SSL under attack in Iran

Over the past few days, Project Ainita has been receiving reports that the Iranian telecom authorities are trying to interrupt SSL proxying using deep packet inspection.

We already knew for a fact that they monitor SSL connections using DPI, and that if a connection fits the rules and is flagged as "SSL used as Tunnel" they throttle SSL to make it unusable for tunnelling purposes. Since a few days ago, however, they have managed to somehow "detect" when you are trying to use an SSL proxy and terminate the SSL handshake. This is not happening on a wide scale, and we suspect this is a test with a limited user base. Here is a sample summarized log of what happens:

[57:52] Testing Started. Proxy Server Address: XXXXXXXXXX Protocol: HTTPS
[57:52] Starting: Test 1: Connection to the Proxy Server
[57:52] IP Address: XXXXXXXXXX
[57:55] Connection established
[57:55] Test passed.
[57:55] Starting: Test 2: Connection through the Proxy Server
[58:03] Error  10060: Connection timed out.. Connection: close
[58:03] Test failed.
[58:03] Testing Finished.

As you can see, the connection is established successfully, but as soon as the Proxifier client tries to establish an SSL tunnel it loses the TCP connection to the proxy server.
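
One way to triage many such user-submitted logs and separate "proxy unreachable" from "TCP connects, tunnel setup is cut" (an added example, not part of the original report or of the proxy client). It assumes the [mm:ss] stamps and message wording seen in the sample above; the function names and verdict labels are hypothetical.

```python
import re

# Constructed sample: the summarized log from this post, address masked as on the page.
SAMPLE_LOG = """\
[57:52] Testing Started. Proxy Server Address: XXXXXXXXXX Protocol: HTTPS
[57:52] Starting: Test 1: Connection to the Proxy Server
[57:52] IP Address: XXXXXXXXXX
[57:55] Connection established
[57:55] Test passed.
[57:55] Starting: Test 2: Connection through the Proxy Server
[58:03] Error  10060: Connection timed out.. Connection: close
[58:03] Test failed.
[58:03] Testing Finished.
"""

# Split on timestamps, so one-entry-per-line and run-together logs both parse.
ENTRY = re.compile(r"\[(\d+):(\d+)\]\s*(.*?)(?=\s*\[\d+:\d+\]|\s*$)", re.S)
START = re.compile(r"Starting: Test (\d+): (.+)")
ERROR = re.compile(r"Error\s+(\d+):")  # e.g. 10060 = Winsock WSAETIMEDOUT


def parse_tests(log):
    """Return one dict per test: number, name, passed, error code, duration in s."""
    tests, current = [], None
    for minute, second, msg in ENTRY.findall(log):
        stamp = int(minute) * 60 + int(second)  # assumption: stamps are mm:ss
        started = START.match(msg)
        if started:
            current = {"n": int(started.group(1)), "name": started.group(2).strip(),
                       "passed": None, "error": None, "start": stamp, "secs": None}
            tests.append(current)
        elif current is not None:
            err = ERROR.match(msg)
            if err:
                current["error"] = int(err.group(1))
            elif msg.startswith(("Test passed", "Test failed")):
                current["passed"] = msg.startswith("Test passed")
                current["secs"] = (stamp - current["start"]) % 3600  # hour rollover
                current = None
    return tests


def classify(log):
    """Test 1 = TCP connect to the proxy, Test 2 = request through the tunnel."""
    results = {t["n"]: t for t in parse_tests(log)}
    connect, tunnel = results.get(1), results.get(2)
    if connect is None or not connect["passed"]:
        return "proxy_unreachable"
    if tunnel is not None and tunnel["passed"] is False:
        return "tunnel_interrupted_after_connect"
    return "ok" if tunnel and tunnel["passed"] else "incomplete"
```

Counting verdicts per ISP and per day across submitted logs shows whether the interruption is limited to a test group or applied network-wide.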

The same thing is happening with Tor: a developer reported that the DPI in Iran detects the 356-day expiry timestamp on the SSL certificate generated by Tor and terminates the connection. The Tor DPI rule seems to be implemented at the country level, and that is why Tor bridge connections have not worked since early March.