The snooping of unencrypted SNI in the TLS handshake is a known weakness that is still mostly unresolved despite four years of standardization effort. The encrypted SNI work has been revised and updated to encrypted ClientHello and is still technically an IETF draft and not yet formalized in an RFC:
That said, CloudFlare, Firefox, and Chromium teams have all been working toward the evolving spec so one can hope that soon with ECH and DNS-over-HTTPS we will be able to have clients securely connect to servers without broadcasting the hostname to which they are connecting.
Pretty crazy that a country can just completely block all internet outside of what they want to be accessible...
One app that came to my mind reading this is Briar [1] - no real internet required, can connect to other briar participants via bluetooth and WiFi. Sadly only for Android...
The only real solution long-term is completely peer-to-peer ad-hoc networking that doesn't depend on BGP.
A few projects are in similar territory but none I've seen are working at the layer of bypassing BGP. Many are just acting as an overlay, which works to an extent. https://github.com/yggdrasil-network/yggdrasil-go
It's probably begging for a different model of the "internet" and where data lives.
My requirements:
1. Offline-first applications that sync via a pub/sub DHT of trusted peers. More details here but basically allows bypassing BGP.
2. Trusted peers are routable via a deterministic pathing algorithm without exposing the recipient (content addressable everything).
3. Automatically distribute storage and compute on all local devices a user has and/or needs (it's so dumb and wasteful that I only use one computer at a time when I have hundreds at my home at different levels of compute, from thermostat to fridge to laptop to desktop).
I've thought about this for a long time and planned many requirements out. I was very committed to working on it but then I lost motivation because I don't get along with most humans today and where the world seems to be going. It also sucks to have people think your ideas are crazy.
Most of the things you mentioned are implemented in the "Browser" that I've built. It's using multicast DNS to discover neighboring running instances and it has an offline cache first mentality, which means that e.g. download streams are shared among local peers.
Global peer discovery is solved via mapping of identifiers via the reserved TLD, and via mutual TLS for identification and verification. So peers are basically pinned client certificates in your local settings.
Works for most cases, had to implement a couple of breakout tunnel protocols though, so that peer discovery works failsafe when known IPs/ASNs are blocked.
Relaying and scattering traffic works automatically, so that no correlation of IPs to scraped websites can be done by an MITM. Tunnel protocols are all generically implemented, DNS exfiltration, HTTPS smuggling, ICMP tunnels, and pwnat work already pretty failsafe.
What's missing is UPnP support so that it behaves a little more gracefully when a router would be cooperative in nature, but after trying to implement the "specification" a bunch of times I skipped it for now.
Lots of work to be done though, and I had to focus on a couple of other things first before I can get back to the project.
The browser is part of a larger network that's trying to automate cyber threat intelligence on a peer-to-peer level, so clients, servers, websites and domains have a trust ratio and a history of trust to prevent misclassification of a new domain owner that e.g. defaced a website or tries to inject their malicious assets onto previously trusted peers.
How exactly are you going to "bypass BGP" on the global Internet? Reaching your trusted peers depends on routing, which means BGP (at least for anything outside of your ASN.)
I guess this would require everyone to use a government-sanctioned DNS, and that would require traffic on UDP 53 to non-gov DNS servers to be blocked? I felt like this was glossed over a bit too quickly in the article.
Probably more like all the local ISPs' DNS servers resolve that, or there's potentially some DNS rewriting going on. It's not too hard to rewrite basic DNS traffic. DNS is not encrypted, its payloads are very structured, and quite small.
FWIW here [1] is an option that should still work. I would be curious to hear from people in Iran if this no longer works and they are blocking SSH to VPS nodes.
Air dropping starlink terminals onto protesters is the solution.
In fact, if you live anywhere outside of the US, owning one "just in case" is good for future proofing your freedom, IMHO. Kind of like being armed.
Edit: in fact, starlink v2 global LTE-from-space coverage will be a true game changer for world freedom. We can only hope this comes to be sooner rather than later.
Until having a starlink terminal on your roof becomes punishable by death. You can try to hide them visually, but Iran could always detect them electronically if they want to put in the effort.
There's a pretty long history of dropping radio transmitters for people to use in violently authoritarian environments. Not without specialized uses but declaring it 'the solution' seems like overpromising things a bit.
Why not airdrop AKM assault rifles and lots of ammo then? The protesters could use the weapons to overthrow the government. Much more effective than Starlink when your government has a monopoly on violence.
I tried helping my Iranian friend get around the internet restrictions. I have to agree with the author: most big players could not give a flying f*ck. Even Signal can't be bothered to address the verification SMS issue.
Key word is bad days. Expats in China have noticed the same thing, with VPNs sporadically not working during summits, around certain holidays, etc. but resuming afterwards. Also, for some reason certain VPNs work more consistently than others even though they use the same protocols as blocked services. Some speculate that the ones that continue to work are either honeypots or the companies behind them have (social) connections.
Also, it's kind of poor taste to call those who want free(dom) internet there as "neo liberals"
This is a common and natural misconception. When the firewall gains a feature (i.e. the ability to block certain traffic) the VPN providers then have to figure out some technique to bypass it. This happens over and over again. The firewall isn't relaxing after the event, it is staying the same and the VPN provider has improved.
On your second point, I can't comment for all providers, but I've heard this rumour in a more specific context and can say that it is definitely at least sometimes false.
Neoliberal is usually used as a pejorative towards "liberals" who prioritise economic growth/profit over human dignity/freedom. Think: the Blair administration in the UK.
> Also, it's kind of poor taste to call those who want free(dom) internet there as "neo liberals"
Thanks, sincerely, for the note on language. I've used that insult a lot in the past.
I also had a string of international students do things like complain I was racist for asking questions and answers be repeated back in English, not just Mandarin. (And they weren't from Taiwan.)
It's true that America has no official language, but when folks like myself expressed that sentiment in the policy space, it was with the intent that if someone speaks French, Spanish, or one of the many languages of the Native Americans, they could be given services in a manner they understand, as is their human right.
It was not a rhetorical device meant to be wielded by agents of a foreign power.
I ended up accepting an alprazolam script, following a string of failed antidepressants, navigating the social milieu of "they treat me like an international student because I know who the spies are and refuse to just... hire me somewhere... as their system crashes around them"
This was in the lead up to, and during, the Summer of Snowden -- I was really pissed that no one would hire me into private industry and civil society... well all I can say about so called "civil" society is Epstein didn't kill himself.
> Instead, the TCP 3-way handshake won't complete (the syn-ack is dropped).
Sounds like my internet connection in grad student housing about 10% of the time, except the initial SYN is dropped. Pings and everything else are fine.
I remember one guy in my company had a hard-on for blocking every way to tunnel out of our network (...that was not required by anyone, he was just a security nut).
We had sites blacking out because he decided DNS tunnelling was bad, so he blocked anything with a low TTL. Meanwhile a simple POC DNS tunnel worked fine.
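The comment above is a good illustration of picking the wrong signal: the answering nameserver chooses the TTL, so a tunnel can answer with any value it likes, while CDNs and load-balanced services legitimately hand out short TTLs all day. As an added example (not from the thread or from any tool it mentions), the script below runs both a low-TTL rule and a label-shape heuristic over a constructed resolver log; the log format (`epoch client qname qtype ttl`), the hostnames, and the thresholds are all my assumptions, and it generalizes the single-rule case in the comment by grouping flagged names per parent domain so one odd hostname does not trip the alarm.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Set

# Constructed resolver log (not real traffic): epoch client qname qtype ttl.
# The tunnel-example.org names are made-up tunnel-style queries with a deliberately
# "normal" TTL; the example.net names are the CDN-style records a low-TTL rule hits.
SAMPLE_LOG = """\
1665000001 10.0.0.5 www.example.com A 300
1665000002 10.0.0.5 cdn-a1b2.static.example.net A 30
1665000003 10.0.0.5 googlehosted-content-static.example.net A 20
1665000004 10.0.0.9 qm4xw2zj7lkp9vt3bh5nd8rcgfy6eu0s.t.tunnel-example.org TXT 300
1665000005 10.0.0.9 b7ka3yx9hm2dn5qv8cwz4fje6rtl1gsp.t.tunnel-example.org TXT 300
1665000006 10.0.0.9 d4ph8sw1nk6xq3ym9fz2bcg5ruv7etl0.t.tunnel-example.org TXT 300
1665000007 10.0.0.5 mail.example.com MX 3600
"""


def parse_log(text: str) -> List[dict]:
    """Split the constructed log into one dict per line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, ttl = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                        "qtype": qtype, "ttl": int(ttl)})
    return records


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_by_ttl(records: List[dict], max_ttl: int = 60) -> Set[str]:
    """The rule from the comment: treat every answer with a short TTL as tunnel traffic."""
    return {r["qname"] for r in records if r["ttl"] < max_ttl}


def flag_by_label_shape(records: List[dict], min_len: int = 20,
                        min_entropy: float = 4.0) -> Set[str]:
    """Flag names whose leftmost label is long and high-entropy, the shape encoded payload takes."""
    flagged = set()
    for r in records:
        leftmost = r["qname"].split(".")[0]
        if len(leftmost) >= min_len and label_entropy(leftmost) >= min_entropy:
            flagged.add(r["qname"])
    return flagged


def tunnel_candidates(records: List[dict], min_hits: int = 3) -> Dict[str, int]:
    """Group shape-flagged names by parent (last two labels): a stream of distinct
    payload-looking labels under one parent is the signal, a single odd name is not."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    flagged = flag_by_label_shape(records)
    for r in records:
        if r["qname"] in flagged:
            parent = ".".join(r["qname"].split(".")[-2:])
            hits[parent].add(r["qname"])
    return {parent: len(names) for parent, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("low-TTL rule flags:    ", sorted(flag_by_ttl(recs)))
    print("label-shape rule flags:", sorted(flag_by_label_shape(recs)))
    print("tunnel candidates:     ", tunnel_candidates(recs))
```

On the constructed log the TTL rule flags only the two CDN-style hostnames and misses every tunnel query, while the label-shape rule flags the three tunnel queries and nothing else; the per-parent grouping is what keeps a single long CDN label from becoming a false positive in a real feed.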
This is difficult to read. The author confuses nouns and proper nouns and isn't clear about who it is they're referring to (who are the neo-liberals, for instance?).
I understand that not everyone is as good at writing as others, but it really doesn't take much effort to ask someone to proofread.
Otherwise, this is a good start, even though it lacks details and examples.
I recollect a few years ago, when the US ordered all western services to be blocked to Iranian citizens, there was a big outcry when GitLab and GitHub published blogs confirming their implementation of the Iran blockade. To me the west lost all moral arguments criticizing Iran for doing the same within their own country.
I almost stopped reading at "neo-liberal", man that term is getting boring, especially when used in non-sequitur fashion like "The most severe disruption is when the regime turns off all cell towers and all local Internet. They just pull the plug and it's game over for any neo-liberal smart-arse that thinks v2ray/tor/shadowsocks is the solution". WTF does that even mean? What does the author think it means?
This doesn't in any way solve the problem of getting traffic in/out of the country, where all local ISPs are legally obligated to singlehome themselves to the government ASN.
Unless we're talking about something like smuggled two way satellite terminals.
Why go for LTE when Wi-Fi is so much more feasible?
I mean, 10 bucks for an AP isn't far-fetched, whereas LTE antennas alone would explode the budget, even when considering using OsmocomBB with super old hardware/phones.
And every phone these days has Wi-Fi anyway. Most meshnet solutions rely on Wi-Fi, so you wouldn't even need to implement much software for peering.
You know what is crazy? I recently heard 20% of the adult population in Iran is in the Revolutionary Guard. This puts things into context for anyone who says "why don't people just overthrow the dictatorship". However, there were dictatorships with an even stronger hold on their population that fell, usually for economic reasons. I hope Iran's regime will follow.
Hmm, that seems way too high? They're a branch of the military[1], which is the biggest standing army in the Middle East, but even the whole army comes to about a million for a country of 86M.
dweekly | 3 years ago
https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
whatsthatabout | 3 years ago
[1] https://briarproject.org
pyinstallwoes | 3 years ago
Oh well.
cookiengineer | 3 years ago
[1] https://github.com/tholian-network/stealth
icedchai | 3 years ago
drummer | 3 years ago
valeg | 3 years ago
ghostpepper | 3 years ago
vel0city | 3 years ago
justsomehnguy | 3 years ago
Block tcp/853 and most common public DNS servers and you can control resolving on 98% of devices.
tenebrisalietum | 3 years ago
LinuxBender | 3 years ago
[1] - https://news.ycombinator.com/item?id=33025954
keyme | 3 years ago
missedthecue | 3 years ago
pvg | 3 years ago
petre | 3 years ago
honkler | 3 years ago
joisig | 3 years ago
buzzwords | 3 years ago
unknown | 3 years ago
[deleted]
neither_color | 3 years ago
computerfriend | 3 years ago
nibbleshifter | 3 years ago
dontbenebby | 3 years ago
(Happy spooky season!)
paulcarroty | 3 years ago
Nope, thanks, do not promote this shitty KGB-affiliated service.
Also if you're talking seriously about privacy - forget about all services hard-locked on SMS or phone numbers.
gbarut | 3 years ago
arbitrage | 3 years ago
hot_gril | 3 years ago
ilyt | 3 years ago
animitronix | 3 years ago
EMIRELADERO | 3 years ago
TulliusCicero | 3 years ago
drummer | 3 years ago
johnklos | 3 years ago
deusum | 3 years ago
But the whole, "neo-liberal arses" bit gave it the sense of an unhinged author or untrustworthy narrator.
nibbleshifter | 3 years ago
The weird use of the term neoliberal is pretty common in European liberal-as-in-freedom left leaning circles.
meitham | 3 years ago
DeathArrow | 3 years ago
arcticbull | 3 years ago
[edit] This is the same way that if I go out and throw someone into my basement it's 'kidnapping' but when the police do it to me, it's an arrest.
Jokingly this comment has the same vibes. [1]
[1] https://twitter.com/dril/status/473265809079693312?s=20&t=gD...
unknown | 3 years ago
[deleted]
LastTrain | 3 years ago
keyme | 3 years ago
Hacked femtocells? SDR? Something more clever?
Distribute eSIMs to everyday people.
The pirate operator takes all the risk and technical difficulties.
walrus01 | 3 years ago
cookiengineer | 3 years ago
unknown | 3 years ago
[deleted]
unknown | 3 years ago
[deleted]
throwaway0x7E6 | 3 years ago
the ultimate fate of the internet
Roark66 | 3 years ago
blacksmith_tb | 3 years ago
1: https://en.wikipedia.org/wiki/Islamic_Revolutionary_Guard_Co...
athinggoingon | 3 years ago