Tor blocking in Venezuela

Facilitator: Andres Azpurua

Media websites were increasingly blocked in Venezuela, as well as a number of other sites. This includes major, mainstream Venezuelan news websites (not small, niche media). These sites were blocked by means of HTTP blocking, while sites had previously been blocked by means of DNS., an investigative journalism site covering corruption, also got blocked recently. Multiple currency exchange sites are blocked as well.

Eventually, Venezuela's state-owned ISP (CANTV) started blocking access to the Tor network as well. In the beginning it was unclear how Tor was blocked. Local Venezuelan civil society groups started running OONI Probe tests to measure the blocking of Tor. More specifically, they ran OONI's Vanilla Tor test as well as OONI's bridge reachability tests.

The collected measurement data suggested that access to Tor and obfs4 was blocked. They started to see some variation in terms of accessibility. For example, in some cases, they could connect to the Tor network, and in others they couldn't. In other words, access to Tor would flip between blocked and unblocked over time, both within regions and across regions. So it was quite unclear what exactly was going on.

Some Venezuelan ISPs appeared to block at their own discretion, since there was variation in blocking.

Most of the time though, connections to the Tor network and connections to obfs4 would fail.

A random sample of bridges from BridgeDB was also tested, and many of those worked. This led to the conclusion that they were not blocking the protocol itself, but rather, they were blocking a set of bridges (but not all of them).

It's important to clarify that vanilla bridges randomly set up for tests work perfectly fine. They were only blocking known IP addresses and ports, not the protocols.

They found that about 75% of the consensus was blocked, but it's unclear if that corresponded to some earlier consensus or not.

When CANTV drops all the packets towards specific IP addresses, in some cases they couldn't detect the precise location of where packets were dropped. The packet loss was happening at one of the US-based ISPs (one of the many uplink providers to the state-owned ISP). Latency-wise, the blocking was reasonably close to routers located in Venezuela though.

The blocking of the Tor network was happening on the reverse path.

The HTTP blocking of sites needs further investigation, but currently it's not occurring. We need to try to measure that more when/if it occurs again. The HTTP failures (and the timeout errors) might be triggered as a result of the use of Deep Packet Inspection (DPI) technology. was also blocked by means of HTTP by Movistar (Spanish telecom), and on CANTV it has been blocked on and off. It would be interesting to try to connect to reddit with some host name that is not served by reddit at all. In Iran, for example, we have seen that with the common name of the certificate that was public TLS 1.3.

It would also be interesting to run traceroute tests to see whether there are differences in the traffic from upstream providers versus what is blocked.

Venezuelan civil society never imagined that Tor would get blocked in Venezuela and as a result, many OONI Probes are not submitting measurements anymore (since they rely on hidden services for uploading measurements). They want to analyze the Tor report failures so that they can pinpoint when the blocks happen exactly.
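One way to pinpoint block windows from repeated Tor test results, as an added example that is not OONI's code or part of the original notes: it assumes a simplified record layout (timestamp, ISP label, whether Tor bootstrapped) rather than the OONI measurement schema, and the sample data is constructed.

```python
from datetime import datetime
from itertools import groupby

# Constructed sample: (UTC timestamp, ISP label, Tor bootstrap succeeded?)
SAMPLE = [
    ("2000-01-01T08:00", "CANTV", True),
    ("2000-01-01T10:00", "CANTV", False),
    ("2000-01-01T12:00", "CANTV", False),
    ("2000-01-01T14:00", "CANTV", False),
    ("2000-01-01T16:00", "CANTV", True),
    ("2000-01-01T18:00", "CANTV", False),   # lone failure: treated as noise
    ("2000-01-01T20:00", "CANTV", True),
    ("2000-01-02T08:00", "CANTV", False),
    ("2000-01-02T10:00", "CANTV", False),   # data ends while still failing
    ("2000-01-01T08:00", "Movistar", True),
    ("2000-01-01T12:00", "Movistar", False),
    ("2000-01-01T16:00", "Movistar", True),
]

def block_windows(records, min_run=2):
    """Per ISP, list the windows in which Tor looked blocked.

    A window needs at least min_run consecutive failures, so one flaky
    probe is not reported as a block. The true start lies between
    'after' (last success) and 'first_fail'; the true end lies between
    'last_fail' and 'before' (next success, None if still failing).
    """
    result = {}
    ordered = sorted(records, key=lambda r: (r[1], r[0]))
    for isp, rows in groupby(ordered, key=lambda r: r[1]):
        windows, fails, last_ok = [], [], None
        for ts, _, ok in rows:
            t = datetime.fromisoformat(ts)
            if not ok:
                fails.append(t)
                continue
            if len(fails) >= min_run:
                windows.append({"after": last_ok, "first_fail": fails[0],
                                "last_fail": fails[-1], "before": t})
            fails, last_ok = [], t
        if len(fails) >= min_run:  # block still in effect at end of data
            windows.append({"after": last_ok, "first_fail": fails[0],
                            "last_fail": fails[-1], "before": None})
        result[isp] = windows
    return result
```

The gap between `after` and `first_fail` is the uncertainty on when a block began, so more frequent measurements narrow it.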

Venezuela has the 2nd largest Tor userbase in Latin America, only behind Brazil (which has a much larger population). They primarily started using Tor due to the increase of censorship events. They primarily use Tor to access blocked information online. Venezuelans can't pay for commercial VPNs, so Tor - which is free - was a good option (though they also use free VPNs and other tools). The problem though is that Tor is slow to use in Venezuela where internet speed is already pretty slow.

Since people already know and use Tor, perhaps we can work on making it easier for them to use? Perhaps set up Tor relays?

OperaVPN was reportedly blocked in Venezuela too, but this needs to be investigated. They previously blocked the tunnelbear domain. Tor currently seems to be unblocked/accessible.

It would be interesting to examine how long it takes ISPs to start blocking some public relay that you spin up, so that we can figure out exactly what they're doing, i.e. whether it's something they're doing automatically or not. If that's what they do, we could potentially push an update to Tor Browser that allows Tor censorship circumvention.

The relay that we set up in Venezuela never got blocked, and the previous one that was blocked is not blocked anymore.

