Iran Starts Blocking All Encrypted Traffic
As Tor Works on Solution to Bypass Iranian Filters
by Karl Bode 04:13PM Friday Feb 10 2012
Late last year Iranian leaders made it a criminal offense to bypass the country's Internet filters using VPNs or any other technology. The announcement by Iranian Telecommunications Minister Reza Taghipour insisted the move was made to combat a "soft war" being waged by Western countries against Iran (read: we want to spy on our own citizens and stifle information exchange among liberal thinkers). A post over at Hacker News this morning notes that Iran has started blocking all encrypted traffic ahead of tomorrow's celebration of the 1979 Islamic revolution. Says the local user:
quote:
Since Thursday Iranian government has shut down the https protocol which has caused almost all Google services (Gmail, and google.com itself) to become inaccessible. Almost all websites that rely on Google APIs (like Wolfram Alpha) won't work. Accessing to any website that relies on https (just imagine how many websites use this protocol, from Arch Wiki to bank websites). Also accessing many proxies is also impossible.
Forbes notes that the folks behind Tor are using the opportunity to test a new technology called "obfsproxy" (obfuscated proxy) that will help trick Iran's deep packet inspection filters into thinking encrypted traffic is unencrypted.


fifty nine

join:2002-09-25
Sussex, NJ
kudos:2

Iran not the only one, China kinda does it too

If you are ever in the unfortunate position of having to set up SSL to be used by Chinese internet users, you are in for a surprise.

You cannot just get around the great firewall of China by using SSL. You must get approval from Chinese authorities which usually means letting them decrypt and inspect traffic. In fact I think encryption is licensed, which means that websites cannot use encryption without a license.

Iran may be a tad worse but it's certainly not something new.

fuziwuzi
Not born yesterday
Premium
join:2005-07-01
Atlanta, GA

Re: Iran not the only one, China kinda does it too

Perhaps for SSL, but VPN use in China is very widespread. My partner uses VPN daily to access sites outside of China that would otherwise be blocked. I've personally used a VPN while there, as well. Common proxies won't work, but OpenVPN is easily used by millions of Chinese netizens daily.
--
Teabaggers: Destroying America is Priority #1

jseymour

join:2009-12-11
Waterford, MI
said by fifty nine:

If you are ever in the unfortunate position of having to set up SSL to be used by Chinese internet users, you are in for a surprise.

You cannot just get around the great firewall of China by using SSL. license.

I've got corporate users over in China using SSL/TLS for email, extranet (web), and VPN--all with apparently no problem. If my users were unable to use those technologies, I don't see how we could possibly conduct business there.

fifty nine

join:2002-09-25
Sussex, NJ
kudos:2

Re: Iran not the only one, China kinda does it too

said by jseymour:

said by fifty nine:

If you are ever in the unfortunate position of having to set up SSL to be used by Chinese internet users, you are in for a surprise.

You cannot just get around the great firewall of China by using SSL. license.

I've got corporate users over in China using SSL/TLS for email, extranet (web), and VPN--all with apparently no problem. If my users were unable to use those technologies, I don't see how we could possibly conduct business there.

You can absolutely use those technologies but the authorities are deeply involved. They must be given the encryption keys on demand and need to know how and where encryption is being used.
hoyleysox
Premium
join:2003-11-07
Long Beach, CA
When I visited China every https site that I attempted to access on my laptop would hang.

fuziwuzi
Not born yesterday
Premium
join:2005-07-01
Atlanta, GA

Re: Iran not the only one, China kinda does it too

said by hoyleysox:

When I visited China every https site that I attempted to access on my laptop would hang.

Very few sites I use had that issue. My partner and I can access our bank accounts at Wells Fargo (which is obviously HTTPS) without using VPN. Many other HTTPS sites are also available. Only a few blocked sites require the use of a VPN for access.
--
Teabaggers: Destroying America is Priority #1

fifty nine

join:2002-09-25
Sussex, NJ
kudos:2

Re: Iran not the only one, China kinda does it too

said by fuziwuzi:

said by hoyleysox:

When I visited China every https site that I attempted to access on my laptop would hang.

Very few sites I use had that issue. My partner and I can access our bank accounts at Wells Fargo (which is obviously HTTPS) without using VPN. Many other HTTPS sites are also available. Only a few blocked sites require the use of a VPN for access.

It's not impossible to use SSL in China. However, it is heavily regulated.

If it works, WF probably just got a license, which means that the Chinese authorities can likely see your banking transactions if they wanted to.

fuziwuzi
Not born yesterday
Premium
join:2005-07-01
Atlanta, GA

Re: Iran not the only one, China kinda does it too

said by fifty nine:

said by fuziwuzi:

said by hoyleysox:

When I visited China every https site that I attempted to access on my laptop would hang.

Very few sites I use had that issue. My partner and I can access our bank accounts at Wells Fargo (which is obviously HTTPS) without using VPN. Many other HTTPS sites are also available. Only a few blocked sites require the use of a VPN for access.

It's not impossible to use SSL in China. However, it is heavily regulated.

If it works, WF probably just got a license, which means that the Chinese authorities can likely see your banking transactions if they wanted to.

I highly doubt every site I use "got a license" from the Chinese gov't. I don't know about Wells Fargo except that they do have a business arrangement with Agricultural Bank of China, which is convenient. We can transfer funds between our Wells Fargo and ABC accounts without any fees. I would find it rather incredible if Wells Fargo knowingly allowed "spying" on their customer's online activity.
--
Teabaggers: Destroying America is Priority #1

DataRiker
Premium
join:2002-05-19
00000
You've obviously never been to China.

fifty nine

join:2002-09-25
Sussex, NJ
kudos:2

Re: Iran not the only one, China kinda does it too

said by DataRiker:

You've obviously never been to China.

And you obviously have no clue how SSL works and why the Chinese Gov't can decrypt your SSL session quite easily.

DataRiker
Premium
join:2002-05-19
00000

4 edits

Re: Iran not the only one, China kinda does it too

Quite frankly you got caught making shit up. I've used SSL from South China on a number of occasions to the US.

Never had a problem, and the sites I use support TLS 1.2.

As far as I know there are no outstanding exploit issues known with a fully 1.2 compliant browser. (IE for example)

KrK
Heavy Artillery For The Little Guy
Premium
join:2000-01-17
Tulsa, OK

Coming soon to the USA....

Wonder how long before they rule that people using encryption in the USA are obviously criminals and terrorists and begin following the "trailblazing" path of Iran.
--
"Fascism should more properly be called corporatism because it is the merger of state and corporate power." -- Benito Mussolini

Arne Bolen
Happy Anveo customer
Premium
join:2009-06-21
Cyberspace
kudos:4
Reviews:
·Anveo
·voip.ms
·callwithus
·Callcentric

Re: Coming soon to the USA....

said by KrK:

Wonder how long before they rule that people using encryption in the USA are obviously criminals and terrorists and begin following the "trailblazing" path of Iran.

 
VISA, Master Card and American Express would never approve of such rules.
 
--
Main provider: Anveo - Secondary providers: VoIP.ms, Callcentric, Localphone and Rebtel
Hosted PBX: PBXes.org - Phone: Gigaset S685IP

battleop

join:2005-09-28
00000

Re: Coming soon to the USA....

They can do SSL within the country probably because the government has some sort of back door into those sites. They can't do SSL when you go beyond the borders of Iran.

NickD
Premium
join:2000-11-17
Princeton Junction, NJ

Re: Coming soon to the USA....

The US allows 128 bit encryption within the country but forbids the export of anything stronger than 64 bit.
patcat88

join:2002-04-05
Jamaica, NY
kudos:1
Firefox comes with the Chinese backdoor certificate right out of the box.

fuziwuzi
Not born yesterday
Premium
join:2005-07-01
Atlanta, GA
said by KrK:

Wonder how long before they rule that people using encryption in the USA are obviously criminals and terrorists and begin following the "trailblazing" path of Iran.

Actually, the way SOPA/PIPA was worded, it could have been interpreted as making the use of VPN or other encrypted transmissions illegal. Don't think for a minute those behind SOPA/PIPA/ACTA wouldn't make it so.
--
Teabaggers: Destroying America is Priority #1

fatness
subtle
Premium,ex-mod 01-13
join:2000-11-17
fishing
kudos:14

1 recommendation

anti-piracy measure

Iran did this to prevent illegal distribution of movies and music, both of which are equivalent to cyberterrorism
--
hey Dale

45612019

join:2004-02-05
New York, NY

Re: anti-piracy measure

This guy is this site's lead mod?

This explains everything.

fatness
subtle
Premium,ex-mod 01-13
join:2000-11-17
fishing
kudos:14

Re: anti-piracy measure

Sarcasm has eluded you.

45612019

join:2004-02-05
New York, NY

Re: anti-piracy measure

This is false. With text, some indication of sarcasm is required - particularly on the Internet, where idiots abound.

I've seen serious comments like that from posters on this website before.
CXM_Splicer
Looking at the bigger picture
Premium
join:2011-08-11
NYC
kudos:2

Re: anti-piracy measure

It gave me a chuckle. I think you are right though... idiots abound.

fatness
subtle
Premium,ex-mod 01-13
join:2000-11-17
fishing
kudos:14
said by 45612019:

I've seen serious comments like that from posters on this website before.

So have I. I'm mocking them.
--
hey Dale

MacBridger
Late to the party
Premium
join:2001-01-11
Morgantown, WV
Reviews:
·Verizon Online DSL

Re: anti-piracy measure

You're not mocking them, you're just being you.

(For those not in the know, a post by Fatness IS the indicator of sarcasm.)
--
Fight Cancer! Join DSLR's Team Discovery

mr sean
Professional Infidel
Premium,ExMod 2001-07
join:2001-04-03
N. Absentia
kudos:1
said by fatness:

Sarcasm has eluded you.

Yes, but did it get away with the jewelry and family silver?
--
How you can make the world a Better Place

DataRiker
Premium
join:2002-05-19
00000
Fatness is good people Xizer and has personally helped me on this site before.

45612019

join:2004-02-05
New York, NY

Re: anti-piracy measure

On the other hand, his stooges have deleted countless numbers of my posts.

fatness
subtle
Premium,ex-mod 01-13
join:2000-11-17
fishing
kudos:14

Re: anti-piracy measure

I don't blame you for being embarrassed at missing the sarcasm others picked up. Good move to change the topic.
--
hey Dale

firephoto
We the people
Premium
join:2003-03-18
Brewster, WA

Looks like Iran needs a new business friend

They just don't have the right ssl cert provider.

»www.computerworld.com/s/article/···nishment

Why stop it when you can make everyone think your ssl traffic is secure and just siphon it all off with nobody noticing.
--
Say no to JAMS!
rradina

join:2000-08-08
Chesterfield, MO

Obfuscated Proxy

I think this is an interesting idea but it probably won't be long before they figure out a way to detect and block it. Although it might be possible to create something like this that's impossible to detect, it would be at the cost of seriously exploding the size of the data needed to transfer even trivial information. For instance, send a whole page worth of data that contains just a few actual words embedded in random places. After hundreds of pages, the few words make a page. But that's really wasteful. So wasteful that it might be its Achilles heel and lead to detection.

Probably just better to get satellite service from an adjacent country that doesn't censor -- unless the government has figured out a low power way to disrupt those services too.

KrK
Heavy Artillery For The Little Guy
Premium
join:2000-01-17
Tulsa, OK

Re: Obfuscated Proxy

said by rradina:

Probably just better to get satellite service from an adjacent country that doesn't censor --

Under Pain of Death
--
"Fascism should more properly be called corporatism because it is the merger of state and corporate power." -- Benito Mussolini

mod_wastrel
iamwhatiam

join:2008-03-28
kudos:1

When your faith is weak,

your fear is great.
moes

join:2009-11-15
Cedar City, UT
Reviews:
·Revol Wireless
·Optimum Online

subject

There country, there rules, they either play by them or do not play at all. It's just how things are and yes I know it's not right, but at the same time they are the ones who are putting up with that kind of government and what they enforce. So once they can overthrow or whatever they can do away with silly things such as this.
MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4

1 recommendation

Re: subject

their, not there
moes

join:2009-11-15
Cedar City, UT

Re: subject

Please do not correct my spelling, I have some issues with certain words, I thank you for understanding.
59677028

join:2012-01-19
Pontypool, ON

for the stupid

ya guys do know that there are ways to decrypt https ssl without your permission, a kind of man in the middle trick

it can be avoided but i bet 99.9% of ya don't even know what i am talking about....
AND i would assume that anything to be safeguarded would have to be encrypted before it touched the net two ways to sundown and then encrypted with non standard web servering custom made. kinda like some er um NASA files...( did i say that out loud )

haha what you don't know.....security via the web can be had only how useful will your web be? Answer almost useless.....

srlsly

@verizon.net

Re: for the stupid

oh hai

then why block at all? seems like a great way for an authoritarian government to secretly crack down on dissidents

XPAMD
Premium
join:2002-06-08
united state

Nukes

Iran to make major nuclear announcement.

»www.foxnews.com/world/2012/02/11···testnews

Too much of a co-inky dink here.

cork1958
Cork
Premium
join:2000-02-26

Re: Nukes

Exactly what I was thinking!!

Guest738

@telus.net

It's not right

My gosh, that's crazy. Why even bother having "Internet" If anything, by now EVERYTHING you do online should be using some kinda SSL. It only makes sense. I guess the Internet will be the death of commy..... lol