Iran Clamps Down On 'Illegal' VPNs
Ahead of June's Presidential Election
by Karl Bode 09:53AM Monday Mar 11 2013
Iran, like Pakistan, decided in 2011 to make the use of VPNs illegal, claiming the move was necessary for "security reasons" and to "stop militants" (easier spying is of course just coincidence). Reuters notes that the Iranian government has lately been clamping down harder on VPNs, hunting down and shuttering "illegal" VPNs. The country allows only official, surveillance-ready VPNs to operate. The clampdown comes as Iran prepares for its presidential election in June. Iran also significantly filters or bans Facebook, Twitter, and YouTube.

rradina

join:2000-08-08
Chesterfield, MO

Do They Jam Satellite Internet?

Curious if satellite Internet is available in Iran. If so, do they attempt to jam it or is this a potential censorship loophole?

Transmaster
Don't Blame Me I Voted For Bill and Opus

join:2001-06-20
Cheyenne, WY
Reviews:
·CenturyLink

3 edits

1 recommendation

Re: Do They Jam Satellite Internet?

OH NO!!! That means I can't access Iranian Porno anymore. You have not lived until you have watched a sexy Persian hottie in an Iranian burka dental floss bathing suit.
NOVA_UAV_Guy
Premium
join:2012-12-14
Purcellville, VA

Re: Do They Jam Satellite Internet?

Or the hard core stuff involving icons of Allah and camels, produced from the heart of Derka-Derkastan... LOL

David
I start new work on
Premium,VIP
join:2002-05-30
Granite City, IL
kudos:101
All I have to say is you guys and your fetishes..

I am thinking.... no, no, no, no...........how about no..... no..... no....

YukonHawk

join:2001-01-07
Patterson, NY

Re: Do They Jam Satellite Internet?

Have you ever seen Debbie does Iran?? WOW!!! LOL!!!
tpkatl

join:2009-11-16
Dacula, GA

Coming soon in the USA

An article today on TorrentFreak noted that since the 6-strikes regime began, the number of people signing up for VPNs in the US has skyrocketed - for obvious reasons.

Now that Iran has instituted VPN control, how long will it be before the MIAA and RIAA (our version of the Iran government) try to have VPNs outlawed in the US?

ITALIAN926

join:2003-08-16
kudos:2

Re: Coming soon in the USA

as they should............

mtn_area

@charter.com

Re: Coming soon in the USA

Sometimes I worry about you ITALIAN. I use a VPN for work, you're telling me they should be outlawed and complicate my ability to access systems and files at work just because people like you think they are only used to get around censors and hide torrent traffic?
Crookshanks

join:2008-02-04
Binghamton, NY

Re: Coming soon in the USA

You could give him the benefit of the doubt and assume the "as they should" was referencing the Iranians signing up for VPNs.....

Personally I would love to run a tor exit node, for precisely this reason, I just don't care to explain to my ISP and/or the authorities why kiddie porn is being traded on my connection. Suppose I could do one of the twitter-only configurations, that seems good enough to help smuggle the truth out.
fenix_jn

join:2006-12-28
Miami, FL

1 recommendation

The troll is strong with this one

woody7
Premium
join:2000-10-13
Torrance, CA

Re: Coming soon in the USA

ha...................................
--
BlooMe
Kamus

join:2011-01-27
El Paso, TX

1 recommendation

said by IRANIAN926 :

as they should............

Obvious troll is obvious.

rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
Reviews:
·AT&T U-Verse
·ViaTalk

Whack-a-mole

Would love to see how they are identifying which SSL traffic is a VPN and which is just application access. Not to mention trying to identify SSH across all ports. Sounds a little bit like a tail chasing exercise.
--
Scott, CCIE #14618 Routing & Switching
»rolande.wordpress.com/

fuziwuzi
Not born yesterday
Premium
join:2005-07-01
Atlanta, GA

Re: Whack-a-mole

During certain periods, like when the CCP was meeting, the Chinese Great Firewall also blocks most VPNs. My partner, who lives in Shanghai, had a terrible time getting to many sites that were normally open. The VPN we use would not connect, though through lots of work with the VPN tech support we were finally able to get a very slow connection. Lots and lots of people were affected by this, using many different VPN providers. Several corporations voiced complaints because their Chinese offices were cut off from Western headquarters. But the Chinese government just shrugged their shoulders. After the CCP congress, the restrictions were lifted and suddenly all the VPNs began working again and the speeds eventually returned to normal. But, it does demonstrate that they do have the ability to cut it all off if they want. In China it is estimated that several million internet users also use VPN to access many outside sites. Normally, the government doesn't really care because they still represent a small percentage of users. But during sensitive times, they will cut it off.
--
Teabaggers: Destroying America is Priority #1
Paxio
Premium
join:2011-02-23
Santa Clara, CA
kudos:1

Re: Whack-a-mole

I'm not saying my experience is typical, but I use OpenVPN every time I travel to Asia, including mainland China. I've never had even the slightest problem connecting to my servers at home.

To me the main use of a VPN is data security. I'd hate to think of the number of people snooping my traffic in a typical coffee shop with "free wifi" in Asia. It's epidemic in a lot of countries. I'd prefer not to give up any information while I'm traveling.

fuziwuzi
Not born yesterday
Premium
join:2005-07-01
Atlanta, GA

Re: Whack-a-mole

said by Paxio:

I'm not saying my experience is typical, but I use OpenVPN every time I travel to Asia, including mainland China. I've never had even the slightest problem connecting to my servers at home.

To me the main use of a VPN is data security. I'd hate to think of the number of people snooping my traffic in a typical coffee shop with "free wifi" in Asia. It's epidemic in a lot of countries. I'd prefer not to give up any information while I'm traveling.

Sure, under normal circumstances any OpenVPN connection should work well. I'm just saying that recently during the Party Congress, you would likely NOT be able to get a connection. All outside VPN providers were "cut off", they blocked outside DNS servers (openDNS, Google, Verizon, etc.). The Great Firewall made it almost impossible to circumvent. Through trial-and-error some VPN providers did find some holes, but the connections were very slow. After the Party Congress, suddenly the world opened up (relatively) again and normal VPN traffic resumed. Several corporations that have their own "home grown" VPN services experienced the cutoff, as well, so any claim that your own gateway would afford you magical access is highly unlikely. The "Great Firewall", as is being discovered, is a massively sophisticated and powerful system and they've shown it can be far more draconian than they currently deploy.
--
Teabaggers: Destroying America is Priority #1

rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
Reviews:
·AT&T U-Verse
·ViaTalk
The question is what criteria they use to match and block or slow down the access? Personally, I would set up my own SSH gateway on port 443 and use SSH forwarding with a proxy behind it or run something like PHProxy inside SSL on my own webserver. Finding that kind of stuff would have to be a needle in a haystack of haystacks.
--
Scott, CCIE #14618 Routing & Switching
»rolande.wordpress.com/
jvanbrecht

join:2007-01-08
Bowie, MD

Re: Whack-a-mole

This is easy to block. Especially with modern application firewalls, as well as other security devices. The headers for SSH differ from HTTPS headers.

Almost every gov agency blocks outbound VPN and SSH. They do not specify specific ports, rather they block the application. I have tested this using SSH, OpenVPN and Cisco VPN concentrators, using random custom ports, as well as using well known ports (443, 8080, 25, and a bunch of others).

rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
Reviews:
·AT&T U-Verse
·ViaTalk

Re: Whack-a-mole

Differentiating SSL used for an application versus a tunnel is easy to block? Granted, SSH on any port can be discovered using application inspection, as long as you see the initial handshake. It is still resource intensive especially at huge volumes like an entire country would generate. Once SSH negotiates it is not really detectable. So, hopefully they see 100% of all packets on all connections by the inspection probes. At their scale that is easier said than done.

Regardless, if I stand up my own webserver with SSL and run a portal application behind it that requires authentication, it would be nearly impossible to find.
--
Scott, CCIE #14618 Routing & Switching
»rolande.wordpress.com/
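
The handshake-based identification debated in the two posts above, as an added example that is not part of any poster's message: a classifier that labels a TCP flow from its first client bytes, regardless of port, and has nothing to match when the handshake was not captured. The function names and sample payloads are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")
SSH_PROTO_VERSIONS = (b"2.0", b"1.99", b"1.5")


def classify_first_bytes(payload: bytes) -> str:
    """Label a TCP flow from the first client bytes; the port is never consulted."""
    # SSH (RFC 4253) opens with a cleartext line: SSH-<protoversion>-<software>\r\n
    if payload.startswith(b"SSH-"):
        line = payload.split(b"\n", 1)[0].rstrip(b"\r")
        parts = line.split(b"-", 2)
        if len(parts) == 3 and parts[1] in SSH_PROTO_VERSIONS:
            return "ssh"
        return "unknown"
    # TLS record header: content type (1), version (2), length (2), then the
    # handshake message type. 0x16 = handshake record, 0x01 = ClientHello.
    if len(payload) >= 6:
        rec_type, major, minor, length = struct.unpack("!BBBH", payload[:5])
        if (rec_type == 0x16 and major == 0x03 and minor <= 0x04
                and 0 < length <= 16384 and payload[5] == 0x01):
            return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    # Anything else, including ciphertext captured after the handshake.
    return "unknown"


def label_flows(flows):
    """Return (dst_port, label) for each (dst_port, first_payload) pair."""
    return [(port, classify_first_bytes(data)) for port, data in flows]


# Constructed sample flows: destination port and first client payload.
SAMPLE_FLOWS = [
    (22, b"SSH-2.0-OpenSSH_6.1\r\n"),
    (443, b"SSH-2.0-OpenSSH_6.1\r\n"),  # SSH moved to port 443
    (443, bytes.fromhex("160301002f0100002b0303") + bytes(36)),  # TLS ClientHello start
    (8080, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443, bytes.fromhex("9f3c1e7ab2d40c55e1")),  # mid-stream bytes, handshake missed
]

if __name__ == "__main__":
    for port, label in label_flows(SAMPLE_FLOWS):
        print(f"dst port {port:>5}: {label}")
```

The "tls" label is the same for ordinary HTTPS and for anything carried inside a TLS session, so this kind of check separates SSH from SSL but not one use of SSL from another.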
Crookshanks

join:2008-02-04
Binghamton, NY

Re: Whack-a-mole

SSL's handshake is detectable. Not much of a leap to imagine a country that oppresses its people being willing to compel MITM for SSL conversations. Don't accept our hijacked certificate? No SSL conversation for you.

Resource intensive? Sure. Within the capabilities of a modern nation-state? Absolutely.

rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
Reviews:
·AT&T U-Verse
·ViaTalk

Re: Whack-a-mole

I get it. You're missing my point. Even if they bust open my SSL to my own personal server running my own portal app that has its own encoding mechanism, they'll have no idea what the hell that traffic is. It will look like HTTP and smell like a benign website application. There are always ways around the filters. They will never stop the creativity of the determined soul to get what they want. The more I make the traffic look like all the other stuff out there at the application layer, the more impossible it is for them to discover at volume.
--
Scott, CCIE #14618 Routing & Switching
»rolande.wordpress.com/
moonpuppy

join:2000-08-21
Glen Burnie, MD

Re: Whack-a-mole

said by rolande:

I get it. You're missing my point. Even if they bust open my SSL to my own personal server running my own portal app that has its own encoding mechanism, they'll have no idea what the hell that traffic is. It will look like HTTP and smell like a benign website application. There are always ways around the filters. They will never stop the creativity of the determined soul to get what they want. The more I make the traffic look like all the other stuff out there at the application layer, the more impossible it is for them to discover at volume.

And you are missing the point.

Notice what part of your statement I bolded. It's not like they want to know what you are doing, they don't care. They will shut it down and you will not complain unless you want a visit from the authorities and in Iran, that is a very one sided affair that will not be in your favor.

rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
Reviews:
·AT&T U-Verse
·ViaTalk

Re: Whack-a-mole

You're assuming that they blacklist everything by default and only explicitly permit a known set of identified content. Even then, I am certain, as a determined individual, I could still get what I want through their filters. I would host my own website with "approved" content and just so happen to have a plugin buried in the forum content that only presented itself as a portal/anonymizer agent under the right set of circumstances, otherwise it performs some innocent function. Anything is possible at the application layer with the right amount of obfuscation. That is the beauty of HTTP. Would it be impossible to detect? Probably not. Would it be improbable? Highly likely.
--
Scott, CCIE #14618 Routing & Switching
»rolande.wordpress.com/
moonpuppy

join:2000-08-21
Glen Burnie, MD

Re: Whack-a-mole

said by rolande:

You're assuming that they blacklist everything by default and only explicitly permit a known set of identified content. Even then, I am certain, as a determined individual, I could still get what I want through their filters. I would host my own website with "approved" content and just so happen to have a plugin buried in the forum content that only presented itself as a portal/anonymizer agent under the right set of circumstances, otherwise it performs some innocent function. Anything is possible at the application layer with the right amount of obfuscation. That is the beauty of HTTP. Would it be impossible to detect? Probably not. Would it be improbable? Highly likely.

Again, you are thinking like this is happening in the USA. It is not. This is Iran where they can take you off to jail for little to no provocation. Even if they see a VPN connection coming from your IP (which the ISP will tell on you to get in the good graces of the mullahs), you will be hauled off for questioning and not allowed your one phone call. Arrest first and who cares if you are guilty.

rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
Reviews:
·AT&T U-Verse
·ViaTalk

Re: Whack-a-mole

I'm not talking about a VPN or tunnel for forwarding any app but a method for obfuscating HTTP content inside of other approved content natively at the application layer. It wouldn't look any different than accessing the website as a normal user. I've done it and seen it done many times before. It is extremely difficult to detect, even when isolating it and staring at the capture traces. Desperate people do desperate things.
--
Scott, CCIE #14618 Routing & Switching
»rolande.wordpress.com/
moonpuppy

join:2000-08-21
Glen Burnie, MD

Re: Whack-a-mole

said by rolande:

I'm not talking about a VPN or tunnel for forwarding any app but a method for obfuscating HTTP content inside of other approved content natively at the application layer. It wouldn't look any different than accessing the website as a normal user. I've done it and seen it done many times before. It is extremely difficult to detect, even when isolating it and staring at the capture traces. Desperate people do desperate things.

Doesn't matter. If an Iranian ISP sees something that they think is fishy, they will go after it. Again, we are not talking about an "innocent until proven guilty" government like ours.
whoyourdaddy

join:2013-02-20
Honey Brook, PA

VPNs outlawed in the US?

So how long do you think it will take for the US to come up with something like this?
tpkatl

join:2009-11-16
Dacula, GA

Re: VPNs outlawed in the US?

So we can be like Iran? Something to hope for, I guess, in some circles.
whoyourdaddy

join:2013-02-20
Honey Brook, PA

Re: VPNs outlawed in the US?

As soon as the government thinks it's a threat, yea think they will pass a bill to ban VPNs. Yet they can't even pass a bill for the budget. The do-nothing Congress. They only work like 122 days out of the year or less, yet they get paid big bucks.
NOVA_UAV_Guy
Premium
join:2012-12-14
Purcellville, VA
Reviews:
·Comcast

Re: VPNs outlawed in the US?

At this point, I'd rather they not pass a bill.

Have you really noticed any change in government services since the sequester started? Didn't think so. Maybe we're all better off with operating this way - at least now less of our money is being wasted.
--
The only difference between Bush and Obama is the group they're wasting our taxpayer money on. It's time to elect responsible legislators.
Crookshanks

join:2008-02-04
Binghamton, NY
said by whoyourdaddy:

As soon as the government thinks it's a threat, yea think they will pass a bill to ban VPNs.

Like they successfully outlawed PGP?

Oh wait, they didn't. Put the tinfoil hat away. Our Government is hypocritical, and rarely acts altruistically, but I am reminded of the words of Winston Churchill: "It is often said that Democracy is the worst form of Government, except for all the others that have been tried from time to time."
whoyourdaddy

join:2013-02-20
Honey Brook, PA
»www.chacha.com/question/how-many···ors-work
SilentMan

join:2002-07-15
New York, NY

Re: VPNs outlawed in the US?

And in those rare days when they work, they don't work 8 hours like most people do. And what about the food they consume in the dining halls of Capitol Hill "discussing" policies with their comrades in both caricature of Parties? Do the taxpayers also foot the bills on those expensive lunches or dinners?
NOVA_UAV_Guy
Premium
join:2012-12-14
Purcellville, VA
Reviews:
·Comcast
said by whoyourdaddy:

So how long do you think it will take for the US to come up with something like this?

It's probably on the schedule just as soon as they're done taking away our semi-automatic "assault rifles" and high capacity magazines, and right before they force the entire country to move over to that fine ObamaCare system they're still cooking up.

In all seriousness, it would not surprise me if our government eventually moved toward doing something like making VPNs illegal unless licensed and monitored somehow. Apparently all it takes is a few crying parents asking for something to be done for their children's safety. And that's how it will start - peddled to our country as a way to ferret out those nasty child-porn traffickers, with people who use VPNs characterized as "shady characters". Then come the "VPNs are used by terrorists" argument-makers, followed up by the rest of the mob who feel that we all must be saved from ourselves, for the good of the country.

--
The only difference between Bush and Obama is the group they're wasting our taxpayer money on. It's time to elect responsible legislators.

SilentMan

join:2002-07-15
New York, NY

They Still Don't Learn

Censoring internet communications or censoring any other material increases people's appetite and curiosity for the censored material and it works against the interest of the government causing resentment, which is the last thing they need now.

I am against all forms of censorship for adults. Nobody should tell you what you can or cannot see or hear, or read. Let people listen to, watch, or read whatever they want; if the material is stupid, they will pretty soon realize it, get bored about it, and stop paying attention to it.
DanteX

join:2010-09-09
kudos:1

I enjoy My privacy

A few weeks back I inquired in the virtual networking portion of the forums here about using a VPN to defeat the backdoor in Skype and someone replied "what have you got to hide".

I do not have anything suspicious to hide. I just value my privacy and do not appreciate big brother or some Dinosaur corporations Governments getting their jollies off wanting to know what I am doing or saying because I apparently may be a terrorist if I say something bad about the Government.

You wouldn't let people snoop through your mail so why is internet traffic any different?

I hope the Iranian people can make it through this (Where is Anonymous when you need them lol) need to punch a hole in their communications grid and allow people free access to the internet

AlexNYC

join:2001-06-02
Edwards, CO

TOR

I wonder if they figured out a way to block the TOR network? As long as the exit node is outside of Iran it should work.
civicturbo

join:2009-11-08
USA

My take :)

"Fuck Iran baby!"