Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] SOPA and DNS-level Censorship Circumvention

Okhin okhin at
Tue Jan 10 01:45:33 PST 2012

Hash: SHA1

Hello list, first post here (quick summary: I'm one of the telecomix
agent working on Syria).

On Mon, 09 Jan 2012 18:17:44 -0800
Jordan McCarthy <jrmccarthy at> wrote:

> As I was reading your email, it occurred to me that one of the (many) 
> detrimental by-products of this whole SOPA/PROTECT IP debacle may be
> to severely exacerbate the U.S.'s already-nasty malware problem.  As
> you point out, the second any legislation of this kind is enacted, a
> host of circumnavigation tools are going to immediately hit the
> market.  While the ones you describe (and have been so kind as to
> implement) are obviously well-intentioned, I can't imagine that it'll
> take more than three seconds for scam-artists of all stripes to jump
> on the bandwagon, and start putting out their own "auto-configuration
> anti-censorship utilities" based on their own poisoned DNS servers
> (ie, ones that direct to
>  Of course, they've already done this
> sort of thing in various ways, but it seems very, very likely that
> SOPA will only make the phenomenon a whole lot worse.
> For the purposes of this discussion, though, I suppose my main point
> is that any system of the kind under consideration should optimally
> have some sort of VERY easy-to-understand trust/authentication
> mechanisms built-in, and be accompanied by an extensive
> public-awareness campaign, to prevent unwitting users from being
> duped into sending their credit card numbers straight to the
> blackhats' databases (to an even greater extent than they already
> are).

What about DNSSEC? I think it can do it (if you can't provide the full
chain of signature to the root, then you're probably lying).

> Nevertheless, I'm exceedingly grateful that people are starting to
> think about and code up some of these utilities.  It looks like we
> might need them.

Telecomix have, for some times now, some censorproof DNS that are quite
usefull, you can find them at and the address of the
resolver is: and the host is in Sweden (so Swedish law
applies), I'm using it because we have some serious stuff with it over
there (due to law and regulation for online gambling that requires the
ISP to use the (sic) "blocking DNS protocol" to forbidd access to
illegal websites.

However, on a similar topic, we are noticing that Tarassul ISP in Syria
nowtries to enforce a mandatory DNS system on all the user box they
have. That implies they wan't to do some serious censorrship over
there. And I'm wondering if they can enforce the use of their own DNS
(I can do it using a quick iptables rule, so technically it's doable),
to shut down any other DNS alternatives.


> - Jordan
> My PGP Public Key <>
> Sent from a computer running Free and Open Source Software
> On 01/09/2012 04:41 PM, Griffin Boyce wrote:
> > Hey all,
> >
> >   With the SOPA vote on the horizon, now seems to be a good time to 
> > talk about censorship at the DNS level.
> >
> > Computers use Domain Name Servers to make the connection to
> > websites. These large servers act as online address books for
> > websites, telling computers where the site they want to visit is
> > located.  So the flow is typically /Website Address -> DNS Server
> > -> Website's Host/. If SOPA passes, sites alleged to be infringing
> > copyright will be blocked from visitors in the US: /Website Address
> > -> US DNS Server -> Block Page/.
> >
> >   You can customize which servers your computer uses to fetch 
> > addresses, and bypass these types of blocks entirely. A good
> > tutorial on how to do that is here: 
> > Though keep
> > in mind that the server addresses mentioned on that tutorial are
> > located in the United States.  So anyone looking to
> > bypass /American/ censorship will need to use servers in an
> > uncensored country like Iceland or Belgium.
> >
> >   Another good option is using a browser plugin.  For FireFox,
> > there are two currently: Soapy and DeSopa.  DeSopa automatically
> > fetches server details for websites, but relies on a website that
> > is likely to be blocked once SOPA goes into effect. However, it
> > does work until blocked. I made Soapy with all of the rules it
> > needs to function built into it. With Soapy, every site that is
> > enabled must have redirection rules created for it, but it's also
> > quite light (<50kb, each site is ~200bytes) and easily updated with
> > new sites.
> >
> > DeSopa:
> > Soapy:
> >
> >   These browser plugins are really quick hacks designed to get into 
> > people's hands quickly. (And there aren't any for Chrome, Opera, 
> > Safari, or IE yet).  There has to be a more elegant and robust 
> > solution that we can create for people affected by this type of 
> > censorship -- not just in the US, but around the world.  It's 
> > completely possible to run censorship-resistant DNS servers in 
> > uncensored countries, but the critical missing element is a highly 
> > usable piece of software that will adjust the user's network
> > settings without a major hassle.  DnsJumper might work, but isn't
> > open-source and users have to find unblocked servers to use.
> >
> >   What do you all think about this?
> >
> > All the best,
> > Griffin Boyce
> >
> > -- 
> > "I believe that usability is a security concern; systems that do
> > not pay close attention to the human interaction factors involved
> > risk failing to provide security by failing to attract users."
> > ~Len Sassaman
> >
> >
> > _______________________________________________
> > liberationtech mailing list
> > liberationtech at
> >
> > Should you need to change your subscription options, please go to:
> >
> >
> >
> > If you would like to receive a daily digest, click "yes" (once you
> > click above) next to "would you like to receive list mail batched
> > in a daily digest?"
> >
> > You will need the user name and password you receive from the list
> > moderator in monthly reminders.
> >
> > Should you need immediate assistance, please contact the list
> > moderator.
> >
> > Please don't forget to follow us on
> >!/Liberationtech
Version: GnuPG v1.4.10 (GNU/Linux)


More information about the liberationtech mailing list