block various sites like yandex.ru or yandex.ua, mail.ru, vk.com etc. claiming this is essentially censorship by ISP. We don't have many exits at the same ISP but checking with B62DE0BD62FBFFC3398014A73839C2E49A6D4CC0 shows the same problem.
ISPs in Ukraine are not the only ones doing this kind of censorship, we've seen similar issues in other countries, though.
This ticket is the parent ticket to the following tasks:
find a place where we keep track of that information
figure out means how to scan for this kind of censorship
think about how to handle those exit relays
Note: for a user things do not look differently if websites block Tor users. Thus, one could be inclined to conflate both problems. However, we should not do so as websites not wanting to have Tor users vs. ISPs interfering with Tor connections are different problems requiring very likely different solutions.
Another thing that would be interesting to think about: could we design something to route around this kind of censorship in an automated fashion while not compromising any of Tor's anonymity/safety guarantees?
Like it was said above: from a user's point of view there is no difference in websites blocking Tor or ISPs censoring requests: they just want to get that content. And while there might be reasons to pause with respect to websites it seems ISPs censoring requests falls into the same category as ISPs censoring access to Tor: we should think about ways routing around those.
So, some circuit-building which takes censorship into account seems worth to explore I guess. :) (famous last words, I know)
Here is another relay I stumbled upon: C1482971FE5B8F82A342BEA9CDA61F644474F0A3 which is located at AS29049 supposedly being in Azerbaijan. I can't reach our own website while using that exit, yet other websites I checked (e.g. twitter.com) are fine.
We recently saw blender.io getting censored, likely by AS12389 as we saw issues when trying to reach that website via A6BBD12D033949DC97CBA67178DC48D142A2E630 which was running on that AS at that time.
#153 (closed) has some good examples of some Russian ASes blocking torproject.org and protonmail.com temporarily at least.
I've been thinking a bit about this. Depending on how the censorship is implemented we might actually be able to do something. Taking the two Aramis relays in #153 (closed) blocking protonmail.com it seems requesting https://185.70.42.12 is fine (module the TLS cert warning) and we can reach Protonmail that way. Thus, I assume the censoring is implemented via the ISPs DNS resolver. One way to work around such a censor might be to ask exit operators to not use the ISPs resolver. I'll try that out with torix's two relays.
#153 (closed) has some good examples of some Russian ASes blocking torproject.org and protonmail.com temporarily at least.
I've been thinking a bit about this. Depending on how the censorship is implemented we might actually be able to do something. Taking the two Aramis relays in #153 (closed) blocking protonmail.com it seems requesting https://185.70.42.12 is fine (module the TLS cert warning) and we can reach Protonmail that way. Thus, I assume the censoring is implemented via the ISPs DNS resolver. One way to work around such a censor might be to ask exit operators to not use the ISPs resolver. I'll try that out with torix's two relays.
What we know so far is that just using Unbound does not resolve the problem. Additionally, making sure external services like Google's/Cloudflare's DNS resolvers are used does not help either. It remains to be seen whether DNS over TLS would help to bypass the censorship, though.
We got another report today that it was not possible to request gate.io via 81FAC66C91F57955FE6376FABA21849AC608FF17. It seems to be hosted in .it (at AS24806) and trying to access gate.io is triggering a forbidden page allegedly coming from Italian authorities.
We got another report today that it was not possible to request gate.io via 81FAC66C91F57955FE6376FABA21849AC608FF17. It seems to be hosted in .it (at AS24806) and trying to access gate.io is triggering a forbidden page allegedly coming from Italian authorities.
One lands at 85.18.219.195 and then gets a
HTTP/1.1 301 Moved PermanentlyConnection: closeLocation: https://warning1.consob.it
The response body has a pile of html goo but it ends with
<h1>AVVISO</h1><p>L’accesso al presente sito è stato disabilitato in esecuzione alle disposizioni della CONSOB che impongono la inibizione dei nomi a dominio relativi ai siti web tramite cui vengono offerti servizi finanziari senza la dovuta autorizzazione.</p><p>Per maggiori informazioni visiti il sito <a href="https://www.consob.it/web/area-pubblica/oscuramenti">www.consob.it/web/area-pubblica/oscuramenti</a></p>
So it looks like this relay's ISP in Italy is enforcing censorship on the website because financial arguments.
I currently don't think that it is bad enough to warrant marking the relay as a bad exit.
It seems like multiple ISPs are doing the block. If you notice some inconsistencies it's likely due to the user having chosen a custom DNS resolver, as opposed to using the official provider one (in Italy censorship is mostly implemented by having the DNS resolver of the ISP lie).
Question: Should we keep the priority high or do you have enough data now to have an informed opinion about what's going on?
That's intercepting HTTP requests to http://bitfinex.com and http://okx.com as well. Those three sites just do not load. They seem to get redirected to some IN IP addresses (49.44.18.34 and 14.141.123.218) that block them...