Circumventing internet censorship

In compliance with a direction given by the Uttarakhand High Court, Indian ISPs started blocking pornographic sites. In this article I will dissect the implementation used to enforce the blockade as well as techniques to circumvent it. Finally, we will discuss better implementations that address the current pitfalls.

A while back one of my friends recommended the TV series 24, but I couldn’t find it on any of the streaming services. When I asked, she replied with a link to 123moviestime.com, which for some reason was blocked in India. I started digging into the implementation of the block.

When I tried to resolve the domain name with dig, it gave the following response:

$ dig 123moviestime.com @8.8.8.8 +noall +answer
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> 123moviestime.com @8.8.8.8 +noall +answer
;; global options: +cmd
123moviestime.com.	10	IN	A	202.83.21.15

A quick whois on the IP revealed that it belonged to the ISP. There was no change in the response even when I forced dig to use Google’s DNS resolver (8.8.8.8), confirming that the ISP was applying DPI to DNS traffic: the query never reached the resolver I asked for, and the answer came back pointing at the ISP’s own address.
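As an added example (not from the original post), here is a small Python script that reproduces the check above offline: it builds the A query a stub resolver or dig would send, parses a constructed DNS response carrying the answer observed in the post (202.83.21.15 with TTL 10), and classifies the answers collected from several resolvers against an ISP-owned prefix. The resolver labels and the prefix 202.83.21.0/24 are assumptions standing in for whatever the whois lookup actually returned.

```python
import ipaddress
import struct


def encode_name(name):
    """Encode a domain name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=0x1234):
    """Build a recursive A query for `name`, as a stub resolver (or dig) sends it."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                        # the name ends after the first pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if end is None:
        end = offset
    return ".".join(labels), end


def parse_response(data):
    """Return (qname, [A records as dotted strings]) from a DNS response message."""
    _qid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    qname = None
    for _ in range(qdcount):
        qname, offset = read_name(data, offset)
        offset += 4                                     # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                   # A record
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return qname, addrs


# Constructed response: what the interception returned for the query above
# (answer 202.83.21.15, TTL 10, as in the dig output); the id 0x1234 is assumed.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, one answer
    + encode_name("123moviestime.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c"                                        # answer name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 10, 4)                  # type A, class IN, TTL 10, 4 bytes
    + bytes([202, 83, 21, 15])
)


def classify_answers(answers_by_resolver, isp_prefixes):
    """Compare answers from several resolvers against ISP-owned prefixes.

    'intercepted': every address from every resolver lies in an ISP prefix
                   (the symptom in the post: even 8.8.8.8 "answered" with the ISP IP);
    'partial'    : only some resolvers return ISP addresses (e.g. plain UDP vs DoH);
    'clean'      : no ISP-owned address anywhere.
    """
    nets = [ipaddress.ip_network(p) for p in isp_prefixes]
    all_ips = {ip for ips in answers_by_resolver.values() for ip in ips}
    in_isp = {ip for ip in all_ips if any(ipaddress.ip_address(ip) in n for n in nets)}
    if all_ips and in_isp == all_ips:
        return "intercepted"
    if in_isp:
        return "partial"
    return "clean"


if __name__ == "__main__":
    print(build_query("123moviestime.com").hex())
    print(parse_response(SAMPLE_RESPONSE))
    # Assumed prefix: 202.83.21.0/24 stands in for what whois attributed to the ISP.
    print(classify_answers({"isp-udp": ["202.83.21.15"], "8.8.8.8-udp": ["202.83.21.15"]},
                           ["202.83.21.0/24"]))
```

In practice you would feed classify_answers with the answers from your ISP's resolver, a public resolver over plain UDP, and the same public resolver over DoH or DoT; the 'partial' outcome is the signature of on-path interception of unencrypted DNS.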

To circumvent this, I pointed my local DNS at the original IP by making an entry in /etc/hosts and requested the website over both HTTP and HTTPS: the HTTP request failed while HTTPS worked. This behaviour shows that the ISP is inspecting HTTP request headers and proxying the request when it matches a blocked site, and it also confirms that the ISP is not inspecting the SNI field to block HTTPS traffic.

DNS has been one of the weakest links on the internet, susceptible to man-in-the-middle attacks, and it looks like the ISPs are exploiting it to enforce the ban. It’s a smart strategy: inspecting DNS traffic is far cheaper and more effective than analysing other protocols (DNS traffic will be at least 10x less than protocols like HTTP or HTTPS). But this is going to change soon. With the advent of DoH and DoT, all DNS traffic will be encrypted and the client will verify the authenticity of the response. Mainstream browsers like Firefox and Chrome have started integrating this feature in their nightly builds. On the mobile front, Google added support for the same in Android Pie. Cloudflare released a DNS daemon that runs on the major platforms (Linux/Windows/macOS) and proxies DNS requests via DoH, in turn rendering the embargo ineffective.

The above developments do not mean that ISPs will become incapable of enforcing the ban. Note that the above workaround helps only when the HTTP traffic is encrypted, i.e. when using HTTPS. ISPs could start DPI on HTTPS and look for blocked hostnames in the SNI to enforce the ban effectively for the time being. I say ‘for the time being’ because Cloudflare announced its support for Encrypted SNI, an extension to TLS 1.3, which will render SNI inspection fruitless.
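To make concrete what ‘looking for blocked hostnames in the SNI’ means, and therefore what ESNI takes away from a middlebox, here is an added Python example (not from the original post) that builds a constructed, minimal ClientHello and pulls the host name out of its plaintext server_name extension. A network operator can run the same extraction over a capture of their own TLS traffic to check whether the destination hostname is still readable on the wire. The ClientHello built here is sample data (zero random, a single cipher suite) rather than a real handshake.

```python
import struct

SNI_EXTENSION = 0x0000   # TLS extension type server_name (RFC 6066)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.3-style ClientHello record (sample data, not a real handshake)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry                 # ServerNameList
        exts += struct.pack("!HH", SNI_EXTENSION, len(sni)) + sni
    body = (
        b"\x03\x03" + bytes(32)                     # legacy_version + random (zeros here)
        + b"\x00"                                   # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                               # legacy_compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record):
    """Return the host_name from the plaintext SNI extension, or None if there is none.

    This is exactly what an on-path device can read: the first flight is unencrypted,
    so the name is visible to anyone between client and server until ESNI/ECH moves
    it under encryption.
    """
    if len(record) < 5 or record[0] != 0x16:          # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                        # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    off = 2 + 32                                       # skip legacy_version and random
    off += 1 + body[off]                               # legacy_session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
    off += 1 + body[off]                               # legacy_compression_methods
    if off + 2 > len(body):
        return None                                    # no extensions block at all
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        edata = body[off:off + elen]
        off += elen
        if etype != SNI_EXTENSION:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = edata[p]
            name_len = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            name = edata[p:p + name_len]
            p += name_len
            if name_type == 0:                         # host_name
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    hello = build_client_hello("123moviestime.com")
    print(extract_sni(hello))                # the hostname, readable without any key
    print(extract_sni(build_client_hello())) # None: nothing for a filter to match on
```

The whole decision a hostname filter makes rests on that one cleartext field; once the real name is carried only inside an encrypted extension, extract_sni (and the DPI box it stands in for) sees nothing useful.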

As a philosophical footnote, I believe that a ban on certain content on the internet can only be implemented by exploiting existing vulnerabilities, while academia and industry work tirelessly to ensure that they are mitigated. DoH, DoT and ESNI have been created to alleviate attacks such as DoS. I also think that a ban on content is by definition ineffective on the distributed internet and in some cases backfires: I learned about the documentary India’s Daughter only when the government tried to ban it. I will end this philosophical prose on a lighter note with a quote by the mega reverend of the church Our Lady of Perpetual Exemption, John Oliver: “Internet is like quicksand, the more aggressively you fight to remove from it, the deeper you sink down into it.”

Surya Teja Palavalasa

I'm Surya, currently working as a site reliability engineer at Media.net. My interests include building scalable, fault-tolerant, distributed systems, and cryptography.