Runa Sandvik, The Tor Project, London: Online Anonymity: Before and After the Spring
Online Anonymity: Before and After the Arab Spring
A talk by Runa A. Sandvik, [email protected], on August 14, 2012, at the first Network of Excellence Internet Science Summer School
I am
• From Oslo, Norway, based in London, UK
• A developer, researcher, project coordinator, community manager, support assistant, and translation coordinator
• Worked for and with the Tor Project since Google Summer of Code in 2009
This is
• A talk about what Tor is, how it works, the increase in users over the past two years, blocking events, and work in progress
• Will look at blocking events from 2006 to 2009 and compare these with the events we have seen since the beginning of 2011
Before the Arab Spring
“Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.”
How Tor works
Tor is open source
• The code was released in 2002
• The design paper published in 2004
• Tor was (and still is) an anonymity tool, but no one had thought about circumvention/anti-censorship
The arms race begins
• Thailand (2006): DNS filtering of our website
• Smartfilter/Websense (2006): Tor used HTTP for fetching directory info; they cut all HTTP GET requests for “/tor/...”
• Iran (2009): throttled SSL traffic, got Tor for free because it looked like Firefox+Apache
• Tunisia (2009): blocked all but port 80+443
• China (2009): blocked all public relays and enumerated one of the bridge buckets
The Arab Spring
Use of social media
• In the months following the first protests in December 2010, videos, pictures, and stories from activists spread quickly via the Internet
• Use of social media helped activists organize protests and spread awareness; that changed when authorities started to censor more and more websites
Hacktivism
• Griffin Boyce at HOPE Number Nine: Information distribution in the Arab Spring
• Shortwave and pirate radio to communicate with other activists and the rest of the world
• A few ISPs around the world set up dial-up services for people in Egypt
• Speak To Tweet, Bluetooth local networks to share and spread videos, word of mouth
• Free proxies, VPN services, RetroShare, Tor
Between 2010 and 2012
• Tunisia: from 800 to 1,000
• Egypt: from 600 to 1,500
• Syria: from 600 to 15,000
• Iran: from 7,000 to 40,000
• All countries: from 200,000 to 500,000
Since then...
A quick reminder
• DNS filtering of our website
• Cut all HTTP GET requests for “/tor/...”
• Throttle SSL traffic
• Block all but port 80 and 443
• Block all public relays and bridges
The arms race continues
• DigiNotar and Comodo (2011): incorrectly issued certificates for our website to a malicious party
• China (2011): use of DPI, follow-up scanning to determine what the connection is and if it should be blocked
• Iran (2011): use of DPI on SSL in 2011, general SSL block in February 2012, “halal” Internet
• Kazakhstan, Ethiopia, UAE (2012): use of DPI
Public key pinning
• We pinned the certificate for our website in Google Chrome; the certificate chain must now include a whitelisted public key
• A self-signed certificate will display a warning and ask the user if she wants to continue; an incorrect certificate will fail hard
• Users with XP prior to SP3 will have some issues with SHA256 signed certificates, including the one for torproject.org
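A minimal model of the pin check described above, added here as an illustration (it is not Chrome's or the Tor Project's code). Certificates are reduced to a subject plus constructed stand-in key bytes; the pin encoding (base64 SHA-256 of the SubjectPublicKeyInfo), the host name and all other names are assumptions. It shows why a CA-valid but mis-issued chain is rejected while a renewed certificate under the pinned key still passes.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    # Pin format assumed here: base64(SHA-256(SubjectPublicKeyInfo DER)).
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def cert(subject: str, spki: bytes) -> dict:
    # Stand-in for a parsed certificate; only the fields the check needs.
    return {"subject": subject, "spki": spki}

def evaluate(chain, trusted_roots, pinned):
    """Return 'ok', 'warn' or 'fail-hard' for a chain ordered leaf -> root."""
    if chain[-1]["subject"] not in trusted_roots:
        return "warn"        # not anchored in the trust store (e.g. self-signed)
    if any(spki_pin(c["spki"]) in pinned for c in chain):
        return "ok"          # at least one key in the chain is whitelisted
    return "fail-hard"       # CA-valid chain, but no whitelisted key

# Constructed sample data: byte strings stand in for real SPKI DER.
TRUSTED_ROOTS = {"Root A", "Root B"}
PINNED = {spki_pin(b"spki-of-pinned-intermediate")}

LEGIT = [cert("site.example", b"spki-site-2011"),
         cert("Pinned Intermediate", b"spki-of-pinned-intermediate"),
         cert("Root A", b"spki-root-a")]
# Same site, new leaf key, still issued under the pinned intermediate.
RENEWED = [cert("site.example", b"spki-site-2012")] + LEGIT[1:]
# Issued by another trusted CA to a different key holder: valid chain, no pin.
MISISSUED = [cert("site.example", b"spki-other-party"),
             cert("Root B", b"spki-root-b")]
SELF_SIGNED = [cert("site.example", b"spki-other-party")]

def run_all():
    cases = [("legit", LEGIT), ("renewed", RENEWED),
             ("misissued", MISISSUED), ("self_signed", SELF_SIGNED)]
    return {name: evaluate(chain, TRUSTED_ROOTS, PINNED)
            for name, chain in cases}

if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:12s} {verdict}")
```

Pinning the key rather than the certificate is what lets the renewed chain pass without a pin update.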
Obfsproxy
• A new tool to make it easier to change how Tor traffic looks on the network
• Rolled out in February 2012 when Iran started using DPI to filter all SSL connections
• Requires volunteers to set up special bridges
• We are working on automating builds of the Tor Browser Bundle with Obfsproxy
• Different pluggable transports available: FlashProxy, StegoTorus, SkypeMorph, Dust
Manual blocking analysis
• Requires in-country contacts with patience, access to Wireshark, the Tor Browser Bundle, and a private Tor bridge
• We spend a lot of time analyzing captured network data, try to determine the fingerprint that is being used to block Tor, and then set up special bridges for affected users
Tor censorship events
• An anomaly-based censorship-detection system for Tor on https://metrics.torproject.org/; also includes the Tor censorship events mailing list
• Censorship Wiki with details about blocking events, research, tools: https://trac.torproject.org/projects/tor/wiki/doc/OONI/censorshipwiki
ooni-probe
• A part of the Open Observatory of Network Interference project
• Can be used to collect high-quality data about Internet censorship and surveillance
• Runs a set of tests on your local Internet connection to check for blocked or modified content
• Will eventually be able to determine how different DPI devices are blocking Tor
Questions?
• Support: [email protected]
• Development: [email protected]
• IRC: #tor and #tor-dev on irc.oftc.net
• Twitter: @torproject
• Twitter: @runasand