GitLab

Note that currently it looks like there might be more than just one filtering technique in place. The following was the initial report describing one possible filtering technique and this comment describes another technique.

---

Some users reported that the Iranian ISP "Pars Online" is (partially?) blocking Tor.

One user looked into it and believes that Tor is identified based on the server_name extension in the TLS client hello. It looks like DPI boxes extract the domain and do a DNS lookup for it. If the domain resolves and the relay/bridge is listening on port 443, the connection passes. Apparently, an omitted server_name or a server_name rewritten to www.google.com passed the filter.

Obfsproxy seems to work.

Some open questions:

• Can we reproduce and verify the existing hypothesis?
• Is this an attempt to only allow HTTPS and no other SSL/TLS-based protocols? Or is it targeting only Tor?
• Can we modify brdgrd to evade the server_name extraction?
• Is this type of block limited to Pars Online?