Open wkrp opened 1 year ago
According to the Wikipedia article Internet censorship in Pakistan, Wikipedia was blocked once before in Pakistan, in May 2010. That was before Wikipedia went HTTPS-only in 2015, and so presumably only certain articles were being blocked, using HTTP URL filtering.
Some of this might be out of my depth, sorry if it doesn't make sense.
From Ooni, seems like DNS succeeds, the original http
request and redirect to https
works, and then the https
request timed out. I wonder if they are blocking on IP address, SNI, or something else? My team has some measurements indicating that ECH is not being blocked on the ASNs where we have data from folks in Pakistan, so an SNI-based block might be easy to bypass. (DoH is also working).
Where I'm out of my depth: I know ECH is not super widely supported yet -- does Wikipedia support it? I can't find an easy way to check. Chrome and Firefox both support it, but require slightly scary-looking configuration tweaks to enable it, and I don't know the mobile browser story. But I was just thinking it might be a workaround here without needing a VPN or other circumvention tool.
Apart from that I don't see an HTTP→HTTPS redirect, I think your analysis is correct. From the network_events
of this measurement, I would not hesitate to say that the blocking trigger is TLS SNI. Right after the client's first write
of 283 bytes (the Client Hello), there is an immediate connection_reset
:
{
"address": "103.102.166.224:443",
"failure": null,
"operation": "connect",
"proto": "tcp",
"t": 1.6300511,
"tags": [
"tcptls_experiment"
]
},
{
"failure": null,
"operation": "tls_handshake_start",
"t": 1.630178704,
"tags": [
"tcptls_experiment"
]
},
{
"failure": null,
"num_bytes": 283,
"operation": "write",
"t": 1.6319786,
"tags": [
"tcptls_experiment"
]
},
{
"failure": "connection_reset",
"operation": "read",
"t": 1.6504359979999998,
"tags": [
"tcptls_experiment"
]
},
Compare to a similar pattern in #201, where after the first client write
it was instead generic_timeout_error
.
As for ECH, offhand I don't know a simple test to see if it's supported, but hiding the SNI would likely be sufficient to avoid this blocking—but since Wikimedia has their own servers, it may be possible for the censors to change to an IP-based block.
Any circumvention system or VPN will likely work, too, though a solution that doesn't require Wikipedia readers to install special software will have more reach.
Seems like the block has been lifted, https://lists.wikimedia.org/hyperkitty/list/wikimedia-l@lists.wikimedia.org/message/3GVRDNDW4ILJ7GIGEK7W5KTR6SMQVHPV/
Related to the content, https://en.wikipedia.org/wiki/Wikipedia:Ahmadiyya_Caliphate_information
The OONI team has a report on the blocking of Wikipedia in Pakistan.
https://ooni.org/post/2023-pakistan-blocks-wikipedia-and-dw/#blocking-of-wikipedia
By looking at the anomalous measurements, we observe that most measurements collected on 1st and 2nd February resulted in timeout errors, which is consistent with PTA’s announced 48-hour degradation of Wikipedia services. Between 3rd to 6th February 2023, we observe that most measurements resulted in connection reset errors (which is consistent with what we observed in the blocking of
www.dw.com
), suggesting that ISPs switched to blocking access to Wikipedia on 3rd February 2023 (which is what both PTA and Wikimedia Foundation announced). This was also reported by Vinicius Fortuna (Engineering lead of Google’s Jigsaw Internet Freedom team), who analyzed OONI data and shared these findings on social media.
The same report also covers blocking of the Deutsche Welle main page, since 2023-01-16.
https://ooni.org/post/2023-pakistan-blocks-wikipedia-and-dw/#blocking-of-deutsche-welle
As of 16th January 2023, OONI data suggests that access to Deutsche Welle’s (DW) website (which provides an Urdu language service for Pakistan) has been blocked on multiple networks in Pakistan – and that the block remains ongoing. This was brought to our attention by Oliver Linow, an Internet Freedom Specialist working with DW, who tweeted about it sharing OONI data.
Hey can you use it with Tor?
The Pakistan Telecommunication Authority (PTA) has ordered that Wikipedia be blocked in Pakistan. It declared that access to Wikipedia would be "degraded" for 48 hours starting 2023-02-01, and thereafter blocked.
Stephen LaPorte of Wikimedia writes (archive):
The PTA published a press release on 2023-02-01 to announce the "degrading":
https://www.pta.gov.pk/ur/media-center/single-media/wikipedia-services-degraded-over-unlawful-content-010223 (archive
https://www.pta.gov.pk/en/media-center/single-media/wikipedia-services-degraded-over-unlawful-content-010223 (archive)
OONI measurements of www.wikipedia.org are sparse before the blocking, but there are many measurements after:
https://explorer.ooni.org/search?since=2023-01-05&until=2023-02-05&failure=false&domain=www.wikipedia.org&probe_cc=PK
@fortuna has done some analysis:
https://twitter.com/vinifortuna/status/1621648126372085760 (archive)
OONI measurements resulted in generic_timeout_error on 2023-02-02 and 2023-02-03, and connection_reset on 2023-02-04. From this we may guess that the "degrading" announced by the PTA was bandwidth throttling, and "blocking" is RST injection.
A few questions: