net4people / bbs

Forum for discussing Internet censorship circumvention

Double Middlebox and Chrome's TLS fingerprint blocking in Iran #118

Open xhdix opened 2 years ago

xhdix commented 2 years ago

In recent weeks, there have been many reports of VPNs being blocked in Iran. But that is not all. In recent days, the Islamic Republic has blocked the Chrome TLS fingerprint towards all Amazon (AWS) IPs (except China) in most networks.


To investigate further, I gave TraceVis a Client Hello packet for example.com from Chrome, and also changed the destination IP to an Amazon IP:

```shell
python ./tracevis.py -p --annot1 "example.com CH chrome" --paris -i "13.226.135.75"
```

(And I answered yes to the prompt asking whether to do a TCP handshake before sending the packet.)

I also ran one with the Firefox packet, then combined the two results:


Here pink is for the Chrome packet and turquoise is for Firefox. As shown in the graph, all subsequent requests are null routed after 10.202.6.90. (You can see the interactive graph in the HTML file.)

Next, I did two more tests.

DNS test (example.com = pink, twitter.com = turquoise):

```shell
python ./tracevis.py --dns -i "13.226.135.75" -m 30 --paris
```


As well as a Chrome packet with twitter.com in SNI:

```shell
python ./tracevis.py -p --annot1 "twitter.com chrome" -i "13.226.135.75"
```


As shown in the graph, all subsequent requests are null routed before 10.202.6.90.

As a result, it can be concluded that two different middleboxes are in the path.

To me, it looks like Even Censors Have a Backup: Examining China's Double HTTPS Censorship System (PDF, Video), but in Iran.

And on some points, it's the same as: https://github.com/net4people/bbs/issues/39

All test results (json), graphs (HTML) and config files (conf) to examine and re-run are attached:

tracevis_data_fpblocking.zip
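The post's two findings (the Chrome fingerprint is dropped towards AWS regardless of SNI, and twitter.com in the SNI is dropped regardless of fingerprint) rest on the fact that a middlebox can key on the ClientHello's fingerprint and on its SNI independently. The following Python is an added example, not part of the original post and not TraceVis code: it builds a TLS ClientHello record for a chosen SNI and parses one back into the fields a fingerprinting middlebox looks at, computing the JA3 string (version, ciphers, extensions, groups, point formats, with GREASE values removed). The "Chrome-like" and "Firefox-like" cipher and group lists are constructed for illustration and are not real browser fingerprints; the only realistic aspect modelled is that one stack inserts GREASE values and the other does not. The resulting bytes can be used as the payload of a TTL-stepped probe of the kind the post runs.

```python
# Added example: build a ClientHello with a given SNI and compute its JA3.
# Not part of the original post or of TraceVis; profiles below are constructed.
import hashlib
import struct

# GREASE values (RFC 8701). Chrome inserts these into ciphers, groups and
# extensions; JA3 drops them so the fingerprint stays stable across rotation.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16(n):
    return struct.pack("!H", n)


def _u16_list(values):
    """TLS vector: 2-byte length prefix followed by 2-byte entries."""
    body = b"".join(_u16(v) for v in values)
    return _u16(len(body)) + body


def _ext(ext_type, body):
    return _u16(ext_type) + _u16(len(body)) + body


def build_client_hello(sni, ciphers, groups, grease=False):
    """Return a TLS record (content type 0x16) carrying a ClientHello for `sni`."""
    ciphers, groups, exts = list(ciphers), list(groups), []
    if grease:                      # GREASE in cipher list, group list and extension list
        ciphers.insert(0, 0x2a2a)
        groups.insert(0, 0x5a5a)
        exts.append(_ext(0x0a0a, b""))
    host = sni.encode("idna")
    exts.append(_ext(0x0000, _u16(len(host) + 3) + b"\x00" + _u16(len(host)) + host))  # server_name
    exts.append(_ext(0x000a, _u16_list(groups)))           # supported_groups
    exts.append(_ext(0x000b, b"\x01\x00"))                 # ec_point_formats: uncompressed
    exts.append(_ext(0x002b, b"\x04\x03\x04\x03\x03"))     # supported_versions: 1.3, 1.2
    ext_bytes = b"".join(exts)
    body = (b"\x03\x03"                  # legacy_version TLS 1.2
            + b"\x11" * 32               # random (fixed, constructed)
            + b"\x20" + b"\x22" * 32     # legacy_session_id (32 bytes, constructed)
            + _u16_list(ciphers)
            + b"\x01\x00"                # compression_methods: null only
            + _u16(len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


def parse_client_hello(record):
    """Extract JA3 inputs and SNI from a ClientHello record; ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    info = {"version": struct.unpack("!H", body[:2])[0], "ciphers": [],
            "extensions": [], "groups": [], "point_formats": [], "sni": None}
    pos = 35 + body[34]                                       # skip random + session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    info["ciphers"] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                      # skip compression_methods
    if pos + 2 > len(body):
        return info                                           # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    if end > len(body):
        raise ValueError("extensions overrun record")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if len(edata) != elen:
            raise ValueError("extension overrun")
        info["extensions"].append(etype)
        if etype == 0x0000 and len(edata) >= 5:               # server_name: first host_name entry
            n = struct.unpack("!H", edata[3:5])[0]
            info["sni"] = edata[5:5 + n].decode("idna")
        elif etype == 0x000a and len(edata) >= 2:             # supported_groups
            n = struct.unpack("!H", edata[:2])[0]
            info["groups"] = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 0x000b and len(edata) >= 1:             # ec_point_formats
            info["point_formats"] = list(edata[1:1 + edata[0]])
    return info


def ja3(info):
    """JA3 string and its MD5; GREASE values are excluded from every list."""
    fmt = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(info["version"]), fmt(info["ciphers"]), fmt(info["extensions"]),
                  fmt(info["groups"]), fmt(info["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def is_client_hello(record):
    """True if `record` parses as a ClientHello, False on any malformation."""
    try:
        parse_client_hello(record)
        return True
    except (ValueError, struct.error, IndexError):
        return False


# Constructed profiles for the demo (not real browser fingerprints).
CHROME_LIKE = dict(ciphers=[0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f],
                   groups=[0x001d, 0x0017, 0x0018], grease=True)
FIREFOX_LIKE = dict(ciphers=[0x1301, 0x1303, 0x1302, 0xc02b, 0xc02f],
                    groups=[0x001d, 0x0017, 0x0018], grease=False)

if __name__ == "__main__":
    for name, prof in (("chrome-like", CHROME_LIKE), ("firefox-like", FIREFOX_LIKE)):
        for host in ("example.com", "twitter.com"):
            info = parse_client_hello(build_client_hello(host, **prof))
            print(name, info["sni"], *ja3(info))
```

Running it shows the property the post's two tests separate: the JA3 of the Chrome-like profile is identical for example.com and twitter.com, while the Firefox-like profile gives a different JA3 for the same SNI. A box that drops the example.com/Chrome probe towards AWS but passes the Firefox one is therefore deciding on the fingerprint fields, and a box that drops twitter.com from either stack is deciding on the SNI, which is why the two drop points in the traces need not coincide.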