Russia Ramps Up Censorship Beef With Twitter Using Deep Packet Inspection Tech

from the not-helping dept

Over the last decade Russia has accelerated the government's quest to censor the internet. That was most conspicuous with the passage of a 2016 surveillance bill that not only mandated encryption backdoors, but effectively banned VPN providers from operating in the country unless they were willing to spy and censor at Putin's behest. Many VPN providers weren't keen on that, so they simply stopped doing business in the country.

More recently, Russia has been engaged in a bit of a hissy fit over Twitter's unwillingness to censor things the Russian government doesn't like. And while Twitter has been trying to filter more illegal behavior and pornography at the government's behest, the company hasn't been censoring broader content at the rate Putin and pals prefer. So as punishment, Russia has taken to throttling user access to Twitter to a rather 1997-esque 128 kbps, or about the speed of an old ISDN line. Granted, the ham-fisted gamesmanship Russia has been engaged in has already resulted in some notable collateral damage:

New data suggests (you can find the technical specifics here) that Russia is engaging in the throttling via the use of "middleboxes" that Russian ISPs have installed as close to the customer as possible. Russian authorities then feed the devices data on which domains should be throttled and punished, and the devices use deep packet inspection to identify targeted traffic. Ars Technica notes that the deep packet inspection technology (which US ISPs also use, though most frequently for targeted advertising) opens the door to a much more sophisticated tracking and censoring regime less prone to collateral damage:

"The middleboxes inspect both requests sent by Russian end users as well as responses that Twitter returns. That means that the new technique may have capabilities not found in older Internet censorship regimens, such as filtering of connections using VPNs, Tor, and censorship-circumvention apps. Ars previously wrote about the servers here.

The middleboxes use deep packet inspection to extract information, including the SNI. Short for “server name identification,” the SNI is the domain name of the HTTPS website that is sent in plaintext during a normal Internet transaction. Russian censors use the plaintext for more granular blocking and throttling of websites. Blocking by IP address, by contrast, can have unintended consequences because it often blocks content the censor wants to keep in place."

New reports suggest there are around seven countermeasures Russian companies and citizens can use to thwart these efforts, including ECH, or Encrypted ClientHello, an update for the Transport Layer Security protocol that encrypts the requested server name and so prevents SNI-based domain blocking and throttling. That forces government censors to rely on the more collateral damage-prone IP-level blocklists, which (might) act as a deterrent for censorship-obsessed governments that don't want a whole lot of attention focused on the fact they're massive cowards afraid of the free exchange of information that might challenge their hegemony.


Filed Under: censorship, deep packet inspection, russia, throttling
Companies: twitter


Reader Comments



  • PaulT (profile), 8 Apr 2021 @ 6:48am

    "So as punishment, Russia has taken to throttling user access to Twitter to a rather 1997-esque 128 kbps"

    I know that Twitter now has a higher limit and it's used for video and other media now, but my first thought was that it's funny that they think that this is a meaningful response to a service that famously built its audience on plain text of 140 characters or less. Those milliseconds would sure stop people...

    Also, enjoy that game of whack a mole, I'm sure that this would just encourage non-Twitter services to set up to provide ways for people to access video content outside of Twitter, but which could be linked as text from Twitter itself.

    • This comment has been flagged by the community.
      Anonymous Coward, 8 Apr 2021 @ 10:57am

      Re:

      cool story, bro

    • Anonymous Coward, 8 Apr 2021 @ 12:56pm

      Re:

      I know that Twitter now has a higher limit and it's used for video and other media now, but my first thought was that it's funny that they think that this is a meaningful response to a service that famously built its audience on plain text of 140 characters or less.

      Well, they no longer just give people the text. One has to run Javascript to see it—or substitute nitter.net for twitter.com, which might help the Russians.

  • Anonymous Coward, 8 Apr 2021 @ 7:25am

    I've heard the UK has put an order in for this technology.

  • This comment has been flagged by the community.
    Bear Bear this bears repeating, 8 Apr 2021 @ 10:25am

    Site that CENSORS and advocates MORE corporate control sez:

    [Russia doesn't] want a whole lot of attention focused on the fact they're massive cowards afraid of the free exchange of information that might challenge their hegemony.

    Oh, really.

    You tiny little cowards here can't stand even my mild-mannered dissent because your "hegemony" of advocating globalist corporations over The Public falls apart with the least dissent.

    • sumgai (profile), 8 Apr 2021 @ 10:37am

      Re: Site that CENSORS and advocates MORE corporate control sez:

      Troll-buttoned, as it contributed nothing of value to the conversation, just accusations and innuendo.

      It is too fookin' bad that ignorance isn't painful.

      • This comment has been flagged by the community.
        Anonymous Coward, 8 Apr 2021 @ 10:57am

        Re: Re: Site that CENSORS and advocates MORE corporate control s

        bork, bork, bork!

        you censor

      • This comment has been flagged by the community.
        Anonymous Coward, 8 Apr 2021 @ 11:03am

        Re: Re: Site that CENSORS and advocates MORE corporate control s

        hey, "sumgai", has it occurred to you that TD censoring in a piece about censoring is to show itself WAY below hypocrisy?

        • Anonymous Coward, 8 Apr 2021 @ 11:17am

          Re: Re: Re: Site that CENSORS and advocates MORE corporate contr

        • sumgai (profile), 8 Apr 2021 @ 6:08pm

          Re: Re: Re: Site that CENSORS and advocates MORE corporate contr

          And has it occurred to you that TD didn't do it, I did. Or more properly, I helped to do it. As a community-moderated forum, it takes more than one person to actually trigger the "Hide/Show" action, each person can only state his/her opinion via the Troll button.

          And while opinions can be hypocritical, more than a few people expressing the same opinion starts to look less like hypocrisy, and more like a majority opinion. It shouldn't have to be said, but I strongly doubt you'll find any long-timers in this comment area that endorses, or loves, or even just tolerates spam, trollishness, or even just plain old ordinary bullshit, no matter the source. (Perhaps excepting scatological references, we're sometimes a weird bunch here.)

          But thanks for playing, better luck next time. Next contestant, please!

          • Scary Devil Monastery (profile), 9 Apr 2021 @ 5:34am

            Re: Re: Re: Re: Site that CENSORS and advocates MORE corporate c

            "And has it occurred to you that TD didn't do it, I did. Or more properly, I helped to do it. As a community-moderated forum, it takes more than one person to actually trigger the "Hide/Show" action, each person can only state his/her opinion via the Troll button."

            It probably never has. In Baghdad Bob's dystopian la-la land "Techdirt" is a CIA or Google front set up exclusively to suppress him personally, by way of censorship and astroturfers commanded by Mike Masnick.

            The way he sees the world we're all just one and the same person (Mike Masnick) and all of techdirt just a scam meant to...uh...stop him from posting here, or something.

            Judging by his rhetoric I wouldn't be too surprised to learn that the day he disappears from these forums will have been the day he heads off to a water tower with a rifle.
            All we can hope for is that he's a nonviolent madman. Because it's pretty clear he went off the deep end long ago.

  • Anonymous Coward, 8 Apr 2021 @ 10:41am

    The Ars Technica article is based on a Censored Planet report that has lots of technical details.

    • The throttler is triggered upon observing Twitter-related domains (*.twimg.com, twitter.com, and t.co) in the SNI extension of a TLS client hello record.
    • The throttling operates by traffic policing. After the throttler is triggered, data packets transferred in either direction (download/upload) will be dropped once the rate limit is reached.
    • The throttling devices are placed close to end users and they are not co-located with the blocking devices, suggesting they are separately administered.
    • Throttling behaviors are consistent across different ISPs, suggesting a single implementation deployed widely or that the throttling devices are centrally managed.
    • Throttling can only be triggered for TCP connections that originate from within Russia (i.e. the client is in Russia). However, once such a connection is made, throttling can be triggered by a Twitter SNI sent in either direction.
    • Contrary to previous reports, the relaxed string matching rule of the throttler is still in effect for some domain strings, causing collateral damage, even though *t.co* and more recently, *twitter.com have been patched. For example, garbage.twimg.com is throttled suggesting that *.twimg.com is still a matching rule.
    • The throttler is stateful and drops states for inactive connections after around 10 minutes. Moreover, for each new connection it inspects beyond the initial packet, possibly as a countermeasure against circumvention attempts.
    • The throttling can be circumvented based on ad-hoc modifications to the session, TCP-level fragmentation, or TLS packet stuffing (splitting Client hello across packets).
    • We recommend that browsers and websites implement support for TLS Encrypted Client Hello (ECH, and its predecessor ESNI) to make it more difficult for censors to throttle based on SNI.
    • Monitoring throttling is challenging and existing censorship detection platforms aren’t equipped to cover it. This incident of Russia throttling Twitter serves as a wakeup call.

    An interesting observation is that this recent throttling is more centralized in its implementation than network censorship in Russia has historically been. ISPs in Russia have long had to implement site blocking according to the central authority Roskomnadzor's blocklist, but they were free to implement the blocks in whatever technical way they chose (see Censored Planet's earlier report). In contrast, evidence suggests that the throttling devices are (1) separate from ISPs' own site-blocking hardware, and (2) centrally controlled and operated by Roskomnadzor.

  • This comment has been flagged by the community.
    Anonymous Coward, 8 Apr 2021 @ 11:04am

    Back after blocked!

    You pretend can't see any similarity to own practice in stifling dissent, and the larger societal problem of mere corporations made immune and unaccountable to The Public's clear interest in having free and fair forums.

    • This comment has been flagged by the community.
      Anonymous Coward, 8 Apr 2021 @ 11:04am

      Re: Back after blocked!

      The mechanism may vary, but the intended result of your fascist notions will be that public discourse is controlled, and perhaps even more effectively than if gov't.

      Just your "hiding" of on-topic comments well within civil discourse shows you're WAY under hypocrisy.

    • This comment has been flagged by the community.
      Anonymous Coward, 8 Apr 2021 @ 11:06am

      Re: Back after blocked!

      And persistence pays.

      Why do you clowns try to CENSOR in this HOLEY system? You are just pointing up what try to hide! -- If only there were a name for that attempt...

    • This comment has been flagged by the community.
      Anonymous Coward, 8 Apr 2021 @ 11:08am

      Re: Back after blocked!

      And to be clear, three browser sessions just stopped working after one comment, so clearly poisoned by Admin click, NOT the "mighty filters", which eventually let all the text in, now scattered, but hey, that's the way Techdirt wants to play, and I like the HOOTS of seeing it play whack-a-mole!

    • sumgai (profile), 8 Apr 2021 @ 6:29pm

      Re: Back after blocked!

      Here's your problems bunky, in a nutshell. You babble on about something that simply isn't true, and the rest of us don't buy into your conspiracy theory.

      The point of the Hide/Show button is not to censor you in any manner, it's to teach you that you've overstepped your bounds, said boundaries being to be somewhat polite, recognize that others also have opinions, agendas, and their own conspiracy theories, the latter which might not match up to yours 100%.

      Think of it this way: If Mike wanted to, he could institute a "reputation points" or a "Karma points" system, whereby your post would still be fully visible, but your Karma score would also be visible. If you don't earn Karma, then it doesn't come your way, pure and simple. And readers can see that a Karma score of some negative number probably indicates a non-productive posting, and can be safely skipped over.

      I couldn't care less whichever way Mike wants to do it, I'm just glad that he lets the rest of us chime in with our opinions of some posters, good or bad. But that word "productive" is your indicator - if you aren't contributing something worthwhile to the conversation, then you're probably going to be Troll-buttoned, just that simple.

      tl;dr:

      Instead of jumping to the conclusion that you've been censored, you should think to yourself "Why did these people think that my post had something wrong with it?".

      • Scary Devil Monastery (profile), 9 Apr 2021 @ 5:39am

        Re: Re: Back after blocked!

        "Think of it this way: If Mike wanted to, he could institute a "reputation points" or a "Karma points" system, whereby your post would still be fully visible, but your Karma score would also be visible."

        That would require Baghdad Bob to post under one and the same nick - a login account.

        The very second Mike introduces such a system Baghdad Bob will do as he did back on torrentfreak and quietly vanish in smoke - because he keeps getting his accounts banned when he goes off on a rant about how <minority X> should all get raped in prison or how <minority Y> is all about grift, or how everyone insisting there must be observed jurisprudence between suspicion and sentencing is an evil pirate.

        He can't post or comment on any site which requires a login of any kind.

        • sumgai (profile), 9 Apr 2021 @ 10:21am

          Re: Re: Re: Back after blocked!

          SDM,

          I had to think for a moment on what you said about logins, and I realized that I did a dis-service to ACs. But I don't believe that an account would be required insomuch as Karma points will quite likely encourage the creation of an account. This is because as soon as someone posts under AC, he/she will accrue all of the negative points thus far assigned, properly deserved or not. Mike would have no incentive to keep setting AC back to zero Karma.... or perhaps he would, I can't really say for sure. I do know that at least two different persons are posting here under the AC moniker whom I think post wisely, and I agree that it would be a sad day for the comments section to see them leave because they simply don't want to acquire an account. (I myself used a fictitious name to sign up, why can't others do the same?)

          So there is no absolute "best way to do it", but I'm pretty happy with the way things are set up at this point in time. I didn't originally espouse that Mike should change to a different system, I was only using that as an example of how the Troll-button should be considered, namely as a "teaching device, to improve one's ability to discuss topics of interest with other community members without giving offense, inadvertently or otherwise".

          I trust we're on the same page here. Thanks for the note.

  • Anonymous Coward, 9 Apr 2021 @ 4:01pm

    With VPNs, roll-your-own is the best.

    Set up your own private server and don't use commercial VPN services.

    That is what I do on road trips to Mexico and Canada, so I can, say, listen to iHeart radio while driving and I will not be detected by iHeart as using a VPN. Since my VPN is private and not commercial, I will not be on any IP ban list of any commercial VPN providers, so iHeart, Netflix, etc, will never know I am abroad and coming in via the VPN on my home network.

    Just do that when going to Russia, if you have broadband service at home which allows servers.

    Even though SoftEther is meant for operating a public free VPN, it can be used as a private VPN as well. Just make sure that the box for listing your VPN on the SoftEther web site is not checked and your VPN will remain private.

    SoftEther, in private mode, works great, and just as good as a commercial product.

    Since it is open source, you don't have to pay for "seat licensing", like commercial VPN products.

    The only problem I have ever had with it is the SSL VPN on port 443 can be cracked.

    Taco Bell can apparently crack it. I have found that when I use the SSL VPN at the local Taco Bell, I will still be filtered, even though I am running an SSL connection to my server.

    Taco Bell has figured out a way to crack and sniff SSL VPN connections if you are using SoftEther to connect to your own private VPN

    Though one trick I found was to connect to SoftEther on the SSL, and then connect to the PPTP VPN using the internal address on my network, instead of the public IP address, and that totally bypasses their blocking of PPTP VPNs. That prevents the Bell from being able to crack and sniff my connection.

    And before anyone says anything, using that method to bypass the 'Bell's filtering like that does break either California law, or the CFAA.
