How the TOR Project defeated Iran filters inside 24 hours

Search Close

Account Information

Reset password

An email has been sent to you with instructions on how to reset your password.

Back to TechRepublic

Welcome to TechRepublic!

By registering, you agree to the Terms of Use and acknowledge the data practices outlined in the Privacy Policy.

You will also receive a complimentary subscription to TechRepublic's News and Special Offers newsletter and the Top Story of the Day newsletter. You may unsubscribe from these newsletters at any time.

All fields are required. Username must be unique. Password must be a minimum of 6 characters and have any 3 of the 4 items: a number (0 through 9), a special character (such as !, $, #, %), an uppercase character (A through Z) or a lowercase (a through z) character (no spaces).

When Iran detected and shut down TOR connections recently, the project's developers reacted quickly to defeat Iran's filters and enable Iran's users to continue to protect their identities.

Iran is well known as a country that censors Internet access for its citizens. Like China and a handful of other countries, the Government there considers a lot of activities online to be against the regime. With 20 million Internet users in that country, Iran has deployed more and more filters to make it very difficult for dissidents to talk freely online.

That’s why projects like TOR are very important. The basic premise of TOR is to provide online anonymity. Using it protects your privacy, and prevents your traffic from being monitored. According to the TOR metrics, thousands of people in Iran use the software to protect themselves.

It’s no wonder then that regimes like Iran have been trying to cut all TOR traffic. But the TOR protocols are incredibly well done, and blend themselves amongst regular traffic. They use traditional HTTPS connections to bypass filters, and look like any secure, encrypted connection. But last week, Iran successfully found a way to detect TOR and block it.

To understand how they did it, you need to understand how SSL connections are established. For a secure link to be made, a server has to authenticate itself using a certificate, signed by a trusted Certificate Authority (CA). This ensures that the website is who it says it is, and that there’s no impersonation going on. TOR mimics this, but there are some differences. For a start, it doesn’t use CAs. Iran looked into the way the SSL handshake is done to spot one such difference: the expiration date on the certificate.

Typically, a certificate is issued for one or two years. But in the case of TOR, the certificates used are session certificates, used for a single connection, and the expiration date on them was set to two hours instead. So the new Iran filter simply looked at these times and started blocking traffic of all connections that had a certificate with a small valid window of time. This successfully cut off all TOR users from the rest of the Internet.

Within a day however, the TOR Project was notified, and realized what had happened. They published a fix to simply increase the expiration date on session certificates, and the problem was resolved inside of a day. And since certificates are issued by servers, in TOR’s case relays, and not clients, that means people inside Iran don’t have to upgrade, only the relays around the world do. When enough relays have upgraded, connections will resume normally.

Meanwhile though, this event sparked quite a lot of discussion on the TOR mailing lists. It’s conceivable that Iran, or any other country, could block TOR again based on other differences that they could find in the certificates. So more solutions are being proposed, permanent solutions that would make TOR even stealthier.

One such proposal would remove the ability for TOR links to renegotiate their TLS connections, which would mean the certificate would only be exchanged at the beginning, then they would use another method to keep authenticating between both nodes. This would make it harder to track the various TOR connections.

Another proposal to the developers intends to randomize much of the information contained on those certificates, to avoid having easy-to-detect data. A hard-to-detect cover channel would be instigated through which relays would signal that they support the latest TOR protocol.

Finally, a longer term proposal suggests removing SSL from the core TOR project, and instead allow multiple transport protocols to be plugged in and used at will, such as VPN. This would allow relays and clients to negotiate which protocol they want to use, and switch if one becomes filtered out.

Still, the quick reaction of the developers was received with a lot of praise, as evidenced by the comments on the TOR blog. Many people from Iran depend on anonymity to speak their mind without fear of being imprisoned, and yet again they are now able to do so. But the work is never done, and censorship is always a cat and mouse game. There are companies working on TOR detectors all around the world.

With the proposed changes likely being implemented in the coming months, hopefully this will make this software even more immune to blocking and filtering, and promote freedom of expression, as was the original intent by its creators.

Also read:

Online anonymity: Balancing the needs to protect privacy and prevent cybercrime (Deb Shinder)

Compromised certificate authorities: How to protect yourself (Patrick Lambert)

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits, and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Image: diy13/Adobe Stock

Software

Windows 11 22H2 is here

Windows 11 gets an annual update on September 20 plus monthly extra features. In enterprises, IT can choose when to roll those out.

Virtual screen with stock chart and polygonal arrow hologram. — Image: Who is Danny/Adobe Stock

Edge

AI at the edge: 5 trends to watch

Edge AI offers opportunities for multiple applications. See what organizations are doing to incorporate it today and going forward.

Software

iPadOS cheat sheet: Everything you should know

This is a complete guide for Apple's iPadOS. Find out more about iPadOS 16, supported devices, release dates and key features with our cheat sheet.

Data analytics and business intelligence concept. — Image: Worawut/Adobe Stock

Big Data

Review this list of the best data intelligence software

Discover data intelligence solutions for big data processing and automation. Read more to explore your options.

People near the Microsoft store on Fifth Avenue in New York City. — Image: Bumblee_Dee, iStock/Getty Images

Software

108 Excel tips every user should master

Whether you are a Microsoft Excel beginner or an advanced user, you'll benefit from these step-by-step tutorials.

This document helps make sure that you address data governance practices for an efficient, comprehensive approach to data management. This checklist from TechRepublic Premium includes: an introduction to data governance, a data governance checklist and how to manage a data governance checklist. From this checklist’s introduction: Data governance is the process by which an organization ...

Recruiting a Scrum Master with the right combination of technical expertise and experience will require a comprehensive screening process. This hiring kit provides a customizable framework your business can use to find, recruit and ultimately hire the right person for the job. This hiring kit from TechRepublic Premium includes a job description, sample interview questions ...

How the TOR Project defeated Iran filters inside 24 hours