... | ... | @@ -20,11 +20,11 @@ Since 2016, we have been studying various kinds of censorship happening in Kazak |
|
|
|
|
|
[=#a20348-graphs]
|
|
|
|
|
|
[[Image(userstats-relay-country-kz-2016-01-01-2017-06-14-off.png)]] [https://metrics.torproject.org/userstats-relay-country.html?start=2016-01-01&end=2017-06-14&country=kz&events=off link]
|
|
|
![userstats-relay-country-kz-2016-01-01-2017-06-14-off.png](userstats-relay-country-kz-2016-01-01-2017-06-14-off.png) [link](https://metrics.torproject.org/userstats-relay-country.html?start=2016-01-01&end=2017-06-14&country=kz&events=off)
|
|
|
|
|
|
[[Image(userstats-bridge-country-kz-2016-01-01-2017-06-14.png)]] [https://metrics.torproject.org/userstats-bridge-country.html?start=2016-01-01&end=2017-06-14&country=kz link]
|
|
|
![userstats-bridge-country-kz-2016-01-01-2017-06-14.png](userstats-bridge-country-kz-2016-01-01-2017-06-14.png) [link](https://metrics.torproject.org/userstats-bridge-country.html?start=2016-01-01&end=2017-06-14&country=kz)
|
|
|
|
|
|
[[Image(userstats-bridge-combined-kz-2016-01-01-2017-06-14.png)]] [https://metrics.torproject.org/userstats-bridge-combined.html?start=2016-01-01&end=2017-06-14&country=kz link]
|
|
|
![userstats-bridge-combined-kz-2016-01-01-2017-06-14.png](userstats-bridge-combined-kz-2016-01-01-2017-06-14.png) [link](https://metrics.torproject.org/userstats-bridge-combined.html?start=2016-01-01&end=2017-06-14&country=kz)
|
|
|
|
|
|
|
|
|
== Code and data == #a20348-data
|
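Review bot: the `[=#a20348-graphs]` anchor and the `== Code and data == #a20348-data` heading stay in Trac syntax as unchanged context, while the three image lines between them are converted. Neither form is Markdown, so both will render as literal text and the `a20348-graphs` and `a20348-data` ids will no longer exist as link targets. Convert them in the same change (a `##` heading plus whatever explicit-id mechanism the target renderer supports). The new image lines also use the PNG filename as alt text; a short description of each graph would be more useful.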
... | ... | @@ -43,7 +43,7 @@ and |
|
|
== HTTP blocking and fingerprint == #a20348-http
|
|
|
|
|
|
Between November and late December 2016, HTTP sites were blocked with a distinctive injected response that redirected to !http://92.63.88.128/?NTDzLZ ([[comment:159:ticket:20348|source]]):
|
|
|
{{{
|
|
|
```
|
|
|
HTTP/1.1 302 Found
|
|
|
Content-Length: 210
|
|
|
Location: http://92.63.88.128/?NTDzLZ
|
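Review bot: the paragraph introducing the injected response is left untouched although the fence below it changes from `{{{` to a backtick fence, so it keeps the Trac escape in `!http://92.63.88.128/?NTDzLZ` and the Trac link `[[comment:159:ticket:20348|source]]`. In Markdown the leading `!` is printed as-is and the double-bracket link is not a link at all. Drop the `!` and put the address in backticks so it is neither auto-linked nor misread, and rewrite the source citation as a Markdown link to the ticket comment.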
... | ... | @@ -55,9 +55,9 @@ Content-Type: text/html; charset=UTF-8 |
|
|
The document has moved
|
|
|
<A HREF="http://92.63.88.128/?NTDzLZ">here</A>
|
|
|
</BODY></HTML>
|
|
|
}}}
|
|
|
```
|
|
|
(Notice that the `Content-Length` header [[comment:202:ticket:20348|is wrong]]: it says `210` but it should be `224`.) Following the redirect leads to another server that, in turn, serves a different kind of redirect (meta-refresh and JavaScript) to the impossible URL !http://90.263.11.193. Note the "octet" 263 in what looks like an IP address ([[comment:149:ticket:20348|source]]):
|
|
|
{{{
|
|
|
```
|
|
|
HTTP/1.1 200 OK
|
|
|
Server: nginx
|
|
|
Date: Fri, 16 Dec 2016 17:01:22 GMT
|
... | ... | @@ -76,13 +76,12 @@ Set-Cookie: cfb9f=%7B%22streams%22%3A%5B1481907682%5D%2C%22campaigns%22%3A%7B%22 |
|
|
<script type="text/javascript">window.location = "http://90.263.11.193";</script>
|
|
|
</head>
|
|
|
</html>
|
|
|
}}}
|
|
|
```
|
|
|
The [[comment:149:ticket:20348|whois entry for 92.63.88.128]] points to an Internet company in Latvia, http://mwtv.lv/; and its [[comment:148:ticket:20348|reverse DNS entries]] are money-tree.pw, wsusupdate.com, and wsusupdate.info.
|
|
|
|
|
|
That the responses are injected is detectable from inconsistencies in the IP TTL and TCP options. Notice, in this [[attachment:youporn.com.pcap:ticket:20348|packet capture of requesting http://youporn.com]], that the TTL of the SYN/ACK is '''`50`''' while the TTL of the HTTP response is '''`58`'''. Notice also that there are TCP options in the SYN/ACK ('''`[mss 1304,sackOK,TS val 845116384 ecr 17593903,nop,wscale 7]`''') but none in the HTTP response; the `TS` option, at least, should oblige the server to include timestamps in all its subsequent segments.
|
|
|
That the responses are injected is detectable from inconsistencies in the IP TTL and TCP options. Notice, in this [youporn.com.pcap:ticket:20348|packet capture of requesting http://youporn.com](None/youporn.com.pcap:ticket:20348|packet capture of requesting http://youporn.com), that the TTL of the SYN/ACK is **`50`** while the TTL of the HTTP response is **`58`**. Notice also that there are TCP options in the SYN/ACK (**`[mss 1304,sackOK,TS val 845116384 ecr 17593903,nop,wscale 7]`**) but none in the HTTP response; the `TS` option, at least, should oblige the server to include timestamps in all its subsequent segments.
|
|
|
|
|
|
{{{
|
|
|
#!html
|
|
|
```
|
|
|
<pre style="font-size:80%">
|
|
|
<span style="background:cornsilk">10:40:31.768987 IP (tos 0x0, ttl 64, id 8730, offset 0, flags [DF], proto TCP (6), length 60)
|
|
|
10.11.0.150.52824 > 31.192.120.44.http: Flags [S], cksum 0x1df2 (correct), seq 2069320757, win 29200, <strong>options [mss 1460,sackOK,TS val 17593903 ecr 0,nop,wscale 7]</strong>, length 0</span>
|
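Review bot: in the rewritten TTL paragraph the attachment link is broken: it became `[youporn.com.pcap:ticket:20348|packet capture of requesting http://youporn.com](None/youporn.com.pcap:ticket:20348|packet capture of requesting http://youporn.com)`, so the label still contains the Trac `file:ticket|text` form and the target begins with `None/`. Resolve the attachment to its real location and use only "packet capture of requesting http://youporn.com" as the link text. Separately, the `{{{` and `#!html` lines collapse into a single plain fence, which means the `<pre>`, `<span style=...>` and `<strong>` tags in the capture will be displayed as markup rather than applied. Either strip the tags and keep the tcpdump text in the fence, or keep the HTML outside a fence, otherwise the emphasis on the SYN options that the paragraph relies on is lost.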
... | ... | @@ -117,23 +116,23 @@ That the responses are injected is detectable from inconsistencies in the IP TTL |
|
|
10:40:34.829753 IP (tos 0x0, ttl 64, id 8734, offset 0, flags [DF], proto TCP (6), length 52)
|
|
|
10.11.0.150.52824 > 31.192.120.44.http: Flags [R.], cksum 0xe68e (correct), seq 110, ack 348, win 237, options [nop,nop,TS val 17594668 ecr 845116384], length 0</span>
|
|
|
</pre>
|
|
|
}}}
|
|
|
```
|
|
|
|
|
|
The blocking works bidirectionally, like the firewall in China ([[comment:173:ticket:20348|source]]). If you issue a request containing a forbidden Host header or SNI from the outside to the inside, you get the same censorship you would if you sent the request from the inside to the outside. For example, the first request gets a response but the second times out (formerly caused an HTTP injection):
|
|
|
{{{
|
|
|
```
|
|
|
echo -n $'GET / HTTP/1.0\r\nHost: example.com\r\n\r\n' | nc government.kz 80
|
|
|
echo -n $'GET / HTTP/1.0\r\nHost: bash.im\r\n\r\n' | nc government.kz 80
|
|
|
}}}
|
|
|
```
|
|
|
|
|
|
The firewall is stateful in that you wouldn't get an injection if you sent a naked payload without establishing a TCP connection first. I.e., in scapy, this didn't get an injection:
|
|
|
{{{
|
|
|
```
|
|
|
sr(IP(dst="government.kz")/TCP(flags="PA", seq=123456, ack=1000)/"GET / HTTP/1.0\r\nHost: bash.im\r\n\r\n")
|
|
|
}}}
|
|
|
```
|
|
|
but this did:
|
|
|
{{{
|
|
|
```
|
|
|
r = sr(IP(dst="government.kz")/TCP(flags="S", seq=1000))[0][0][1]
|
|
|
sr(IP(dst="government.kz")/TCP(flags="PA", seq=123456, ack=r.seq+1)/"GET / HTTP/1.0\r\nHost: bash.im\r\n\r\n")
|
|
|
}}}
|
|
|
```
|
|
|
|
|
|
=== Partial list of blocked sites === #a20348-blocked-sites
|
|
|
|
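Review bot: the three fences opened in this hunk (the pair of `nc` commands and the two scapy snippets) are bare backtick fences with no language. Tagging the `nc` block as shell and the `sr(IP(dst=...)...)` blocks as Python would keep them readable and make it obvious which tool each line belongs to. The `=== Partial list of blocked sites === #a20348-blocked-sites` heading at the end of the hunk is also still in Trac form.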
... | ... | @@ -199,16 +198,16 @@ From other sources we also know of blocks of: |
|
|
|
|
|
=== Finding the source of the HTTP fingerprints === #a20348-http-fp-source
|
|
|
|
|
|
The injected HTML, with its `The document has moved\n<A HREF="...">here</A>`, seems distinctive. It is [[comment:203:ticket:20348|similar but not identical]] to a redirect that Google's frontend servers can emit. We did not find a matching template in the source code of any public web server (e.g., by searching GitHub). We searched the [https://scans.io/study/sonar.http Project Sonar] port-80 scans (20160830-http.gz) for servers that had the same fingerprint. There were many matches, mainly under the domains of ISPs such as telcom.co.id, afrihost.com, and 2090000.ru ([[comment:161:ticket:20348|source]]).
|
|
|
The injected HTML, with its `The document has moved\n<A HREF="...">here</A>`, seems distinctive. It is [[comment:203:ticket:20348|similar but not identical]] to a redirect that Google's frontend servers can emit. We did not find a matching template in the source code of any public web server (e.g., by searching GitHub). We searched the [Project Sonar](https://scans.io/study/sonar.http) port-80 scans (20160830-http.gz) for servers that had the same fingerprint. There were many matches, mainly under the domains of ISPs such as telcom.co.id, afrihost.com, and 2090000.ru ([[comment:161:ticket:20348|source]]).
|
|
|
|
|
|
We found one of the matches still live under 2090000.ru, a Russian ISP, and tested it. We found responses being injected for two purposes: for customer payment enforcement and for censorship. Requesting an ordinary domain would redirect to http://0.2090000.ru, a page that says (in Russian):
|
|
|
The balance of your personal account is negative. To continue working on the Internet, please top up the balance.
|
|
|
Requesting a site that is blocked in Russia, on the other hand, serves a iframe from http://zapret.2090000.ru/ ("zapret" = [https://en.wiktionary.org/wiki/%D0%B7%D0%B0%D0%BF%D1%80%D0%B5%D1%82#Russian запрет] = "prohibition, interdiction, ban"), which says:
|
|
|
Requesting a site that is blocked in Russia, on the other hand, serves a iframe from http://zapret.2090000.ru/ ("zapret" = [запрет](https://en.wiktionary.org/wiki/%D0%B7%D0%B0%D0%BF%D1%80%D0%B5%D1%82#Russian) = "prohibition, interdiction, ban"), which says:
|
|
|
We apologize, but access to the requested resource is limited. Check the availability of the domain name and / or index of the site page, the network address in the Unified Register can be found at http://blocklist.rkn.gov.ru/
|
|
|
What it looks like is we found the router of a customer who hadn't paid their ISP bill, and our inbound requests were triggering the same response from the ISP's firewall as if the customer were browsing outbound. ([[comment:173:ticket:20348|Source]])
|
|
|
|
|
|
Example of accessing an ordinary site:
|
|
|
{{{
|
|
|
```
|
|
|
echo -n $'GET / HTTP/1.0\r\nHost: example.com\r\n\r\n' | nc 37.192.17.117 80
|
|
|
HTTP/1.1 302 Found
|
|
|
Content-Length: 202
|
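Review bot: the changed paragraph about the injected HTML is only half converted. The Project Sonar link is now `[Project Sonar](https://scans.io/study/sonar.http)`, but `[[comment:203:ticket:20348|similar but not identical]]` and `[[comment:161:ticket:20348|source]]` on the same new line are still Trac links and will render as literal brackets. Since the line is being rewritten anyway, convert those two citations as well, and do the same for `[[comment:173:ticket:20348|Source]]` a few lines down.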
... | ... | @@ -221,9 +220,9 @@ Content-Type: text/html; charset=UTF-8 |
|
|
The document has moved
|
|
|
<A HREF="http://0.2090000.ru">here</A>
|
|
|
</BODY></HTML>
|
|
|
}}}
|
|
|
```
|
|
|
Example of accessing a site blocked in Russia (http://ej.ru):
|
|
|
{{{
|
|
|
```
|
|
|
echo -n $'GET / HTTP/1.0\r\nHost: ej.ru\r\n\r\n' | nc 37.192.17.117 80
|
|
|
HTTP/1.1 200 OK
|
|
|
Connection: close
|
... | ... | @@ -238,7 +237,7 @@ Content-Type: text/html; charset=iso-8859-1 |
|
|
</div>
|
|
|
</BODY>
|
|
|
</HTML>
|
|
|
}}}
|
|
|
```
|
|
|
|
|
|
Our conclusion is: The similarity of the injections and the structure of the HTML suggests that the same or similar hardware is used in Kazakhstan and in this Russian ISP (and also probably the other cases we found, e.g. telcom.co.id, afrihost.com).
|
|
|
|
... | ... | @@ -248,16 +247,16 @@ We [[comment:169:ticket:20348|also found one server]] that had the same fingerpr |
|
|
== HTTPS blocking == #a20348-https
|
|
|
|
|
|
HTTPS blocking appears to be blocked by SNI. A TCP connection succeeds but the connection stalls after the TLS handshake. Here, the first request is blocked but the second one (without SNI) succeeds:
|
|
|
{{{
|
|
|
```
|
|
|
wget https://www.tumblr.com/
|
|
|
wget https://87.248.116.13/ --header 'Host: www.tumblr.com' --no-check-certificate
|
|
|
}}}
|
|
|
```
|
|
|
|
|
|
Just as with [[#a20348-http|HTTP]], HTTPS blocking is bidirectional. Here is an example of accessing a server inside Kazakhstan from outside, using an allowed and a blocked SNI. The first command works whereas the second one stalls.
|
|
|
{{{
|
|
|
```
|
|
|
echo -n $'GET / HTTP/1.0\r\nHost: gohost.kz\r\n\r\n' | openssl s_client -ign_eof -connect gohost.kz:443 -servername example.com
|
|
|
echo -n $'GET / HTTP/1.0\r\nHost: gohost.kz\r\n\r\n' | openssl s_client -ign_eof -connect gohost.kz:443 -servername www.tumblr.com
|
|
|
}}}
|
|
|
```
|
|
|
|
|
|
|
|
|
== obfs4 blocking == #a20348-obfs4
|
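Review bot: the in-page reference `[[#a20348-http|HTTP]]` in the "HTTPS blocking is bidirectional" paragraph is left as a Trac link, and the headings in this hunk (`== HTTPS blocking == #a20348-https`, `== obfs4 blocking == #a20348-obfs4`) keep the Trac explicit-id form. After conversion the cross-reference should be a Markdown fragment link, and it needs a target that actually exists, so the headings with explicit ids have to be converted together with the links that point at them.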
... | ... | @@ -280,11 +279,11 @@ Here is a summary of early observations (not all necessarily correct) that took |
|
|
|
|
|
We eventually got a semi-stable measurement site inside Kazakhstan, and it helped to resolve some of the above confusion. Between December 2016 and May 2017, we ran hourly obfs4 connection attempts to various bridges, from Kazakhstan and from the United States. This graph shows the results. The vertical position of each dot shows how far Tor got in its bootstrapping (10% = no connectivity, 100% = complete connectivity). When the red and blue dots are in the same place, Kazakhstan was not more censored than the U.S. When the blue dot is lower than the red dot, Kazakhstan was more censored. There are three gaps in the Kazakhstan data where there are no measurements: Dec 28 to January 12, April 8 to April 26, and after May 2 ([[comment:193:ticket:20348|source]]). Visible is a point around 2017-01-26 when Lisbeth and NX01 started being blocked (perhaps they were added to a blacklist on that date).
|
|
|
|
|
|
[[Image(ticket:20348:kz-data-20170605.png)]]
|
|
|
![ticket:20348:kz-data-20170605.png](ticket:20348:kz-data-20170605.png)
|
|
|
|
|
|
The next table shows the average maximum bootstrap percentage reached during the times when ''both'' the US and KZ sites were taking measurements (i.e., excluding the gaps mentioned above). What we see from this is that most measured bridges are not in fact blocked. The only bridges where the KZ rate is lower than the US rate are ndnop3, ndnop5, GreenBelt, Lisbeth, and NX01. Bridges that were added more recently, or were never used, are not more blocked in KZ.
|
|
|
The next table shows the average maximum bootstrap percentage reached during the times when _both_ the US and KZ sites were taking measurements (i.e., excluding the gaps mentioned above). What we see from this is that most measured bridges are not in fact blocked. The only bridges where the KZ rate is lower than the US rate are ndnop3, ndnop5, GreenBelt, Lisbeth, and NX01. Bridges that were added more recently, or were never used, are not more blocked in KZ.
|
|
|
|
|
|
{{{#!html
|
|
|
```
|
|
|
<table class="wiki">
|
|
|
<tr><th>bridge</th><th>US average bootstrap %</th><th>KZ average bootstrap %</th></tr>
|
|
|
<tr><td>ndnop3</td><td align=right style="background: #EBCAC9">63.33%</td><td align=right style="background: #DD918A">20.68%</td></tr>
|
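Review bot: the new image line `![ticket:20348:kz-data-20170605.png](ticket:20348:kz-data-20170605.png)` copies the Trac attachment reference into the URL position, where `ticket:20348:...` is not a path or a usable URL. Point it at the stored location of kz-data-20170605.png and give it alt text describing the bootstrap graph. The table below has the same problem as the earlier packet capture: `{{{#!html` becomes a plain fence, so `<table class="wiki">` and its rows will be printed as source instead of rendered. Convert it to a Markdown table, or leave the HTML unfenced if the cell background colours matter.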
... | ... | @@ -311,23 +310,23 @@ The next table shows the average maximum bootstrap percentage reached during the |
|
|
<tr><td>unused-iat1</td><td align=right style="background: #F7FAFE">99.61%</td><td align=right style="background: #F6F9FD">98.31%</td></tr>
|
|
|
<tr><td>unused-iat2</td><td align=right style="background: #E6B4B1">47.37%</td><td align=right style="background: #E6B5B2">47.92%</td></tr>
|
|
|
</table>
|
|
|
}}}
|
|
|
```
|
|
|
|
|
|
|
|
|
== meek blocking == #a20348-meek
|
|
|
|
|
|
Blocking of [[/doc/meek|meek]] seems to be based on a combination of [https://www.bamsoftware.com/papers/fronting/#sec:browserextension TLS fingerprint] and SNI, similarly to what has been documented in the past for [https://groups.google.com/d/msg/traffic-obf/BpFSCVgi5rs/nCqNwoeRKQAJ Cyberoam] and [https://groups.google.com/d/msg/traffic-obf/fwAN-WWz2Bk/Kr8FYq6qBgAJ FortiGuard] firewalls. [[/doc/meek#Howtochangethefrontdomain|Changing the front domain]] is sufficient to evade the block, but [[comment:142:ticket:20348|changing Firefox's TLS signature for Go's]] doesn't work by itself.
|
|
|
Blocking of [[/doc/meek|meek]] seems to be based on a combination of [TLS fingerprint](https://www.bamsoftware.com/papers/fronting/#sec:browserextension) and SNI, similarly to what has been documented in the past for [Cyberoam](https://groups.google.com/d/msg/traffic-obf/BpFSCVgi5rs/nCqNwoeRKQAJ) and [FortiGuard](https://groups.google.com/d/msg/traffic-obf/fwAN-WWz2Bk/Kr8FYq6qBgAJ) firewalls. [[/doc/meek#Howtochangethefrontdomain|Changing the front domain]] is sufficient to evade the block, but [[comment:142:ticket:20348|changing Firefox's TLS signature for Go's]] doesn't work by itself.
|
|
|
|
|
|
|
|
|
== Identifying hardware vendors == #a20348-vendors
|
|
|
|
|
|
Initially we suspected that firewall hardware was supplied by [https://www.cyberoam.com/ Sophos Cyberoam] (this accounts for the many references to Cyberoam in the comments at #20348). The only reason for this suspicion was that Cyberoam was one of the firewalls that had been reported to block obfs4 connections (the other was iBoss):
|
|
|
Initially we suspected that firewall hardware was supplied by [Sophos Cyberoam](https://www.cyberoam.com/) (this accounts for the many references to Cyberoam in the comments at #20348). The only reason for this suspicion was that Cyberoam was one of the firewalls that had been reported to block obfs4 connections (the other was iBoss):
|
|
|
* https://lists.torproject.org/pipermail/tor-talk/2016-May/040898.html
|
|
|
* https://lists.torproject.org/pipermail/tor-talk/2016-November/042586.html
|
|
|
|
|
|
Later, we found signs that a vendor may instead be [https://www.allot.com/ Allot Communications]. Observations supporting this are:
|
|
|
1. The Kazakh firewall's former [[#a20348-http|HTTP fingerprint]] was found to be shared by a Russian ISP, 2090000.ru. A [https://archive.is/QegJr forum post] said that in April 2014, 2090000.ru's block pages referred to Allot Communications ([[comment:175:ticket:20348|source]]).
|
|
|
2. Allot specifically advertises support (in their [https://www.allot.com/technology/dart-dpi/ "DART"] DPI tech) for blocking specific circumvention and anonymity tools, including Tor, Psiphon, meek, obfs4, and various VPNs ([[comment:184:ticket:20348|source]], [[attachment:allot-804579667973963776.jpg:ticket:20348|screenshot]], [https://groups.google.com/d/msg/traffic-obf/yzxlLpFyXLI/VhuxOZIvAQAJ more discussion]). Allot's firewall hardware [https://www.allot.com/products/security/contentprotector/#1461058884787-818bdce6-ef54 also does URL blocking] ([https://archive.is/0dP87 archive]).
|
|
|
Later, we found signs that a vendor may instead be [Allot Communications](https://www.allot.com/). Observations supporting this are:
|
|
|
1. The Kazakh firewall's former [[#a20348-http|HTTP fingerprint]] was found to be shared by a Russian ISP, 2090000.ru. A [forum post](https://archive.is/QegJr) said that in April 2014, 2090000.ru's block pages referred to Allot Communications ([[comment:175:ticket:20348|source]]).
|
|
|
2. Allot specifically advertises support (in their ["DART"](https://www.allot.com/technology/dart-dpi/) DPI tech) for blocking specific circumvention and anonymity tools, including Tor, Psiphon, meek, obfs4, and various VPNs ([[comment:184:ticket:20348|source]], [allot-804579667973963776.jpg:ticket:20348|screenshot](None/allot-804579667973963776.jpg:ticket:20348|screenshot), [more discussion](https://groups.google.com/d/msg/traffic-obf/yzxlLpFyXLI/VhuxOZIvAQAJ)). Allot's firewall hardware [also does URL blocking](https://www.allot.com/products/security/contentprotector/#1461058884787-818bdce6-ef54) ([archive](https://archive.is/0dP87)).
|
|
|
https://www.allot.com/products/platforms/supported-protocols/#1460974307058-a61550f0-8196 ([https://archive.is/AuA8b archive])
|
|
|
> ==== June 13, 2016 ====
|
|
|
> In Allot’s latest DART Protocol Pack, we refined our signature for the Tor obfs4 safe transport, to assure accruate identification of this kind of traffic on your network:
|
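Review bot: item 2 of the Allot list now contains `[allot-804579667973963776.jpg:ticket:20348|screenshot](None/allot-804579667973963776.jpg:ticket:20348|screenshot)`, an unresolved attachment with a `None/` target and the Trac label syntax left inside the link text. Replace it with a link whose text is "screenshot" and whose target is the attachment's real location. The rewritten meek paragraph also still carries `[[/doc/meek|meek]]`, `[[/doc/meek#Howtochangethefrontdomain|Changing the front domain]]` and `[[comment:142:ticket:20348|...]]`, and the unchanged line after the list keeps `([https://archive.is/AuA8b archive])`; all of these need converting for the section to read correctly.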
... | ... | @@ -344,7 +343,7 @@ Later, we found signs that a vendor may instead be [https://www.allot.com/ Allot |
|
|
> Allot’s latest DART Protocol Pack helps you identify traffic from users of the Psiphon circumvention system, which has becoming a popular way to bypass content-filtering systems in order to access sites that have been blocked due to geographical or regulatory restrictions.
|
|
|
> * Psiphon Proxy Server
|
|
|
> * Psiphon CDN (Meek mode)
|
|
|
3. Customs import applications on the site of the [http://en.nca.kz/ National Center of Accreditation] dated 2014-11-07 have "АО 'Казахтелеком'" ([https://en.wikipedia.org/wiki/Kazakhtelecom JSC Kazakhtelecom]) importing equipment from "Allot Communications LTD" in Israel, 7 SG-Tera 14 devices and 1 SG-Sigma E6 device.
|
|
|
3. Customs import applications on the site of the [National Center of Accreditation](http://en.nca.kz/) dated 2014-11-07 have "АО 'Казахтелеком'" ([JSC Kazakhtelecom](https://en.wikipedia.org/wiki/Kazakhtelecom)) importing equipment from "Allot Communications LTD" in Israel, 7 SG-Tera 14 devices and 1 SG-Sigma E6 device.
|
|
|
* [http://www.rep.nca.kz/index.php?mode=r3&SERT=4%D2%D1.KZ.1900193.21.01.02407 4ТС.KZ.1900193.21.01.02407] (https://archive.is/UXbwA): 1 × [https://www.allot.com/products/platforms/service-gateway/#1461143657367-91864faf-6cb8 SG-Sigma E6]
|
|
|
* [http://www.rep.nca.kz/index.php?mode=r3&SERT=4%D2%D1.KZ.1900193.21.01.02408 4ТС.KZ.1900193.21.01.02408] (https://archive.is/1vSE6): 3 × [https://www.allot.com/products/platforms/service-gateway/#1461143538377-8005dcec-ef24 SG-Tera 14]
|
|
|
* [http://www.rep.nca.kz/index.php?mode=r3&SERT=4%D2%D1.KZ.1900193.21.01.02409 4ТС.KZ.1900193.21.01.02409] (https://archive.is/UdfAf): 2 × [https://www.allot.com/products/platforms/service-gateway/#1461143538377-8005dcec-ef24 SG-Tera 14]:
|
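Review bot: item 3 is converted, but the three certificate bullets beneath it are unchanged and still use Trac external links of the form `[http://www.rep.nca.kz/index.php?mode=r3&SERT=... 4ТС.KZ.1900193.21.01.02407]` and `[https://www.allot.com/... SG-Sigma E6]`. In Markdown these will show the raw URL and label inside square brackets. Convert them to `[label](url)` so the evidence for the import records stays clickable; the archive.is URLs in parentheses can remain bare.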
... | ... | @@ -355,15 +354,15 @@ More information about Allot can be found in comment:184:ticket:20348 and its fo |
|
|
|
|
|
|
|
|
----
|
|
|
= 2015 =
|
|
|
# 2015
|
|
|
|
|
|
In March 2015 blocking is observable again, the stock tor browser bundle cannot connect.
|
|
|
|
|
|
dcf: Do you know when in March 2015 it started happening? It doesn't seem to have affected the user graph yet:
|
|
|
[[Image(https://metrics.torproject.org/userstats-relay-country.png?start=2014-10-01&events=off&end=2015-05-31&country=kz)]]
|
|
|
![https://metrics.torproject.org/userstats-relay-country.png?start=2014-10-01&events=off&end=2015-05-31&country=kz](https://metrics.torproject.org/userstats-relay-country.png?start=2014-10-01&events=off&end=2015-05-31&country=kz)
|
|
|
|
|
|
In April 2015 blocking is observable again, some user reporting about problems while another still using it. User graph confirms report.
|
|
|
[[Image(https://metrics.torproject.org/userstats-relay-country.png?start=2015-03-01&end=2015-04-21&country=kz&events=on)]]
|
|
|
![https://metrics.torproject.org/userstats-relay-country.png?start=2015-03-01&end=2015-04-21&country=kz&events=on](https://metrics.torproject.org/userstats-relay-country.png?start=2015-03-01&end=2015-04-21&country=kz&events=on)
|
|
|
|
|
|
Graze on, graze on, submissive nation! \\
|
|
|
You will not wake to honor's call.\\
|
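Review bot: the verse lines at the end of this hunk keep the Trac line-break marker, as in `Graze on, graze on, submissive nation! \\` and `You will not wake to honor's call.\\`. In Markdown the trailing `\\` is not a line break and will be printed as a backslash. Use the renderer's hard line break or set the verse as a blockquote. The two converted graph images also use the full metrics.torproject.org URL as alt text; a short description of the date range would read better.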
... | ... | @@ -376,15 +375,15 @@ The yoke with jingles, and the gall. |
|
|
----
|
|
|
= 2012–2013 (#6140) = #Kazakhstan6140
|
|
|
|
|
|
== First witnessed ==
|
|
|
Tor blocking started between [https://metrics.torproject.org/users.html?graph=direct-users&start=2011-10-01&end=2012-05-01&country=kz&dpi=72#direct-users February and March 2012] and is mentioned in a [https://blog.torproject.org/blog/kazakhstan-upgrades-censorship-deep-packet-inspection blog post]. Another [https://blog.torproject.org/blog/updates-kazakhstan-internet-censorship blog post] was published two weeks afterwards.
|
|
|
== Last witnessed ==
|
|
|
## First witnessed
|
|
|
Tor blocking started between [February and March 2012](https://metrics.torproject.org/users.html?graph=direct-users&start=2011-10-01&end=2012-05-01&country=kz&dpi=72#direct-users) and is mentioned in a [blog post](https://blog.torproject.org/blog/kazakhstan-upgrades-censorship-deep-packet-inspection). Another [blog post](https://blog.torproject.org/blog/updates-kazakhstan-internet-censorship) was published two weeks afterwards.
|
|
|
## Last witnessed
|
|
|
Sometimes around the summer of 2013 the blocking has been disabled (and an old tor bundle started to work that didn't work before).
|
|
|
|
|
|
== Types of Tor censorship ==
|
|
|
* '''Deep packet inspection''': #6140
|
|
|
* '''Fingerprint''': The TLS client cipher-list in the ClientHello record, parts of the Tor TLS server hello record, and probably more fingerprints in other nearby TLS records.
|
|
|
== Types of non-Tor censorship ==
|
|
|
## Types of Tor censorship
|
|
|
* **Deep packet inspection**: #6140
|
|
|
* **Fingerprint**: The TLS client cipher-list in the ClientHello record, parts of the Tor TLS server hello record, and probably more fingerprints in other nearby TLS records.
|
|
|
## Types of non-Tor censorship
|
|
|
* Blocked and/or hijacked sites:
|
|
|
* [http://livejournal.com]
|
|
|
* [http://wordpress.com] (Main page works, but the blogs don't. All addresses of lb.wordpress.com are blocked.)
|
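Review bot: the section heading `= 2012–2013 (#6140) = #Kazakhstan6140` is left in Trac form while its subsections become `## First witnessed`, `## Last witnessed` and so on, so the converted `##` headings end up under a line that will not render as their parent heading and the `Kazakhstan6140` id is lost. Convert it to `# 2012–2013 (#6140)` with an explicit id if the renderer allows one. Check also that `#6140` here and in `* **Deep packet inspection**: #6140` still points at the intended ticket, since it was a Trac ticket reference.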
... | ... | @@ -409,12 +408,12 @@ Sometimes around the summer of 2013 the blocking has been disabled (and an old t |
|
|
* [http://distance.msu.ru] (Moscow State University distance education)
|
|
|
* [http://solarcycle24.com] (site about solar activity)
|
|
|
* News and plans
|
|
|
* [http://tengrinews.kz/kazakhstan_news/siloviki-kazahstana-esche-ne-nauchilis-blokirovat-Facebook-i-Twitter-242813/ Rumblings about blocking social networks partially or fully (in russian)]
|
|
|
* [http://www.zakon.kz/4652460-v-kazakhstane-zakryt-dostup-k-54.html#comment-2679371 Another wave of blocking, including sexual content (in russian)]
|
|
|
== Ways to bypass censorship ==
|
|
|
* [Rumblings about blocking social networks partially or fully (in russian)](http://tengrinews.kz/kazakhstan_news/siloviki-kazahstana-esche-ne-nauchilis-blokirovat-Facebook-i-Twitter-242813/)
|
|
|
* [Another wave of blocking, including sexual content (in russian)](http://www.zakon.kz/4652460-v-kazakhstane-zakryt-dostup-k-54.html#comment-2679371)
|
|
|
## Ways to bypass censorship
|
|
|
* https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/198-restore-clienthello-semantics.txt
|
|
|
* [https://www.torproject.org/projects/obfsproxy.html.en Obfsproxy] evades the DPI.
|
|
|
== Type of firewall ==
|
|
|
* [Obfsproxy](https://www.torproject.org/projects/obfsproxy.html.en) evades the DPI.
|
|
|
## Type of firewall
|
|
|
* Unknown.
|
|
|
== Reproducing the blocking ==
|
|
|
* Binaries, patches etc can be found in [https://gitweb.torproject.org/censorship-timeline.git censorship-timeline.git] |
|
|
## Reproducing the blocking
|
|
|
* Binaries, patches etc can be found in [censorship-timeline.git](https://gitweb.torproject.org/censorship-timeline.git) |
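Review bot: the blocked-site bullets in the unchanged context, such as `[http://distance.msu.ru]` and `[http://solarcycle24.com]`, are Trac bracket links with no label. They are not Markdown links and will appear with literal square brackets. Since the "News and plans" links directly below are converted in this hunk, convert these too, either as bare URLs or as `<http://...>` autolinks.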