an open network
that helps you defend against a form of
network surveillance that threatens personal
freedom and privacy, confidential business
activities and relationships, and state
security known as traffic analysis.”

5. History
• Originally designed, implemented, and
deployed as a third-generation onion
routing project of the U.S. Naval Research
Laboratory
• Developed for the primary purpose of
protecting government communications
• The source code was released in 2002, the
design paper was published in 2004

6. How Tor works

9. The arms race begins...

10. Indicators
• Increase in downloads of the Tor Browser
Bundle: https://webstats.torproject.org/
• Anomaly-based censorship-detection
system: https://metrics.torproject.org/
• Unblocking of the Tor Project website
• Increase in emails sent to the Tor help desk
at help@rt.torproject.org

11. 2006 - 2009 (1)
• Thailand (2006): DNS filtering of
torproject.org
• Smartfilter/Websense (2006): Tor used
HTTP for fetching directory info, cut all
HTTP GET requests for “/tor/...”
• Iran (2009): throttled SSL traffic, got Tor
for free because it looked like Firefox
+Apache

12. 2006 - 2009 (2)
• Tunisia (2009): blocked all but port 80+443,
could also block port 443 especially for you
• China (2009): blocked all public relays and
enumerated one of the bridge buckets

13. Since then...

14. Between 2010 and 2012
• Tunisia: from 800 to 1,000
• Egypt: from 600 to 1,500
• Syria: from 600 to 15,000
• Iran: from 7,000 to 40,000
• All countries: from 200,000 to 500,000

15. China (October 2011)
• Directory authorities, public relays, and
bridges have been blocked for a while
• GFW will identify a Tor connection, initiate
active scanning, attempt to establish a Tor
connection with the destination host and,
if successful, block the IP:port.
• Private bridges are blocked as soon as a
user in China connects

16. UK and US (January 2012)
• The HTTP version of the Tor Project
website, along with other legitimate sites,
was found to be filtered by a number of
mobile operators
• Vodafone, Three, O2, and T-Mobile in the
UK, as well as T-Mobile in the US
• See http://ooni.nu/, the Tor Project blog,
and the Mobile Internet Censorship report
by the Open Rights Group for details

17. Iran (February 2012)
• DPI on SSL DH modulus (Jan 2011), DPI on
SSL certificate expiration time (Sept 2011)
• Iranian government ramped up censorship
in three ways: deep packet inspection of
SSL traffic, selective blocking of IP
addresses, and some keyword filtering
• Preparing for a “halal” Internet, first phase
of this project will be rolled out in the
beginning of September

19. Kazakhstan (February 2012)
• Target SSL-based protocols for blocking;
Tor, IPsec, PPT-based technologies, and
some SSL-based VPNs
• Fingerprints Tor on the TLS client cipher
list in the ClientHello record, parts of the
Tor TLS server record, and probably more
• Will want to reanalyze the data we have
from this blocking event

21. Ethiopia (May 2012)
• In the beginning, DPI devices were only
looking for Tor TLS server hellos sent by
relays or bridges to Tor clients
• Since the middle of July, DPI devices are also
looking for TLS client hellos as sent by Tor
clients < version 0.2.3.17-beta

24. UAE (June 2012)
• The Emirates Telecommunications
Corporation, also known as Etisalat,
started blocking Tor using DPI on June 25
2012
• We are still analyzing the data from this
blocking event
• Tor bridges with a patch that removes
0x0039 from SERVER_CIPHER_LIST seem to
work, so does Obfsproxy

26. The Philippines (May 2012)
• We have only heard from one user in the
Philippines, he was able to successfully
connect to Tor without using a bridge
• We have no other data about this blocking
event, apart from the metrics user graph

28. Jordan (June 2012)
• User in Jordan reported seeing a fake
certificate for torproject.org
• Assumed to be similar to the DigiNotar and
Comodo incidents, turned out not to be the
case

29. Cyberoam SSL CA

30. CVE-2012-3372
• Cyberoam UTM device with malware scan
• All devices share the same CA certificate
• Hence the same private key
• Any Cyberoam device can intercept traffic
from any other

31. Documentation, tools, and solutions

32. Public key pinning - Chrome
• Certificate chain for torproject.org must
now include a whitelisted public key
• Self-signed certificate will display a
warning, incorrect certificate will fail hard
• XP prior to SP3 will have issues with
SHA256 signed certificates, including the
one for torproject.org

33. Censorship Wiki
• Collect information about the status of
blocking events around the world,
circumvention research, useful tools, etc
• Contains information about all the blocking
events I have covered today, minus
Wireshark network captures
• https://trac.torproject.org/projects/tor/
wiki/doc/OONI/censorshipwiki

34. Obfsproxy
• Rolled out in February 2012
• Makes it easier to change how Tor traffic
looks on the network, requires volunteers
to set up special bridges
• FlashProxy, StegoTorus, SkypeMorph, Dust
• https://www.torproject.org/projects/
obfsproxy.html.en

35. ooni-probe
• A part of the Open Observatory of Network
Interference project
• Can be used to collect high-quality data
about Internet censorship and surveillance
• Will eventually be able to determine how
different DPI devices are blocking Tor

36. Questions?
• help@rt.torproject.org and tor-
dev@lists.torproject.org
• IRC: #tor and #tor-dev on irc.oftc.net
• Twitter: @torproject, @runasand
• runa@torproject.org