Posts Tagged ‘https’

DNS Leaking: where is as important as what

Wednesday, May 27th, 2009

In intelligence, the where can be just as important as the what.

What I mean is, even if I don’t know what communication was exchanged, the mere fact that you met with someone is very valuable.

This paradigm also applies to internet traffic analysis.

While there are secure methods to exchange data online via HTTPS (the what), there are still ways to uncover the where.

To get a better idea of how traffic analysis can yield the “where” information here’s a quick overview of a typical set of events that take place.

  1. you type ‘marzeporgohar.org’ in your browser
  2. your browser queries a DNS server asking what the IP address is
  3. the DNS server replies with the IP of marzeporgohar.org
  4. your browser requests data from the webserver at that IP

At this point you might be wondering what is this DNS server?

Let’s say the IP address of mpg’s site is 10.10.1.14. Well, you can paste the IP address into your browser and the site will come up, but most people don’t memorize IP addresses, they remember domain names. Memorizing marzeporgohar.org is a lot easier than 10.10.1.14.

This is where a DNS server comes in: it basically maps a domain name to an IP address.

Here’s a sample exchange:

Query
From (you): 192.168.0.10
To (DNS Server): 66.75.160.63
Standard query A marzeporgohar.org

Answer
From (DNS Server): 66.75.160.63
To (you): 192.168.0.10
marzeporgohar.org: type A, class IN, addr 64.34.168.37
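To make concrete what “in the clear” means in the exchange above, here is an added example (my code, not from the original post) that builds the same A query and its answer in DNS wire format and then reads them back the way anyone sitting on the path would: the name and the returned address are plain bytes in the packet, and no key is needed. The transaction id and TTL are constructed values; the name and address are the ones printed in the post, used only as sample data.

```python
import struct
from typing import Dict, List, Tuple

# Constructed sample data echoing the exchange in the post.
QUERY_NAME = "marzeporgohar.org"
ANSWER_ADDR = "64.34.168.37"


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard A/IN query with recursion desired, as a stub resolver sends it."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Answer the query with one A record; the answer name is a compression
    pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rdata = bytes(int(octet) for octet in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def read_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels: List[str] = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = ((length & 0x3F) << 8) | packet[offset]
            suffix, _ = read_name(packet, pointer)
            labels.append(suffix)
            return ".".join(labels), offset + 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def observe(packet: bytes) -> Dict[str, object]:
    """What a passive observer on the path can read from a plain UDP DNS packet:
    the transaction id, every name asked about and every A address returned."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", packet[:8])
    offset = 12
    names: List[str] = []
    for _ in range(qdcount):
        name, offset = read_name(packet, offset)
        offset += 4  # skip QTYPE and QCLASS
        names.append(name)
    addrs: List[str] = []
    for _ in range(ancount):
        _, offset = read_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "names": names, "addrs": addrs}


if __name__ == "__main__":
    query = build_query(QUERY_NAME)
    print("seen in query:   ", observe(query))
    print("seen in response:", observe(build_response(query, ANSWER_ADDR)))
```

Nothing in `observe` is specific to an attacker; it is the same parsing a network monitoring tool does, which is exactly the point: whoever can see the packets gets the “where” for free.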

So why should you care? Well, let’s say you are in Iran and you look up https://marzeporgohar.org. The Islamic Republic can’t read the HTTPS traffic because it is encrypted, however the initial DNS query to get the IP address of marzeporgohar.org travels in the clear and can be intercepted.

So while they may not know what you are doing on mpg’s site, the mere fact that you visited may be enough to begin building a profile on you.

Even if you are using a proxy (I like SSH tunnel proxies), you are open to DNS traffic analysis, because by default your browser still resolves the domain name locally before it sends the connection through the proxy.

So what is the solution?

One solution is to use a SOCKS5 proxy and enable the remote DNS option for SOCKS proxies in Firefox.

Now all your DNS queries will be done through the proxy server (which is obviously outside Iran).
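The Firefox setting behind that checkbox is a preference that can also be set in a profile’s user.js, so it can be checked rather than trusted. The following is an added example, my code and not from the original post: it parses user.js-style `user_pref(...)` lines and reports whether the configuration still lets DNS queries escape the tunnel. The preference names are the real Firefox ones as I know them (`network.proxy.type`, `network.proxy.socks`, `network.proxy.socks_port`, `network.proxy.socks_version`, `network.proxy.socks_remote_dns`); the host and port values are placeholders, and both fragments are constructed for this example.

```python
import re
from typing import Dict, List, Union

Pref = Union[bool, int, str]

# Constructed fragment 1: SOCKS5 proxy configured, but remote DNS left at its
# default (false), so names are resolved by the local resolver, outside the tunnel.
LEAKY_PREFS = """
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_version", 5);
// network.proxy.socks_remote_dns is not set here
"""

# Constructed fragment 2: the corrected configuration, with lookups sent through the proxy.
SAFE_PREFS = """
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
"""

# One user_pref line: name, then a boolean, integer or double-quoted string value.
_PREF_RE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);', re.M
)


def parse_prefs(text: str) -> Dict[str, Pref]:
    """Turn user.js text into a name -> value mapping (comments are ignored)."""
    prefs: Dict[str, Pref] = {}
    for name, raw in _PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def dns_leak_risks(prefs: Dict[str, Pref]) -> List[str]:
    """Return the reasons, if any, why this profile would still leak DNS lookups."""
    risks: List[str] = []
    if prefs.get("network.proxy.type") != 1:
        risks.append("network.proxy.type is not 1 (manual proxy): no SOCKS proxy is in use")
    if not prefs.get("network.proxy.socks"):
        risks.append("network.proxy.socks is empty: no SOCKS host configured")
    if prefs.get("network.proxy.socks_version", 5) != 5:
        risks.append("network.proxy.socks_version is not 5: Firefox only proxies DNS over SOCKS v5")
    if prefs.get("network.proxy.socks_remote_dns", False) is not True:
        risks.append("network.proxy.socks_remote_dns is not true: lookups go to the local resolver")
    return risks


if __name__ == "__main__":
    for label, text in (("leaky", LEAKY_PREFS), ("safe", SAFE_PREFS)):
        print(label, dns_leak_risks(parse_prefs(text)) or ["ok: DNS goes through the proxy"])
```

With an SSH dynamic forward listening locally (for example `ssh -D 1080 user@remote-host`), the second fragment sends both the connections and the name lookups through that tunnel; the first sends only the connections, which is the gap the post describes.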

HTTP & HTTPS - differences do matter

Thursday, April 2nd, 2009

A topic that comes up repeatedly in talks with Iranians inside and outside the motherland is how to surf the web more securely.

The topic itself is very broad and thus I’m just going to concentrate on one of the easier ways you can view sites more securely.

I’m sure you’ve seen http and https appear in the URL bar of your favorite browser.

So what really is the difference between HTTP & HTTPS as far as security goes?

Here’s what the network traffic looks like for http:

Content-Disposition: form-data; name="emailto"

blah@blah.com
-----------------------------147344601515699300481942305708
Content-Disposition: form-data; name="emailpriority"

0
-----------------------------147344601515699300481942305708
Content-Disposition: form-data; name="emailcc"

-----------------------------147344601515699300481942305708
Content-Disposition: form-data; name="emailbcc"

-----------------------------147344601515699300481942305708
Content-Disposition: form-data; name="emailsubject"

this a test
-----------------------------147344601515699300481942305708
Content-Disposition: form-data; name="emailmessage"


this is just a test


-----------------------------147344601515699300481942305708--

Now let’s take a look at a piece of the https traffic:

T.....QF..u...K...w.@....)U...d?.....|.....x..%..J{-.Y...(..W.R..C...p.n..v..h.(.J;.GA*.......
..Q^....A....L...t...*:}.#......8.\d...)Y.......&...]&..`..(ac...u.@..]..|.b.S..Q." ..U9.X;. u
......J....q..eo.....`o.N.$...3w..~..k(].....Az.J.j.R..t....).......+/or....qd85.7w6{~..?3.).
w$..-..9........{...|ZE0..qh.....Ktl.=7..E..1H....
8$N........WVP..mw.......&....t...L.*T.ujZc8..j.. ....0.......+.....Q..;2...\.+...J.I.Z..OeKB.
v.G[.U...Q%]@........I......G.EI...<..X..`]Z.Gf.#..M.^..+)<..)..#.G.@X\.....m.lPgx......%^.
.~..a....b\?.P....C".9py.w.k.'...8....x~>q..p...l.
..O.L..2.._...|.$....&.
...n.|O~Q....5h4.1m...=..V............p..L...O...<`.~3...[AT?N..w....L.....kf..et..J....r+..k
c.C:.K.
......n....o........p....qv;_......\.........D
1.R...j....O...:+.V...KHbM.M..w>v...~f;o..E..T........D/..k2g9...;g..b.E3A..`... ..g.
\>Q{6o...."H.....
......rH..Fb.`f...pf..X..l?..e....seS`0................TU...z.Z.z !.l.....1....3..w"h.-.
;_.l..<....Z8.....:'....Q{....,...E./.Q.u**].Z.
.*.R...]..a.......3*..#..J..!7N..........t_\..<.P....7.xF...r.UzvJW'X....2.
..+...]&\..K.......1l...n.......f.q.F.
.aRy..hZ..
...k.za..f.a..
.i..q8..d...>`.a.....Y..b...wx...e.$I..{...4v^....i...c.h..i....i./.T.D...Y.1........L.\
N....lgs9.<...w._.......:.Z`xH.|...J(.d.<.(........0.......%........e*7.....%.....*..\!T.c^.
|....a.v.."_.F.+.....1.......A...m.....O...%...t5=...Ld..K0Y....@.5.....}(.h.....Uz`{.5.
.3..!.^........1..t..O<.z.7.....5.....Z......<._.hU1.....b.N.9....A.X.=.#2.:+g.i:.&...c....6
#.>..2.s...lc..W....%.m.RN.0...?...............L.i{
..Eh........2x8.........$~..
....[..-.;.M...B..W..cE..CCCF........l.k.7m..}..:In;e...7.....{.<@.....'.......X.I>...
.P..7.dI.x5..oY.@.p.a.....y...M.Y&.hL.2F...r. ..34..G...../.h.+aW..
.A.f
...q.
........D.N.D..g.D|....~....\..-.....$.F...u..P.......qN.N ....1.,mt.W.m..z.e

You’ll notice the https traffic looks like gibberish.

The reason https looks illegible is because the information is encrypted before it is sent to the server, and vice versa.

That’s why when you’re making credit card payments over the internet, you almost always see https.

Mining information from network traffic over http is a pretty trivial matter, especially for a regime like the Islamic Republic that is flush with oil money. And there have been reports from inside Iran of how the Islamic Republic is using text-mining technologies to sift through network traffic and glean information on political dissidents in Iran.
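How trivial “trivial” is: the following added example (my code, not from the original post) does the two things a text-mining box on the wire would do with the captures above. It first tells plaintext from opaque bytes with a printable-ratio check, then, for plaintext, parses the multipart/form-data body and pulls out every form field by name. The HTTP body is a constructed sample modelled on the capture in the post (same boundary string and field names, values shortened), and the “TLS-like” payload is seeded pseudo-random bytes standing in for an encrypted record.

```python
import math
import random
import re
from typing import Dict

# Constructed sample modelled on the HTTP capture above (a real request would
# carry headers before the body); CRLF line endings as on the wire.
BOUNDARY = b"-----------------------------147344601515699300481942305708"
HTTP_BODY = b"\r\n".join([
    BOUNDARY,
    b'Content-Disposition: form-data; name="emailto"', b"", b"blah@blah.com",
    BOUNDARY,
    b'Content-Disposition: form-data; name="emailpriority"', b"", b"0",
    BOUNDARY,
    b'Content-Disposition: form-data; name="emailcc"', b"", b"",
    BOUNDARY,
    b'Content-Disposition: form-data; name="emailsubject"', b"", b"this a test",
    BOUNDARY,
    b'Content-Disposition: form-data; name="emailmessage"', b"", b"this is just a test",
    BOUNDARY + b"--", b"",
])

# Constructed stand-in for an encrypted TLS record: seeded random bytes.
_rng = random.Random(2009)
TLS_LIKE = bytes(_rng.getrandbits(8) for _ in range(600))

_PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    return sum(b in _PRINTABLE for b in data) / len(data) if data else 0.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; English text sits around 4-5, ciphertext close to 8."""
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def classify(data: bytes) -> str:
    """'plaintext' if the payload is overwhelmingly printable, else 'opaque'."""
    return "plaintext" if printable_ratio(data) >= 0.9 else "opaque"


def parse_multipart(body: bytes) -> Dict[str, str]:
    """Extract name -> value from a multipart/form-data body whose first line is
    the delimiter (as in the capture). The CRLF before each delimiter belongs to
    the delimiter, not to the value, per RFC 2046."""
    delimiter = body.split(b"\r\n", 1)[0]
    fields: Dict[str, str] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter
        if part.startswith(b"\r\n"):
            part = part[2:]
        headers, _, value = part.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', headers)
        if not match:
            continue
        if value.endswith(b"\r\n"):
            value = value[:-2]
        fields[match.group(1).decode("ascii")] = value.decode("utf-8", "replace")
    return fields


def mine(payload: bytes) -> Dict[str, str]:
    """What an observer learns: every field for plaintext form posts, nothing for opaque bytes."""
    if classify(payload) == "plaintext" and payload.startswith(b"--"):
        return parse_multipart(payload)
    return {}


if __name__ == "__main__":
    for label, data in (("http", HTTP_BODY), ("https", TLS_LIKE)):
        print(label, classify(data), f"entropy={shannon_entropy(data):.2f}", mine(data))
```

The entropy figure is there for the reader; the classifier itself relies only on the printable ratio, which is the simplest test that separates the two captures on this page.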

Gmail has an option under “Settings” (at the very bottom) that says “Always use HTTPS”, and with it enabled, every time you log in Gmail will automatically use HTTPS. Using HTTP would mean that while you’re reading / writing an email, a person with access to the network traffic could read what you are reading / writing.

When reading / writing emails or chatting on websites (like Facebook), you should try to use HTTPS, as it will drastically lessen the ability of someone to intercept the network traffic and actually learn something from the data.

While using HTTPS is a good start, it is by no means the be-all-end-all for secure surfing.

I’ll try to post more entries about technologies you can use to minimize eavesdropping on your internet activities.