Mahsa Alimardani is an Iranian journalist; this post was originally published in Global Voices. Watchdogs Under Watch is a series of personal stories from journalists, bloggers, and activists around the world, as they encounter and combat surveillance and cyber security issues. This series and corresponding report, written for the Center for International Media Assistance, is in partnership with Radio Netherlands Worldwide.
The last time we had checked globalvoicesonline.org’s status in Iran was October 2014. It was not blocked inside Iran. We checked again this week, and indeed the redirect page came up.
Strange turn of events, but after consultation with security researcher Frederic Jacobs, it turns out that you can outsmart these particular Iranian filters and access our site by adding “https://” to the beginning of the URL. Below you can see two screenshots of requests made on a proxy inside of Iran. On the left is the re-direct page users inside Iran see when they request “globalvoicesonline.org”. On the right is the page Iranian users see when they request “https://globalvoicesonline.org”. Curious.
On the left is the re-direct page users inside Iran see when they request “globalvoicesonline.org”. On the right is the page Iranian users see when they request “https://globalvoicesonline.org”. Image provided by author.
In case you were wondering: This is what HTTPS is all about
This is a useful illustration of the value of HTTPS in comparison to HTTP. While for many Internet users, these are simply a set of letters at the beginning of every website URL, the distinction between the two is pretty big. When you visit a website using just HTTP, your activity is easily visible for anyone with a bit of tech savvy and access to your network — this would of course include government agencies. But when you visit a website using HTTPS, your activity is more secure (that’s what the S stands for). Your request to see a certain website travels through an encrypted channel — sort of like a tunnel — making it more difficult for outsiders to see what you’re doing.
What our little experiment proves is that Iran is conducting HTTP host-based blocking of the Global Voices website, likely along with many others. But the encrypted address located with the HTTPS request is not blocked.
Does this mean that you can do this on any website blocked inside Iran? No. Take Facebook for instance. Users trying to access Facebook in Iran are blocked both over HTTP and HTTPS. Jacobs explains that with Facebook, the government is taking more advanced blocking measures. “It’s not just HTTP host-based filtering, but IP addresses of Facebook are unreachable from Iran,” he says. It’s hard to predict how this might change in the future, but Jacobs surmises that it is likely tied to volume of users:
“Iran has however been deploying more advanced rules to block OpenVPN, Tor and other circumvention software. It’s a matter of economics, really. They probably won’t put more resources into blocking a specific website unless a lot of people start using circumvention techniques to access it.”
For an in-depth technical explanation of the Global Voices’ filtering case, we highly recommend reading Jacobs’ blog post, “A sneak peak into Iran’s blocking of Global Voices.” There are many great circumvention tools that can help readers reach globalvoicesonline.org if they live in a country that blocks the website. Jacobs suggests Tor with ScrambleSuit.
Special thanks to Frederic Jacobs for his technical investigations and writing on this topic.