[liberationtech] SOPA and DNS-level Censorship Circumvention
okhin at okhin.fr
Tue Jan 10 01:45:33 PST 2012
Hello list, first post here (quick summary: I'm one of the Telecomix
agents working on Syria).
On Mon, 09 Jan 2012 18:17:44 -0800
Jordan McCarthy <jrmccarthy at stanford.edu> wrote:
> As I was reading your email, it occurred to me that one of the (many)
> detrimental by-products of this whole SOPA/PROTECT IP debacle may be
> to severely exacerbate the U.S.'s already-nasty malware problem. As
> you point out, the second any legislation of this kind is enacted, a
> host of circumnavigation tools are going to immediately hit the
> market. While the ones you describe (and have been so kind as to
> implement) are obviously well-intentioned, I can't imagine that it'll
> take more than three seconds for scam-artists of all stripes to jump
> on the bandwagon, and start putting out their own "auto-configuration
> anti-censorship utilities" based on their own poisoned DNS servers
> (ie, ones that direct wellsfargo.com to
> wellsfargo.com.%34%63%22...). Of course, they've already done this
> sort of thing in various ways, but it seems very, very likely that
> SOPA will only make the phenomenon a whole lot worse.
> For the purposes of this discussion, though, I suppose my main point
> is that any system of the kind under consideration should optimally
> have some sort of VERY easy-to-understand trust/authentication
> mechanisms built-in, and be accompanied by an extensive
> public-awareness campaign, to prevent unwitting users from being
> duped into sending their credit card numbers straight to the
> blackhats' databases (to an even greater extent than they already
> are).
What about DNSSEC? I think it can do it (if you can't provide the full
chain of signature to the root, then you're probably lying).
> Nevertheless, I'm exceedingly grateful that people are starting to
> think about and code up some of these utilities. It looks like we
> might need them.
Telecomix have, for some time now, some censorproof DNS that are quite
useful; you can find them at dns.telecomix.org and the address of the
resolver is: and the host is in Sweden (so Swedish law
applies). I'm using it because we have some serious stuff with it over
there (due to law and regulation for online gambling that requires the
ISP to use the (sic) "blocking DNS protocol" to forbid access to
illegal websites).
However, on a similar topic, we are noticing that Tarassul ISP in Syria
now tries to enforce a mandatory DNS system on all the user boxes they
have. That implies they want to do some serious censorship over
there. And I'm wondering if they can enforce the use of their own DNS
(I can do it using a quick iptables rule, so technically it's doable),
to shut down any other DNS alternatives.
> - Jordan
> My PGP Public Key <http://www.stanford.edu/%7Ejordanrm/pubkey.asc>
> Sent from a computer running Free and Open Source Software
> On 01/09/2012 04:41 PM, Griffin Boyce wrote:
> > Hey all,
> >
> > With the SOPA vote on the horizon, now seems to be a good time to
> > talk about censorship at the DNS level.
> >
> > Computers use Domain Name Servers to make the connection to
> > websites. These large servers act as online address books for
> > websites, telling computers where the site they want to visit is
> > located. So the flow is typically /Website Address -> DNS Server
> > -> Website's Host/. If SOPA passes, sites alleged to be infringing
> > copyright will be blocked from visitors in the US: /Website Address
> > -> US DNS Server -> Block Page/.
> >
> > You can customize which servers your computer uses to fetch
> > addresses, and bypass these types of blocks entirely. A good
> > tutorial on how to do that is here:
> > http://code.google.com/speed/public-dns/docs/using.html Though keep
> > in mind that the server addresses mentioned on that tutorial are
> > located in the United States. So anyone looking to
> > bypass /American/ censorship will need to use servers in an
> > uncensored country like Iceland or Belgium.
> >
> > Another good option is using a browser plugin. For Firefox,
> > there are two currently: Soapy and DeSopa. DeSopa automatically
> > fetches server details for websites, but relies on a website that
> > is likely to be blocked once SOPA goes into effect. However, it
> > does work until blocked. I made Soapy with all of the rules it
> > needs to function built into it. With Soapy, every site that is
> > enabled must have redirection rules created for it, but it's also
> > quite light (<50kb, each site is ~200 bytes) and easily updated with
> > new sites.
> >
> > DeSopa: https://addons.mozilla.org/en-US/firefox/addon/desopa/
> > Soapy: http://griftastic.com/soapy.html
> >
> > These browser plugins are really quick hacks designed to get into
> > people's hands quickly. (And there aren't any for Chrome, Opera,
> > Safari, or IE yet). There has to be a more elegant and robust
> > solution that we can create for people affected by this type of
> > censorship -- not just in the US, but around the world. It's
> > completely possible to run censorship-resistant DNS servers in
> > uncensored countries, but the critical missing element is a highly
> > usable piece of software that will adjust the user's network
> > settings without a major hassle. DnsJumper might work, but isn't
> > open-source and users have to find unblocked servers to use.
> >
> > What do you all think about this?
> >
> > All the best,
> > Griffin Boyce
> >
> > --
> > "I believe that usability is a security concern; systems that do
> > not pay close attention to the human interaction factors involved
> > risk failing to provide security by failing to attract users."
> > ~Len Sassaman
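Added example, not part of the original message or of any Telecomix tooling: the DS-to-DNSKEY digest check (RFC 4034) that links each zone to its parent in the DNSSEC chain mentioned in the reply above, walked from a locally held root trust anchor. All function names are hypothetical and the keys are constructed sample bytes; RRSIG signature verification, which a real validator also performs at every step, is left out.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) DNS wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes):
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), digest

def first_broken_link(chain):
    """chain: (zone, DNSKEY RDATA the zone serves, DS its parent publishes),
    ordered from the root down; the root's DS is the local trust anchor.
    Returns the first zone whose key does not match that DS, else None."""
    for zone, rdata, parent_ds in chain:
        if make_ds(zone, rdata) != parent_ds:
            return zone
    return None

# Constructed sample keys (not real zone keys).
ROOT_KEY = dnskey_rdata(257, 8, b"root-ksk-constructed")
ORG_KEY = dnskey_rdata(257, 8, b"org-ksk-constructed")
FORGED_KEY = dnskey_rdata(257, 8, b"resolver-substituted-key")
TRUST_ANCHOR = make_ds(".", ROOT_KEY)
ORG_DS = make_ds("org.", ORG_KEY)

# An honest resolver relays the zone's real key; a lying one substitutes its
# own key but cannot change the DS already covered by the parent's signature.
honest = [(".", ROOT_KEY, TRUST_ANCHOR), ("org.", ORG_KEY, ORG_DS)]
lying = [(".", ROOT_KEY, TRUST_ANCHOR), ("org.", FORGED_KEY, ORG_DS)]

if __name__ == "__main__":
    print("honest chain breaks at:", first_broken_link(honest))
    print("lying chain breaks at:", first_broken_link(lying))
```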