Sunday, June 28, 2009


Arbor Networks has a great post with data on Iranian Internet censorship. As well as the deliberate transit shortage, they seem to be targeting specific protocols, notably SSH, the secure shell protocol one uses to administer servers and also quite often to provide a VPN tunnel. This isn't surprising, really, but it is depressing; practically any shell account and any machine, including my mobile phone, will let you set up an SSH tunnel, and it is strongly encrypted, so it's one of the most reliable and easiest ways to beat the censor.

Arbor's analysis suggests that the point is to limit traffic to levels that their existing censorship infrastructure can handle; interestingly, e-mail, and bogstandard Web traffic on port 80, seem unaffected, which suggests they already had the big squid proxy etc. in place. There is, of course, nothing to stop you configuring your server to do SSH on port 80, but it might be a little obvious. An alternative would be to use something like OpenVPN, which uses the same HTTPS protocol and port that all the e-commerce and corporate e-mail things do.

Fascinatingly, levels of gaming application traffic are unaffected, and Arbor wonder if it would be possible to use this for clandestine communications. (Perhaps the government wants people playing computer games?) This is, of course, a major plot point from Charlie Stross's Halting State, although the exploit is rather more sophisticated there - rather than just meeting up for a chat in-game, they are mapping their data to the game's commands and reversing the process at the other end.

Depressingly, according to Renesys, many of the open proxy servers that have been set up for the use of Iranian dissidents are being heavily abused by Chinese spammers. This is a hard problem; any tunnelling system intended to defeat the censor must be open to anyone, it's insanely risky to keep any logs of who accesses it, so it seems inevitable that the vermin will get in.

No comments:

kostenloser Counter