[tor-dev] Networks Blocking Tor's SSL Connections

David Fifield david at bamsoftware.com
Wed Oct 7 03:34:16 UTC 2015


On Wed, Oct 07, 2015 at 10:06:00AM +1100, Tim Wilson-Brown - teor wrote:
> Hi All,
> 
> This morning I observed a “free wifi” network blocking tor’s SSL connections.
> While other SSL connections from my machine went through, I observed multiple
> network traces of tor completing a TCP 3-way handshake, and then getting no
> reply to the first SSL packet it sent.
> 
> I think they may have been blocking unknown or untested certificates, but I
> can’t be sure.
> 
> Still, I was able to use meek(-google) to access tor.
> 
> Has anyone else seen this kind of blocking behaviour?
> (Is this the right list?)

I don't know about specific instances in the free wifi scenario, but
some national censorship systems work that way, observing something
about the handshake rather than blacklisting the IP addresses of
directory authorities or relays.

Iran filters Tor by ssl handshake, Sept 2011
https://bugs.torproject.org/4014

GFW probes based on Tor's SSL cipher list (Dec 2011)
https://bugs.torproject.org/4744

Ethiopia blocks Tor based on ServerHello (Jun 2012)
https://bugs.torproject.org/6045

Kazakhstan uses DPI to block Tor (Jun 2012)
https://bugs.torproject.org/6140

UAE uses DPI to block Tor (Jun 2012)
https://bugs.torproject.org/6246

The Philippines are blocking Tor? (Jun 2012)
https://bugs.torproject.org/6258

How is Iran blocking Tor? (Oct 2012)
https://bugs.torproject.org/7141

SSL handshake filtered when MAX_SSL_KEY_LIFETIME_ADVERTISED is 365 days (Mar 2013)
https://bugs.torproject.org/8443


More information about the tor-dev mailing list