October 2008
I have probably already told you about my stories with Datak earlier, and I guess that's more than enough. For about a month I was thinking that the problems with https were actually Datak's fault for not being able to properly maintain their network and servers (which wasn't the first time in that case). But that turned out to be quite a different issue, as things are getting clear and I'm becoming aware of what the government is actually capable of doing.
Of course, filtering https content is not as horrible as restricting people's access to public content, media, and the free flow of information, but it's ultimately the second-worst act of information censorship the Islamic Republic has ever taken.
Censorship is done in quite a few different ways. One, known and rumored, is to look into the HTTP headers and compare the "Host" header string with the entries in a certain unified blacklist. Pedram Azimayi is probably the first one to have revealed this method.
After I had several unsuccessful attempts at violating Host headers using ModifyHeaders, AmirMohammad Saied wrote a simple yet handy add-on for Firefox which is confirmed to be working, and thus you can have access to censored websites. The trick is to violate the Host header string with a character of your choice whose ASCII code is lower than 32. According to RFC977 standards, the Host header should look like this:
So if you somehow manage to violate it so that it looks something like HOST_STR\t CR LF, then you are all set. SEPAR won't detect your HOST_STR as a blacklisted entry and thus grants you permission to access that website. Apache and IIS, however, are known to remove these characters, therefore making HOST_STR as a whole a valid Host header again. Lighttpd, however, does not take care of such characters in the Host header string, so from the standpoint of a non-technical user, you can't access content served by a Lighttpd web server using this method.
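The mismatch described above, shown as an added example that is not part of the original post: a filter that compares the Host value literally and a server that strips control characters reach different conclusions about the same request, while a filter that canonicalizes first does not. The blacklist entry `blocked.example`, the function names and the `strips_controls` switch are assumptions; the server behaviour is modeled only from the post's description.

```python
# Added illustration; the blacklist entry and the request bytes are constructed.
BLACKLIST = {"blocked.example"}  # constructed entry


def raw_host(request: bytes) -> str:
    """Return the Host value exactly as sent, minus only the CR LF line ending."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.decode("latin-1").lstrip(" ")
    raise ValueError("no Host header")


def canonical_host(value: str) -> str:
    """Drop characters with ASCII code < 32 and outer spaces, then lowercase."""
    return "".join(c for c in value if ord(c) >= 32).strip().lower()


def literal_filter_blocks(request: bytes) -> bool:
    """Filter as the post describes it: literal comparison with the blacklist."""
    return raw_host(request) in BLACKLIST


def normalizing_filter_blocks(request: bytes) -> bool:
    """Filter that canonicalizes first, so it sees what a tolerant server sees."""
    return canonical_host(raw_host(request)) in BLACKLIST


def server_vhost(request: bytes, strips_controls: bool) -> str:
    """Host the origin resolves; strips_controls models a server that cleans it."""
    value = raw_host(request)
    return canonical_host(value) if strips_controls else value


def build(host_value: str) -> bytes:
    """Build a minimal constructed request carrying the given Host value."""
    return f"GET / HTTP/1.1\r\nHost: {host_value}\r\n\r\n".encode("latin-1")


PLAIN = build("blocked.example")
PADDED = build("blocked.example\t")  # HOST_STR\t CR LF, as in the post

if __name__ == "__main__":
    for label, req in (("plain", PLAIN), ("padded", PADDED)):
        print(label, literal_filter_blocks(req), normalizing_filter_blocks(req),
              repr(server_vhost(req, True)), repr(server_vhost(req, False)))
```

Any component that makes an allow or deny decision on a header has to interpret it the same way as the server behind it, which is why the canonicalizing comparison is the one that agrees with the tolerant server.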
But the problem with https is that you cannot sniff its traffic, watch it and control it, which is probably a good thing. Yet again, it's sad to hear that when the Islamic Republic is not able to control you, or solve a problem in peace, it decides to wipe you off the map completely. That's exactly the case with https. The rule of thumb here is: when you are not able to censor traffic through https, block it completely.
Based on my guesses, they are currently keeping a whitelist of allowed websites; all others are blocked, and this is not done in the same way as what they do to HTTP content. They actually drop all HTTPS requests to all hosts unless otherwise noted. This is completely dumb.
However, not all the routes are affected (at the time this article is being written), but sooner or later, when your ISP gets these new rules from TCT for their routes, you might experience the very same problem with your https as well, and unfortunately it would be strictly impossible to work around it this time.
17 October 08