Opened 6 years ago

Closed 15 months ago

#6140 closed task (wontfix)

Kazakhstan uses DPI to block Tor

Reported by: runa
Owned by:
Priority: Medium
Milestone:
Component: Obfuscation/Censorship analysis
Version:
Severity: Normal
Keywords: dpi censorship block kz
Cc: phw, bill-torstuff@…, asn, murble
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Two blog posts published in the beginning of March talk about Kazakhstan using DPI to block Tor. The posts say that Kazakhstan is identifying and blocking the SSL client key exchange during the setup of an SSL connection. It seems the Kazakhstan firewall finds something unique in the TLS "Server Hello" message as sent by the Tor relay or bridge and therefore blocks subsequent communications. IP address and TCP port are irrelevant to the censorship.

From #6045 (where we discuss Ethiopia blocking Tor based on ServerHello), we know that:

  • The normal Tor Browser Bundle with a special bridge works; the bridge with the patch that causes the final hello done TLS record to be sent in a separate packet.
  • The three bridges in https://blog.torproject.org/blog/update-censorship-ethiopia are also working in Kazakhstan. These are bridges with a patch that removes 0x0039 from SERVER_CIPHER_LIST.

Change History (10)

comment:1 Changed 6 years ago by runa

Component: Tor Bridge → Censorship analysis
Owner: set to runa

comment:2 Changed 6 years ago by runa

Owner: runa deleted
Status: new → assigned

comment:3 Changed 6 years ago by asn

It seems that the info in this ticket and in the blog post is not exactly correct. A gentleman in IRC did some more research on the .kz case, and found out that there are two fingerprints. One in the ClientHello and another in the ServerHello.

The ClientHello fingerprint is the client cipherlist, the ServerHello fingerprint is still unknown (but if the last comments in #6045 are true, it seems to involve the selected ciphersuite).

Maybe we should dig a bit more in the .kz case.

comment:4 Changed 6 years ago by asn

[Because of

    The normal Tor Browser Bundle with a special bridge works; the bridge with the patch that causes the final hello done TLS record to be sent in a separate packet. 

it seems there is also a fingerprint in the HelloDone.
]
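The two handshake fields named as fingerprints in comment:3 (the ClientHello cipher list and the ServerHello's selected ciphersuite), together with the handshake message sequence that comment:4 refers to, can be pulled out of raw TLS bytes as follows. This is an added example, not part of the ticket or of Tor's code; the function names and the sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 1, 2               # handshake message types

def handshake_messages(stream: bytes):
    """Yield (msg_type, body) for each plaintext handshake message in a TLS byte stream."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):               # record header: type, version, length
        rtype, _version, rlen = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + rlen]
        if rtype == CHANGE_CIPHER_SPEC or len(payload) < rlen:
            break                               # encrypted from here on, or truncated capture
        if rtype == HANDSHAKE:
            buf += payload                      # messages may span or share records
        pos += 5 + rlen
    pos = 0
    while pos + 4 <= len(buf):                  # message header: type, 24-bit length
        mlen = int.from_bytes(buf[pos + 1:pos + 4], "big")
        if pos + 4 + mlen > len(buf):
            break
        yield buf[pos], buf[pos + 4:pos + 4 + mlen]
        pos += 4 + mlen

def hello_fields(stream: bytes) -> dict:
    """Return message types seen, suites offered (ClientHello) and suite selected (ServerHello)."""
    out = {"types": [], "offered": None, "selected": None}
    for mtype, body in handshake_messages(stream):
        out["types"].append(mtype)
        if mtype not in (CLIENT_HELLO, SERVER_HELLO) or len(body) < 37:
            continue
        off = 35 + body[34]                     # skip version(2), random(32), session_id
        if off + 2 > len(body):
            continue                            # malformed hello
        if mtype == CLIENT_HELLO:
            n = int.from_bytes(body[off:off + 2], "big")
            raw = body[off + 2:off + 2 + n]
            out["offered"] = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw) - 1, 2)]
        else:
            out["selected"] = int.from_bytes(body[off:off + 2], "big")
    return out

# Constructed sample messages (not captured traffic): zero random, empty session id.
def record(payload): return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(payload)) + payload
def message(mtype, body): return bytes([mtype]) + len(body).to_bytes(3, "big") + body
PREFIX = b"\x03\x01" + bytes(32) + b"\x00"
CLIENT = record(message(1, PREFIX + b"\x00\x04\x00\x39\x00\x2f" + b"\x01\x00"))
# ServerHello selecting 0x0039, then ServerHelloDone (type 14) in its own record.
SERVER = record(message(2, PREFIX + b"\x00\x39\x00")) + record(message(14, b""))

if __name__ == "__main__":
    print(hello_fields(CLIENT), hello_fields(SERVER))
```

Record boundaries are not packet boundaries, so checking whether the ServerHelloDone travelled in a separate packet needs the capture's TCP segmentation as well.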

comment:5 Changed 6 years ago by runa

A fourth bridge, with a padded sessionid replacing SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF) with SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET) in tortls.c, does not work for users in Kazakhstan.

comment:6 Changed 5 years ago by noidentity101

FYI, as of today, tor works as expected from Almaty using kazaktelecom's customer connection.

using tor-browser-gnu-linux-x86_64-2.3.25-10-dev-en-US.tar.gz

Jul 07 17:33:21.435 [Notice] Tor v0.2.3.25 (git-17c24b3118224d65) running on Linux.

(i think it's more about tor getting more stealthy than the DPI being disabled, but i don't have data on that)

comment:7 Changed 5 years ago by noidentity101

done some more testing, and DPI seems to be disabled, at least for the last few weeks and tested a few times.

these two versions of tor:

Tor v0.2.3.25 (git-17c24b3118224d65)
Tor v0.2.4.7-alpha (git-e46e1ed1bc50ad24)

seem to work without obfsproxy both from Almaty and Karaganda.

the older version used to be stuck in bootstrapping.

comment:8 Changed 3 years ago by dcf

Severity: Normal

https://metrics.torproject.org/userstats-relay-country.png
https://metrics.torproject.org/userstats-bridge-country.png

Last edited 18 months ago by dcf

comment:9 Changed 19 months ago by dcf

Keywords: censorship block kz added

comment:10 Changed 15 months ago by dcf

Resolution: wontfix
Status: assigned → closed

Closing this old ticket. Newer information about Kazakhstan is in #20348 and doc/OONI/censorshipwiki/CensorshipByCountry/Kazakhstan#a20348.