Yesterday, I watched an interview[2] with a former employee of Iran's "National information network" project, claiming his intentions were to improve the security of the country in general, but he is deeply unhappy that it has helped the government to shut off the Internet while killing people.
As a developer and a security expert myself, working for a private sector company in Iran, there is almost no day in my life without thinking about the morality of my work. I have never worked (or even intended to work) on projects like the "National information network" or other similar projects.
Alas, the problem does not end here. In a country with all the infrastructure controlled by the government, naturally most of our customers are important government-affiliated organizations. Because of our company's position and considering the NDAs, the developers are not supposed to know the customers. Alas, this is just theory. I know a lot of our customers and some of them are pretty bad, very very bad, with bloody hands even in this week's suppressions.
I don't think our product is used for killing people, but what if it indirectly aids those organizations to achieve their nasty goals? This question drives me crazy and I am not alone. There are lots of ethical developers in my country working directly or indirectly for such organizations. I have lots of friends, former employees of companies with censorship/monitoring projects, that have left the country for new jobs. Seriously, what other options do we have?
[1] https://www.wired.com/story/iran-internet-shutoff
[2] In Persian, https://www.bbc.com/persian/iran-50504210
[3] https://tools.ietf.org/html/rfc7258
So I'm doing a normal Google search like I do a hundred times everyday, and suddenly I get this message from Google:
"SSL search is off
This network has turned off SSL search, so you cannot see personalized results.
The security features of SSL search are not available. Content filtering may be in place."
I look up at my URL bar, and yes, it says http not https. I get curious. I search Google's support pages for some way the government can mess with my Google search (I live in Iran) and I find this: https://support.google.com/websearch/answer/186669?hl=en
To quote the relevant part: "To utilize the no SSL option for your network, configure the DNS entry for www.google.com to be a CNAME for nosslsearch.google.com."
I dug around a little and learned that all DNS queries are answered by a nearby spoofing server (nearby, because it responds so fast compared with what I have to endure here!). I could do something like "nslookup www.google.com 1.2.3.4" (anything works instead of 1.2.3.4, whether a real DNS server or not) and get "216.239.32.20", which is the IP address for nosslsearch.google.com.
I tested this with four different servers around the country that I have ssh access to. Everywhere it's the same.
DNS spoofing is a known government technique used for content blocking in Iran, but I haven't seen it used for this purpose before. The government has long been lamenting Google's decision to go SSL. They have been looking for some way to get to see what people are searching again, and they seem to have found it.
The obvious way to get around this for me would be to add an entry in my /etc/hosts file or visit encrypted.google.com for searching. I suggest the same thing to other people living in Iran.