[149680] in North American Network Operators' Group
Re: Iran blocking essentially all encyrpted protocols
daemon@ATHENA.MIT.EDU (Richard Barnes)
Sat Feb 11 16:51:03 2012
In-Reply-To: <CAJNg7VJBtM_bNOto0gsZzxMNjbUNSXFOhqACxoZAaVb+-asYCQ@mail.gmail.com>
Date: Sat, 11 Feb 2012 13:50:10 -0800
From: Richard Barnes <richard.barnes@gmail.com>
To: Marshall Eubanks <marshall.eubanks@gmail.com>
Cc: Ryan Malayter <malayter@gmail.com>, "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
FWIW: A colleague in Iran was able to connect to a server in the US
using HTTPS on a non-standard port (9999). It appears that the
Iranian government is not blocking TLS/HTTPS per se, but just port
443. So in principle, if there were just some HTTPS proxies using
non-standard ports, then people would be able to get out. At least
until (1) the addresses of the proxies become known to the regime, or
(2) they start blocking cross-border TLS altogether.
--Richard
On Fri, Feb 10, 2012 at 12:07 PM, Marshall Eubanks
<marshall.eubanks@gmail.com> wrote:
> And in response
>
> http://www.forbes.com/sites/andygreenberg/2012/02/10/as-iran-cracks-down-=
online-tor-tests-undetectable-encrypted-connections/
>
> (quoting) :
>
> =93Basically, say you want to look like an XMPP chat instead of SSL,=94 h=
e
> writes to me, referring to a protocol for instant messaging as the
> decoy for the encrypted SSL communications. =93Obfsproxy should start
> up, you choose XMPP, and obfsproxy should emulate XMPP to the point
> where even a sophisticated [deep packet inspection] device cannot find
> anything suspicious.=94
>
> Regards
> Marshall
>
> On Fri, Feb 10, 2012 at 2:03 PM, Shahab Vahabzadeh
> <sh.vahabzadeh@gmail.com> wrote:
>> Yes I am from Iran and outgoing TCP/443 has been stoped ;)
>>
>> --
>> Regards,
>> Shahab Vahabzadeh, Network Engineer and System Administrator
>>
>> PGP Key Fingerprint =3D 8E34 B335 D702 0CA7 5A81 =A0C2EE 76A2 46C2 5367 =
BF90
>>
>> On Feb 10, 2012, at 9:56 PM, Ryan Malayter <malayter@gmail.com> wrote:
>>
>>> Haven't seen this come through on NANOG yet:
>>> http://arstechnica.com/tech-policy/news/2012/02/iran-reportedly-blockin=
g-encrypted-internet-traffic.ars
>>>
>>> Can anyone with the ability confirm that TCP/443 traffic from Iran has
>>> stopped?
>>>
>>
>
