[liberationtech] Narus- american company helped Egyptian government to spy on its citizens?
Jacob Appelbaum
jacob at appelbaum.net
Thu Feb 10 15:05:02 PST 2011
On 02/10/2011 02:41 PM, John Graham-Cumming wrote:
> What's the sign of SmartFilter in use? Is it a RST packet when you
> wouldn't expect one or proxying the HTTP connection and giving you
> some other page?
>
Generally it leaves a specific signature on the network. It isn't just a
RST packet if the user sees a block page. There is a redirection or a
full MITM that redirects to a special URL. I just went back to look at
some packet captures I have from Qatar. The main internet provider there
is Qtel and they inject an HTTP 302 redirect. They actually use
Netsweeper:
http://www.netsweeper.com/index.php?page=netsw_prod_content_filtering
When I attempted to visit the Tor website, I was redirected. The
redirect sends me to this URL:
http://proxy1.isp.qa:8080/webadmin/deny/index.html?dpid=1&dpruleid=7&cat=105&ttl=0&groupname=filter&policyname=filter&username=filter_89_211_128_0_19_&userip=89.211.134.135&connectionip=89.211.134.135&nsphostname=CPU-4c1&protocol=device&dplanguage=-&url=http%3a%2f%2fwww%2etorproject%2eorg%2f
The source of the redirect is the same IP as the normal Tor webserver -
so Qtel is actually impersonating Tor's webserver. It creates a race
condition and the browser is redirected. Tor's webservers are of course
outside of Qatar and so we will always lose a race with the local network.
Note that my IP and other PII is in that URL. That should make framing
someone quite simple - just change the parameters!
> In fact, on a related note. Was it SmartFilter that did the
> JavaScript injection in Tunisia?
>
I do not have packet captures from Tunisia - I bet you could just ask
the censors - Wired did an article on them recently.
All the best,
Jacob
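
Added example, not part of the original message: one way to check a captured HTTP response for the kind of injected deny redirect described above and to list the client identifiers it exposes. The function names and the matching heuristic are assumptions made for illustration; the sample URL is the one quoted in the message.

```python
from urllib.parse import urlsplit, parse_qs

# Redirect target quoted in the message above.
SAMPLE_LOCATION = (
    "http://proxy1.isp.qa:8080/webadmin/deny/index.html?dpid=1&dpruleid=7"
    "&cat=105&ttl=0&groupname=filter&policyname=filter"
    "&username=filter_89_211_128_0_19_&userip=89.211.134.135"
    "&connectionip=89.211.134.135&nsphostname=CPU-4c1&protocol=device"
    "&dplanguage=-&url=http%3a%2f%2fwww%2etorproject%2eorg%2f"
)

# Query parameters in that URL that identify the client (taken from the sample).
CLIENT_FIELDS = ("username", "userip", "connectionip")


def normalize(url):
    """Reduce a URL to (lowercased host, path) for comparison."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def inspect_redirect(requested_url, status, location):
    """Return a finding if the response looks like the injected deny redirect.

    Heuristic (an assumption, not a vendor specification): a 302 that leaves
    the requested host and echoes the requested URL back in a `url` parameter.
    """
    if status != 302 or not location:
        return None
    target = urlsplit(location)
    requested = normalize(requested_url)
    if (target.hostname or "").lower() == requested[0]:
        return None  # ordinary same-site redirect
    params = parse_qs(target.query, keep_blank_values=True)
    echoed = params.get("url", [None])[0]  # parse_qs percent-decodes the value
    if echoed is None or normalize(echoed) != requested:
        return None
    return {
        "filter_host": target.hostname,
        "filter_port": target.port,
        "deny_path_match": "/webadmin/deny/" in target.path,
        "category": params.get("cat", [None])[0],
        "blocked_url": echoed,
        "client_identifiers": {k: params[k][0] for k in CLIENT_FIELDS if k in params},
    }


if __name__ == "__main__":
    print(inspect_redirect("http://www.torproject.org/", 302, SAMPLE_LOCATION))
```

A match is only a hint: comparing the TTL and arrival time of the 302 against the genuine server's reply in the same capture is what confirms injection.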