Recently, the anonymizing network system TOR (The Onion Router) found its traffic was ratcheted to a standstill in Iran, prompting a comparison by one of the TOR project developers to an emerging “arms race”. Users of the service, hoping to evade state censorship/snooping, encrypt the traffic that then gets routed anonymously around the globe. But it seems Iran has caught on, and started shutting down the traffic.
This, the latest in a continuing escalation globally of attempts to crackdown on Internet traffic, matched by zealous competing efforts from those in favor of a more open system of communication. Nation states are being tapped to control what may be perceived as threatening communication, ala recent efforts in the UK to tag Internet traffic as a more likely propagator of potential “violent radicalisation” activity than any other, including religious institutions, prisons, universities, etc.
But TOR had an “ace up its sleeve” according to developer Jacob Applebaum with the project. Apparently, they had anticipated the increased scrutiny on the SSL/TLS traffic that TOR communication generates, and have developed an add-on called obfsproxy, which works around it, making the encrypted traffic appear more like normal Internet traffic, thereby avoiding unwanted attention.
And so it goes. Last month TOR operators noticed Chinese state actors apparently sensing TOR traffic and blacklisting the TOR onramp “relays” so others couldn’t connect. What is interesting is the way it was detected and blacklisted, causing speculation that the methodology used near-linespeed realtime Deep Packet Inspection (DPI) to snoop the traffic, a non-trivial feat to be sure, especially at speeds fast enough to avoid creating excessive latency, a telltale sign that the traffic may be monitored. TOR communications, while tunneled across a standard SSL port, are unlike traditional SSL negotiations which only last short periods. TOR, on the other hand, would show a continual stream of SSL traffic for longer periods of time.
What is also interesting is that Iran is second only to the U.S. when it comes to use of the TOR network (according to the project’s statistics), suggesting a level of cyber sophistication in that region that is far above average. We also read that other middle eastern nation states are ratcheting up cyber attack rhetoric and posturing more reminiscent of traditionally military actions. It’s easy to draw parallels to a new emerging cyber arms race, as mentioned by Mr. Applebaum.
This promises to be a long haul, technologically, with privacy and anti-censorship efforts coming into full focus in the coming months, as states attempt to control dialog – for whatever reason – and citizens attempt to exercise their power to communicate freely, both for good and evil.
Author Cameron Camp, ESET