Via Spencer, an interesting article about the Iranian protesters’ use of Tor, The Onion Router. I’m a big fan of Tor, and have seen it successfully used to evade dictatorial regimes in the past (specifically the people running NBA League Pass). But it’s probably worth pointing out Tor’s limits as they pertain to the situation in Iran.
First, you really can’t count on Tor for anonymity or encryption. The right way to do encryption on the internet is for your machine and the server with which it’s communicating to agree on a cryptographic arrangement that begins with you and ends with it. If the server isn’t expecting to receive encrypted content, it won’t know what to make of any such content that it receives — that’s kind of the point of encryption, right? So at some point Tor needs to decrypt your traffic and send it out onto the internet in its original, exposed form. Before it does that it passes it back and forth between who-knows-how-many nodes, concealing its point of origin. But hiding your IP address won’t do you much good if malevolent actors get their hands on the eventually-decrypted content and it contains your email address, or Twitter login name, or whatever else.
And it’s not too hard for them to do this. Tor relies on kind-hearted souls to run “exit nodes” — the spots where traffic gets decrypted and sent back into the plain internet. And if you run an exit node, you can easily choose to look at all of the traffic coming through it. In 2007 one clever guy did just that, and managed to capture sensitive information being emailed by embassy staffers. Looking at the Tor exit node instructions, it doesn’t look like any node-approval bureaucracy has been added since this incident (nor should there have been, in my opinion). So there’s nothing stopping the Iranian government from setting up some exit nodes, grabbing whatever fraction of total Iranian Tor traffic lands in their laps, pulling email addresses and names from it and going after those people.
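As an added illustration (not from the original post), here is a toy model of why the exit relay, and only the exit relay, sees your traffic in the clear: each relay peels one layer of encryption, learns only the previous and next hop, and the last one hands the innermost bytes to the destination. The stream cipher and the pre-shared per-relay keys are constructed stand-ins for Tor's real ciphers and circuit key exchange; the second run shows that when the payload is itself encrypted end to end, the exit still learns the destination but not the content.

```python
import hashlib
import hmac
import os

HOP_LEN = 16  # fixed-width "next hop" field inside each layer (toy framing)


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def build_onion(keys, route, payload: bytes) -> bytes:
    """route = [guard, middle, exit, destination]; keys[i] is shared with route[i]."""
    cell = payload
    for i in reversed(range(3)):  # innermost layer is the exit's, outermost the guard's
        cell = seal(keys[i], route[i + 1].ljust(HOP_LEN).encode() + cell)
    return cell


def relay(key: bytes, cell: bytes):
    """One relay peels its layer and learns only the next hop and the inner bytes."""
    plain = unseal(key, cell)
    return plain[:HOP_LEN].decode().strip(), plain[HOP_LEN:]


def trace(keys, route, payload: bytes):
    """Walk the circuit and record what each relay can observe."""
    cell, prev, log = build_onion(keys, route, payload), "client", []
    for i in range(3):
        next_hop, cell = relay(keys[i], cell)
        log.append({"relay": route[i], "from": prev, "to": next_hop, "sees": cell})
        prev = route[i]
    return log


if __name__ == "__main__":
    keys, route = [os.urandom(32) for _ in range(3)], ["guard", "middle", "exit", "mail.example"]
    for hop in trace(keys, route, b"user=alice&pw=hunter2"):  # constructed sample payload
        print(hop["relay"], "from", hop["from"], "to", hop["to"], "sees", hop["sees"][:24])
    e2e = os.urandom(32)  # key shared only between client and destination (e.g. TLS)
    print("exit sees with end-to-end encryption:", trace(keys, route, seal(e2e, b"user=alice"))[2]["sees"][:24])
```

The first run prints the credential in the clear at the exit, which knows it came from "middle" and is bound for the destination but never sees the client; the second run shows the exit holding only ciphertext it cannot open.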
Nor is there any reason why Tor can’t be blocked. SSL traffic — the most widely used, genuinely secure encryption on the internet (it’s what protects your credit card number from snoopers when you buy something from Amazon) — is blocked in Iran. Now, given that Tor is working while SSL isn’t, the latter is probably being blocked through the relatively crude measure of turning off traffic on port 443, which is the standard port associated with https:// URLs. But with a semi-modern firewall it’s possible to block encrypted traffic regardless of the port — I’ve worked in offices that do this. That would effectively kill SSH, SSL, Tor and any other way of concealing online activities from eavesdropping government agents.
Actually, the government could do far worse. They could allow traffic through, but flag encrypted traffic to non-commercial sites for investigation. Or they could set up man-in-the-middle attacks and rely on users to approve the certificate warning they receive. Or they could create redirects that send people to phishing sites that resemble Twitter and capture passwords but seamlessly pass tweets through to the real Twitter and then use the credentials to secretly arrange tweetups and the attendees all think they’re walking into an underground storefront but then why is it so dark and the doors close and they’re in THE BACK OF A TRUCK and it pulls away toward who knows where! OMG! Cut to our hero!
But that would be a lot of trouble. And for all of the conspiracy theories floating around Twitter about Iranian sysops planting hashtags to splinter the online protest’s efficacy, the actual shape of Evil Iranian IT probably looks a lot less like the climactic scenes of Neuromancer. That’s not to say that the import of the online part of these protests is nil — I’ve pretty well been convinced that my initial skepticism was too extreme. But it is to say that we should resist writing any definitive-sounding encomiums about the tools being used to get internet traffic out of Iran. The sad truth is that if the monopoly ISP is run by repressive theocrats with adequate time and resources, aspiring online activists are kind of screwed. To the extent the authorities care, anything that works very well is going to stop working soon enough.