censorship-analysis issues
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues
2022-02-07T14:39:12Z

Something funky is going in Iran: numbers of relay users flies off to 1M+
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40027
2022-02-07T14:39:12Z
cypherpunks

![userstats-relay-country-ir-2019-04-01-2019-09-03-off.png,600px](uploads/userstats-relay-country-ir-2019-04-01-2019-09-03-off.png,600px) [link](https://metrics.torproject.org/userstats-relay-country.html?start=2019-04-01&end=2019-09-03&country=ir)
![userstats-bridge-country-ir-2019-04-01-2019-09-03.png,600px](uploads/userstats-bridge-country-ir-2019-04-01-2019-09-03.png,600px) [link](https://metrics.torproject.org/userstats-bridge-country.html?start=2019-04-01&end=2019-09-03&country=ir)
![userstats-bridge-combined-ir-2019-04-01-2019-09-03.png,600px](uploads/userstats-bridge-combined-ir-2019-04-01-2019-09-03.png,600px) [link](https://metrics.torproject.org/userstats-bridge-combined.html?start=2019-04-01&end=2019-09-03&country=ir)

Understand where gettor distribution providers are blocked
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40023
2022-11-27T22:36:00Z
Cecylia Bocovich

We should get a better understanding of where our different gettor providers are blocked. Right now we use four different providers:
- `gitlab.com`
- `github.com`
- `archive.org`
- `docs.google.com`
However, some of these domains resolve to a different URL in the process of downloading the file. For example, binaries uploaded to github used to be retrieved from `raw.githubusercontent.com` and now it redirects to `github-production-release-asset-2e65be.s3.amazonaws.com`.
Perhaps we can use OONI data to stay on track of when gettor becomes unavailable due to blocking these URLs?

Use emma to learn where our bridge distribution mechanisms (don't) work
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/34153
2021-06-17T14:50:57Z
Philipp Winter <phw@torproject.org>

We have [BridgeDB usage metrics](https://collector.torproject.org/archive/bridgedb-metrics/) that allow us to infer where our HTTPS frontend works and probably doesn't work. This is not as easy for email and for moat because we currently don't see the source address of a client (see legacy/trac#32276).
Emma however can tell us if a user can use each of BridgeDB's distribution mechanisms:
1. It checks if the page behind https://bridges.torproject.org contains the string "The Tor Project" (for the HTTPS distributor).
2. It checks if the page behind https://ajax.aspnetcdn.com contains the string "Microsoft Ajax Content Delivery Network" (for the moat distributor).
3. It checks if the page behind https://accounts.google.com/ServiceLogin contains the string "Sign in" (for the email distributor).
4. It checks if the page behind https://mail.riseup.net/rc/ contains the string "Welcome to mail.riseup.net" (also for the email distributor).
What remains is to ask volunteers in different countries to run emma, so we can get a better idea of where our distribution mechanisms (don't) work.
Sponsor 30 - Objective 2.1
Gus

Analyse the "Carbon Reductor DPI X" DPI system
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/32095
2021-07-09T14:14:25Z
Philipp Winter <phw@torproject.org>

See https://github.com/net4people/bbs/issues/15
Let's take a look at the DPI system and see what we can learn from it. Hopefully, it will help us refine our threat models.

Obfs4 stopped working 16 Sept 18
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/27723
2020-06-27T13:43:39Z
Trac

I was using obfs4 on 15 Sept 18, but shortly after midnight, it stopped working, and I'm using azure. I assume that's the only thing that works when obfs4 fails.
**Trac**:
**Username**: mwolfe
David Fifield <dcf@torproject.org>

Tor blocked in UAE
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/25137
2020-06-27T13:43:40Z
Trac

On 1 Jan, I was unable to connect to a site I often use with Tor. It got 75% loaded and stopped. After 2 hours, I figured out the UAE had started blocking Tor, and switched to obfs4. This worked until today at midnight. So I switched to meek, which worked. I connected to one yahoo mail account, finished, closed Tor before switching to my other yahoo mail account (I don't want yahoo to know they're both me). Tor only loaded 25%. It downloaded the network consensus, but could not load the network consensus. I closed Tor and tried meek-Amazon and meek-azure, but always, Tor could not load the network consensus. So I switched to Openvpn, and was able to use Tor in normal mode, without a bridge. (Of course, I had to reset my computer clock to match the VPN address). Does anyone know how the UAE is blocking Tor so that it cannot load the network status, and what I can do about it (in case they figure out how to block Openvpn).
**Trac**:
**Username**: mwolfe
David Fifield <dcf@torproject.org>

Turkey blocking of direct connections, 2016-12-12
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/21014
2022-12-13T20:22:52Z
Nima Fatemi

Turkey Blocks article: https://turkeyblocks.org/2016/12/18/tor-blocked-in-turkey-vpn-ban/
After getting some reports on twitter about Tor being blocked in Turkey and some chat on IRC, <bypassemall> aka <trdpi> aka <kzdpi> ran some tests and found some interesting information about how Turkey is blocking vanilla Tor connections. I paste their findings here:
```
16:48 < trdpi> 10 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE
16:48 < trdpi> after less than 10 seconds
...
16:55 < trdpi> this isp injects rst it seems
16:56 < trdpi> to both side, as i got 2 rst one legit and 2 not
16:57 < mrphs> oh apparently today is an special day in turkey
...
17:00 < trdpi> telneting to or port, no rsts. it triggered by something more than ip:port connection
17:01 < trdpi> yay, window trick for split req works for tr
17:02 < trdpi> magic tool allows to bypass vanilla tor censorship
17:04 < trdpi> so it's about ciphersuits or something
17:07 < trdpi> it's like kz, but obfs4 works
17:07 < trdpi> and kz do not rsts
17:07 < trdpi> it controlls connection
17:07 < trdpi> and tr like do not controlls and to inject fraud only
```

Unexplained drop in meek users, 2016-10-19 to 2016-11-10
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/20495
2020-06-27T13:43:41Z
David Fifield <dcf@torproject.org>

There was a drop in bridge users on October 19 or 20, 2016:
![userstats-bridge-country-cn-2016-07-30-2016-10-28.png](uploads/userstats-bridge-country-cn-2016-07-30-2016-10-28.png) [link](https://metrics.torproject.org/userstats-bridge-country.html?start=2016-07-30&end=2016-10-28&country=cn)
The by-transport graph shows that almost all meek users disappeared:
![userstats-bridge-combined-cn-2016-07-30-2016-10-28.png](uploads/userstats-bridge-combined-cn-2016-07-30-2016-10-28.png) [link](https://metrics.torproject.org/userstats-bridge-combined.html?start=2016-07-30&end=2016-10-28&country=cn)

Google's reCAPTCHA Tor Censorship !?
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/16772
2020-06-27T13:43:42Z
cypherpunks

This week, every time I've encountered a reCAPTCHA from Google, I was completely unable to solve the CAPTCHAs, see attached image with my CAPTCHA solutions.
Also, since last week, I encountered Google displaying no CAPTCHA image, but an error, that Google wants to protect its users from automated requests or something like that.
Sorry, if there are some errors in my CAPTCHA solutions.

Tor hacked when starting up in Aspen, CO, 19AUG2013
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/9549
2020-06-27T13:43:42Z
Trac

This is the first ticket... just wanted to let you guys know I'm, apparently, a COINTELPRO target and have been for a couple of years since I began activating after the oil spill crisis in Louisiana.
I just downloaded Tor last May, and it worked without a hitch.
After yesterday's hack-a-thon (as versus a hacktivist-a-thon), I had to reload Tor via Google Chrome a few minutes ago (yuk) since the Tor application files were erased from my hard drive. (This has happened often with Google over the last couple of years...)
Now am having FireFox proxy issues, FYI, and had to use Chrome to send this message... I thought I should let you know what's happened in case security has been breached... if that's possible.
Hope this message isn't a waste of your time.
Best regards,
Elizabeth
aerguyton.wordpress.com
**Trac**:
**Username**: Elizabeth

GFW actively probes obfs2 bridges
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/8591
2020-06-27T13:43:42Z
Philipp Winter <phw@torproject.org>

It looks like the GFW is now actively probing obfs2. After hearing rumours yesterday, I wasn't able to reproduce this. Today, however, I got my private obfs2 bridge probed just milliseconds after my own connection from China. I got hit by two random Chinese addresses as we already know it from the Tor probing. After the probing, my obfs2 connection timed out and the SYN/ACK segments from the bridge were dropped when trying to establish a new connection. I could reproduce all of this several times.
I haven't tested obfs3 yet and I suppose we can skip the old looking-for-the-fingerprint game. Depending on what protocols they are trying to detect, they might have to probe several times since it's not clear what's behind all that entropy. It might be obfs2, obfs3 or VPN PSK and perhaps even more protocols.
Philipp Winter <phw@torproject.org>

How is Iran blocking Tor?
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/7141
2020-06-27T13:43:43Z
Philipp Winter <phw@torproject.org>

Note that currently it looks like there might be more than just one filtering technique in place. The following was the initial report describing one possible filtering technique and [this comment](https://trac.torproject.org/projects/tor/ticket/7141#comment:8) describes another technique.
----
Some users reported that the Iranian ISP "[Pars Online](https://en.wikipedia.org/wiki/Pars_Online)" is (partially?) blocking Tor.
One user looked into it and believes that Tor is identified based on the server_name extension in the TLS client hello. It looks like DPI boxes extract the domain and do a DNS lookup for it. If the domain resolves and the relay/bridge is listening on port 443, the connection passes. Apparently, an omitted server_name or a server_name rewritten to `www.google.com` passed the filter.
Obfsproxy seems to work.
Some open questions:
* Can we reproduce and verify the existing hypothesis?
* Is this an attempt to only allow HTTPS and no other SSL/TLS-based protocols? Or is it targeting only Tor?
* Can we modify [brdgrd](https://gitweb.torproject.org/brdgrd.git) to evade the server_name extraction?
* Is this type of block limited to Pars Online?

Philipp Winter <phw@torproject.org>

Someone's blocking Tor in Mexico?
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6651
2020-06-27T13:43:43Z
Runa Sandvik

One user in Mexico reported that he is unable to connect to Tor, even with a private bridge. We have enough data to analyze the situation.
Runa Sandvik

The Philippines are blocking Tor?
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6258
2020-06-27T13:43:43Z
Philipp Winter <phw@torproject.org>

A user mentioned in the [ethiopian blog post](https://blog.torproject.org/blog/update-censorship-ethiopia):
_two of the biggest ISP's here in the philippines blocked tor recently!_
The [statistic for directly connecting users](https://metrics.torproject.org/users.html?graph=direct-users&start=2012-03-31&end=2012-06-29&country=ph&dpi=72#direct-users) indeed shows a sudden drop in usage in the beginning of May. The [bridge usage statistic](https://metrics.torproject.org/users.html?graph=bridge-users&start=2012-03-31&end=2012-06-29&country=ph&dpi=72#bridge-users) shows a suspicious usage drop in the middle of June.
We should analyze the situation.

UAE uses DPI to block Tor
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6246
2020-06-27T13:43:43Z
Runa Sandvik

The Emirates Telecommunications Corporation, also known as Etisalat, started blocking Tor using DPI on June 25 2012. It seems they are doing something similar to Ethiopia (legacy/trac#6045) and Kazakhstan (legacy/trac#6140), but we should figure out how these cases are different.
We know that:
* The three bridges in https://blog.torproject.org/blog/update-censorship-ethiopia are working. These are bridges with a patch that removes 0x0039 from SERVER_CIPHER_LIST.

Kazakhstan uses DPI to block Tor
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6140
2020-06-27T13:43:43Z
Runa Sandvik

Two blog posts published in the beginning of March talk about Kazakhstan using DPI to block Tor. The posts say that Kazakhstan is identifying and blocking the SSL client key exchange during the setup of an SSL connection. It seems the Kazakhstan firewall finds something unique in the TLS "Server Hello" message as sent by the Tor relay or bridge and therefore blocks subsequent communications. IP address and TCP port are irrelevant to the censorship.
From legacy/trac#6045 (where we discuss Ethiopia blocking Tor based on ServerHello), we know that:
* The normal Tor Browser Bundle with a special bridge works; the bridge with the patch that causes the final hello done TLS record to be sent in a separate packet.
* The three bridges in https://blog.torproject.org/blog/update-censorship-ethiopia are also working in Kazakhstan. These are bridges with a patch that removes 0x0039 from SERVER_CIPHER_LIST.

Ethiopia blocks Tor based on ServerHello
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6045
2020-06-27T13:43:43Z
George Kadianakis

Ethiopia is blocking Tor by DPIing the ServerHello TLS record. We
found out that changing the ciphersuite selected (from the default
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA (0x0039)) bypasses the censorship.
This is a ticket to see how we can handle this issue. We should also
be thinking about how legacy/trac#4744 and proposal 198 influence this.
The patch we used during tests removes 0x0039 from `SERVER_CIPHER_LIST`:
https://gitorious.org/mytor/mytor/commit/087de5215cada3320c8494fdc97b87746b45e1cb
A good short-term plan would be to set-up a few patched bridges,
update the blog post, and distribute the patched bridges to anyone who
asks for them.

in iran both obsfproxy and vidalia relays are too slow
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/5158
2020-06-27T13:43:44Z
Trac

seems iran's government is blocking tor network mostly faster relays. please do something about it.
**Trac**:
**Username**: pptp9