Hello,
Today OONI and India's Centre for Internet & Society (CIS) published a joint report investigating TLS blocking in India.
You can read the report here: https://ooni.org/post/2020-tls-blocking-india/
This investigation sought to understand whether there were cases of TLS blocking that were not only caused by the value of the Server Name Indication (SNI) field in the ClientHello TLS message, but also by the destination IP address. This was part of our efforts to expand our SNI blocking methodology (discussed here: https://ooni.org/post/2020-iran-sni-blocking/).
To this end, we wrote and ran a series of experiments (that will eventually be integrated into the OONI Probe measurement engine) to measure the blocking of four domains (facebook.com, google.com, collegehumor.com, and pornhub.com) on three popular Indian ISPs: ACT Fibernet (fixed line), Bharti Airtel, and Reliance Jio (mobile).
We recorded SNI-based blocking on both Bharti Airtel and Reliance Jio. We also discovered that Reliance Jio blocks TLS traffic not just based on the SNI value, but also on the web server involved with the TLS handshake.
We also noticed that ACT Fibernet’s DNS resolver directs users towards servers owned by ACT Fibernet itself. Such servers caused the TLS handshake to fail, but the root cause of censorship was the DNS.
We also found that one of the tested endpoints (for collegehumor.com:443) does not allow establishing a TCP connection from several vantage points and control measurements. Yet, in Reliance Jio, we saw cases where the connections to such endpoints completed successfully and a timeout occurred during the TLS handshake. This is likely caused by some kind of proxy that terminates the TCP connection and performs the TLS handshake.
Please share our research with your networks: https://twitter.com/OpenObservatory/status/1280931688391065600
Thanks,
~ OONI team.
ooni-talk@lists.torproject.org
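
The following is an added example, not part of the original message and not OONI's measurement code. It sketches how results from an SNI-by-endpoint test matrix can be separated into SNI-only blocking, blocking that also depends on the endpoint, and endpoints that accept TCP locally although control vantage points cannot connect. The record layout, the `classify` function, and all hostnames and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows (not OONI data):
# (sni, endpoint, tcp_connected, tls_handshake_completed)
SAMPLE_MIXED = [
    ("blocked.example", "192.0.2.10:443", True, False),
    ("blocked.example", "192.0.2.20:443", True, True),
    ("control.example", "192.0.2.10:443", True, True),
    ("control.example", "192.0.2.20:443", True, True),
]
SAMPLE_PROXY = [
    ("blocked.example", "192.0.2.30:443", True, False),
    ("control.example", "192.0.2.30:443", True, False),
]


def classify(rows, target_sni, control_tcp):
    """Return (verdict, proxy_suspects) for one target SNI.

    control_tcp maps endpoint -> whether control vantage points could
    open a TCP connection to it (hypothetical input for this example).
    """
    target, other = {}, defaultdict(list)
    for sni, endpoint, tcp_ok, tls_ok in rows:
        if sni == target_sni:
            target[endpoint] = (tcp_ok, tls_ok)
        else:
            other[endpoint].append(tcp_ok and tls_ok)

    # TCP completes locally while controls cannot connect at all:
    # something on the path is probably answering for the endpoint.
    proxy_suspects = sorted(ep for ep, (tcp_ok, _) in target.items()
                            if tcp_ok and control_tcp.get(ep) is False)

    # Handshake fails only when the target SNI is sent to this endpoint.
    sni_fail = {ep for ep, (tcp_ok, tls_ok) in target.items()
                if tcp_ok and not tls_ok and any(other.get(ep, []))}
    # Handshake fails on this endpoint whatever SNI is sent.
    any_sni_fail = {ep for ep, (tcp_ok, tls_ok) in target.items()
                    if not (tcp_ok and tls_ok)
                    and ep in other and not any(other[ep])}

    if sni_fail and sni_fail == set(target):
        verdict = "sni"
    elif sni_fail:
        verdict = "sni+endpoint"
    elif any_sni_fail:
        verdict = "endpoint"
    else:
        verdict = "none"
    return verdict, proxy_suspects
```
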