[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Iran is doing ip-and-port filtering of SSL
- To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Iran is doing ip-and-port filtering of SSL
- From: Derek <derek@xxxxxxxxxxx>
- Date: Sun, 12 Feb 2012 19:43:16 +1030
maybe it's time to get the old school substitution code books out.
http://www.forbes.com/sites/andygreenberg/2012/02/10/as-iran-cracks-down-online-tor-tests-undetectable-encrypted-connections/
Thanks
Derek
On 12/02/2012, at 4:23, Sai <sai@xxxxxxxxxx> wrote:
> See my post @
> https://plus.google.com/u/0/103112149634414554669/posts/PT3eEF4u415
> to stay updated. Copying over update:
>
> -
>
> Further testing done. Conclusions:
>
> 1. IP-and-port filtering for some IPs
> 2. SSL protocol filtering on standard ports for targeted IPs / sites
> 3. No request header filtering
> 4. Some IPs / sites NOT SSL protocol or port filtered!
> 5. All Tor filtered, even unpublished proxies
>
> I'm not going to openly publish what went through to prevent it
> getting blacklisted and useless for testing, but it was a full normal
> https://something:443 connection, green lock w/ verified serial # and
> all.
>
> The government proxy is http://bgp.he.net/AS12880
> Still to test, will update post:
> * obfs2 tor
> * ssh on standard & nonstandard ports
> * nonstandard ssl ports
>
> More info:
> https://blog.torproject.org/blog/iran-partially-blocks-encrypted-network-traffic
> (based in part on my info)
> http://news.ycombinator.com/item?id=3575029
>
> On Wed, Feb 8, 2012 at 19:54, Sai <sai@xxxxxxxxxx> wrote:
>> I have pretty definitive proof that Iran is doing ip-and-port based
>> filtering of SSL.
>>
>> Filtering is being done by 217.218.154.250 after a hop through
>> 217.219.96.120 / 217.219.96.132. This hop is after my source's ISP,
>> and all three IPs are owned by ITC, Iran's central telco.
>>
>> Filtering targets all google.com IPs, some but not all torproject.org
>> IPs, probably more. Haven't attempted a broad scan. It's a simple
>> connection drop; filtered connections just time out.
>>
>> It is not based on SSL handshake signature; testing SSL on nonstandard
>> ports worked successfully, and testing non-SSL on :443 of target IPs
>> was blocked.
>>
>> I'm not sharing screencaps in order to protect my source, but tests
>> included TCP traceroutes on different IP/port combinations and some
>> simple use of curl.
>>
>> Cheers,
>> Sai
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/