On 2021-07-02, a user at NTC reported new blocking of domains twitter.com, vk.com, and skype.com in Uzbekistan (AS8193 Uzbektelekom). The blocking of these domains differs from that of other domains that have been known to be blocked for years (see below). @fortuna had the user run Jigsaw's measure.sh tool to test the new domains.
A summary of the characteristics of the new blocking:
Blocking is unidirectional: to experience blocking, you need a vantage point inside the country.
This is in contrast to other domains, that had already been blocked, which can be tested from outside.
Blocking is on TLS SNI only, and results in a timeout retrieving the Server Hello.
This is in contrast to existing blocked domains that receive an injection of Object not found\r\n for both TLS and HTTP.
There is no sign of DNS interference, and plain HTTP requests worked in most cases.
Other domains that had already been blocked
The above observations apply to newly blocked domains including twitter.com, vk.com, and skype.com. @fortuna also looked at Censored Planet data and found a number of other blocked domains whose blocking can, unlike the previously mentioned domains', be measured from outside the country. According to the NTC user, these existing blocks are well-known and have been in place as far back as 2010.
The old domains, whether accessed over HTTP or HTTPS, receive an injected TCP FIN packet with the 20-byte payload Object not found\r\n\r\n. You can easily test these domains yourself using curl, by forcing it to connect to an address in Uzbektelekom. For example, one of the blocked domains is www.jmarshall.com (home of CGIProxy, a long-established circumvention tool):
$ dig +short uztelecom.uz
185.74.5.99
$ curl --connect-to ::185.74.5.99: http://www.jmarshall.com/ -D - --trace -
== Info: Expire in 0 ms for 6 (transfer 0x5560862c8c20)
== Info: Connecting to hostname: 185.74.5.99
== Info: Trying 185.74.5.99...
== Info: TCP_NODELAY set
== Info: Expire in 200 ms for 4 (transfer 0x5560862c8c20)
== Info: Connected to 185.74.5.99 (185.74.5.99) port 80 (#0)
=> Send header, 81 bytes (0x51)
0000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1..
0010: 48 6f 73 74 3a 20 77 77 77 2e 6a 6d 61 72 73 68 Host: www.jmarsh
0020: 61 6c 6c 2e 63 6f 6d 0d 0a 55 73 65 72 2d 41 67 all.com..User-Ag
0030: 65 6e 74 3a 20 63 75 72 6c 2f 37 2e 36 34 2e 30 ent: curl/7.64.0
0040: 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d ..Accept: */*...
0050: 0a .
<= Recv data, 18 bytes (0x12)
0000: 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 Object not found
0010: 0d 0a ..
<= Recv data, 2 bytes (0x2)
0000: 0d 0a ..
Object not found
== Info: Closing connection 0
The newly blocked domains unfortunately cannot be tested in this way, apparently. The requests make it all the way to the server in Uzbekistan, which responds as it would to any unknown domain.
Частичные и полные блокировки сервисов Twitter, Tik-Tok, ВКонтакте, Skype в Узбекистане
Partial and complete blocking of Twitter, Tik-Tok, VKontakte, Skype in Uzbekistan
On 2021-07-02, a user at NTC reported new blocking of domains twitter.com, vk.com, and skype.com in Uzbekistan (AS8193 Uzbektelekom). The blocking of these domains differs from that of other domains that have been known to be blocked for years (see below). @fortuna had the user run Jigsaw's measure.sh tool to test the new domains.
A summary of the characteristics of the new blocking:
Object not found\r\n
for both TLS and HTTP.Other domains that had already been blocked
The above observations apply to newly blocked domains including twitter.com, vk.com, and skype.com. @fortuna also looked at Censored Planet data and found a number of other blocked domains whose blocking can, unlike the previously mentioned domains', be measured from outside the country. According to the NTC user, these existing blocks are well-known and have been in place as far back as 2010.
The old domains, whether accessed over HTTP or HTTPS, receive an injected TCP FIN packet with the 20-byte payload
Object not found\r\n\r\n
. You can easily test these domains yourself using curl, by forcing it to connect to an address in Uzbektelekom. For example, one of the blocked domains is www.jmarshall.com (home of CGIProxy, a long-established circumvention tool):See
Objec
at the beginning of the TLS response:The newly blocked domains unfortunately cannot be tested in this way, apparently. The requests make it all the way to the server in Uzbekistan, which responds as it would to any unknown domain.
In OONI measurements, the
Object not found\r\n
injection often manifests as amalformed HTTP status code "not"
error.