Why is it hard to block Telegram? The service's cryptography approach


Bozhena Hryvnyak

February 16, 2021

Following the Telegram ban in Russia, the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor, RNK below) blocked large ranges of Google and Amazon cloud IP addresses that Telegram had been using to stay reachable.

Where are you from? America? Europe? One of the G20 countries? Then you probably have a stable, fast and secure (or so you think) internet connection. You are also surely familiar with the internet situation in China. Internet censorship in Russia is becoming stricter and stricter as well.

Roskomnadzor is the federal agency responsible for internet censorship in Russia. RNK is, in effect, the Russian counterpart of the Chinese Golden Shield Project, with one important difference: technically, RNK is much simpler. Its main role is to put the obligation to block on Internet providers and to issue penalties for violations. An Internet provider that does not restrict access to blacklisted websites pays a fine of around $1,738.

Therefore RNK itself blocks nothing. It maintains the list of banned resources and monitors whether Internet providers are blocking them. The whole process relies on ISPs (Internet Service Providers), which do all the filtering, blocking and traffic analysis.

In February 2017 over 60,000 websites were blocked in Russia, including the controversial ban of the adult-video sites Brazzers and PornHub.

Privacy is not for sale, and human rights should not be compromised out of fear or greed. – Pavel Durov, Co-Founder & CEO of Telegram

How does the RNK firewall work?

As mentioned above, RNK does not block resources itself: it maintains the blacklist and relies entirely on ISPs for the blocking. What RNK does operate is a hardware and software complex called "Revizor", which checks from inside ISP networks whether blacklisted resources are actually unreachable. The government spent around $1.3 million to develop Revizor, which was released in October 2015.

There are a few ways to run Revizor: a VMware virtual machine image based on OpenWRT 14.07 (1), a Windows executable, or a hardware device called the "Agent". The Agent is a TP-Link MR3020 router with pre-installed OpenWRT and the necessary software. Closer analysis (1) showed that the Agent consists of a number of bash scripts implementing a URL-matching mechanism.

Tweet: https://twitter.com/rodomansky/status/989456737517428736

The Agent makes HTTP requests to RNK's API to fetch the current blacklist, so that all incoming URLs and domains can be compared against it regularly. Technically, the Agent receives tasks from RNK's servers (called "Lens") and performs a range of checks: IP ranges or specific IPs, domain names, DNS-spoofing checks, ICMP requests, DPI analysis, and so on. The Agent's matching logic is resistant to trivial evasion such as extra spaces or tabs in HTTP requests or unusual header formatting.

Additionally, to avoid unintended and unexpected bans, RNK maintains a whitelist of websites that ISPs must not block.
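To make the matching logic above concrete, here is an added example (not Roskomnadzor's or Revizor's code) of how a compliance probe can normalise an HTTP request so that extra whitespace or odd header casing cannot hide the target, match it against blacklist entries of the three kinds the text mentions (IP ranges, domains, URLs) plus a whitelist that always wins, and then judge the ISP from what the probe received. The list format and the entries are constructed for illustration; the real registry is much larger and differently structured.

```python
"""Model of a Revizor-style compliance check: lenient request parsing,
blacklist/whitelist matching, and a verdict on the ISP's behaviour.
Added example, not Roskomnadzor's code; lists are constructed."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed registry entries (hypothetical names and documentation IP ranges).
BLACKLIST = {
    "ip": ["203.0.113.0/24", "198.51.100.7"],
    "domain": ["blocked.example"],
    "url": ["http://news.example/banned/"],
}
WHITELIST = {"domain": ["gov.example"]}


def normalise_url(url: str) -> str:
    """Lower-case scheme and host (urlsplit drops the port), keep path and query."""
    u = urlsplit(url)
    query = f"?{u.query}" if u.query else ""
    return f"{u.scheme.lower()}://{u.hostname or ''}{u.path or '/'}{query}"


def parse_request(raw: bytes) -> dict:
    """Lenient HTTP/1.x parse: any run of spaces/tabs separates request-line
    tokens, header names are case-insensitive, values are stripped, and the
    Host value is lower-cased with trailing dot and port removed (IPv4/hostnames)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    tokens = re.split(r"[ \t]+", lines[0].strip())
    if len(tokens) < 2:
        raise ValueError("malformed request line")
    method, target = tokens[0].upper(), tokens[1]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").lower().rstrip(".").split(":")[0]
    if target.lower().startswith(("http://", "https://")):
        url = normalise_url(target)            # absolute-form request target
        host = urlsplit(url).hostname or host
    else:
        url = normalise_url(f"http://{host}{target}")
    return {"method": method, "host": host, "url": url}


def _domain_listed(host: str, domains) -> bool:
    # exact match or any subdomain of a listed domain
    return any(host == d or host.endswith("." + d) for d in domains)


def _ip_listed(ip: str, ranges) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def _url_listed(url: str, prefixes) -> bool:
    return any(url.startswith(normalise_url(p)) for p in prefixes)


def classify(host: str, ip: str, url: str) -> Optional[str]:
    """'whitelist' beats 'blacklist'; None when the resource is on neither list."""
    if _domain_listed(host, WHITELIST.get("domain", [])):
        return "whitelist"
    if (_ip_listed(ip, BLACKLIST["ip"]) or _domain_listed(host, BLACKLIST["domain"])
            or _url_listed(url, BLACKLIST["url"])):
        return "blacklist"
    return None


def probe_verdict(raw_request: bytes, resolved_ip: str, status: Optional[int]) -> str:
    """status: HTTP status the probe got back through the ISP, or None when the
    connection was refused, reset or timed out. A 4xx/5xx (e.g. an ISP block
    page) counts as blocked, anything below 400 as reachable."""
    req = parse_request(raw_request)
    listing = classify(req["host"], resolved_ip, req["url"])
    reachable = status is not None and status < 400
    if listing == "whitelist":
        return "ok" if reachable else "violation: whitelisted resource blocked"
    if listing == "blacklist":
        return "violation: blacklisted resource reachable" if reachable else "ok"
    return "not listed"


if __name__ == "__main__":
    # Evasion attempt: tabs, extra spaces and odd header casing around a banned URL
    sneaky = b"GET\t\t /banned/page  HTTP/1.1\r\nhOsT:   News.Example. \r\n\r\n"
    print(parse_request(sneaky))
    print(probe_verdict(sneaky, "192.0.2.10", 200))
```

The whitelist branch is what makes L31's rule enforceable: an ISP that over-blocks a whitelisted site is flagged just as one that under-blocks a blacklisted one.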

Is there a technical difference between RNK and the Chinese Golden Shield Project?

The Great Firewall of China, part of the Golden Shield Project, works on a mirrored copy of the traffic and inspects it in parallel with the real connection. Technically, the logic is divided into four layers: DNS manipulation (DNS blocks), connection management, URL redirection (URL blocks), and content blocks.

Originally the DNS block simply compared queried domain names against blacklists. Later, all google.cn traffic was redirected to Baidu, the large Chinese technology company and the strictest online censor on the market. Today a DNS lookup for a banned resource returns a bogus answer, and you end up with a failure or a "not found" page.

Connection management checks specific IPs or IP ranges and resets connections to banned addresses (by injecting TCP resets).

The URL block matches blacklisted words in the URL. I'm not sure whether Golden Shield also does reverse DNS lookups.

The last layer, the content block, works the same way but on the content itself: if blacklisted words are found in the page content, the connection is reset. A request only reaches the content check after it has passed the DNS, IP and URL checks.

A newly triggered block is temporary and lasts only a few minutes at first. With repeated requests, the blocking time increases.
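The following is an added toy model (not the GFW's real rules or code) of the four layers and the escalating temporary block described above. It shows the ordering that matters in practice: DNS is answered before any connection exists, IP and URL checks run on the connection, and the content check is reached only when everything before it passed. The lists, keywords and timings are constructed for illustration.

```python
"""Toy model of the four Great Firewall layers (DNS, connection, URL, content)
and the escalating temporary block. Added example; rules are constructed."""
import ipaddress
from typing import Dict, Optional, Tuple

DNS_BLACKLIST = {"banned.example"}                        # poisoned DNS answers
IP_BLACKLIST = [ipaddress.ip_network("198.51.100.0/24")]  # connections reset
URL_KEYWORDS = ["forbidden-topic"]                         # matched in the URL
CONTENT_KEYWORDS = ["forbidden-topic", "secret-keyword"]   # matched in the body
BASE_PENALTY = 120  # seconds of temporary block after a first keyword hit (constructed)


class GreatFirewallModel:
    def __init__(self) -> None:
        # (client_ip, server_ip) -> (block expiry time, number of keyword hits so far)
        self.blocks: Dict[Tuple[str, str], Tuple[float, int]] = {}

    def resolve(self, name: str, real_ip: str) -> Optional[str]:
        """Layer 1, DNS block: a blacklisted name never resolves to its real address."""
        if any(name == d or name.endswith("." + d) for d in DNS_BLACKLIST):
            return None
        return real_ip

    def _penalise(self, key: Tuple[str, str], now: float) -> float:
        """Temporary block whose length doubles with every repeated hit."""
        _, hits = self.blocks.get(key, (0.0, 0))
        hits += 1
        duration = BASE_PENALTY * 2 ** (hits - 1)
        self.blocks[key] = (now + duration, hits)
        return duration

    def check(self, client_ip: str, name: str, real_ip: str,
              url: str, content: str, now: float) -> str:
        """Run one request through the layers in order and return the verdict."""
        key = (client_ip, real_ip)
        expiry, _ = self.blocks.get(key, (0.0, 0))
        if now < expiry:
            return "reset: temporary block"
        if self.resolve(name, real_ip) is None:
            return "dns: not found"
        if any(ipaddress.ip_address(real_ip) in net for net in IP_BLACKLIST):
            return "reset: ip blacklisted"
        if any(k in url.lower() for k in URL_KEYWORDS):
            return f"reset: url keyword, blocked {self._penalise(key, now):.0f}s"
        # Content is inspected only after the DNS, IP and URL checks have passed
        if any(k in content.lower() for k in CONTENT_KEYWORDS):
            return f"reset: content keyword, blocked {self._penalise(key, now):.0f}s"
        return "pass"


if __name__ == "__main__":
    fw = GreatFirewallModel()
    who = ("10.0.0.5", "site.example", "192.0.2.7")
    for t, url, body in [(1000, "http://site.example/", "hello"),
                         (1001, "http://site.example/", "a page with secret-keyword"),
                         (1050, "http://site.example/", "hello"),
                         (1121, "http://site.example/", "hello"),
                         (1122, "http://site.example/forbidden-topic", "hello")]:
        print(t, fw.check(*who, url, body, now=t))
```

Note that the penalty is keyed on the client/server pair, so after one hit even harmless requests to the same server are reset until the block expires, which is the behaviour that makes keyword triggers so costly for the user.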


How will Telegram's block affect other segments of the internet?

The blocking mainly affects businesses, and only those that deal with the Russian segment of the internet. If you do, you need to find a way to keep your application working. Many applications already use a VPN or a proxy (SOCKS). If RNK keeps blocking Amazon and Google IP ranges, software hosted there will certainly be affected.

One of our partner companies developed a multiplayer game and planned to release it the following week. The game logic uses the GameSparks engine, which is owned by Amazon. Since Amazon IPs are blocked, GameSparks is affected too. The release has been postponed, because a VPN or SOCKS proxy is not an acceptable option for a multiplayer game.

How does Telegram's cryptography work?

Looking deeper technically: Telegram's MTProto protocol was developed in 2013 by Nikolai Durov. In secret chats, MTProto provides end-to-end encryption between clients, so the server learns nothing about the message content; regular cloud chats are encrypted only between client and server.

To understand end-to-end (client-to-client) encryption, imagine you need to send a private document to Bob, who is in Europe. You have a highly secure suitcase and a personal padlock with its own key. Nobody can force the suitcase or duplicate the key: it is practically impossible and would take many years.

You lock the document in the suitcase with your padlock and send it. Bob cannot open the suitcase, but he can add his own padlock. Now the suitcase carries two locks: yours and Bob's. When it comes back to you, you still cannot open it, because Bob's lock is on it too, but you can remove your own lock. Bob then receives the suitcase again, removes his lock and takes out the document.

That two-lock exchange captures the idea behind key exchange: a secret travels between two parties without either of them ever handing a key to the other. Strictly speaking, the suitcase protocol is Shamir's three-pass protocol; Diffie-Hellman key exchange, which Telegram's secret chats actually use, reaches the same goal differently: each side combines its own private value with the other side's public value and both arrive at the same shared secret, which an eavesdropper cannot compute from the public values alone. Every day, when you open any https website, your browser performs such a key exchange as part of the TLS handshake. Telegram provides end-to-end encryption only for secret chats; regular cloud chats are encrypted between client and server and stored on Telegram's servers. WhatsApp, by contrast, uses end-to-end encryption for all chats.
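The suitcase story and the Diffie-Hellman exchange side by side, as an added example that is not Telegram's or MTProto's code. The first function is the suitcase exactly: two commutative "locks" (modular exponentiations), Alice removes hers with the inverse exponent, Bob removes his. The second is Diffie-Hellman, where nothing but the two public values crosses the wire, plus the range check on the peer's public value that MTProto's documentation also requires. P and G are toy parameters (P is the Curve25519 field prime, chosen only because it is a well-known prime); MTProto uses a 2048-bit safe prime and its clients verify it before use. `pow(x, -1, m)` needs Python 3.8 or newer.

```python
"""Shamir's three-pass 'suitcase' exchange and Diffie-Hellman over a toy prime.
Added example, not Telegram's code; P and G are demo parameters only."""
import secrets
from math import gcd

P = 2**255 - 19   # a well-known prime, far too small and unchecked for real use
G = 2


def _commutative_lock(p: int) -> int:
    """An exponent e with gcd(e, p-1) == 1 has an inverse mod p-1; that inverse
    is the 'key' that takes the lock off again."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if gcd(e, p - 1) == 1:
            return e


def suitcase_exchange(message: int, p: int = P):
    """Alice locks, Bob adds his lock, Alice removes hers, Bob removes his.
    Returns what Bob recovers and the three values that crossed the wire."""
    assert 1 < message < p
    a, b = _commutative_lock(p), _commutative_lock(p)
    c1 = pow(message, a, p)                     # Alice's lock: m^a
    c2 = pow(c1, b, p)                          # Bob's lock on top: m^(a*b)
    c3 = pow(c2, pow(a, -1, p - 1), p)          # Alice removes hers: m^b
    recovered = pow(c3, pow(b, -1, p - 1), p)   # Bob removes his: m
    return recovered, (c1, c2, c3)


def valid_public_value(pub: int, p: int = P) -> bool:
    """Reject degenerate values (0, 1, p-1) that would force a predictable
    shared secret; MTProto's docs demand a similar, stricter range check."""
    return 1 < pub < p - 1


def dh_keypair(p: int = P, g: int = G):
    priv = secrets.randbelow(p - 3) + 2
    return priv, pow(g, priv, p)


def dh_shared_secret(priv: int, other_pub: int, p: int = P) -> int:
    if not valid_public_value(other_pub, p):
        raise ValueError("degenerate public value")
    return pow(other_pub, priv, p)


def dh_exchange(p: int = P, g: int = G):
    """Both sides of the exchange: only A and B travel, a and b stay private."""
    a, A = dh_keypair(p, g)
    b, B = dh_keypair(p, g)
    return dh_shared_secret(a, B, p), dh_shared_secret(b, A, p)


if __name__ == "__main__":
    doc = 0xC0FFEE
    got, wire = suitcase_exchange(doc)
    print("suitcase: Bob recovered", hex(got), "; on the wire:", [hex(c) for c in wire])
    ka, kb = dh_exchange()
    print("DH: same secret on both sides:", ka == kb)
```

The difference worth remembering: the suitcase sends the document itself three times under changing locks, whereas Diffie-Hellman sends no document at all, only the two public values, and the resulting shared secret is then used as the key for a symmetric cipher, which is also how MTProto's secret chats proceed.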

Compared with Telegram, WhatsApp has had its "WhatsApp MITM" and "WhatsApp backdoor" stories. Moreover, after a message has been decrypted on the client, in many cases it is automatically backed up to Apple's or another vendor's cloud. The security problem is that this backup is not encrypted. According to Telegram's documentation, Telegram keeps its chat data on its own secured servers rather than in a third-party cloud.

So, in this respect Telegram is more secure than WhatsApp: secret chats are encrypted client-to-client and kept in encrypted local storage, and nothing is handed to a third-party cloud unencrypted.
