by alex1 4459 days ago
Can you do a traceroute to 8.8.4.4? If it's actually reaching Google's network, then yeah, they're doing deep packet inspection on DNS traffic. If not, they're probably just routing 8.8.4.4 to a DNS server they control.

If their goal is to manipulate traffic to www.youtube.com (probably to block access to certain videos), another solution would be for YouTube to require SSL for all connections coming from Turkish IPs. Of course, this wouldn't work if they got some Turkish (or other) CA to sign a bogus www.youtube.com certificate.

EDIT: As lawl points out, trying to require SSL on www.youtube.com won't work either, since they could just do an sslstrip type attack.

EDIT 2: Proof that they are in fact messing with routes to Google Public DNS anycast addresses (they're doing the same to OpenDNS): https://twitter.com/esesci/status/449902883933126659

3 comments

Actually this seems likely, hmmm:

  traceroute to 8.8.4.4 (8.8.4.4), 64 hops max, 52 byte packets
   1  192.168.1.1 (192.168.1.1)  4.260 ms  0.969 ms  0.865 ms
   2  host-92-44-0-42.reverse.superonline.net (92.44.0.42)  7.465 ms  7.903 ms  7.384 ms
   3  host-82-222-174-177.reverse.superonline.net (82.222.174.177)  8.772 ms  13.703 ms  8.482 ms
   4  host-85-29-17-234.reverse.superonline.net (85.29.17.234)  7.736 ms  7.830 ms
      host-82-222-35-54.reverse.superonline.net (82.222.35.54)  11.449 ms
   5  212.156.45.29.static.turktelekom.com.tr (212.156.45.29)  30.518 ms  17.123 ms  8.674 ms
   6  inkilap-t2-1-kartal-t3-1.turktelekom.com.tr.220.212.81.in-addr.arpa (81.212.220.250)  9.945 ms *  15.140 ms
   7  * * *
   8  ulus-t3-4-ulus-t2-2.turktelekom.com.tr.223.212.81.in-addr.arpa (81.212.223.7)  18.020 ms  17.709 ms  15.444 ms
   9  * * *
  10  * * *
  11  * * *
  12  * * *
  13  * * *

Yeah, looks like they're mucking with the routes for Google Public DNS anycast IPs.

EDIT: More evidence that this is what's happening (they're doing the same to OpenDNS's anycast addresses): https://twitter.com/esesci/status/449902883933126659

> another solution would be for YouTube to require SSL for all connections coming from Turkish IPs.

What? NO! They are messing with the DNS results from 8.8.4.4 (Google DNS)

Too early for TLS to do anything. Maybe with HSTS, but I still doubt that HSTS is at all effective against state-level MITM.

You're right. Maybe if they turned on and required SSL for everyone visiting www.youtube.com and added www.youtube.com to Chrome's preloaded HSTS list and somehow got everyone to use Chrome. Sadly, this probably won't happen, but DNSSEC adoption probably won't happen either. Even with DNSSEC, they could still do deep packet inspection on HTTP traffic going to YouTube IPs and initiate MITM attacks that way.

Why not ditch the current DNS system and use Namecoin? If you have to force some piece of software onto users' computers, let's do it right at least...

Are you suggesting the government compromised a trusted SSL CA? Or are you just saying they blocked HTTPS?

Huh? The government of Turkey itself is a trusted CA http://www.mozilla.org/en-US/about/governance/policies/secur... Ctrl+F "Government of Turkey"

What application is this?