mozilla / addons

☂ Umbrella repository for Mozilla Addons ✨

addons.mozilla.org is blocked in Kazakhstan #1284

Closed StudioMaX closed 3 years ago

StudioMaX commented 3 years ago

Describe the problem and steps to reproduce it:

  1. Live in Kazakhstan or use any proxy or VPN with location in Kazakhstan
  2. Try to open https://addons.mozilla.org

Access to https://addons.mozilla.org is blocked from Kazakhstan.

What happened?

Firefox closed the connection with a PR_CONNECT_RESET_ERROR error.

What did you expect to happen?

https://addons.mozilla.org opens as before.

Anything else we should know?

  - Results from website availability checker: https://ping-admin.ru/free_test/result/1610296480117c1cgs0a2359d8qow53.html
  - Measurements from RIPE Atlas Probe to target=addons.mozilla.org with SNI=addons.mozilla.org: https://atlas.ripe.net/frames/measurements/28589165/#!probes - timeout reading hello
  - Measurements from RIPE Atlas Probe to target=addons.mozilla.org with SNI=mozilla.org: https://atlas.ripe.net/frames/measurements/28589202/#!probes - everything is OK

eviljeff commented 3 years ago

Hi, can you confirm you are still unable to access https://addons.mozilla.org today? I just tried with a VPN to Kazakhstan and was able to connect.

StudioMaX commented 3 years ago

Yep, still doesn't work. addons.mozilla.org was resolved to these IP addresses: 44.239.254.46, 44.232.62.131, 52.35.164.186.

New check from ping-admin (the result is still the same): https://ping-admin.ru/free_test/result/16104434905b637p87n89a875e75ju5.html

From RIPE Atlas: https://atlas.ripe.net/measurements/28628100/#probes (I have added a few probes from Russia just as an indication that it works outside of Kazakhstan at the same moment).

You can also check this via RIPE Atlas Probe if you have any credits.

eviljeff commented 3 years ago

@bqbn can you look into this?

willdurand commented 3 years ago

If it's a peering issue I am not sure what we can do :/

StudioMaX commented 3 years ago

I have an assumption that the blocking occurs through DPI by detecting addons.mozilla.org via the SNI header inside the TLS handshake, since I can connect via telnet to the above IP addresses on port 443. And as indicated in the RIPE Atlas report, the connection was closed at the TLS client hello stage.

Does Mozilla have any plans to implement eSNI/ECH server-side support, even though its RFC is still in draft, since browser support has been around for several years? I understand that this is not a quick/real solution and integration into your infrastructure can take many months.
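
The differential check described in the comments above (TCP to port 443 succeeds, the handshake fails only when the affected name is sent as SNI, and a control name on the same IP works) can be scripted. This is an added example, not part of the original thread or Mozilla's code; the function names and verdict labels are assumptions, and the sample outcomes are constructed to mirror the report.

```python
import socket
import ssl

def probe(ip, sni, port=443, timeout=5.0):
    """Connect to ip:port and attempt a TLS handshake that sends `sni`.
    Returns the stage reached: 'tcp_fail', 'tls_fail' or 'ok'."""
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError:
        return "tcp_fail"
    # Certificate checks are off on purpose: this measures whether the
    # handshake completes, not whether the certificate matches the SNI.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=sni):
            return "ok"
    except OSError:  # reset, timeout or TLS alert (ssl.SSLError is an OSError)
        return "tls_fail"

def classify(target, control):
    """Compare the outcome for the affected SNI with a control SNI on the same IP."""
    if target == "ok":
        return "reachable"
    if target == "tcp_fail":
        return "ip_or_port_unreachable"      # routing/peering or IP block, not SNI
    if control == "ok":
        return "sni_dependent_failure"       # consistent with SNI-based filtering
    return "tls_failure_not_sni_specific"    # server or path problem for any name

def diagnose(ips, target_sni, control_sni, probe_fn=probe):
    """Probe every IP with both names; probe_fn is injectable for offline runs."""
    return {ip: classify(probe_fn(ip, target_sni), probe_fn(ip, control_sni))
            for ip in ips}

if __name__ == "__main__":
    # Constructed outcomes mirroring the thread's report, so this runs offline;
    # drop the last argument to measure from the local vantage point instead.
    observed = {"addons.mozilla.org": "tls_fail", "mozilla.org": "ok"}
    ips = ["44.239.254.46", "44.232.62.131", "52.35.164.186"]  # from the thread
    for ip, verdict in diagnose(ips, "addons.mozilla.org", "mozilla.org",
                                lambda ip, sni: observed[sni]).items():
        print(ip, verdict)
```

A `sni_dependent_failure` verdict only shows that the outcome depends on the name in the ClientHello; it has to be compared with the same probe from a vantage point outside the affected network before attributing it to filtering.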

bqbn commented 3 years ago

Is it the case that only probes in Kazakhstan use SNI to connect to AMO? Because from the links in the first comment, it looks like probes in other countries returned successfully.

AWS classic load balancers do not support Server Name Indication (SNI), and thus we use a SAN certificate as recommended by AWS.

We are planning to move AMO to load balancers that support SNI, but I can't disclose the details just yet.

StudioMaX commented 3 years ago

Since this is still a problem, could you please ask your support team to check for incoming emails in your internal systems (zendesk, etc.) for the last 1-2 months that mention "Kazakhstan" or "Казахстан"? If we assume that the regulatory authorities didn't like some addon (for example, related to VPN or ways to bypass locally censored websites), then theoretically they could have sent an email to some of your support email addresses with a request to remove/block this addon or something else.

dragongling commented 3 years ago

An unexpected issue for me. I couldn't find information about blocking this site where I usually can: https://www.gov.kz/memleket/entities/qogam/report-internet-content?lang=en , so this doesn't seem legal. Can anyone provide information about this (English, Russian, Kazakh)?

StudioMaX commented 3 years ago

@dragongling I sent an official request to the Ministry of Information and Social Development of the Republic of Kazakhstan with a question about the reason for blocking this domain, but so far I haven't received any response. Although I doubt that they will provide a reason or link to any specific page they wanted to block. Most likely there will be one more formal reply from them like "blocked due to prohibited content" or "we didn't block this domain".

eviljeff commented 3 years ago

I don't know if @kewisch has anything to add re: takedown requests received from Kazakhstan (they would have to come via Mozilla's legal department) but blocking the entire site seems extreme when we do have actions we can take around particular problem add-on(s) if legally required.

dragongling commented 3 years ago

Works for me today, can someone remeasure it? I don't have much experience with availability checkers.

StudioMaX commented 3 years ago

Yes, it works for me now.

RIPE Atlas: https://atlas.ripe.net/measurements/28819900/#probes

Ping-Admin: https://ping-admin.ru/free_test/result/161129379328nts6x4105fz104weg50w9.html

It is better to wait for an official response from the Ministry to exclude the likelihood of re-blocking.

StudioMaX commented 3 years ago

Official response here: https://dialog.egov.kz/questioncontroller/view?id=661114

The Ministry of Information and Social Development of the Republic of Kazakhstan (hereinafter, the Ministry), having considered your appeal, reports the following. The Internet resource https://addons.mozilla.org was restricted by an order of the authorized body (ref. No. 25-01-25/4 dated 05.01.2021) on the basis of paragraph 1-3 of Article 41-1 of the Law of the Republic of Kazakhstan "On Communications" (the operation of networks and (or) communication facilities, the provision of communication services, and access to Internet resources and (or) information posted on them are prohibited for the purpose of accessing information prohibited by a court decision that has entered into legal force or by the laws of the Republic of Kazakhstan), as well as decisions of the courts of the Republic of Kazakhstan No. 2-812-15 of February 26, 2015, No. 2-811-15 of February 26, 2015, No. 2-919/15 of March 17, 2015, No. 2-902/15 of March 17, 2015, No. 2-1158-15 of April 03, 2015, No. 2-3176 of September 10, 2015, and No. 2-3690 of September 12, 2015, which state that Internet resources hosting anonymizers, proxy servers of the TOR type, VPN servers, etc., used to bypass the technical capabilities of telecom operators, are prohibited from distribution in the territory of the Republic of Kazakhstan. At the same time, the Internet resource https://addons.mozilla.org is an online store of extensions for the popular Mozilla Firefox browser. Due to the blocking of the online store of extensions for the Mozilla Firefox browser, numerous applications are unavailable, and software may be put at risk due to the lack of updates. According to the letter of the Supreme Court of the Republic of Kazakhstan dated May 25, 2012, No. 1-010000-12-29568, if an Internet resource has removed unlawful content containing illegal information, the question of restoring access to such electronic media is decided by the authorized body entrusted with executing the court decision on suspending or terminating distribution of the product.

Based on the above, the Ministry sent a letter to the authorized body to resume access to the Internet resource https://addons.mozilla.org.