Changes between Version 6 and Version 7 of doc/OONI/censorshipwiki/CensorshipByCountry/Ethiopia


Ignore:
Timestamp:
Jul 19, 2012, 11:13:37 PM (7 years ago)
Author:
phw
Comment:

Added new infos about the client hello being filtered.

Legend:

Unmodified
Added
Removed
Modified
  • doc/OONI/censorshipwiki/CensorshipByCountry/Ethiopia

    v6 v7  
    22== Ethiopia (#6045) ==
    33=== Summary of the current situation ===
    4 DPI boxes look for Tor TLS server hellos sent by relays or bridges to Tor clients. If such a packet is found, it is dropped. The DPI boxes seem to operate in-band and stateless.
     4At the beginning, DPI boxes only looked for Tor TLS server hellos sent by relays or bridges to Tor clients. If such a packet is found, it is dropped. Since the middle of July, the DPI boxes are ''also'' looking for TLS client hellos as sent by Tor clients < version 0.2.3.17-beta and dropping them. The dropping of client and server hello seems to happen independently of each other.
     5
     6The DPI boxes seem to operate ''in-band'' and ''stateless''.
    57
    68=== First witnessed ===
     
    1214=== Type of Tor censorship ===
    1315 * '''Deep packet inspection''': #6045
    14    * '''Fingerprint''': Multiple strings in the Tor TLS ServerHello/Certificate/ServerKeyExchange/ServerHelloDone records are matched (#6045). If a packet matches, it is dropped.
     16   * '''Fingerprint''': Multiple strings in the Tor TLS ServerHello/Certificate/ServerKeyExchange/ServerHelloDone records are matched (#6045). If a packet matches, it is dropped. Also, at least the cipher list in the TLS client hello (in versions < 0.2.3.17-beta) leads to the client hello being dropped.
    1517
    1618=== Types of non-Tor censorship ===
     
    1820
    1921=== Ways to bypass censorship ===
    20  * Bridges were patched to pick the cipher `TLS_DHE_RSA_WITH_AES_128_CBC_SHA` instead of `TLS_DHE_RSA_WITH_AES_256_CBC_SHA`. This was sufficient to evade the DPI boxes. Three patched bridges were published in a [https://blog.torproject.org/blog/update-censorship-ethiopia blog post]. However, all three bridges became useless at the beginning of July 2012. They appear to be blocked on the IP layer.
     22 * Bridges were patched to pick the cipher `TLS_DHE_RSA_WITH_AES_128_CBC_SHA` instead of `TLS_DHE_RSA_WITH_AES_256_CBC_SHA`. This used to be sufficient to evade the DPI boxes. Three patched bridges were published in a [https://blog.torproject.org/blog/update-censorship-ethiopia blog post]. However, since the DPI boxes started filtering for the client hello as well, a client with an updated cipher list (>= version 0.2.3.17-beta) is also necessary.
    2123 * [https://www.torproject.org/projects/obfsproxy.html.en Obfsproxy] probably evades the DPI boxes too.
    2224