[ooni-talk] Google is blocked in Egypt

Leonid Evdokimov leon at darkk.net.ru
Wed Jan 11 17:09:20 UTC 2017

I'd like to share some information I have regarding Google being blocked
by one of the Egyptian ISPs for a short period of time at the beginning of
January 2017.

I've seen some Facebook reports from humans claiming observation of
timeout errors, which later turned into connection reset errors.

I got some packet captures regarding TCP connection resets from one
Egyptian vantage point (AFAIK, it was TE Data ISP). These captures show
that the connection was reset depending on the SNI field in the TLS
ClientHello. The connection was reset for `google.com.eg`, but it was not
reset when the client presented no SNI field (as the `openssl s_client`
CLI tool does without the `-servername` option).

SNI-based blocking was reproducible, but the data did not pass sanity
checks due to confusing metadata: latency and TCP/IP headers were
suggesting that the blocking could possibly happen within the user's
network as well (compromised PC? compromised router? bogus anti-virus or
firewall software?), so I am not confident enough to release any
"public" statement based on the data I had at that moment, so I'm just
sharing it to ooni-talk@ for historical & archiving reasons.

Also, as far as I know, the blocking was gone somewhere between Jan 05
09:00 UTC and 10:40 UTC.

It's unclear if the blocking was observable from Google's point of view;
it's not obviously present in aggregated traffic stats[1]. One can
suggest that non-smooth lines correspond to blocking being turned on and
off, but it's hard to state that for sure as the same spiky pattern may
be observed in the month-old data[2] as well.

[1] https://www.google.com/transparencyreport/traffic/explorer/?r=EG&l=WEBSEARCH&csd=1482580800000&ced=1483790400000
[2] https://www.google.com/transparencyreport/traffic/explorer/?r=EG&l=WEBSEARCH&csd=1479938817218&ced=1481170017218

Open Whisper Systems (developers of the encrypted messaging app Signal)
claim[3] that the block may be caused by an attempt to tune existing[4]
equipment to block Signal messenger. IMHO, it's a rather bold claim as it
implies the absence of a good testing environment for the fingerprinting
and blocking ruleset :-)

[3] https://twitter.com/whispersystems/status/817062093094604800
[4] https://ooni.torproject.org/post/egypt-network-interference/

