Iran is well known as a country that censors Internet access for its citizens. Like China and a handful of other countries, the Government there considers a lot of activities online to be against the regime. With 20 million Internet users in that country, Iran has deployed more and more filters to make it very difficult for dissidents to talk freely online.

That’s why projects like TOR are very important. The basic premise of TOR is to provide online anonymity. Using it protects your privacy, and prevents your traffic from being monitored. According to the TOR metrics, thousands of people in Iran use the software to protect themselves.

It’s no wonder then that regimes like Iran have been trying to cut all TOR traffic. But the TOR protocols are incredibly well done, and blend themselves amongst regular traffic. They use traditional HTTPS connections to bypass filters, and look like any secure, encrypted connection. But last week, Iran successfully found a way to detect TOR and block it.

To understand how they did it, you need to understand how SSL connections are established. For a secure link to be made, a server has to authenticate itself using a certificate, signed by a trusted Certificate Authority (CA). This ensures that the website is who it says it is, and that there’s no impersonation going on. TOR mimics this, but there are some differences. For a start, it doesn’t use CAs. Iran looked into the way the SSL handshake is done to spot one such difference: the expiration date on the certificate.

Typically, a certificate is issued for one or two years. But in the case of TOR, the certificates used are session certificates, used for a single connection, and the expiration date on them was set to two hours instead. So the new Iran filter simply looked at these times and started blocking traffic of all connections that had a certificate with a small valid window of time. This successfully cut off all TOR users from the rest of the Internet.

Within a day however, the TOR Project was notified, and realized what had happened. They published a fix to simply increase the expiration date on session certificates, and the problem was resolved inside of a day. And since certificates are issued by servers, in TOR’s case relays, and not clients, that means people inside Iran don’t have to upgrade, only the relays around the world do. When enough relays have upgraded, connections will resume normally.

Meanwhile though, this event sparked quite a lot of discussion on the TOR mailing lists. It’s conceivable that Iran, or any other country, could block TOR again based on other differences that they could find in the certificates. So more solutions are being proposed, permanent solutions that would make TOR even stealthier.

One such proposal would remove the ability for TOR links to renegotiate their TLS connections, which would mean the certificate would only be exchanged at the beginning, then they would use another method to keep authenticating between both nodes. This would make it harder to track the various TOR connections.

Another proposal to the developers intends to randomize much of the information contained on those certificates, to avoid having easy-to-detect data. A hard-to-detect cover channel would be instigated through which relays would signal that they support the latest TOR protocol.

Finally, a longer term proposal suggests removing SSL from the core TOR project, and instead allow multiple transport protocols to be plugged in and used at will, such as VPN. This would allow relays and clients to negotiate which protocol they want to use, and switch if one becomes filtered out.

Still, the quick reaction of the developers was received with a lot of praise, as evidenced by the comments on the TOR blog. Many people from Iran depend on anonymity to speak their mind without fear of being imprisoned, and yet again they are now able to do so. But the work is never done, and censorship is always a cat and mouse game. There are companies working on TOR detectors all around the world.

With the proposed changes likely being implemented in the coming months, hopefully this will make this software even more immune to blocking and filtering, and promote freedom of expression, as was the original intent by its creators.

Also read:

Online anonymity: Balancing the needs to protect privacy and prevent cybercrime (Deb Shinder)

Compromised certificate authorities: How to protect yourself (Patrick Lambert)