Thursday, December 5, 2019

The truth always comes out


Censorship comes in many forms, and most recently that includes at the barrel of a gun. I speak of course of the murder in Istanbul of Masoud Molavi on 14 November. Molavi was a complicated person and realised over the last two years that the work he did in the name of Iran's national security was not in service of the Iranian people. He fled to Turkey and founded Black Box on Twitter and Telegram to highlight the illegal activity of the Iranian government. He spoke the truth for the Iranian people and paid the highest price for that.



There is little doubt to me that members of the Iranian State were behind this. Molavi's exposure of malicious cyber activity by the Iranian government was too much, but what they still do not understand is that every person killed, or tortured, or imprisoned, just inspires other ordinary Iranians to seek the truth.

Black Box was a brave piece of work, and those who were a part of it will find new places to share truth and knowledge of Iran's oppressive cyber activities.

Thursday, July 18, 2019

Avoiding Iranian Censorship: The sudden rise and fall of Tor and how best to use Tor safely

It is well known that Tor can be used to prevent others from knowing the websites that you visit on the internet, giving the user anonymity online.



As well as providing defense against surveillance, it can be used to access sites that may be blocked to the user, and to block trackers so that cookies and ads cannot follow the user. Traffic is encrypted three times as it passes over the Tor network, which is made up of thousands of servers known as relays.

Recently there has been evidence of an increase in the number of Iranians using Tor to access the internet, meaning that Iran is now responsible for a large part of the global use of Tor. This is not a surprise given government attempts to censor its citizens. It is well known that VPNs are very popular in Iran, and using Tor is a step further in this direction of keeping a low profile online.




A cause of the increase in Tor in Iran?


Despite my attempts to investigate, the cause of the sudden increase is still unknown. As can be seen in the graphs, the fast rise began in the middle of June. It is possible that this rise is connected with Telegram use.



Telegram is widely used in Iran, but there are only a small number of Telegram server IPs in use, and the government in Iran can request that Internet Service Providers (ISPs) block these. MTProto proxy is a protocol from the MTProto family that was designed to instead allow encrypted Telegram messages to be sent through Telegram proxy servers. It is widely used by Iranians to access Telegram, so that other less secure Telegram forks (such as Telegram talaei and Hotgram) can be avoided. The traffic between the user and the proxy server should be encrypted, although this unproven encryption scheme has been criticized, and the proxy server should only see the user's IP. The encrypted packets are then sent on to Telegram.

However, there have been increasing levels of fear that the MTProto proxy servers are not free from surveillance by the Iranian government. For example, in April a statement by Mohammad Javad Azari Jahromi, the Iranian Telecommunications Minister, indicated that as part of the government's ambition to stop citizens from circumventing filters, the government will take over management and control of some of the MTProto proxy servers by placing them under the Ministry of Communications Technology infrastructure. In my view, the increase in Tor users could be a response to this government management of MTProto proxy servers, because it will make them more dangerous to use, in the same way as the Telegram alternatives like Hotgram.

Evidence of government censorship


Unfortunately, as can be seen in the graph that shows a great increase in users connecting directly to Tor, the number of users decreases suddenly on about 22 June. It seems the government's censorship has now also made an impact. It is likely that they have blocked all the publicly known Tor entry (also called guard) nodes, which are known to the government because they are publicly listed in what is called the consensus file.

How to overcome government censorship: bridges and hiding Tor traffic flow


Using a bridge relay can enable those living in censored countries to continue using Tor. As shown in the graph of bridge users in Iran, there is not the same drop in the number of users that is clear from the directly connected Tor users graph. A bridge is a guard node that has not had its IP listed in the public directory of Tor nodes - and so even if the ISP is filtering connections to all the known Tor relays, it won't be able to block all the bridges.

Tor can quite easily be configured to add a bridge. However, the Iranian government is likely to be using deep packet inspection of traffic - an advanced method of examining and managing the network traffic between the Tor user and the bridge node. As the traffic should be encrypted, the content should not be visible, but it is possible that they could identify the Tor traffic flow based on the protocol, even if the IP that the Tor user is connecting to is a bridge and not a public Tor node. Fortunately, pluggable transports (PTs) can be used to change the appearance of the Tor traffic flow between the user and the bridge. This way anybody who is monitoring traffic between the user and the bridge will just see normal-looking traffic, not Tor traffic.

Recommendations for using Tor in Iran and other censored countries


Tor can be configured to add a PT quite easily through the configuration button of the Tor Network Settings. There are different options that use the PT API to talk between the Tor user and the Tor bridge. Obfs3 is a PT that was common, but it is now quite old and mostly deprecated because the method it used to obfuscate the traffic is no longer safe to use. In Iran, I would recommend the use of the Obfs4 PT with a bridge as the best option for avoiding censorship. This has much better encryption, and to block its use would really require the government to cut off the internet altogether.

Using a PT called MEEK is another option. This uses a domain fronting technique - in which traffic is relayed through a third-party server, usually a content delivery network (CDN) that hosts multiple domains - to make traffic look like it's associated with a web domain that isn't restricted. This relies on the expectation that the collateral damage of censoring it would be too high, as so many other sites would be impacted. However, it is vulnerable to statistical attack and to government pressure on the third-party CDN. It is now no longer possible to use Amazon and Google for this method, leaving only Microsoft Azure as the best option, and it is possible that the government could use deep packet inspection to identify the IP addresses reaching Azure and then further examine those that they are suspicious of. However, MEEK is probably recommended in China, where blocking of Obfs4 may occur.
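The Obfs4 bridge setup recommended above comes down to three torrc directives (`UseBridges`, `ClientTransportPlugin` and one `Bridge` line per bridge), and a single typo in the bridge line silently leaves the client unable to bootstrap. The helper below is an added example, not code from this post or from the Tor Project: it validates an obfs4 bridge line of the form `obfs4 IP:PORT FINGERPRINT cert=... iat-mode=N` (40 hex-digit fingerprint, 70-character unpadded base64 cert, iat-mode 0 to 2) and emits the torrc fragment. The sample bridge address, fingerprint and cert are constructed placeholders, and the obfs4proxy path is an assumption.

```python
import re
from typing import Dict, List

# Field formats for an obfs4 bridge line as used by Tor Browser / torrc.
ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")        # relay identity, 20 bytes hex
CERT_RE = re.compile(r"^[A-Za-z0-9+/]{70}$")             # 52-byte cert, unpadded base64

# Constructed placeholder, NOT a real bridge (192.0.2.0/24 is a documentation range).
SAMPLE_BRIDGE = ("obfs4 192.0.2.1:443 0123456789ABCDEF0123456789ABCDEF01234567 "
                 "cert=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz01234567 "
                 "iat-mode=0")


def parse_obfs4_bridge_line(line: str) -> Dict[str, str]:
    """Split and validate an obfs4 bridge line; raise ValueError on any malformed field."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "obfs4":
        raise ValueError("expected: obfs4 IP:PORT FINGERPRINT cert=... iat-mode=N")
    transport, addr, fingerprint, *args = parts
    m = ADDR_RE.match(addr)
    if (not m or not 0 < int(m.group(2)) < 65536
            or any(int(octet) > 255 for octet in m.group(1).split("."))):
        raise ValueError(f"bad bridge address: {addr}")
    if not FINGERPRINT_RE.match(fingerprint):
        raise ValueError("fingerprint must be 40 hex digits")
    kv = dict(a.split("=", 1) for a in args if "=" in a)
    if not CERT_RE.match(kv.get("cert", "")):
        raise ValueError("cert= must be 70 unpadded base64 characters")
    kv.setdefault("iat-mode", "0")          # obfs4proxy default when omitted
    if kv["iat-mode"] not in ("0", "1", "2"):
        raise ValueError("iat-mode must be 0, 1 or 2")
    return {"transport": transport, "addr": addr, "fingerprint": fingerprint.upper(), **kv}


def build_torrc(bridge_lines: List[str], obfs4proxy_path: str = "/usr/bin/obfs4proxy") -> str:
    """Return the torrc fragment that routes all Tor traffic through the given obfs4 bridges."""
    bridges = [parse_obfs4_bridge_line(line) for line in bridge_lines]
    out = ["UseBridges 1", f"ClientTransportPlugin obfs4 exec {obfs4proxy_path}"]
    for b in bridges:
        out.append(f"Bridge obfs4 {b['addr']} {b['fingerprint']} "
                   f"cert={b['cert']} iat-mode={b['iat-mode']}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_torrc([SAMPLE_BRIDGE]))
```

Run `tor --verify-config -f <torrc>` on the generated file before use; the same checks apply to each extra bridge line you add for redundancy.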