The snooping of unencrypted SNI in the TLS handshake is a known weakness that is still mostly unresolved despite four years of standardization effort. The encrypted SNI work has been revised and updated to encrypted ClientHello and is still technically an IETF draft and not yet formalized in an RFC:
That said, CloudFlare, Firefox, and Chromium teams have all been working toward the evolving spec so one can hope that soon with eCH and DNS-over-HTTPS we will be able to have clients securely connect to servers without broadcasting the hostname to which they are connecting.
The idea is you force them to choose the entire effective internet or nothing, which is not an economic self own even most dictatorships are willing to make.
These firewalls are an exercise in having your cake and eating it too.
But it doesn't end there... they block the CDN that implements this feature, and then the CDN's customers--who probably didn't care much about the benefits this gives to some of their users but are now losing access to some large customer base--start complaining and migrating off the CDN, which results in the CDN pulling back on the feature.
And we know this is what will happen as this is effectively what happened with domain fronting--where you simply use the wrong SNI instead of hiding it entirely--with all the large CDNs actively "fixing" this feature to prevent their customer's websites from being blocked by firewalls because of users who were using this to get around hostname restrictions.
Yup it's a cat and mouse game, and how much money these dictators represent.
Thankfully? in the case of Iran, many customers do not want to interact with Iran because of US export regulations, so if it breaks that, all the better ironically enough.
Iran, definitely. I don't think many companies would cry over the loss of Iran due to blocking their CDN.
China, on the other hand... That's where it starts getting interesting. There's already been several prominent examples of companies self-censoring to appease the Chinese government.
> which is not an economic self own even most dictatorships are willing to make.
What basis do you have for this claim? People make these claims constantly so confidently, but wherever I look all I see is that dictators have always been willing to make their nations incredibly poor.
> These firewalls are an exercise in having your cake and eating it too.
More to the point this isn't the Gordian Knot you think it is.
HTTPS isn't designed to prevent this. If you want to allow 'legitimate' access you just issue your own certs, and proxy requests. Universities etc can install your root cert and use your DNS servers.
It is game theory. Consider what happens in the real world - it is strictly easier for Iran or any country with a competent infrastructure to just shut down the big internet pipelines for retail customers. They don’t do that. China has spent untold amounts of money creating a stupidly effective surveillance state which is still technically open to the internet. Why?
So your assumption that “dictators will do the worst they can” is wrong. They will keep pushing the boundary outside the current Overton window but can’t do it in a snap. You force their hand by not providing alternatives and suddenly they’re stuck. They can’t just restrict feminist websites and claim that it is harming the social fabric then expand the net slowly. It is all or nothing as the OP explains.
More accurately, the ruling class wants to stay rich, and if they can stay rich without needing an educated and non-poor populace, all the better, because the hungry, disconnected and illiterate do not start effective revolutions. You see this in many resource dictatorships, since you don't need your populace to create your wealth.
In dictatorships where they need the populace, then they are in a tough spot, because the only way you get rich is having a developed population productive enough to tax, which you see in Singapore, China, Dubai and Iran somewhat.
It is this kind of authoritarian regime that needs the internet, but also wishes they didn't need the internet in the case of Iran and China.
They’re not equivalent statements. Dictators can be fine with making their countries poorer but still maintain internet access. There is a critical point (which isn’t well defined because we’re probably the only species in the universe at our level of tech that has no social science of any merit) beyond which policies will start backfiring. At the beginning of their reign, the dictator will take risks and push that window. Once entrenched, they will have to use a lighter touch unless they entirely go the North Korea route (which is difficult to do in 2022).
So in essence, this is a positive move because even dictators willing to destroy their countries for power will have to make a choice on internet access well before they gain enough power to cut it off entirely.
> What basis do you have for this claim? People make these claims constantly so confidently, but wherever I look all I see is that dictators have always been willing to make their nations incredibly poor.
Iran lost $17 billion in economic activity by cutting off the entire internet a few years ago for a week. They have not done that this time, making internet outages at specific times of day, etc.
I agree, this is the best approach. With every improvement, technology increases the amount of tyranny required of governments to maintain the same level of control they had before. They used to be able to block specific sites, now they will have to block everything and cut themselves off from the internet.
Eventually, we'll end up with either uncensorable technology or a totalitarian government.
Also I'm not well-educated in that area, but I would expect that CDNs would allocate dedicated IP ranges for big customers like Microsoft or Apple. So the state can ban more selectively, white-listing those ranges.
Some people interested in the Great Firewall wrote up weirdness they saw with one particular prototype of eSNI years back. A game of Telephone later this became nonsense like "China blocks TLS 1.3" but actually if you do that what you get isn't web sites stripped of protection but connection errors. Which is indeed what happens for some sites from the other side of the Great Firewall, but we just say China blocks those sites, because that is what they do. Protocol versions are not crucial to them.
The current iteration of ECH is designed to be GREASEd which means browsers might just always do ECH with dummy values regardless, so either you block or you don't, you won't be able to selectively block ECH. This doesn't magically prevent the Great Firewall from working but does mean specifically host matching is degraded as intended.
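To make the two points above concrete (an unencrypted SNI is readable by anyone on the path, and with ECH an observer can only see that the extension is present, not whether it is real or GREASE), here is an added example that is not part of the original comments: a small parser for what a passive observer can read out of a TLS ClientHello record. It assumes the draft-ietf-tls-esni codepoint 0xfe0d for the encrypted_client_hello extension (a draft value, not a final IANA assignment) and builds its own constructed ClientHello bytes so it runs offline; a useful way to audit your own packet captures for ECH adoption.

```python
import struct
from typing import Optional

EXT_SERVER_NAME = 0x0000
# encrypted_client_hello codepoint from draft-ietf-tls-esni (assumption: draft value, not final IANA)
EXT_ECH = 0xFE0D


def build_client_hello(sni: str, ech_payload: Optional[bytes] = None) -> bytes:
    """Constructed minimal TLS 1.3-style ClientHello record, used only as sample input."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name + name
    sni_data = struct.pack("!H", len(entry)) + entry                # ServerNameList
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    if ech_payload is not None:
        exts += struct.pack("!HH", EXT_ECH, len(ech_payload)) + ech_payload
    body = (
        b"\x03\x03"                         # legacy_version = TLS 1.2
        + bytes(range(32))                  # client random (constructed, fixed bytes)
        + b"\x00"                           # empty legacy_session_id
        + b"\x00\x02\x13\x01"               # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                       # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_sni(data: bytes) -> Optional[str]:
    """Return the host_name entry of a server_name extension, if any."""
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == 0:
            return name.decode("ascii", "replace")
    return None


def parse_client_hello(record: bytes) -> dict:
    """Extract what a passive on-path observer can read from one ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    result = {"sni": None, "has_ech": False, "extensions": []}
    if pos + 2 > len(body):
        return result                              # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun ClientHello body")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_len]
        pos += ext_len
        if len(ext_data) != ext_len:
            raise ValueError("truncated extension")
        result["extensions"].append(ext_type)
        if ext_type == EXT_SERVER_NAME:
            result["sni"] = _parse_sni(ext_data)
        elif ext_type == EXT_ECH:
            # Present for both real ECH and GREASE ECH; an observer cannot tell which.
            result["has_ech"] = True
    return result


def describe(record: bytes) -> str:
    """Summarise the observer's view: with ECH the visible SNI is only the outer public_name."""
    info = parse_client_hello(record)
    if info["has_ech"]:
        return f"ECH present; visible SNI {info['sni']!r} is the outer public_name, not the real host"
    return f"no ECH; plaintext SNI {info['sni']!r} reveals the destination host"


if __name__ == "__main__":
    print(describe(build_client_hello("example.com")))
    print(describe(build_client_hello("public.example", b"\x00" + b"\x00" * 8)))
```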
Funny enough the children's "telephone game" is, in many Commonwealth countries, apparently called "Chinese whispers," at least according to my Londoner colleagues.
I don't know anything about that (and I'm pretty sure TLS 1.3 doesn't mandate ECH since ECH isn't even finished standardizing!) but you can check to see if your browser supports ECH by visiting https://tls-ech.dev/
Pretty crazy that a country can just completely block all internet outside of what they want to be accessible...
One app that came to my mind reading this is Briar [1] - no real internet required, can connect to other briar participants via bluetooth and WiFi. Sadly only for Android...
"They" are whoever holds the monopoly on violence in the region. Sometimes colloquially called a "government" or "state".
You probably don't pay them to uphold their power to close roads whenever they want, it's just a consequence of the aforesaid monopoly on violence.
If you think it's wrong, you can try to bring competition into the market, but if history is any indication you'd better make sure you have a lot of upper/middle-class people who agree with you first.
We aren't doing anything. The Iranian government chooses to control what happens to electricity within their borders. It's one of the fundamental points of state sovereignty.
States can, and do, maintain the power to maintain or close public roads. In fact, they do so daily at border checkpoints, and do so locally in cases like local natural disaster risk (e.g. hurricane or wildfire evacuation).
Why would I want to connect to other briar participants? I want to connect to hacker news. It might be useful for terrorists or protesters, but for ordinary people - not sure.
The only real solution long-term is completely peer-to-peer ad-hoc networking that doesn't depend on BGP.
A few projects are in similar territory but none I've seen are working at the layer of bypassing BGP. Many are just acting as an overlay; which works to an extent. https://github.com/yggdrasil-network/yggdrasil-go
It's probably begging for a different model of the "internet" and where data lives.
My requirements:
1. Offline-first applications that sync via a pub/sub DHT of trusted peers. More details here but basically allows bypassing BGP.
2. Trusted peers are routable via a deterministic pathing algorithm without exposing the recipient (content addressable everything).
3. Automatically distribute storage and compute on all local devices a user has and/or needs (it's so dumb and wasteful that I only use one computer at a time when I have hundreds at my home at different levels of compute from thermostat to fridge to laptop to desktop).
I've thought about this for a long time and planned many requirements out. I was very committed to working on it but then I lost motivation because I don't get along with most humans today and where the world seems to be going. It also sucks to have people think your ideas are crazy.
Most of the things you mentioned are implemented in the "Browser" that I've built. It's using multicast DNS to discover neighboring running instances and it has an offline cache first mentality, which means that e.g. download streams are shared among local peers.
Global peer discovery is solved via mapping of identifiers via the reserved TLD, and via mutual TLS for identification and verification. So peers are basically pinned client certificates in your local settings.
Works for most cases, had to implement a couple of breakout tunnel protocols though, so that peer discovery works failsafe when known IPs/ASNs are blocked.
Relaying and scattering traffic works automatically, so that no correlation of IPs to scraped websites can be done by an MITM. Tunnel protocols are all generically implemented, DNS exfiltration, HTTPS smuggling, ICMP tunnels, and pwnat work already pretty failsafe.
What's missing is UPnP support so that it behaves a little more gracefully when a router would be cooperative in nature, but after trying to implement the "specification" a bunch of times I skipped it for now.
Lots of work to be done though, and I had to focus on a couple of other things first before I can get back to the project.
The browser is part of a larger network that's trying to automate cyber threat intelligence on a peer to peer level, so clients, servers, websites and domains have a trust ratio and a history of trust to prevent misclassification of a new domain owner that e.g. defaced a website or tries to inject their malicious assets onto previously trusted peers.
Currently we only have a public (and another private) Telegram channel where we occasionally discuss upcoming features, problems and solutions to technical problems.
The Stealth browser is kind of a solo project for now. It grew out of my personal intention to build a better architecture for a more efficient web scraper + browser that doesn't waste internet bandwidth, because I have pretty crappy internet abroad. But I'd love to grow a community out of it.
Before the 4chan attacks last year there were a couple of other devs that occasionally contributed to the project, but they faded slowly away with the discreditation campaigns against me/us. As the 4chan raids led to us realizing that we're better at building cyber intelligence + defense products, we also pivoted with the company to this area because of it. The threat analysis mechanisms and peer-to-peer networking parts (with trust ratio of nodes/edges/paths) are very similar in nature, so it was a good fit, technology-wise.
I'd still want to build the stealth browser further and make a better project out of it (especially with the RetroKit fork which is WebKit minus the tracking APIs), but I've pivoted with the company to a different area and that's currently the primary objective. As our country is regularly attacked by a lot of cyber threats right now, we've focussed our efforts on developing the cyber defense technologies.
Right now, stealth is primarily being used as a Web Scraper via its node.js APIs by us. So it's still actively used and occasionally we'll push some features to the repository.
How exactly are you going to "bypass BGP" on the global Internet? Reaching your trusted peers depends on routing, which means BGP (at least for anything outside of your ASN.)
Well if you want to get rid of BGP then it probably doesn't make sense to talk about ASNs since BGP is a way to connect ASNs... That being said, it does seem very pie-in-the-sky to imagine the entire global internet using decentralized routing without some sort of backbone infra that is at least moderately centralized. There is just too much data. I could imagine mesh networks being more feasible if we were still living in an era of html websites and RSS feeds.
All data should only exist within the light cone that it is used within. That means a lot of data is improperly used today in terms of where and how it is moved.
You need a lot less information "over the wire" when it doesn't move as far, and when you can speculate and predict what to render (ML/AI). What matters is the package and space more than anything. Go figure. That's also why "massively distributed compute/swarm computation" makes sense in this mesh like model you hint at.
The future is strictly local data unless we totally escape time dilation over large distances, whether or not we bypass speed of light limits.
The future is strictly a simulation if we are a multi-galaxy species, let alone spread across the galaxy. The only way to have a real-time conversation is to simulate the person/ego. The local copies would be as real/eventually consistent as possible over time.
Maybe it is too much data for devices that have to share a channel. But lasers (think: old TV remotes using infrared) do not have to share channels with each other, and can be very high-bandwidth and more difficult to snoop on indeed. Mirrors could even be used for relaying, to save lots of compute. Like fiber cables piercing through the air itself!
I was speculating that the notion of a laser-based mesh network could deserve more attention, if it is economically viable. That seems like a better choice than something like WiFi, because you do not have to share a channel with huge amounts of other devices.
Several kilometers of range seems tolerable with enough collaboration. I do wonder though, whether mesh networks for bidirectional (synchronous) comms are a good idea in hostile environments. It seems too easy to map out the positions of the nodes. Systems that support distributed, asynchronous comms and use of wireless protocols on phones seem like a good match for them though.
I guess this would require everyone to use a government-sanctioned DNS and that would require traffic on udp 53 to non-gov-dns servers blocked? I felt like this was glossed over a bit too quickly in the article
Probably more like all the local ISPs' DNS servers resolve that, or that there's potentially some DNS rewriting going on. It's not too hard to rewrite basic DNS traffic. DNS is not encrypted, its payloads are very structured, and quite small.
FWIW here [1] is an option that should still work. I would be curious to hear from people in Iran if this no longer works and they are blocking SSH to VPS nodes.
Air dropping starlink terminals onto protesters is the solution.
In fact, if you live anywhere outside of the US, owning one "just in case" is good for future proofing your freedom, IMHO. Kind of like being armed.
Edit: in fact, starlink v2 global LTE-from-space coverage will be a true game changer for world freedom. We can only hope this comes to be sooner rather than later.
Until having a starlink terminal on your roof becomes punishable by death. You can try to hide them visually, but Iran could always detect them electronically if they want to put in the effort.
One needs to only google "iran satellite dish confiscation" to see the low tech methods used. They occasionally go on binges of confiscating and destroying receive-only tv satellite dishes.
There's a pretty long history of dropping radio transmitters for people to use in violently authoritarian environments. Not without specialized uses but declaring it 'the solution' seems like overpromising things a bit.
Why not airdrop AKM assault rifles and lots of ammo then? The protesters could use the weapons to overthrow the government. Much more effective than Starlink when your government has a monopoly on violence.
I tried helping my Iranian friend to get around the internet restrictions. I have to agree with the author most big players could not give a flying f*ck. Even signal can't be bothered to address verification SMS issue.
Key word is bad days. Expats in China have noticed the same thing, with VPNs sporadically not working during summits, around certain holidays, etc but resuming afterwards. Also, for some reason certain VPNs work more consistently than others even though they use the same protocols as blocked services. Some speculate that the ones that continue to work are either honeypots or the companies behind them have (social) connections
Also, it's kind of poor taste to call those who want free(dom) internet there as "neo liberals"
This is a common and natural misconception. When the firewall gains a feature (i.e. the ability to block certain traffic) the VPN providers then have to figure out some technique to bypass it. This happens over and over again. The firewall isn't relaxing after the event, it is staying the same and the VPN provider has improved.
On your second point, I can't comment for all providers, but I've heard this rumour in a more specific context and can say that it is definitely at least sometimes false.
Thanks for clarifying. I admit it's anecdotal but was wondering if these new features are rolled out automatically or with humans deploying them? If the latter it might explain why expats in China have said it [access to VPNs] gets worse at times.
Years ago one provider that rhymes with krill was pretty consistent, but in the end it seemed one could get the most mileage(err uptime) by rolling their own v2ray instances on a VPS provider that had "Hong Kong" servers in Hangzhou.
I'm not sure this is entirely the case, though probably partly so. I think they do track known VPN servers, or suspected therein, and closer to congress sessions cut those off. I had a number of self hosted setups used by a few people that would get cut off at those times only to come back on later.
Neoliberal is usually used as a pejorative towards "liberals" who prioritise economic growth/profit over human dignity/freedom. Think: the Blair administration in the UK.
> Also, it's kind of poor taste to call those who want free(dom) internet there as "neo liberals"
Thanks, sincerely, for the note on language. I've used that insult a lot in the past.
I also had a string of international students do things like complain I was racist for asking questions and answers be repeated back in English, not just Mandarin. (And they weren't from Taiwan.)
It's true that America has no official language, but when folks like myself expressed that sentiment in the policy space, it was with the intent that if someone speaks French, Spanish, or one of the many languages of the Native Americans they could be given services in a manner they understand, as is their human right.
It was not a rhetorical device meant to be wielded by agents of a foreign power.
I ended up accepting an alprazolam script, following a string of failed antidepressants, navigating the social milieu of "they treat me like an international student because I know who the spies are and refuse to just... hire me somewhere... as their system crashes around them"
This was in the lead up to, and during, the Summer of Snowden -- I was really pissed that no one would hire me into private industry and civil society... well all I can say about so called "civil" society is Epstein didn't kill himself.
> Instead, the TCP 3-way handshake won't complete (the syn-ack is dropped).
Sounds like my internet connection in grad student housing about 10% of the time, except the initial SYN is dropped. Pings and everything else are fine.
I remember one guy in my company had a hard-on for blocking every way to tunnel out of our network (...that was not required by anyone, he was just a security nut).
We had sites blacking out because he decided DNS tunnelling was bad so he blocked anything with a low TTL. Meanwhile a simple POC DNS tunnel worked fine..
This is difficult to read. The author confuses nouns and proper nouns and isn't clear about who it is they're referring to (who are the neo-liberals, for instance?).
I understand that not everyone is as good at writing as others, but it really doesn't take much effort to ask someone to proofread.
Otherwise, this is a good start, even though it lacks details and examples.
Conceptually, I clicked it and thought I would learn something about the Iranian firewall, but instead I ended up at "The Hackers Choice" blog, a blog with exactly two articles, and read a confusing rant along with a laundry list of firewall techniques talked about in vague enough terms that I learned absolutely nothing, other than to be skeptical about this source going forward.
I recollect a few years ago when the US ordered all western services to be blocked to Iranian citizens, it was a big outcry when Gitlab and Github published blogs confirming their implementation of the Iran blockade. To me the west lost all moral arguments criticizing Iran for doing the same within their own country.
Not all control is bad. Some state actors should be controlled. It is my opinion that the Iranian regime is one of them.
I was probably a little unclear in my response though, I meant in one case the goal of the administration was to control and repress the people in direct opposition to my values and that of many others. In the other case, the goal is to control the administration and erode their ability to do so.
I don't think anyone's a self-proclaimed global policeman, and America has become of late increasingly reluctant to extend their influence. I'm not American. My personal position is that the world would be worse off if America were to cede their influence because the vacuum would be filled by China, Russia or both. These forces all keep each other in balance and maintain the current detente.
This is one of the most peaceful times in world history, after all.
With that in mind, no, I don't support the Iranian regime. Positions should be evaluated piecemeal, it doesn't matter what you think about America's other positions, it doesn't need your personal 'moral high-ground' sign-off to be in the right on this one.
I almost stopped reading at "neo-liberal", man that term is getting boring, especially when used in non-sequitur fashion like "The most severe disruption is when the regime turns off all cell towers and all local Internet. They just pull the plug and it's game over for any neo-liberal smart-arse that thinks v2ray/tor/shadowsocks is the solution". WTF does that even mean? What does the author think it means?
The top says this, which doesn't sound like a joke.
> The Internet is easily censored. The neo-liberals got their arses kicked. The big players like Google/Apple/AWS are partly to blame. China runs the GFI as a service.
Since the basis of their entire project [1] was given to them as the output of an obscure DARPA project ostensibly aimed at securing democracy in the world. It's not written into a contract, just a sorta "moral obligation" to, you know... not shit on the values of the people who put you where you are.
In aggregate, you will find that the population of Silicon Valley, and wealthy locations in general, under-enlist, tend to vote against military appropriations, and if they do vote for increased military appropriations, they tend to vote for larger non-lethal military capabilities (e.g. they favor military healthcare and retirement benefits). A lot of this is obvious blue-state voting. For the enlistment rate, the easiest one to point to is Texas vs California. Texas accounts for 12.1% of Army recruitment from a population of 29M, while California accounts for 9.9% of Army recruitment from a population of 39M. New York is even lower with 4.6% from a population of 19M. By comparison, North Carolina has 4.7% population on a population of 10.5M.
A detestable person that thinks he can circumvent the regime? Presumably a paleo-conservative (or whatever the opposite of neo-liberal is in the mind of the blogger) would not be so naive and would look at real "solutions", as opposed to the neo-liberal, who is interested in non-solutions.
Pretty awful ideas floating around in this guy's head.
I'm not sure what he means by that. Is it just a tongue-in-cheek description for the opposition to the Iranian party? Is it used by the party to describe pro-western people locally? Or is this just another overused Redditism?
It is a play on neo-con, which is a term that was used to great effect in American conservative political circles to ostracize those who would cooperate with the opposition party - a.k.a. moderates. It is now used with similar goals by the American far left (to the extent that such a thing exists..). Both terms are often coopted by the opposition party to demonize moderate counterparts.
That said, it sounds cool to mouth-breathers so they often use it completely out of context, like this author did.
I don't see how it's any less meaningful than "liberal," or "conservative." Each of these terms labels a set of family resemblances and is dependent on context.
There are other meaningful political categories besides the ones that designate parties. Irving Kristol, the closest the movement has to a founder, himself embraced the label. And it's pretty uncontroversial which people decidedly belong and which don't: Richard Perle is one, Pat Buchanan is not; Jeane Kirkpatrick and James Q. Wilson are, Samantha Power and Noam Chomsky aren't.
To be honest, I'll have to take your word for it, because I don't know a single person you listed. Maybe they're from an older generation.
Seems like this was a real movement but isn't so relevant anymore, and now people are misusing the term. Now "hawkish" or "interventionist" is pretty close to the old meaning of neocon. I'm willing to accept it as a term for a historical movement, but if someone tells me X newly relevant person is a neocon, I'll basically discard that.
That sense of "neoliberal" is peculiar to American politics, as far as I can tell. I'd say it's more likely the blogger means a person who wants free trade, deregulation, etc.
I would say, given the sum total output we've seen by the author (a blog with two articles), they have no idea what it means, other than a vague sense that it is some kind of sick burn. [Edit - look, I know the term has an academic origin, but we aren't discussing academic papers, I'm talking about how it is abused everyday in the vernacular]
I'm a liberal by most definitions but I didn't reject a decent technical article by presumably an advocate of political freedom in Iran because of my sensitive sensibility.
Did your sensibilities keep you from reading the rest of my comment? Sadly, it didn't keep me from reading the article - which had no interesting information on the GFI in particular or even firewalls in general. I should have gone with my gut on this one.
It's just a media-friendly way to call people who believe that money doesn't stink, and that to each what he deserves. Which is true for most “successful” corporate functionaries whose exuberance naturally depends on that same tight control over user devices.
The Iranian regime classifies enemies ("counter revolutionaries" in the old days). We have the hypocrites "MEK", monarchists, a newly minted "meddlesome Shia" (mainly Iraqis but basically any Shia who disagrees Khamenei is God's Shadow on earth smh), and westernized youth "neo-liberals". So OP's sentence makes perfect sense actually.
p.s.
Basically the occupation theocratic regime of IR positions itself in its propaganda to demoralize Iranian resistance by prophecies of doom and gloom for Iran should it be cured of the IR disease: there is ISIS or Daesh [or "it will Syria 2.0"] (aka terror); there is that crafty prince in KSA that wants Iran to partition; there is the crafty sultan in Turkie (sic) that has pan turk on his mind; and should the country remain intact let there be no doubt that "neo-liberals" will do a Greece or whatever to Iran.
Eh, I don't like neo-liberal either, but its usage here made me chuckle. I'm probably a "neo-liberal" since I generally believe in human rights (including free speech) and also that capitalism (for all its faults) has a dramatically better track record than socialism or communism.
I was super confused by the author's use of neoliberal and I'm also confused by how you use the term.
A liberal is someone who values individual freedoms and human rights.
A neoliberal is someone who values deregulated economy, privatization of all things, free markets, free trade, and open economic borders.
The Iranian regime would be a conservative one, where they value limited social rights that favor some social morals over the individual's own, like what women/men can and can't do, what you can and can't eat, what you can and can't drink, what you can and can't teach or believe in, etc.
The Iranian economic model is a mixed bag, kind of a social-capitalist mix, with lots of state owned and managed enterprise, but also allowing private ones. That said it comes with a lot of regulations to have them enforce the conservative social norms.
The most generous interpretation so far, but the bar is low. To accept that applies here is to accept that what is going on in Iran right now is entirely being orchestrated by outside forces and the citizen protesters have no agency. I'm familiar with this worldview, and I know the ilk that spread it.
This doesn't in any way solve the problem of getting traffic in/out of the country, where all local ISPs are legally obligated to singlehome themselves to the government ASN.
Unless we're talking about something like smuggled two way satellite terminals.
Why go for LTE when Wi-Fi is so much more feasible?
I mean, 10 bucks for an AP isn't far fetched whereas LTE antennas alone would explode in budget, even when considering to use OsmocomBB with super old hardware/phones.
And every phone these days got Wi-Fi anyways. Most meshnet solutions rely on Wi-Fi so you wouldn't even need to implement much software for peering.
You know what is crazy. I recently heard 20% of adult population in Iran is in Revolutionary Guard. This puts things into context for anyone who says "why don't people just overthrow the dictatorship". However, there were dictatorships with an even stronger hold on their population that fell. Usually for economic reasons. I hope Iran's regime will follow.
Hmm, that seems way too high? They're a branch of the military[1], which is the biggest standing army in the Middle East, but even the whole army comes to about a million for a country of 86M.
https://datatracker.ietf.org/doc/draft-ietf-tls-esni/