1 00:00:01,280 --> 00:00:16,000 [Music] 2 00:00:16,000 --> 00:00:19,279 we are here and we will have a talk from 3 00:00:19,279 --> 00:00:20,640 asim 4 00:00:20,640 --> 00:00:21,439 who 5 00:00:21,439 --> 00:00:24,000 came over here to tell us about all the 6 00:00:24,000 --> 00:00:26,000 censoring that we see in some countries 7 00:00:26,000 --> 00:00:27,920 not here maybe so much but in other 8 00:00:27,920 --> 00:00:29,920 countries the centering of the internet 9 00:00:29,920 --> 00:00:31,679 and he's showing us even in a very 10 00:00:31,679 --> 00:00:33,280 practical manner 11 00:00:33,280 --> 00:00:34,399 how 12 00:00:34,399 --> 00:00:35,600 you 13 00:00:35,600 --> 00:00:37,520 even if you're not a technician 14 00:00:37,520 --> 00:00:40,559 can bypass these centerings so we will 15 00:00:40,559 --> 00:00:43,280 even have a live demo 16 00:00:43,280 --> 00:00:45,600 have fun with asim 17 00:00:45,600 --> 00:00:47,600 hey thank you 18 00:00:47,600 --> 00:00:48,440 thank you 19 00:00:48,440 --> 00:00:51,440 [Applause] 20 00:00:51,440 --> 00:00:54,719 hello everyone uh this is a theme and 21 00:00:54,719 --> 00:00:57,120 probably if you live in this region you 22 00:00:57,120 --> 00:00:58,960 wouldn't have experienced any kind of 23 00:00:58,960 --> 00:01:01,760 censorship because i was trying to run 24 00:01:01,760 --> 00:01:03,600 an application to test if any of the 25 00:01:03,600 --> 00:01:05,920 websites are blocked or not and i didn't 26 00:01:05,920 --> 00:01:08,080 find any so i'll be showing the results 27 00:01:08,080 --> 00:01:10,880 towards the end of the presentation 28 00:01:10,880 --> 00:01:13,280 and the talk the topic is censoring the 29 00:01:13,280 --> 00:01:16,479 internet and how to bypass it so 30 00:01:16,479 --> 00:01:18,320 uh uh 31 00:01:18,320 --> 00:01:19,360 a lot of 32 00:01:19,360 --> 00:01:21,360 you might think that it would be a very 33 00:01:21,360 --> 00:01:23,920 technical one which is which is which it 34 00:01:23,920 --> 
00:01:26,080 is but uh there are a lot of small 35 00:01:26,080 --> 00:01:28,000 integrity things that 36 00:01:28,000 --> 00:01:29,520 you can 37 00:01:29,520 --> 00:01:31,920 as a normal person who wants to bypass 38 00:01:31,920 --> 00:01:33,920 it you can use it like if you have an 39 00:01:33,920 --> 00:01:35,840 android device i would have some 40 00:01:35,840 --> 00:01:38,079 settings that you can add to your device 41 00:01:38,079 --> 00:01:40,640 so as to get a totally sensitive 42 00:01:40,640 --> 00:01:43,119 internet or an internet that's not being 43 00:01:43,119 --> 00:01:46,159 monitored by your isp so isp stands for 44 00:01:46,159 --> 00:01:49,040 internet service provider 45 00:01:49,040 --> 00:01:52,479 so yeah let's get started um 46 00:01:52,479 --> 00:01:56,240 who am i uh so myself i also 47 00:01:56,240 --> 00:01:58,079 teach about cyber security on my youtube 48 00:01:58,079 --> 00:02:00,640 channel called hacking simplified 49 00:02:00,640 --> 00:02:02,159 professionally i work as a security 50 00:02:02,159 --> 00:02:04,079 engineer in a us-based startup called 51 00:02:04,079 --> 00:02:06,399 rippling i sometimes hack government 52 00:02:06,399 --> 00:02:08,318 websites and private organizations as 53 00:02:08,318 --> 00:02:10,080 well as part of their bug bounty 54 00:02:10,080 --> 00:02:12,560 programs 55 00:02:12,879 --> 00:02:14,720 so you can scan this if you want the 56 00:02:14,720 --> 00:02:17,440 slides and read through it but i think 57 00:02:17,440 --> 00:02:19,280 you can easily see it on the screen 58 00:02:19,280 --> 00:02:21,040 itself 59 00:02:21,040 --> 00:02:22,640 let's skip 60 00:02:22,640 --> 00:02:24,080 this 61 00:02:24,080 --> 00:02:27,280 on these are some this 62 00:02:32,080 --> 00:02:33,120 so yeah 63 00:02:33,120 --> 00:02:35,280 so i'll start with the question as to 64 00:02:35,280 --> 00:02:38,319 what happens when you type a url in your 65 00:02:38,319 --> 00:02:40,480 browser and you press the enter button 
66 00:02:40,480 --> 00:02:43,599 what all goes in the back of it so if 67 00:02:43,599 --> 00:02:45,280 you are a software developer you might 68 00:02:45,280 --> 00:02:47,519 have experienced this question in your 69 00:02:47,519 --> 00:02:49,519 interviews because this is one of the 70 00:02:49,519 --> 00:02:52,160 very common questions that you get asked 71 00:02:52,160 --> 00:02:54,319 the in the later half i will talk about 72 00:02:54,319 --> 00:02:55,200 how 73 00:02:55,200 --> 00:02:56,560 the whole process once you understand 74 00:02:56,560 --> 00:02:58,319 the whole process you would get to know 75 00:02:58,319 --> 00:03:00,959 where are the places where you can be 76 00:03:00,959 --> 00:03:03,360 censored and where you can be monitored 77 00:03:03,360 --> 00:03:05,440 because once you understand something 78 00:03:05,440 --> 00:03:08,319 only then it gets easy to bypass it or 79 00:03:08,319 --> 00:03:12,159 basically get over or get around it 80 00:03:12,159 --> 00:03:14,959 so there are like places the traffic can 81 00:03:14,959 --> 00:03:17,120 be censored those are usually two places 82 00:03:17,120 --> 00:03:19,280 there's a dns and then there's a http 83 00:03:19,280 --> 00:03:21,040 request i'll be talking about both of 84 00:03:21,040 --> 00:03:22,800 these in detail 85 00:03:22,800 --> 00:03:24,720 and after those are done we'll talk 86 00:03:24,720 --> 00:03:28,080 about the bypassing of these 87 00:03:29,760 --> 00:03:31,360 so 88 00:03:31,360 --> 00:03:33,599 how many of you know like what happens 89 00:03:33,599 --> 00:03:36,360 when you type let's say 90 00:03:36,360 --> 00:03:39,040 mch2022.org in your browser just to show 91 00:03:39,040 --> 00:03:40,560 fans 92 00:03:40,560 --> 00:03:42,799 cool how many of you know what our dns 93 00:03:42,799 --> 00:03:44,959 is 94 00:03:45,280 --> 00:03:48,400 cool so how many of you use cloud flare 95 00:03:48,400 --> 00:03:50,879 dns 96 00:03:50,959 --> 00:03:53,040 okay that's quite 97 
00:03:53,040 --> 00:03:54,319 low in number 98 00:03:54,319 --> 00:03:55,840 okay how many of you 99 00:03:55,840 --> 00:03:57,959 okay how many of you know what 100 00:03:57,959 --> 00:04:01,040 8.8.8.8 is 101 00:04:01,040 --> 00:04:02,350 cool okay fine 102 00:04:02,350 --> 00:04:04,879 [Music] 103 00:04:04,879 --> 00:04:06,000 sorry 104 00:04:06,000 --> 00:04:08,799 uh yeah i have that but cod nine i think 105 00:04:08,799 --> 00:04:10,720 lesser number would know but yeah so 106 00:04:10,720 --> 00:04:11,760 yeah 107 00:04:11,760 --> 00:04:14,480 uh let's see what happens so this is an 108 00:04:14,480 --> 00:04:17,918 over simplified version of it so 109 00:04:17,918 --> 00:04:20,000 this is your browser and let's say you 110 00:04:20,000 --> 00:04:22,240 go to my website at seamstream.com so 111 00:04:22,240 --> 00:04:24,000 the very first thing that happens 112 00:04:24,000 --> 00:04:26,560 because machines understand only numbers 113 00:04:26,560 --> 00:04:28,960 they don't understand what a seamstress 114 00:04:28,960 --> 00:04:30,479 dot n is 115 00:04:30,479 --> 00:04:32,960 so this a seamstress.10 website gets 116 00:04:32,960 --> 00:04:35,040 translated to a number that number is 117 00:04:35,040 --> 00:04:37,759 the ip address ip address is the 118 00:04:37,759 --> 00:04:39,919 internet protocol address 119 00:04:39,919 --> 00:04:42,000 that number is basically the address 120 00:04:42,000 --> 00:04:44,479 where my website is hosted 121 00:04:44,479 --> 00:04:46,960 and on the right far right if you see 122 00:04:46,960 --> 00:04:48,960 that is the server uh the web server 123 00:04:48,960 --> 00:04:50,479 where the machine 124 00:04:50,479 --> 00:04:52,800 my website is hosted so now the browser 125 00:04:52,800 --> 00:04:55,199 has got the ip address from the dns 126 00:04:55,199 --> 00:04:57,919 server it tries to send the request to 127 00:04:57,919 --> 00:04:58,880 that 128 00:04:58,880 --> 00:05:00,560 machine that hey please give me the 129 
00:05:00,560 --> 00:05:03,360 website that's a seamstress.net the 130 00:05:03,360 --> 00:05:05,759 website complies and gives back the html 131 00:05:05,759 --> 00:05:07,440 web page 132 00:05:07,440 --> 00:05:09,759 this is the http flow 133 00:05:09,759 --> 00:05:11,680 let's say an oversimplified version of 134 00:05:11,680 --> 00:05:14,880 an https flow the first part remains the 135 00:05:14,880 --> 00:05:17,360 same in the second part there's some 136 00:05:17,360 --> 00:05:19,360 mathematical calculation which we call 137 00:05:19,360 --> 00:05:20,720 as encryption 138 00:05:20,720 --> 00:05:23,039 and that basically what it does is when 139 00:05:23,039 --> 00:05:26,479 the html web page comes to the browser 140 00:05:26,479 --> 00:05:29,360 that is encrypted so that anyone who is 141 00:05:29,360 --> 00:05:31,919 in between the browser and the machine 142 00:05:31,919 --> 00:05:34,400 that where my server my website is 143 00:05:34,400 --> 00:05:36,639 hosted no one can see that data so 144 00:05:36,639 --> 00:05:39,280 suppose you are using a website that has 145 00:05:39,280 --> 00:05:41,600 payment data or you are entering your 146 00:05:41,600 --> 00:05:42,560 let's say 147 00:05:42,560 --> 00:05:44,160 paypal credential or your stripe 148 00:05:44,160 --> 00:05:46,479 credentials or credit card number so 149 00:05:46,479 --> 00:05:48,320 those are usually encrypted and you see 150 00:05:48,320 --> 00:05:50,880 that https on the url with a green 151 00:05:50,880 --> 00:05:52,880 padlock usually 152 00:05:52,880 --> 00:05:55,600 so that's the http is slow 153 00:05:55,600 --> 00:05:58,880 now let me show you the actual flow 154 00:05:58,880 --> 00:06:01,280 so this is the actual flow you don't 155 00:06:01,280 --> 00:06:03,280 directly talk to the dns so you don't 156 00:06:03,280 --> 00:06:05,039 directly talk to the machine there is 157 00:06:05,039 --> 00:06:07,039 usually an isp 158 00:06:07,039 --> 00:06:09,360 like if you check the isp currently 
159 00:06:09,360 --> 00:06:11,120 where you if you're connected to mch 160 00:06:11,120 --> 00:06:14,080 wi-fi you would see stitch internet 161 00:06:14,080 --> 00:06:15,280 something the organization name is 162 00:06:15,280 --> 00:06:17,520 stitch and something so that is the one 163 00:06:17,520 --> 00:06:19,440 who is providing the whole internet 164 00:06:19,440 --> 00:06:22,000 infrastructure to this area if i go to 165 00:06:22,000 --> 00:06:22,880 my 166 00:06:22,880 --> 00:06:25,120 country india there would be airtel geo 167 00:06:25,120 --> 00:06:26,960 or any other mobile network providers 168 00:06:26,960 --> 00:06:28,560 they are usually the internet service 169 00:06:28,560 --> 00:06:30,000 provider 170 00:06:30,000 --> 00:06:31,919 so the traffic if you can see this slow 171 00:06:31,919 --> 00:06:35,039 the browser first requests the isp isp 172 00:06:35,039 --> 00:06:38,960 does all that part on behalf of you 173 00:06:42,160 --> 00:06:43,680 now this is 174 00:06:43,680 --> 00:06:44,960 quite an apt 175 00:06:44,960 --> 00:06:46,319 like this is the answer to the question 176 00:06:46,319 --> 00:06:48,479 what happens when you enter a url into 177 00:06:48,479 --> 00:06:50,639 the browser and press enter this is a 178 00:06:50,639 --> 00:06:52,479 very detailed one i won't be talking 179 00:06:52,479 --> 00:06:55,039 about it but it's a very good one uh 180 00:06:55,039 --> 00:06:57,199 thanks to wasim chekham i found it 181 00:06:57,199 --> 00:06:58,479 online 182 00:06:58,479 --> 00:06:59,360 but 183 00:06:59,360 --> 00:07:00,880 go through it because it would have the 184 00:07:00,880 --> 00:07:02,400 sites it's quite interesting to know 185 00:07:02,400 --> 00:07:04,240 what happens and 186 00:07:04,240 --> 00:07:05,919 how easy you feel that you just press 187 00:07:05,919 --> 00:07:08,000 and enter and it happens in the snap of 188 00:07:08,000 --> 00:07:10,400 a second but this whole thing happens in 189 00:07:10,400 --> 00:07:13,520 that 
snap of a second 190 00:07:15,520 --> 00:07:18,240 now you might ask okay so what like i 191 00:07:18,240 --> 00:07:20,639 got the flow i got the https flow now 192 00:07:20,639 --> 00:07:24,000 what what more 193 00:07:24,720 --> 00:07:27,520 so let's see which places traffic can be 194 00:07:27,520 --> 00:07:28,880 censored now 195 00:07:28,880 --> 00:07:31,039 so now if you see the isp's color has 196 00:07:31,039 --> 00:07:33,120 been changed to red that signifies that 197 00:07:33,120 --> 00:07:34,720 there is a danger 198 00:07:34,720 --> 00:07:35,599 so 199 00:07:35,599 --> 00:07:39,120 because the isp is in control of the dns 200 00:07:39,120 --> 00:07:40,960 request that is going and it's also in 201 00:07:40,960 --> 00:07:43,440 the control of which server the 202 00:07:43,440 --> 00:07:44,960 web page from where the web page is 203 00:07:44,960 --> 00:07:47,680 being fetched what is being returned all 204 00:07:47,680 --> 00:07:49,039 this is 205 00:07:49,039 --> 00:07:50,720 you are on the mercy of the isp so 206 00:07:50,720 --> 00:07:51,919 basically everything is going through 207 00:07:51,919 --> 00:07:52,879 them 208 00:07:52,879 --> 00:07:55,120 so that's where like these are the two 209 00:07:55,120 --> 00:07:57,280 end point the dns thing and the http 210 00:07:57,280 --> 00:08:00,160 https request for http request these are 211 00:08:00,160 --> 00:08:02,240 the two places where 212 00:08:02,240 --> 00:08:04,879 the isp can basically come into picture 213 00:08:04,879 --> 00:08:07,680 and try to modify or censor the data 214 00:08:07,680 --> 00:08:11,000 that you are getting 215 00:08:20,080 --> 00:08:20,879 okay 216 00:08:20,879 --> 00:08:24,000 so dns level sending fake dns responses 217 00:08:24,000 --> 00:08:26,080 and http request is the host header and 218 00:08:26,080 --> 00:08:28,560 the http intercepting so i'll talk about 219 00:08:28,560 --> 00:08:31,599 both of these so dns level is when 220 00:08:31,599 --> 00:08:34,399 you're 
trying to get the ip address so 221 00:08:34,399 --> 00:08:35,919 imagine the case where you're trying to 222 00:08:35,919 --> 00:08:37,039 let's say 223 00:08:37,039 --> 00:08:38,799 access a website that 224 00:08:38,799 --> 00:08:40,958 is supposedly that should be blocked or 225 00:08:40,958 --> 00:08:42,080 let's say 226 00:08:42,080 --> 00:08:43,839 there's a website of a terrorist 227 00:08:43,839 --> 00:08:45,760 organization that your country doesn't 228 00:08:45,760 --> 00:08:47,680 want you to see so what they would try 229 00:08:47,680 --> 00:08:49,279 to do is they would try to send you a 230 00:08:49,279 --> 00:08:51,200 different ip address that doesn't belong 231 00:08:51,200 --> 00:08:54,800 to the terrorist organization's website 232 00:08:54,800 --> 00:08:56,880 in the same case when you have the http 233 00:08:56,880 --> 00:08:59,040 request so in that part what happens is 234 00:08:59,040 --> 00:09:01,839 if it's an http not it's a non-encrypted 235 00:09:01,839 --> 00:09:04,399 uh traffic they can directly modify the 236 00:09:04,399 --> 00:09:06,399 traffic and send you let's say a notice 237 00:09:06,399 --> 00:09:08,160 that this website is banned or something 238 00:09:08,160 --> 00:09:09,920 like that i'll show you some examples 239 00:09:09,920 --> 00:09:13,440 later in the slides so how 240 00:09:13,440 --> 00:09:16,480 html response is being modified i also 241 00:09:16,480 --> 00:09:19,600 have a wireshark packet capture which 242 00:09:19,600 --> 00:09:21,920 basically shows the flow of the tcp as 243 00:09:21,920 --> 00:09:24,320 to how that data is being modified 244 00:09:24,320 --> 00:09:27,279 don't get overall about all these terms 245 00:09:27,279 --> 00:09:30,720 it's very simple i mean 246 00:09:30,720 --> 00:09:33,040 tcp and all it gets 247 00:09:33,040 --> 00:09:34,800 over 248 00:09:34,800 --> 00:09:36,959 okay let's 249 00:09:36,959 --> 00:09:39,279 i think yeah 250 00:09:39,279 --> 00:09:40,480 so 251 00:09:40,480 --> 
00:09:43,120 on the dns level sensoring uh there are 252 00:09:43,120 --> 00:09:44,880 two methods that that are usually 253 00:09:44,880 --> 00:09:47,839 employed by these isps the first one is 254 00:09:47,839 --> 00:09:49,680 they try to 255 00:09:49,680 --> 00:09:50,880 once you get a 256 00:09:50,880 --> 00:09:53,120 internet connection from your local isp 257 00:09:53,120 --> 00:09:56,000 or home server you are basically um 258 00:09:56,000 --> 00:09:57,440 giving the lease for your internet 259 00:09:57,440 --> 00:09:59,040 connection let's say you are in u.s and 260 00:09:59,040 --> 00:10:01,279 you get comcast or let's say you're in 261 00:10:01,279 --> 00:10:03,200 india you get airtel geo any other 262 00:10:03,200 --> 00:10:04,640 internet service provider so they give 263 00:10:04,640 --> 00:10:06,000 you a router 264 00:10:06,000 --> 00:10:07,600 and you basically get the wi-fi 265 00:10:07,600 --> 00:10:09,120 connection using that 266 00:10:09,120 --> 00:10:12,240 so this router has predefined dns 267 00:10:12,240 --> 00:10:15,440 service ip embedded into that and that's 268 00:10:15,440 --> 00:10:18,320 where i would come to the cloud fair dns 269 00:10:18,320 --> 00:10:20,480 and 8.8.8.8 270 00:10:20,480 --> 00:10:22,880 so these isps when they give you the 271 00:10:22,880 --> 00:10:25,040 router and the internet connection they 272 00:10:25,040 --> 00:10:28,000 already have their own dns server as the 273 00:10:28,000 --> 00:10:30,640 default server where your request would 274 00:10:30,640 --> 00:10:31,360 go 275 00:10:31,360 --> 00:10:32,880 so if they have to do any kind of 276 00:10:32,880 --> 00:10:34,480 filtering they would just 277 00:10:34,480 --> 00:10:36,720 send you like an invalid response or a 278 00:10:36,720 --> 00:10:38,800 fake response or a different response 279 00:10:38,800 --> 00:10:40,560 instead of going through all the hassle 280 00:10:40,560 --> 00:10:41,920 of like 281 00:10:41,920 --> 00:10:43,920 encrypted like 
intercepting your traffic 282 00:10:43,920 --> 00:10:45,680 and doing all that so that is the very 283 00:10:45,680 --> 00:10:48,000 basic that they do they also do this 284 00:10:48,000 --> 00:10:50,399 because sometimes um it's easier for 285 00:10:50,399 --> 00:10:53,519 them or to cash it on the isp level and 286 00:10:53,519 --> 00:10:54,880 basically 287 00:10:54,880 --> 00:10:56,959 you can get all the dns responses on 288 00:10:56,959 --> 00:10:59,200 their own isp so the traffic they don't 289 00:10:59,200 --> 00:11:01,200 have to forward the internet traffic 290 00:11:01,200 --> 00:11:04,240 from your device to a public dns server 291 00:11:04,240 --> 00:11:05,920 for example let's say 292 00:11:05,920 --> 00:11:08,560 uh you get a connection from a local isp 293 00:11:08,560 --> 00:11:10,320 and 294 00:11:10,320 --> 00:11:12,560 they are running their own dns server so 295 00:11:12,560 --> 00:11:14,720 you request for google.com so what 296 00:11:14,720 --> 00:11:15,920 happens is 297 00:11:15,920 --> 00:11:18,480 where we saw the previous slide so the 298 00:11:18,480 --> 00:11:20,880 google.com request goes through the isp 299 00:11:20,880 --> 00:11:24,079 isp has their own dns server running it 300 00:11:24,079 --> 00:11:26,480 returns the ip address of google.com and 301 00:11:26,480 --> 00:11:28,160 then basically your machine makes a 302 00:11:28,160 --> 00:11:29,600 connection to that 303 00:11:29,600 --> 00:11:30,320 so 304 00:11:30,320 --> 00:11:32,000 what happens let's say you are trying to 305 00:11:32,000 --> 00:11:33,600 access this website which is banned 306 00:11:33,600 --> 00:11:34,959 let's say a terrorist organization 307 00:11:34,959 --> 00:11:36,560 website or any kind of website that your 308 00:11:36,560 --> 00:11:38,399 country feels is not 309 00:11:38,399 --> 00:11:40,480 to be shown to their citizens so what 310 00:11:40,480 --> 00:11:41,600 they would 311 00:11:41,600 --> 00:11:43,839 like give a notice to the isp is that 312 
00:11:43,839 --> 00:11:45,680 when you get a request to this change 313 00:11:45,680 --> 00:11:47,760 the ip address or return the non-valid 314 00:11:47,760 --> 00:11:49,600 ip address instead of 315 00:11:49,600 --> 00:11:53,040 giving a valid ip address response so 316 00:11:53,040 --> 00:11:54,720 there are two ways they do it either 317 00:11:54,720 --> 00:11:57,200 they have one is called the sinkhole 318 00:11:57,200 --> 00:11:58,800 sinkhole is basically they have their 319 00:11:58,800 --> 00:12:00,959 own machine which serves uh government 320 00:12:00,959 --> 00:12:03,680 notice that this this website is locked 321 00:12:03,680 --> 00:12:05,600 so any request that goes through them 322 00:12:05,600 --> 00:12:07,120 they return the ip address of that 323 00:12:07,120 --> 00:12:08,800 machine so that is called the sinkhole 324 00:12:08,800 --> 00:12:09,920 so all the requests go through that 325 00:12:09,920 --> 00:12:10,959 sinkhole 326 00:12:10,959 --> 00:12:13,519 the other method is they return a nx 327 00:12:13,519 --> 00:12:16,160 domain response so nx domain is no 328 00:12:16,160 --> 00:12:18,639 domains exist so the browser feels that 329 00:12:18,639 --> 00:12:20,639 there is no domain as such 330 00:12:20,639 --> 00:12:22,160 so 331 00:12:22,160 --> 00:12:24,079 to replicate this you can just type 332 00:12:24,079 --> 00:12:26,639 random characters let's say abcdefgh 333 00:12:26,639 --> 00:12:28,320 whatever you want to type and then dot 334 00:12:28,320 --> 00:12:30,480 com so the browser would show that nx 335 00:12:30,480 --> 00:12:32,800 domain this domain does not exist 336 00:12:32,800 --> 00:12:34,800 so that is what they do 337 00:12:34,800 --> 00:12:37,120 the other thing that is quite 338 00:12:37,120 --> 00:12:39,519 like creepy i would say the transparent 339 00:12:39,519 --> 00:12:42,480 dn is proxing what happens in that case 340 00:12:42,480 --> 00:12:43,200 you 341 00:12:43,200 --> 00:12:44,720 so 342 00:12:44,720 --> 
00:12:46,560 that comes because the first case when 343 00:12:46,560 --> 00:12:48,160 you have the default dns you can change 344 00:12:48,160 --> 00:12:51,680 the default dns to a dns provider of 345 00:12:51,680 --> 00:12:53,279 your choosing let's say you choose 346 00:12:53,279 --> 00:12:56,000 google's dns provider or cloudflare dns 347 00:12:56,000 --> 00:12:58,399 provider because you know that those 348 00:12:58,399 --> 00:13:00,320 providers won't block these are public 349 00:13:00,320 --> 00:13:02,800 dns providers so you enter their ip 350 00:13:02,800 --> 00:13:05,120 address as your dns resolver so let's 351 00:13:05,120 --> 00:13:07,839 say you add 8.8.8.8 as your dns 352 00:13:07,839 --> 00:13:10,000 resolvers so any website that your 353 00:13:10,000 --> 00:13:12,320 browser wants to fetch they would fetch 354 00:13:12,320 --> 00:13:15,120 from google's public dns resolver that 355 00:13:15,120 --> 00:13:17,920 is 8.8.8.8 356 00:13:17,920 --> 00:13:19,200 coordinate 357 00:13:19,200 --> 00:13:21,440 what happens in this case because now 358 00:13:21,440 --> 00:13:23,680 isp is not control of your dns traffic 359 00:13:23,680 --> 00:13:25,920 so they can't censor that they can't 360 00:13:25,920 --> 00:13:28,720 monitor that so what they do is 361 00:13:28,720 --> 00:13:29,680 uh 362 00:13:29,680 --> 00:13:32,079 here comes the technical part of it so 363 00:13:32,079 --> 00:13:35,360 dns works on port 53 every machine has 364 00:13:35,360 --> 00:13:38,240 like 65 000 ports and using these ports 365 00:13:38,240 --> 00:13:39,680 your machine makes connection to the 366 00:13:39,680 --> 00:13:42,399 outer world so dns or domain name system 367 00:13:42,399 --> 00:13:44,480 that works on a particular port called 368 00:13:44,480 --> 00:13:47,279 port number 53 that's a port number 369 00:13:47,279 --> 00:13:49,920 so what these isp do they monitor 370 00:13:49,920 --> 00:13:52,800 traffic on this port 53 and 371 00:13:52,800 --> 00:13:55,600 well and 
what they do is they route all 372 00:13:55,600 --> 00:13:57,199 the data all the traffic that is going 373 00:13:57,199 --> 00:14:00,240 to port 53 to their own servers so even 374 00:14:00,240 --> 00:14:03,120 if you set google as your dns server the 375 00:14:03,120 --> 00:14:04,959 request doesn't go to google rather they 376 00:14:04,959 --> 00:14:07,279 go to the dns providers and because the 377 00:14:07,279 --> 00:14:09,600 whole in internet traffic is going 378 00:14:09,600 --> 00:14:11,440 through them so they can easily do it 379 00:14:11,440 --> 00:14:13,440 without like transparently do it and you 380 00:14:13,440 --> 00:14:15,199 wouldn't you wouldn't know any better of 381 00:14:15,199 --> 00:14:18,160 it the other thing that happens 382 00:14:18,160 --> 00:14:20,000 and sometimes because people know okay 383 00:14:20,000 --> 00:14:21,600 they are transparently proxying their 384 00:14:21,600 --> 00:14:22,639 dns 385 00:14:22,639 --> 00:14:25,920 what isp do is if it's a blocked website 386 00:14:25,920 --> 00:14:27,040 they won't 387 00:14:27,040 --> 00:14:29,920 like proxy it like in india recently i 388 00:14:29,920 --> 00:14:32,320 think two years back what happened was 389 00:14:32,320 --> 00:14:35,360 uh some websites those dns was being 390 00:14:35,360 --> 00:14:37,279 provided by cloudflare whereas the other 391 00:14:37,279 --> 00:14:39,680 was being routed to the isps so they 392 00:14:39,680 --> 00:14:42,160 were transparently proxying those i'll 393 00:14:42,160 --> 00:14:43,760 show you a diagram that would help you 394 00:14:43,760 --> 00:14:46,160 explain it 395 00:14:46,160 --> 00:14:48,160 um yeah so this is the first one the 396 00:14:48,160 --> 00:14:51,360 fake dns so let's say even if you have a 397 00:14:51,360 --> 00:14:53,040 vpn tunnel connected to your 398 00:14:53,040 --> 00:14:55,680 infrastructure the dns or the port 53 399 00:14:55,680 --> 00:14:57,199 request because it's not going through 400 00:14:57,199 --> 
00:14:59,920 the vpn by default so that goes to the 401 00:14:59,920 --> 00:15:02,160 isp and the isp changes the response to 402 00:15:02,160 --> 00:15:04,639 that so even if you the major traffic 403 00:15:04,639 --> 00:15:07,839 the http http traffic https traffic goes 404 00:15:07,839 --> 00:15:10,240 through vpn it goes to the wrong ip 405 00:15:10,240 --> 00:15:11,920 address or it goes to the wrong server 406 00:15:11,920 --> 00:15:13,519 so you would get a different response 407 00:15:13,519 --> 00:15:16,000 either way 408 00:15:16,079 --> 00:15:18,720 it's also called a dns leak because 409 00:15:18,720 --> 00:15:21,279 this helps the companies to know which 410 00:15:21,279 --> 00:15:22,800 websites you are using even though you 411 00:15:22,800 --> 00:15:25,199 are using a vpn so the whole purpose of 412 00:15:25,199 --> 00:15:27,920 vpn is to provide you anonymity and like 413 00:15:27,920 --> 00:15:29,360 so that no one knows what you're 414 00:15:29,360 --> 00:15:32,000 actually viewing but using this dns leak 415 00:15:32,000 --> 00:15:34,880 the isps know which particular website 416 00:15:34,880 --> 00:15:36,720 you are browsing even though they don't 417 00:15:36,720 --> 00:15:38,079 know what you are browsing or what you 418 00:15:38,079 --> 00:15:39,519 are doing there but they know okay a 419 00:15:39,519 --> 00:15:41,600 request is being made to 420 00:15:41,600 --> 00:15:44,480 so and so website 421 00:15:44,480 --> 00:15:47,519 this is a transparent dns proxy so in 422 00:15:47,519 --> 00:15:50,639 this case even if you have a public dns 423 00:15:50,639 --> 00:15:52,880 set as your proxy you would still your 424 00:15:52,880 --> 00:15:56,000 request would still be routed to the 425 00:15:56,000 --> 00:15:58,000 isp dns and you would get a response 426 00:15:58,000 --> 00:16:00,480 from them 427 00:16:02,880 --> 00:16:05,120 yeah so if you have a mobile phone right 428 00:16:05,120 --> 00:16:06,240 now you can 429 00:16:06,240 --> 
00:16:08,560 go to this website dnsleaktest.com and 430 00:16:08,560 --> 00:16:10,720 you can see if your dns requests are 431 00:16:10,720 --> 00:16:12,959 getting leaked to the isp or is it going 432 00:16:12,959 --> 00:16:15,279 through cloudflare or whichever dns you 433 00:16:15,279 --> 00:16:16,399 have chosen 434 00:16:16,399 --> 00:16:19,759 uh i think i have it up here so this is 435 00:16:19,759 --> 00:16:22,639 the website that's how it looks 436 00:16:22,639 --> 00:16:23,600 so 437 00:16:23,600 --> 00:16:25,600 there's a standard test and there's an 438 00:16:25,600 --> 00:16:27,680 extended test so 439 00:16:27,680 --> 00:16:29,519 i hope it's visible yeah so in the 440 00:16:29,519 --> 00:16:31,519 standard test they do one round of 441 00:16:31,519 --> 00:16:33,279 testing where they send requests to 442 00:16:33,279 --> 00:16:35,839 their own unique domains and try to find 443 00:16:35,839 --> 00:16:38,800 whether you are trying to access that 444 00:16:38,800 --> 00:16:40,639 your you are trying to access that 445 00:16:40,639 --> 00:16:42,079 domains or 446 00:16:42,079 --> 00:16:44,240 the isp is trying to access that and 447 00:16:44,240 --> 00:16:46,079 give you the response so let me just 448 00:16:46,079 --> 00:16:48,560 show you that 449 00:16:48,560 --> 00:16:49,759 so 450 00:16:49,759 --> 00:16:51,839 in 451 00:16:51,920 --> 00:16:53,839 so you can see i have the isp set as 452 00:16:53,839 --> 00:16:55,839 cloudflare so you get a responses 453 00:16:55,839 --> 00:16:58,800 cloudflare amsterdam if it was being 454 00:16:58,800 --> 00:17:00,480 blocked or if it was going through the 455 00:17:00,480 --> 00:17:02,880 isp you would see the isp's response 456 00:17:02,880 --> 00:17:05,280 isp's name here 457 00:17:05,280 --> 00:17:07,520 this is a good website they have 458 00:17:07,520 --> 00:17:09,919 like quite a detailed thing and how it 459 00:17:09,919 --> 00:17:12,000 is working and you can read about it i 460 00:17:12,000 --> 
00:17:13,839 have these in the 461 00:17:13,839 --> 00:17:18,240 or they say in the references slide 462 00:17:18,240 --> 00:17:20,640 if you want to know how it works and 463 00:17:20,640 --> 00:17:22,400 there's a way that you can even if 464 00:17:22,400 --> 00:17:23,839 you're using cloud file you can still 465 00:17:23,839 --> 00:17:25,280 modify that and 466 00:17:25,280 --> 00:17:27,039 manipulate it to show that you're using 467 00:17:27,039 --> 00:17:29,520 air trail dns it's i mean it's very easy 468 00:17:29,520 --> 00:17:31,200 to work if you want you can 469 00:17:31,200 --> 00:17:33,440 talk to me about that later we can see 470 00:17:33,440 --> 00:17:35,440 how that works 471 00:17:35,440 --> 00:17:37,840 um 472 00:17:37,840 --> 00:17:40,559 now let's see how you can bypass these 473 00:17:40,559 --> 00:17:42,559 checks 474 00:17:42,559 --> 00:17:44,720 so the very first thing is if you are in 475 00:17:44,720 --> 00:17:46,640 the first if the isps in the first 476 00:17:46,640 --> 00:17:48,400 category where they're just having the 477 00:17:48,400 --> 00:17:49,919 default uh 478 00:17:49,919 --> 00:17:52,160 dns server you can just choose any of 479 00:17:52,160 --> 00:17:55,120 these dns's let's say cloudflare opendns 480 00:17:55,120 --> 00:17:56,799 or quad9 so 481 00:17:56,799 --> 00:17:58,559 you can set it in your mobile setting or 482 00:17:58,559 --> 00:18:00,320 in your browser setting and the dns 483 00:18:00,320 --> 00:18:02,080 request would go to them it is for the 484 00:18:02,080 --> 00:18:04,400 first case when the isp has set a 485 00:18:04,400 --> 00:18:06,480 default dns 486 00:18:06,480 --> 00:18:09,039 server into your router 487 00:18:09,039 --> 00:18:11,360 you can also clear your dns case so what 488 00:18:11,360 --> 00:18:13,600 dns case does is let's say you are going 489 00:18:13,600 --> 00:18:15,760 to google.com again and again so your 490 00:18:15,760 --> 00:18:17,919 browser won't be sending a dns request 491 
00:18:17,919 --> 00:18:19,360 every time you go to google rather it 492 00:18:19,360 --> 00:18:21,200 would save the ip address of google and 493 00:18:21,200 --> 00:18:23,120 it would just continue with that but 494 00:18:23,120 --> 00:18:25,280 let's say your isp has already poisoned 495 00:18:25,280 --> 00:18:27,520 that website and it's sending their ip 496 00:18:27,520 --> 00:18:29,840 address instead of actual google website 497 00:18:29,840 --> 00:18:32,160 so that would like continue to show in 498 00:18:32,160 --> 00:18:34,400 your browser until unless you clear that 499 00:18:34,400 --> 00:18:36,320 cache it's called the cache so that's 500 00:18:36,320 --> 00:18:38,400 why you need to clear the cache and 501 00:18:38,400 --> 00:18:40,840 there's a link how you can do 502 00:18:40,840 --> 00:18:43,760 that i'll just quickly show where you 503 00:18:43,760 --> 00:18:46,000 can set this settings for different 504 00:18:46,000 --> 00:18:47,520 browsers 505 00:18:47,520 --> 00:18:48,799 um 506 00:18:48,799 --> 00:18:51,120 okay first let me talk about the second 507 00:18:51,120 --> 00:18:52,559 case so that was the first case where 508 00:18:52,559 --> 00:18:54,720 you add the default dns set by the row 509 00:18:54,720 --> 00:18:56,799 by the isp the second case is where 510 00:18:56,799 --> 00:18:59,120 there is a transparent proxy so any 511 00:18:59,120 --> 00:19:00,960 traffic that you are sending on port 53 512 00:19:00,960 --> 00:19:02,080 that is being 513 00:19:02,080 --> 00:19:04,640 transferred to the proxy and being like 514 00:19:04,640 --> 00:19:06,640 like a fake response is being reverted 515 00:19:06,640 --> 00:19:07,679 from that 516 00:19:07,679 --> 00:19:10,000 so to bypass that we have technical 517 00:19:10,000 --> 00:19:12,880 solutions like dns over https and dns 518 00:19:12,880 --> 00:19:14,160 over tls 519 00:19:14,160 --> 00:19:17,360 i'm stressing more on dns over https for 520 00:19:17,360 --> 00:19:19,360 a reason i'll just 
talk about it let's 521 00:19:19,360 --> 00:19:22,320 first talk about dns over tls so tls is 522 00:19:22,320 --> 00:19:24,880 basically what powers the https the 523 00:19:24,880 --> 00:19:28,000 security layer of https and that's how 524 00:19:28,000 --> 00:19:29,280 your whole 525 00:19:29,280 --> 00:19:31,520 network whole data that's going through 526 00:19:31,520 --> 00:19:33,760 your website or the encrypted web page 527 00:19:33,760 --> 00:19:35,679 that you get and the reason why no one 528 00:19:35,679 --> 00:19:37,360 is able to sniff your credit card 529 00:19:37,360 --> 00:19:40,320 details that is because of tls so tls 530 00:19:40,320 --> 00:19:42,000 makes sure that your connection between 531 00:19:42,000 --> 00:19:43,600 your browser and the website that you 532 00:19:43,600 --> 00:19:46,240 are going that's encrypted and the same 533 00:19:46,240 --> 00:19:48,799 is happening on dns now that you can 534 00:19:48,799 --> 00:19:50,640 basically encrypt that data and so 535 00:19:50,640 --> 00:19:53,120 that's why it's called dns over tls 536 00:19:53,120 --> 00:19:55,280 the reason people don't prefer dns over 537 00:19:55,280 --> 00:19:58,000 tls is because it's limited to a port 538 00:19:58,000 --> 00:20:01,039 called port port number 853 539 00:20:01,039 --> 00:20:03,440 so again what the 540 00:20:03,440 --> 00:20:05,360 isps can do is they can route the 541 00:20:05,360 --> 00:20:08,960 traffic to port 853 to their website 542 00:20:08,960 --> 00:20:10,559 their dns server and give you a fake 543 00:20:10,559 --> 00:20:13,039 response over that so that's why dns 544 00:20:13,039 --> 00:20:15,840 over https is preferred because in dns 545 00:20:15,840 --> 00:20:18,640 over https it's a normal http 546 00:20:18,640 --> 00:20:20,400 connection or rather https connection 547 00:20:20,400 --> 00:20:23,120 which is sent over port 443 so it's 548 00:20:23,120 --> 00:20:26,159 like a normal browser traffic so it goes 549 00:20:26,159 -->
00:20:27,919 through the cloudflare or whichever dns 550 00:20:27,919 --> 00:20:29,360 over https 551 00:20:29,360 --> 00:20:31,840 server you have chosen and the whole 552 00:20:31,840 --> 00:20:34,320 dns request or getting the ip address is 553 00:20:34,320 --> 00:20:37,919 sent as a http https request so to block 554 00:20:37,919 --> 00:20:40,080 that they would have to route all the 555 00:20:40,080 --> 00:20:42,640 port 443 traffic that would be humongous 556 00:20:42,640 --> 00:20:43,520 and 557 00:20:43,520 --> 00:20:45,360 i mean the volume itself won't be able 558 00:20:45,360 --> 00:20:47,600 to like you won't be able to know which 559 00:20:47,600 --> 00:20:49,440 data is inside it because the whole of 560 00:20:49,440 --> 00:20:51,600 the dns request is encrypted inside the 561 00:20:51,600 --> 00:20:53,200 http packet 562 00:20:53,200 --> 00:20:55,679 so that's the reason why dns over https 563 00:20:55,679 --> 00:20:57,280 is preferred 564 00:20:57,280 --> 00:20:59,200 cloudflare has their domain 565 00:20:59,200 --> 00:21:01,120 cloudflare-dns.com 566 00:21:01,120 --> 00:21:02,480 slash dns-query 567 00:21:02,480 --> 00:21:04,799 so you might ask yeah see in the 568 00:21:04,799 --> 00:21:08,320 previous cases we saw that dns was 1.1.1.1 569 00:21:08,320 --> 00:21:10,799 or it was an ip address but here you have 570 00:21:10,799 --> 00:21:14,880 the https so it's because this whole 571 00:21:14,880 --> 00:21:16,960 fetching the dns responses or fetching 572 00:21:16,960 --> 00:21:19,120 the ip address of the machine it's it is 573 00:21:19,120 --> 00:21:20,480 in itself 574 00:21:20,480 --> 00:21:24,240 uh what is it it is in itself an http 575 00:21:24,240 --> 00:21:26,320 the packet thing the getting an html 576 00:21:26,320 --> 00:21:28,320 page kind of thing 577 00:21:28,320 --> 00:21:30,400 you can also have opendns and quad9 on 578 00:21:30,400 --> 00:21:33,520 the same on desktop firefox you can even 579 00:21:33,520 --> 00:21:36,159 have doh
by from the network setting 580 00:21:36,159 --> 00:21:37,039 itself 581 00:21:37,039 --> 00:21:39,840 doh is not enabled on android till now 582 00:21:39,840 --> 00:21:42,720 you can have dns over tls i have it on my 583 00:21:42,720 --> 00:21:45,039 mobile phone in some countries that's 584 00:21:45,039 --> 00:21:46,640 not preferred like while i was coming 585 00:21:46,640 --> 00:21:47,679 from 586 00:21:47,679 --> 00:21:49,919 india i had a layover in abu dhabi so 587 00:21:49,919 --> 00:21:52,080 their private dns or dns over tls was 588 00:21:52,080 --> 00:21:53,679 not working so i had to switch back to 589 00:21:53,679 --> 00:21:57,120 the normal dns but in other cases 590 00:21:57,120 --> 00:21:59,120 the reason i told you like dns over tls 591 00:21:59,120 --> 00:22:01,760 can be monitored and can be stopped but 592 00:22:01,760 --> 00:22:03,919 dns over https can't be because it's the 593 00:22:03,919 --> 00:22:06,320 same as https traffic 594 00:22:06,320 --> 00:22:08,559 so for android i think they have started 595 00:22:08,559 --> 00:22:10,960 experimentally in android 12 but it's 596 00:22:10,960 --> 00:22:13,520 not yet rolled out 597 00:22:13,520 --> 00:22:17,039 uh yeah so this is the firefox screen uh 598 00:22:17,039 --> 00:22:18,640 let me just quickly show you where you 599 00:22:18,640 --> 00:22:19,760 can do this 600 00:22:19,760 --> 00:22:22,080 so here's the settings for this you just 601 00:22:22,080 --> 00:22:24,320 search for dns here 602 00:22:24,320 --> 00:22:26,880 in the settings you can see enable dns 603 00:22:26,880 --> 00:22:29,600 over https cloudflare nextdns and the 604 00:22:29,600 --> 00:22:31,760 custom in the custom you can add quad9 605 00:22:31,760 --> 00:22:33,679 and other kinds of stuff 606 00:22:33,679 --> 00:22:36,320 i have dns over https 607 00:22:36,320 --> 00:22:38,080 in this 608 00:22:38,080 --> 00:22:41,280 then if you use brave or chrome any of 609 00:22:41,280 --> 00:22:44,000 those in the security
settings privacy 610 00:22:44,000 --> 00:22:45,200 and security 611 00:22:45,200 --> 00:22:48,640 you have this use secure dns and inside 612 00:22:48,640 --> 00:22:51,520 you can have cloudflare 1.1.1 and other 613 00:22:51,520 --> 00:22:54,640 kinds of privacy in the san 614 00:22:54,640 --> 00:22:56,240 things like that 615 00:22:56,240 --> 00:22:58,799 for android this is the screen uh in 616 00:22:58,799 --> 00:23:01,520 iphone i think it's the dns over https 617 00:23:01,520 --> 00:23:03,280 is already there i 618 00:23:03,280 --> 00:23:04,960 have not tested it but i think it's 619 00:23:04,960 --> 00:23:07,840 there from android 9 and above you have 620 00:23:07,840 --> 00:23:09,840 this option in the wi-fi and network 621 00:23:09,840 --> 00:23:10,960 settings 622 00:23:10,960 --> 00:23:13,440 so this is a screen in my mobile phone 623 00:23:13,440 --> 00:23:15,520 this is what the settings are i have 624 00:23:15,520 --> 00:23:18,240 cloudflare enabled onto that for 625 00:23:18,240 --> 00:23:22,600 tls you need to have 1.1.1 626 00:23:26,880 --> 00:23:28,559 and these are the instructions for it 627 00:23:28,559 --> 00:23:30,799 you can also have 1.1 dot in the 628 00:23:30,799 --> 00:23:34,679 alphanumeric way 629 00:23:36,799 --> 00:23:38,240 okay 630 00:23:38,240 --> 00:23:41,440 um you can go and set up dns over tls 631 00:23:41,440 --> 00:23:43,919 for this 632 00:23:44,720 --> 00:23:46,559 now if you want to check check your 633 00:23:46,559 --> 00:23:49,039 current dns security you can just go to 634 00:23:49,039 --> 00:23:51,200 this website let me show you here i 635 00:23:51,200 --> 00:23:53,279 already have it up 636 00:23:53,279 --> 00:23:55,520 so 637 00:23:56,720 --> 00:23:59,039 so you can see it is checking and 638 00:23:59,039 --> 00:24:01,600 connectivity resolver so 639 00:24:01,600 --> 00:24:02,840 as name 640 00:24:02,840 --> 00:24:06,080 cloudflare is it connected to 1.1.1.1 641 00:24:06,080 --> 00:24:06,960 yeah 642 00:24:06,960 
--> 00:24:10,799 and is it using dns over https yes 643 00:24:10,799 --> 00:24:12,080 let me just 644 00:24:12,080 --> 00:24:14,880 disable this and see if that's actually 645 00:24:14,880 --> 00:24:16,799 working or not 646 00:24:16,799 --> 00:24:18,960 let's refresh this 647 00:24:18,960 --> 00:24:23,360 so you can see dns over https no 648 00:24:23,360 --> 00:24:28,120 let me just re-enable this 649 00:24:32,000 --> 00:24:33,760 okay cool 650 00:24:33,760 --> 00:24:35,520 now let's come to the second part of it 651 00:24:35,520 --> 00:24:37,919 which is the http censoring 652 00:24:37,919 --> 00:24:40,240 this has been seen in like i've been 653 00:24:40,240 --> 00:24:41,840 collecting uh 654 00:24:41,840 --> 00:24:43,760 network data in india through a 655 00:24:43,760 --> 00:24:46,400 different a lot of different isps and 656 00:24:46,400 --> 00:24:47,760 i've seen it 657 00:24:47,760 --> 00:24:50,080 being done in one form or the other by 658 00:24:50,080 --> 00:24:52,640 almost all of these isps because the 659 00:24:52,640 --> 00:24:54,960 government mandates that some websites 660 00:24:54,960 --> 00:24:56,880 need to be blocked so one in one way or 661 00:24:56,880 --> 00:24:58,640 the other there is some kind of http 662 00:24:58,640 --> 00:25:00,799 censoring so if you see on the screen in 663 00:25:00,799 --> 00:25:02,880 the bottom side this is cloudy dot pk 664 00:25:02,880 --> 00:25:04,960 it's a pakistani website 665 00:25:04,960 --> 00:25:08,240 i think it hosts free movie content and 666 00:25:08,240 --> 00:25:10,320 things like that so if you see here 667 00:25:10,320 --> 00:25:12,159 there's this message this website has 668 00:25:12,159 --> 00:25:13,760 been blocked as per the order of ministry 669 00:25:13,760 --> 00:25:15,200 of electronics and information 670 00:25:15,200 --> 00:25:17,679 technology under it 2000 671 00:25:17,679 --> 00:25:18,480 so 672 00:25:18,480 --> 00:25:21,360 and if in if you see here there's a not 673
00:25:21,360 --> 00:25:24,000 secure sign so it's an http website and 674 00:25:24,000 --> 00:25:25,440 that's why they're able to modify the 675 00:25:25,440 --> 00:25:27,679 content of the website whereas if you go 676 00:25:27,679 --> 00:25:29,679 to the https version of it you would 677 00:25:29,679 --> 00:25:31,520 straight away get a connection regis 678 00:25:31,520 --> 00:25:34,080 connection reset packet i'll have a 679 00:25:34,080 --> 00:25:36,080 screenshot of that as well 680 00:25:36,080 --> 00:25:37,760 so that's what i was talking about we'll 681 00:25:37,760 --> 00:25:39,360 talk about how this is happening and how 682 00:25:39,360 --> 00:25:41,200 they're able to do it 683 00:25:41,200 --> 00:25:43,200 so 684 00:25:43,200 --> 00:25:44,080 yeah 685 00:25:44,080 --> 00:25:45,360 so 686 00:25:45,360 --> 00:25:47,039 how many of you have seen 687 00:25:47,039 --> 00:25:50,240 wireshark or know about wireshark 688 00:25:50,240 --> 00:25:51,039 cool 689 00:25:51,039 --> 00:25:52,400 a lot of guys 690 00:25:52,400 --> 00:25:54,960 okay so wireshark is a tool that helps 691 00:25:54,960 --> 00:25:59,120 you capture your raw network packets and 692 00:25:59,120 --> 00:26:01,279 you can basically the thing that you see 693 00:26:01,279 --> 00:26:03,200 on your browser it's the http request 694 00:26:03,200 --> 00:26:04,240 but 695 00:26:04,240 --> 00:26:06,000 before that there are a lot of things 696 00:26:06,000 --> 00:26:08,480 that happen on the tcp ip stack and a 697 00:26:08,480 --> 00:26:09,520 lot of 698 00:26:09,520 --> 00:26:11,360 different kinds of what you say it's 699 00:26:11,360 --> 00:26:13,520 called packets that transmit data to 700 00:26:13,520 --> 00:26:15,440 make that thing happen 701 00:26:15,440 --> 00:26:17,840 so this is a screenshot of it i already 702 00:26:17,840 --> 00:26:20,000 have a uh let me show you i have a 703 00:26:20,000 --> 00:26:21,679 wireshark 704 00:26:21,679 --> 00:26:24,159 thing running 705 00:26:24,159 -->
00:26:26,880 where is that 706 00:26:29,360 --> 00:26:30,720 um 707 00:26:30,720 --> 00:26:32,080 yep 708 00:26:32,080 --> 00:26:34,320 so 709 00:26:34,720 --> 00:26:38,120 let me just 710 00:26:40,159 --> 00:26:41,200 cool 711 00:26:41,200 --> 00:26:42,159 so 712 00:26:42,159 --> 00:26:44,400 yeah 713 00:26:46,720 --> 00:26:47,679 okay 714 00:26:47,679 --> 00:26:50,400 so if you see these are raw packets so 715 00:26:50,400 --> 00:26:53,520 from one it's starting from here and 716 00:26:53,520 --> 00:26:55,760 some requests are being captured because 717 00:26:55,760 --> 00:26:58,799 the your machine so it captures all the 718 00:26:58,799 --> 00:27:01,200 data that is getting all the basically 719 00:27:01,200 --> 00:27:02,480 network request that is being 720 00:27:02,480 --> 00:27:04,240 transmitted from your device to outside 721 00:27:04,240 --> 00:27:06,080 internet so that's how you see a lot of 722 00:27:06,080 --> 00:27:08,159 these things there in the green one if 723 00:27:08,159 --> 00:27:10,880 you see there's this get request and let 724 00:27:10,880 --> 00:27:14,400 me just try to follow this so this 725 00:27:14,400 --> 00:27:16,240 follow tcp stream basically what it 726 00:27:16,240 --> 00:27:17,919 would do is it would just 727 00:27:17,919 --> 00:27:19,600 show you that particular stream or 728 00:27:19,600 --> 00:27:21,279 requests and responses for that 729 00:27:21,279 --> 00:27:24,480 particular ip address and destination so 730 00:27:24,480 --> 00:27:26,080 otherwise you would have a lot of data 731 00:27:26,080 --> 00:27:28,080 from other places as well so if you see 732 00:27:28,080 --> 00:27:30,000 in the top there's this 733 00:27:30,000 --> 00:27:31,679 get request 734 00:27:31,679 --> 00:27:37,039 and it's http 1.1 host is cloudy dot pk 735 00:27:37,039 --> 00:27:40,000 and in the response you see http 1.1 200 736 00:27:40,000 --> 00:27:42,399 okay 200 okay is the status quo when you 737 00:27:42,399 --> 00:27:44,559 get a like a 
valid response from the 738 00:27:44,559 --> 00:27:45,840 server 739 00:27:45,840 --> 00:27:47,840 so everything looks fine content length 740 00:27:47,840 --> 00:27:49,600 is 252. 741 00:27:49,600 --> 00:27:52,000 if you see the content actual content 742 00:27:52,000 --> 00:27:54,000 you can see this that 743 00:27:54,000 --> 00:27:56,480 um let me show you yeah 744 00:27:56,480 --> 00:28:00,159 there's this iframe which is src airtel 745 00:28:00,159 --> 00:28:02,559 dot in slash dot 746 00:28:02,559 --> 00:28:04,559 and then there's this 301 moved 747 00:28:04,559 --> 00:28:06,799 permanently title and 748 00:28:06,799 --> 00:28:09,679 the document has moved this is 749 00:28:09,679 --> 00:28:10,720 so 750 00:28:10,720 --> 00:28:12,799 it might get confusing that it also 751 00:28:12,799 --> 00:28:14,559 shows the document has moved to this 752 00:28:14,559 --> 00:28:17,039 https website so let me just tell you 753 00:28:17,039 --> 00:28:18,640 what happened here 754 00:28:18,640 --> 00:28:20,240 uh this 755 00:28:20,240 --> 00:28:22,000 bottom part 756 00:28:22,000 --> 00:28:23,679 this bottom part is the actual thing 757 00:28:23,679 --> 00:28:25,840 that was being sent from the server 758 00:28:25,840 --> 00:28:28,080 because it was an http website so it was 759 00:28:28,080 --> 00:28:30,720 being redirected to its https version 760 00:28:30,720 --> 00:28:32,480 and the way it was being 761 00:28:32,480 --> 00:28:34,159 like the way it was being done was by 762 00:28:34,159 --> 00:28:37,120 showing uh what you say a small http 763 00:28:37,120 --> 00:28:38,799 html webpage where it was showing that 764 00:28:38,799 --> 00:28:40,320 this document has moved to this 765 00:28:40,320 --> 00:28:42,080 particular website which was the https 766 00:28:42,080 --> 00:28:43,279 version of it 767 00:28:43,279 --> 00:28:45,679 what the internet service provider did 768 00:28:45,679 --> 00:28:48,399 was it added on top of all that html 769 00:28:48,399 --> 00:28:51,279
content yeah it added its own meta tag 770 00:28:51,279 --> 00:28:53,360 and then iframe which shows this thing 771 00:28:53,360 --> 00:28:55,200 let me show you what what's there on 772 00:28:55,200 --> 00:28:56,799 this 773 00:28:56,799 --> 00:28:59,799 um 774 00:29:01,200 --> 00:29:05,200 i think let me just continue 775 00:29:07,039 --> 00:29:09,520 so yeah this is the thing that you're 776 00:29:09,520 --> 00:29:12,799 seeing and that's why you see that 777 00:29:12,799 --> 00:29:14,159 you see that 778 00:29:14,159 --> 00:29:16,080 message on the page when you go to 779 00:29:16,080 --> 00:29:18,720 cloudy.pk 780 00:29:18,720 --> 00:29:21,440 so basically in this case what happened 781 00:29:21,440 --> 00:29:22,960 was the isp because it was an 782 00:29:22,960 --> 00:29:25,039 unencrypted traffic so the isp was able 783 00:29:25,039 --> 00:29:27,360 to determine that it's a blocked website 784 00:29:27,360 --> 00:29:29,279 this is something that i have to censor 785 00:29:29,279 --> 00:29:30,880 and once they figured out that okay this 786 00:29:30,880 --> 00:29:32,399 is something i have to censor they added 787 00:29:32,399 --> 00:29:34,880 their own iframe and basically discarded 788 00:29:34,880 --> 00:29:38,480 all the html after that 789 00:29:38,480 --> 00:29:41,840 so yep 790 00:29:42,480 --> 00:29:43,360 so 791 00:29:43,360 --> 00:29:45,039 uh you see that 792 00:29:45,039 --> 00:29:47,440 one of the very basic bypasses is to use 793 00:29:47,440 --> 00:29:50,240 the https version because these isps 794 00:29:50,240 --> 00:29:52,640 they are usually very old technology 795 00:29:52,640 --> 00:29:55,440 they don't always monitor they don't 796 00:29:55,440 --> 00:29:57,679 block on all these phases so i've seen 797 00:29:57,679 --> 00:29:59,600 in cases in some cases where if you go 798 00:29:59,600 --> 00:30:01,279 to the https version of the website 799 00:30:01,279 --> 00:30:04,080 directly you sometimes get access to it 800 00:30:04,080 --> 
00:30:06,480 that's not a foolproof way so i would 801 00:30:06,480 --> 00:30:08,559 talk about how we can do that the other 802 00:30:08,559 --> 00:30:10,720 method to bypass is you can use a vpn 803 00:30:10,720 --> 00:30:12,240 which is a very common way 804 00:30:12,240 --> 00:30:13,840 a lot of people would already know or 805 00:30:13,840 --> 00:30:15,360 have been using it 806 00:30:15,360 --> 00:30:17,679 there are places in and countries where 807 00:30:17,679 --> 00:30:20,720 you can you can't use vpn like 808 00:30:20,720 --> 00:30:22,720 and also there are places where if you 809 00:30:22,720 --> 00:30:24,799 are using a vpn you would have to tell 810 00:30:24,799 --> 00:30:27,440 the government collects all the vpn logs 811 00:30:27,440 --> 00:30:30,080 so any activity that you do would be 812 00:30:30,080 --> 00:30:32,559 basically monitored by the government so 813 00:30:32,559 --> 00:30:35,679 their ways around it or rather methods 814 00:30:35,679 --> 00:30:37,600 that you can use i would talk about it 815 00:30:37,600 --> 00:30:39,440 later 816 00:30:39,440 --> 00:30:40,960 i mean 817 00:30:40,960 --> 00:30:42,720 so in the https connection we saw 818 00:30:42,720 --> 00:30:44,159 initially that your traffic was 819 00:30:44,159 --> 00:30:46,640 encrypted so you might ask yes if that 820 00:30:46,640 --> 00:30:48,799 traffic is encrypted how are they gonna 821 00:30:48,799 --> 00:30:50,720 block my network traffic how are they 822 00:30:50,720 --> 00:30:53,120 gonna block the content that i'm seeing 823 00:30:53,120 --> 00:30:55,279 so in this case 824 00:30:55,279 --> 00:30:57,919 uh there's a host header that helps the 825 00:30:57,919 --> 00:31:00,720 web server determine that okay this is 826 00:31:00,720 --> 00:31:02,320 the particular website that the person 827 00:31:02,320 --> 00:31:04,960 is trying to access and 828 00:31:04,960 --> 00:31:08,000 that is what the isp also looks so 829 00:31:08,000 --> 00:31:10,080 let me ask you a question 
so 830 00:31:10,080 --> 00:31:12,880 uh you know what a web server is you 831 00:31:12,880 --> 00:31:14,799 see that okay there are websites or you 832 00:31:14,799 --> 00:31:16,240 might have your own website or something 833 00:31:16,240 --> 00:31:17,919 like that so 834 00:31:17,919 --> 00:31:19,279 you you might have seen wordpress 835 00:31:19,279 --> 00:31:22,320 websites um anyone who has not seen or 836 00:31:22,320 --> 00:31:23,919 who has seen a wordpress website just a 837 00:31:23,919 --> 00:31:25,600 show of hands 838 00:31:25,600 --> 00:31:26,559 cool 839 00:31:26,559 --> 00:31:28,480 okay so do you think that each of these 840 00:31:28,480 --> 00:31:30,159 websites are hosted on a different 841 00:31:30,159 --> 00:31:32,720 computer or a single computer let's say 842 00:31:32,720 --> 00:31:33,440 uh 843 00:31:33,440 --> 00:31:37,039 two gigs of ram and 25 gb of 844 00:31:37,039 --> 00:31:39,519 storage would it be sufficient for 845 00:31:39,519 --> 00:31:42,000 hosting hundreds of websites 846 00:31:42,000 --> 00:31:43,919 i mean yep 847 00:31:43,919 --> 00:31:48,080 so it's fairly common to assume that a 848 00:31:48,080 --> 00:31:49,919 single web server single ip address 849 00:31:49,919 --> 00:31:52,080 would be hosting multiple hundreds of 850 00:31:52,080 --> 00:31:54,640 websites if not right 851 00:31:54,640 --> 00:31:55,360 so 852 00:31:55,360 --> 00:31:56,480 how do 853 00:31:56,480 --> 00:31:58,480 how does the web server determine that 854 00:31:58,480 --> 00:32:00,080 okay you have given the ip address you 855 00:32:00,080 --> 00:32:01,519 have given that okay i want a sim 856 00:32:01,519 --> 00:32:03,120 straight dot in from this particular ip 857 00:32:03,120 --> 00:32:05,200 address but how would that machine know 858 00:32:05,200 --> 00:32:07,519 which website to serve because let's say 859 00:32:07,519 --> 00:32:09,840 if it's an encrypted what do you say if 860 00:32:09,840 --> 00:32:11,919 it's an encrypted traffic between you 861
00:32:11,919 --> 00:32:14,000 and the machine the machine should know 862 00:32:14,000 --> 00:32:15,760 how to encrypt that traffic because the 863 00:32:15,760 --> 00:32:17,279 machine is already hosting hundreds of 864 00:32:17,279 --> 00:32:19,360 website and each of these websites would 865 00:32:19,360 --> 00:32:21,120 have a unique way of encrypting the 866 00:32:21,120 --> 00:32:23,039 traffic that is called the key of that 867 00:32:23,039 --> 00:32:24,640 particular machine or that particular 868 00:32:24,640 --> 00:32:25,679 website 869 00:32:25,679 --> 00:32:26,880 so 870 00:32:26,880 --> 00:32:29,679 to do all this you the first request 871 00:32:29,679 --> 00:32:31,679 that you send from your machine to that 872 00:32:31,679 --> 00:32:33,200 particular server where you're getting 873 00:32:33,200 --> 00:32:34,000 the 874 00:32:34,000 --> 00:32:36,320 html page or webpage from you need to 875 00:32:36,320 --> 00:32:38,799 tell that machine without encrypting 876 00:32:38,799 --> 00:32:41,440 that hey i want a seamstream 877 00:32:41,440 --> 00:32:43,600 and further connection would be between 878 00:32:43,600 --> 00:32:46,559 me and that particular hosted website so 879 00:32:46,559 --> 00:32:48,960 that is where your isp sniffs that and 880 00:32:48,960 --> 00:32:51,039 gets to know that okay this is 881 00:32:51,039 --> 00:32:53,360 which website this particular 882 00:32:53,360 --> 00:32:55,440 person is trying to do and that is 883 00:32:55,440 --> 00:32:56,399 called 884 00:32:56,399 --> 00:32:59,360 uh it's called server name indication so 885 00:32:59,360 --> 00:33:00,799 it's uh 886 00:33:00,799 --> 00:33:03,519 extension of tls so tls is the transport 887 00:33:03,519 --> 00:33:06,559 layer security which gives us the https 888 00:33:06,559 --> 00:33:09,200 privilege that we have right now so the 889 00:33:09,200 --> 00:33:10,640 the packet i would show you the packet 890 00:33:10,640 --> 00:33:12,320 as well in the packet it's an 891 
00:33:12,320 --> 00:33:14,559 unencrypted packet so a lot of things 891 00:33:14,559 --> 00:33:16,480 that happen in the tls initially 892 00:33:16,480 --> 00:33:17,440 before 893 00:33:17,440 --> 00:33:19,039 like before starting the encrypted 894 00:33:19,039 --> 00:33:21,519 connection that happens over clear text 895 00:33:21,519 --> 00:33:24,080 clear text meaning that happens over a 896 00:33:24,080 --> 00:33:26,159 non-encrypted channel and that's where 897 00:33:26,159 --> 00:33:28,000 these isps come into picture and they 898 00:33:28,000 --> 00:33:31,760 try to sniff that and try to basically 899 00:33:31,760 --> 00:33:35,120 block your access there 900 00:33:35,519 --> 00:33:38,559 yeah this is the flow of it 901 00:33:38,559 --> 00:33:39,360 so 902 00:33:39,360 --> 00:33:40,880 there's a syn you don't need to 903 00:33:40,880 --> 00:33:43,519 understand all that but let me just uh 904 00:33:43,519 --> 00:33:45,840 take you to the important parts client 905 00:33:45,840 --> 00:33:48,159 is you that's the server so there's a 906 00:33:48,159 --> 00:33:50,080 syn packet that's been sent there's an 907 00:33:50,080 --> 00:33:51,519 acknowledgement that comes from the 908 00:33:51,519 --> 00:33:54,000 server that's a syn ack packet 909 00:33:54,000 --> 00:33:55,919 there's a packet here then 910 00:33:55,919 --> 00:33:58,240 this is the client hello this is an 911 00:33:58,240 --> 00:34:00,480 important one because this has 912 00:34:00,480 --> 00:34:04,000 a lot of things yeah this also has the 913 00:34:04,000 --> 00:34:05,840 server name indication thing which 914 00:34:05,840 --> 00:34:07,840 mentions that okay this is the 915 00:34:07,840 --> 00:34:09,040 particular host or this is the 916 00:34:09,040 --> 00:34:11,040 particular website that i want from you 917 00:34:11,040 --> 00:34:13,119 so it would send that packet the in 918 00:34:13,119 --> 00:34:14,879 response the server would send a server 919 00:34:14,879 --> 00:34:17,359 hello
certificate and server hello done 921 00:34:17,359 --> 00:34:19,199 the certificate is the one that would 922 00:34:19,199 --> 00:34:21,119 help create the encrypted channel 923 00:34:21,119 --> 00:34:24,320 between your machine and the server 924 00:34:24,320 --> 00:34:26,480 so this part is the unencrypted one and 925 00:34:26,480 --> 00:34:28,480 this is where your isps come into 926 00:34:28,480 --> 00:34:30,879 picture 927 00:34:33,280 --> 00:34:36,320 are you able to read this 928 00:34:36,429 --> 00:34:37,520 [Music] 929 00:34:37,520 --> 00:34:40,320 i also have this okay let me just pull 930 00:34:40,320 --> 00:34:43,639 that up 931 00:34:54,480 --> 00:34:57,200 okay so this is the 932 00:34:57,200 --> 00:35:00,160 https version of cloudy.pk when i try to 933 00:35:00,160 --> 00:35:02,640 access it in india there's this if you 934 00:35:02,640 --> 00:35:04,240 see here there's this client hello 935 00:35:04,240 --> 00:35:07,280 packet and this is rst or the reset 936 00:35:07,280 --> 00:35:09,680 packet so reset packet happens whenever 937 00:35:09,680 --> 00:35:11,440 the server wants to terminate the 938 00:35:11,440 --> 00:35:12,880 connection or whenever they want to 939 00:35:12,880 --> 00:35:16,280 close the connection 940 00:35:17,200 --> 00:35:18,720 so yep 941 00:35:18,720 --> 00:35:21,440 but this is not um 942 00:35:21,440 --> 00:35:24,560 let me show you 943 00:35:24,560 --> 00:35:25,440 um 944 00:35:25,440 --> 00:35:27,920 rather i don't even need this one 945 00:35:27,920 --> 00:35:29,839 so if you go and click on the client 946 00:35:29,839 --> 00:35:32,160 hello packet and if i show you the tls 947 00:35:32,160 --> 00:35:33,440 part 948 00:35:33,440 --> 00:35:34,800 so 949 00:35:34,800 --> 00:35:37,440 inside this 950 00:35:38,320 --> 00:35:40,400 so you see a lot of extensions here this 951 00:35:40,400 --> 00:35:42,960 one is a server name indication 952 00:35:42,960 --> 00:35:44,800 and 953 00:35:44,800 --> 00:35:46,320 you can see the 
host name and there's 954 00:35:46,320 --> 00:35:48,480 this server name cloudy dot pk so this 955 00:35:48,480 --> 00:35:50,240 is an unencrypted traffic that goes 956 00:35:50,240 --> 00:35:52,800 through your isp so isp read this and 957 00:35:52,800 --> 00:35:54,480 once they read it and they found that 958 00:35:54,480 --> 00:35:56,480 it's in the blacklist they block this 959 00:35:56,480 --> 00:35:59,040 traffic altogether and the blocking 960 00:35:59,040 --> 00:36:00,720 happens by sending a reset packet 961 00:36:00,720 --> 00:36:02,720 because once the connection happens they 962 00:36:02,720 --> 00:36:04,320 won't be able to filter and add their 963 00:36:04,320 --> 00:36:05,040 own 964 00:36:05,040 --> 00:36:07,839 like this iframe that shows you a notice 965 00:36:07,839 --> 00:36:09,359 so that's why they just stop the 966 00:36:09,359 --> 00:36:11,359 connection any further 967 00:36:11,359 --> 00:36:13,920 and that's what's it's here 968 00:36:13,920 --> 00:36:16,000 post this if this goes through the 969 00:36:16,000 --> 00:36:17,599 encryption happens and further they 970 00:36:17,599 --> 00:36:20,079 can't be able to decrypt or add their 971 00:36:20,079 --> 00:36:22,400 data into it so they just reset the 972 00:36:22,400 --> 00:36:24,480 connection 973 00:36:24,480 --> 00:36:27,839 oh yeah that's what's mentioned here 974 00:36:27,839 --> 00:36:30,240 so now you would ask e now how do i 975 00:36:30,240 --> 00:36:32,240 bypass this so the very first thing is 976 00:36:32,240 --> 00:36:34,000 you can use a vpn but let's say you are 977 00:36:34,000 --> 00:36:36,320 in the place where vpn is banned or if 978 00:36:36,320 --> 00:36:38,960 using vpn is also a crime there are 979 00:36:38,960 --> 00:36:40,960 places like that i don't know if you had 980 00:36:40,960 --> 00:36:42,640 the privilege of going to those places 981 00:36:42,640 --> 00:36:43,440 but 982 00:36:43,440 --> 00:36:45,280 there are places where vpn is banned and 983 00:36:45,280 
--> 00:36:47,440 even in india recently it happened that 984 00:36:47,440 --> 00:36:49,680 if you have vpn and the companies who 985 00:36:49,680 --> 00:36:51,680 are operating vpn they need to have vpn 986 00:36:51,680 --> 00:36:55,119 logs so i remember expressvpn they 987 00:36:55,119 --> 00:36:56,079 run on 988 00:36:56,079 --> 00:36:58,800 ram in in the ram vpn so they stopped 989 00:36:58,800 --> 00:37:00,720 operations in india i think so i'm not 990 00:37:00,720 --> 00:37:02,560 very sure but something like that 991 00:37:02,560 --> 00:37:03,440 happened 992 00:37:03,440 --> 00:37:06,240 so we are gonna do a diy so we are gonna 993 00:37:06,240 --> 00:37:10,240 make our own vpn even simpler because 994 00:37:10,240 --> 00:37:12,079 my it might be that vpn is a very 995 00:37:12,079 --> 00:37:13,839 complicated stuff for a lot of people 996 00:37:13,839 --> 00:37:16,079 although the other easy implementations 997 00:37:16,079 --> 00:37:18,000 are one click implementation for that 998 00:37:18,000 --> 00:37:20,400 but ssh is something that everyone or 999 00:37:20,400 --> 00:37:22,720 every system has that so we'll be i'll 1000 00:37:22,720 --> 00:37:24,160 be showing you how 1001 00:37:24,160 --> 00:37:26,320 i have been using it for some other 1002 00:37:26,320 --> 00:37:28,240 purposes but i found that they can also 1003 00:37:28,240 --> 00:37:30,160 be used to bypass censorship 1004 00:37:30,160 --> 00:37:32,880 so there's this thing called ssh tunnel 1005 00:37:32,880 --> 00:37:35,119 what happens is you have a 1006 00:37:35,119 --> 00:37:37,359 vps or a virtual private server or 1007 00:37:37,359 --> 00:37:38,800 machine in the country which is not 1008 00:37:38,800 --> 00:37:39,920 censored 1009 00:37:39,920 --> 00:37:42,079 and you basically do an ssh connection 1010 00:37:42,079 --> 00:37:43,359 so you do an 1011 00:37:43,359 --> 00:37:45,280 ssh connection to work on that machine 1012 00:37:45,280 --> 00:37:47,200 or maybe get a remote access to 
that 1013 00:37:47,200 --> 00:37:49,119 machine for any reason you do an ssh 1014 00:37:49,119 --> 00:37:51,440 connection so that same connection can 1015 00:37:51,440 --> 00:37:52,720 be used to 1016 00:37:52,720 --> 00:37:54,800 route all of your traffic from your 1017 00:37:54,800 --> 00:37:56,960 machine through that country and outside 1018 00:37:56,960 --> 00:37:59,040 the world so basically your whole 1019 00:37:59,040 --> 00:38:00,880 traffic is encrypted into the ssh 1020 00:38:00,880 --> 00:38:03,119 connection and you are basically able to 1021 00:38:03,119 --> 00:38:05,359 get a censorship free internet now i 1022 00:38:05,359 --> 00:38:07,040 don't need to say that the downsides are 1023 00:38:07,040 --> 00:38:08,240 you would get a 1024 00:38:08,240 --> 00:38:10,160 restricted bandwidth or lower bandwidth 1025 00:38:10,160 --> 00:38:11,280 but still 1026 00:38:11,280 --> 00:38:14,480 i mean for some use cases it's good 1027 00:38:14,480 --> 00:38:17,520 and all you need is this ssh tunnel 1028 00:38:17,520 --> 00:38:19,760 command you just run it on your machine 1029 00:38:19,760 --> 00:38:22,000 on your terminal on your powershell on 1030 00:38:22,000 --> 00:38:24,079 your cmd on your mac where whatever you 1031 00:38:24,079 --> 00:38:25,599 are using you just need to run this 1032 00:38:25,599 --> 00:38:26,560 command 1033 00:38:26,560 --> 00:38:29,280 and it's all there i mean 1034 00:38:29,280 --> 00:38:31,839 if you try it it won't work because ssh 1035 00:38:31,839 --> 00:38:34,000 tunnel is an alias 1036 00:38:34,000 --> 00:38:38,400 so let me just show you how that works 1037 00:38:40,400 --> 00:38:42,000 so yeah so 1038 00:38:42,000 --> 00:38:44,079 are you able to read this 1039 00:38:44,079 --> 00:38:47,320 let me 1040 00:38:47,920 --> 00:38:50,640 so sshtunnel is an alias for this and let me 1041 00:38:50,640 --> 00:38:54,200 show you what 1042 00:39:01,440 --> 00:39:03,920 so basically the command is ssh hyphen 1043 00:39:03,920 -->
00:39:05,280 and hyphen d 1044 00:39:05,280 --> 00:39:07,920 port 8080 8181 you can use any port that 1045 00:39:07,920 --> 00:39:10,320 you want don't use port 443 because then 1046 00:39:10,320 --> 00:39:12,960 it would be tampering with your traffic 1047 00:39:12,960 --> 00:39:15,839 hyphen f bbty i would tell you what bbty 1048 00:39:15,839 --> 00:39:17,280 is you would have to use something 1049 00:39:17,280 --> 00:39:18,320 different 1050 00:39:18,320 --> 00:39:20,320 the later half is just to print out the 1051 00:39:20,320 --> 00:39:21,440 connection whether it has been 1052 00:39:21,440 --> 00:39:23,040 established or not 1053 00:39:23,040 --> 00:39:23,839 so 1054 00:39:23,839 --> 00:39:26,000 let first show you what it is it would 1055 00:39:26,000 --> 00:39:28,560 be easier to understand so yeah this is 1056 00:39:28,560 --> 00:39:30,320 the actual thing uh 1057 00:39:30,320 --> 00:39:33,040 hyphen f after that i have used bbty 1058 00:39:33,040 --> 00:39:35,760 it's uh i'll show you what that is but 1059 00:39:35,760 --> 00:39:37,440 instead you have to use the username at 1060 00:39:37,440 --> 00:39:40,960 the rate ip address or the remote host 1061 00:39:40,960 --> 00:39:43,040 let me just quickly show you 1062 00:39:43,040 --> 00:39:45,119 so 1063 00:39:45,119 --> 00:39:48,800 um this is my configuration file 1064 00:39:48,800 --> 00:39:51,680 so if you see bbty is a host that i have 1065 00:39:51,680 --> 00:39:52,640 it's a 1066 00:39:52,640 --> 00:39:54,320 server that i have set up on daily 1067 00:39:54,320 --> 00:39:56,320 lotion so i use it for a lot of things 1068 00:39:56,320 --> 00:39:57,440 including 1069 00:39:57,440 --> 00:40:00,000 my analytics on my website so i use it 1070 00:40:00,000 --> 00:40:00,800 for 1071 00:40:00,800 --> 00:40:03,280 routing traffic so let me just quickly 1072 00:40:03,280 --> 00:40:04,490 show you this 1073 00:40:04,490 --> 00:40:06,240 [Music] 1074 00:40:06,240 --> 00:40:09,520 so currently my ip address is 
amsterdam 1075 00:40:09,520 --> 00:40:11,920 one five one two one seven now let me 1076 00:40:11,920 --> 00:40:14,800 enable this asset tunnel 1077 00:40:14,800 --> 00:40:17,520 so yeah this is enabled port 8081 so 1078 00:40:17,520 --> 00:40:20,960 8181 i have this foxy proxy uh i have 1079 00:40:20,960 --> 00:40:23,119 this ss tunnel here 1080 00:40:23,119 --> 00:40:24,960 let me refresh this so you would see 1081 00:40:24,960 --> 00:40:27,599 this clifton nj us now my traffic is 1082 00:40:27,599 --> 00:40:29,839 being routed through a u.s server and 1083 00:40:29,839 --> 00:40:32,640 that's where my data lotion server is 1084 00:40:32,640 --> 00:40:35,040 you might ask what foxy proxy is and the 1085 00:40:35,040 --> 00:40:36,880 thing let me just show you quickly it's 1086 00:40:36,880 --> 00:40:39,680 basically it creates a 1087 00:40:39,680 --> 00:40:42,640 sox5 proxy for ip address is one two 1088 00:40:42,640 --> 00:40:45,599 seven zero zero one port is 8181 you can 1089 00:40:45,599 --> 00:40:47,680 do the same thing by going to settings 1090 00:40:47,680 --> 00:40:49,520 and manually setting this up and all 1091 00:40:49,520 --> 00:40:51,839 that foxy proxy is an extension that 1092 00:40:51,839 --> 00:40:54,160 helps me easily do that by just clicking 1093 00:40:54,160 --> 00:40:55,520 on this and switching the proxy 1094 00:40:55,520 --> 00:40:56,800 whichever i want 1095 00:40:56,800 --> 00:40:58,400 so that's why 1096 00:40:58,400 --> 00:41:00,560 let's come back to this 1097 00:41:00,560 --> 00:41:02,480 and the vps is cheap you can get that 1098 00:41:02,480 --> 00:41:04,720 for as low as five dollar per month you 1099 00:41:04,720 --> 00:41:06,720 can use a vpn that's also cheaper 1100 00:41:06,720 --> 00:41:09,119 whichever way you prefer 1101 00:41:09,119 --> 00:41:11,440 this is setting up your own diy of your 1102 00:41:11,440 --> 00:41:12,800 own vpn 1103 00:41:12,800 --> 00:41:14,640 it's a project by 1104 00:41:14,640 --> 00:41:17,440 
google uh it's jigsaw is the project 1105 00:41:17,440 --> 00:41:19,520 which makes these kinds of things where 1106 00:41:19,520 --> 00:41:20,560 you have 1107 00:41:20,560 --> 00:41:22,560 ways of open internet of freedom of 1108 00:41:22,560 --> 00:41:25,040 speech thing so 1109 00:41:25,040 --> 00:41:26,319 they have this 1110 00:41:26,319 --> 00:41:28,319 what you call outline 1111 00:41:28,319 --> 00:41:30,400 get outline is the website i have the 1112 00:41:30,400 --> 00:41:32,480 link here you can just click download 1113 00:41:32,480 --> 00:41:34,880 the software you can add the credentials 1114 00:41:34,880 --> 00:41:37,440 of your data lotion vps or your google 1115 00:41:37,440 --> 00:41:40,079 cloud vps or amazon vps and sorry amazon 1116 00:41:40,079 --> 00:41:42,160 machine it would set up the vps onto 1117 00:41:42,160 --> 00:41:44,800 that and give you an access the good 1118 00:41:44,800 --> 00:41:46,880 part is that you don't have to do ssh or 1119 00:41:46,880 --> 00:41:48,560 anything and they have mobile clients 1120 00:41:48,560 --> 00:41:49,520 they have 1121 00:41:49,520 --> 00:41:51,760 mac linux clients so you can once you 1122 00:41:51,760 --> 00:41:53,760 have the vps setup on that you can run 1123 00:41:53,760 --> 00:41:55,520 it from any of your devices you can 1124 00:41:55,520 --> 00:41:58,960 access it from any of your devices 1125 00:41:59,440 --> 00:42:02,160 there's a tool that i was using to uh 1126 00:42:02,160 --> 00:42:03,920 it's a golang what do you say golang 1127 00:42:03,920 --> 00:42:05,680 tool i have been using it and for 1128 00:42:05,680 --> 00:42:07,040 collecting data 1129 00:42:07,040 --> 00:42:09,520 it basically sends get requests to 1130 00:42:09,520 --> 00:42:12,160 thousands or 1500 of these websites so 1131 00:42:12,160 --> 00:42:14,960 i'm using citizen labs test list so 1132 00:42:14,960 --> 00:42:16,960 certain citizen lab is a 1133 00:42:16,960 --> 00:42:18,720 organization that 1134 00:42:18,720 --> 
00:42:20,800 works for human rights and those kinds 1135 00:42:20,800 --> 00:42:23,920 of things so they have a test list and 1136 00:42:23,920 --> 00:42:26,400 they have country wide country wise 1137 00:42:26,400 --> 00:42:28,160 assorted list where you can get the 1138 00:42:28,160 --> 00:42:30,240 websites that are blocked it's not very 1139 00:42:30,240 --> 00:42:32,640 up to date but yeah you can still find 1140 00:42:32,640 --> 00:42:34,720 quite websites quite like thousands or 1141 00:42:34,720 --> 00:42:36,720 500 of websites for each of these 1142 00:42:36,720 --> 00:42:39,280 countries and all so i mostly have used 1143 00:42:39,280 --> 00:42:41,440 global website list and i'll show you in 1144 00:42:41,440 --> 00:42:43,440 a minute how we can run this 1145 00:42:43,440 --> 00:42:46,160 the these are the results for the cam so 1146 00:42:46,160 --> 00:42:48,079 these are things that it does and if you 1147 00:42:48,079 --> 00:42:50,000 see here 1148 00:42:50,000 --> 00:42:51,760 in the bottom right there's a good isp 1149 00:42:51,760 --> 00:42:53,760 tick so if it's a good isp if it isn't 1150 00:42:53,760 --> 00:42:56,079 blocking any of these so it's a good isp 1151 00:42:56,079 --> 00:42:57,599 it is being determined you can check in 1152 00:42:57,599 --> 00:42:59,200 the code it is being determined on the 1153 00:42:59,200 --> 00:43:01,839 basis of the dns responses so if the dns 1154 00:43:01,839 --> 00:43:04,560 response is one of the isps dns then 1155 00:43:04,560 --> 00:43:06,720 it's basically filtering that if in the 1156 00:43:06,720 --> 00:43:08,640 response instead of the actual website 1157 00:43:08,640 --> 00:43:10,640 you are getting a notice kind of thing 1158 00:43:10,640 --> 00:43:12,240 then it's a blocked it's a censored 1159 00:43:12,240 --> 00:43:14,160 website if you are getting a connection 1160 00:43:14,160 --> 00:43:16,640 reset so then it's a sensor like it's a 1161 00:43:16,640 --> 00:43:19,040 censored isp so all these 
things are 1162 00:43:19,040 --> 00:43:20,880 being taken into account let me just 1163 00:43:20,880 --> 00:43:23,920 show you a quick demo 1164 00:43:24,839 --> 00:43:26,560 uh 1165 00:43:26,560 --> 00:43:28,799 so 1166 00:43:29,440 --> 00:43:31,440 it's kindly in the debug mode so it's 1167 00:43:31,440 --> 00:43:33,520 basically trying to check 1168 00:43:33,520 --> 00:43:35,920 go to hundreds of thousands of website 1169 00:43:35,920 --> 00:43:38,240 and trying to get the title of it and 1170 00:43:38,240 --> 00:43:40,800 all those things the status quo 1171 00:43:40,800 --> 00:43:43,280 so it's it's a bit modular whereas you 1172 00:43:43,280 --> 00:43:44,960 can write your own filters there's a 1173 00:43:44,960 --> 00:43:47,920 yaml file filtering.ml you can like 1174 00:43:47,920 --> 00:43:49,280 let's say you're working because i don't 1175 00:43:49,280 --> 00:43:51,200 know the different kind of notices being 1176 00:43:51,200 --> 00:43:53,119 served in different countries so you can 1177 00:43:53,119 --> 00:43:54,880 add your own text string that you find 1178 00:43:54,880 --> 00:43:57,119 that like in india you see this website 1179 00:43:57,119 --> 00:43:59,599 is blocked by the department of telecom 1180 00:43:59,599 --> 00:44:01,280 but in your country it might be in a 1181 00:44:01,280 --> 00:44:02,800 german language or invite via in a 1182 00:44:02,800 --> 00:44:04,960 different language so in that case you 1183 00:44:04,960 --> 00:44:06,880 can just add it into the yaml file and 1184 00:44:06,880 --> 00:44:10,560 you don't have to touch the code here 1185 00:44:11,440 --> 00:44:13,920 i have i think made this 1186 00:44:13,920 --> 00:44:16,640 repo public there are few issues that 1187 00:44:16,640 --> 00:44:19,920 i'm working around but yeah 1188 00:44:19,920 --> 00:44:22,160 let's come back to this file it's 1189 00:44:22,160 --> 00:44:24,879 closing up 1190 00:44:25,119 --> 00:44:28,880 so yeah this is a summary of all these 1191 00:44:28,880 
--> 00:44:32,319 this bypass about dna script i haven't 1192 00:44:32,319 --> 00:44:34,640 mentioned about it because it might be a 1193 00:44:34,640 --> 00:44:36,400 bit complicated and i wanted that 1194 00:44:36,400 --> 00:44:38,560 something a solution that everyone can 1195 00:44:38,560 --> 00:44:40,480 use and like if you're a reporter if 1196 00:44:40,480 --> 00:44:41,839 you're activated or you're a journalist 1197 00:44:41,839 --> 00:44:44,400 and you want to send data to your back 1198 00:44:44,400 --> 00:44:45,920 organization and you're working a place 1199 00:44:45,920 --> 00:44:48,000 where you are your all data is being 1200 00:44:48,000 --> 00:44:49,839 monitored you can straight away use 1201 00:44:49,839 --> 00:44:52,000 these 1202 00:44:52,000 --> 00:44:54,319 uh that's the end of it there's a 1203 00:44:54,319 --> 00:44:56,560 further reading i have the links if you 1204 00:44:56,560 --> 00:44:58,800 want to 1205 00:44:58,800 --> 00:45:00,960 add resources 1206 00:45:00,960 --> 00:45:03,280 you sleep happily 1207 00:45:03,280 --> 00:45:03,760 if you want wait 1208 00:45:03,760 --> 00:45:06,079 connect with me further and i think 1209 00:45:06,079 --> 00:45:06,960 that's 1210 00:45:06,960 --> 00:45:11,520 almost on time if you have any questions 1211 00:45:11,520 --> 00:45:13,100 [Music] 1212 00:45:13,100 --> 00:45:19,040 [Applause] 1213 00:45:19,040 --> 00:45:21,520 thank you asim so are there questions 1214 00:45:21,520 --> 00:45:23,599 from the audience please if you have a 1215 00:45:23,599 --> 00:45:25,599 question line up at the microphone i 1216 00:45:25,599 --> 00:45:27,200 think there were no questions from the 1217 00:45:27,200 --> 00:45:28,880 internet yes there were no questions 1218 00:45:28,880 --> 00:45:30,480 from the internet maybe they were 1219 00:45:30,480 --> 00:45:32,800 blocked i don't know so we have a 1220 00:45:32,800 --> 00:45:34,880 question at the microphone 1221 00:45:34,880 --> 00:45:36,800 thank you for your 
presentation i was 1222 00:45:36,800 --> 00:45:38,800 wondering one of the reasons you said 1223 00:45:38,800 --> 00:45:40,000 that 1224 00:45:40,000 --> 00:45:42,000 well you made this presentation is 1225 00:45:42,000 --> 00:45:44,640 because there are well i know american 1226 00:45:44,640 --> 00:45:50,319 isps that monetize from your dns traffic 1227 00:45:50,319 --> 00:45:52,240 and one of the suggestions you make is 1228 00:45:52,240 --> 00:45:57,839 to either use cloudflare or google's dns 1229 00:45:57,920 --> 00:46:00,480 isn't there well 1230 00:46:00,480 --> 00:46:02,240 part of the same problem there that they 1231 00:46:02,240 --> 00:46:06,880 monetize on your dna dns traffic as well 1232 00:46:06,880 --> 00:46:09,280 i mean uh so the way the 1233 00:46:09,280 --> 00:46:11,599 the these isps monetize dns is that 1234 00:46:11,599 --> 00:46:13,200 let's say if you have a domain name 1235 00:46:13,200 --> 00:46:15,520 that's not being owned by anyone so they 1236 00:46:15,520 --> 00:46:17,520 would redirect to an advertisement page 1237 00:46:17,520 --> 00:46:18,960 kind of thing but if you go on 1238 00:46:18,960 --> 00:46:21,280 cloudflare and google dns they just give 1239 00:46:21,280 --> 00:46:22,000 you 1240 00:46:22,000 --> 00:46:24,400 not no domain response they don't like 1241 00:46:24,400 --> 00:46:27,200 they don't do that so i mean that's 1242 00:46:27,200 --> 00:46:29,359 right 1243 00:46:29,359 --> 00:46:32,480 i hope that answers 1244 00:46:33,599 --> 00:46:35,440 well if i can elaborate 1245 00:46:35,440 --> 00:46:37,359 i i agree but they do 1246 00:46:37,359 --> 00:46:39,760 monetize on your traffic 1247 00:46:39,760 --> 00:46:41,359 building a profile 1248 00:46:41,359 --> 00:46:42,960 um 1249 00:46:42,960 --> 00:46:45,839 around your well dns 1250 00:46:45,839 --> 00:46:47,040 and therefore 1251 00:46:47,040 --> 00:46:49,440 um i know specialized advertisements 1252 00:46:49,440 --> 00:46:51,680 they serve you and stuff like that 
1253 00:46:51,680 --> 00:46:53,599 so there's like a privacy 1254 00:46:53,599 --> 00:46:55,920 i get it what do you mean say 1255 00:46:55,920 --> 00:46:58,480 it's a bit weak because the dns traffic 1256 00:46:58,480 --> 00:47:00,960 is a lot and in many cases like let's 1257 00:47:00,960 --> 00:47:02,720 say if you are going to google a common 1258 00:47:02,720 --> 00:47:04,960 news website that you go so in many 1259 00:47:04,960 --> 00:47:06,640 cases that's already caged on the 1260 00:47:06,640 --> 00:47:08,400 browser so the request doesn't go again 1261 00:47:08,400 --> 00:47:10,880 to cloudflare or they don't go against 1262 00:47:10,880 --> 00:47:13,440 google's dns servers so that's why you 1263 00:47:13,440 --> 00:47:15,280 can have it i mean that's why it's not 1264 00:47:15,280 --> 00:47:16,800 part of it 1265 00:47:16,800 --> 00:47:19,040 thank you we have time for another quick 1266 00:47:19,040 --> 00:47:22,000 question and answer 1267 00:47:23,280 --> 00:47:25,920 okay thank you for your talk um a brief 1268 00:47:25,920 --> 00:47:28,880 question if i'm about to use dns over 1269 00:47:28,880 --> 00:47:30,800 https 1270 00:47:30,800 --> 00:47:33,520 and let's assume i used cloud 1271 00:47:33,520 --> 00:47:36,480 counselor as an operator 1272 00:47:36,480 --> 00:47:39,680 and as you've shown the dms address is 1273 00:47:39,680 --> 00:47:42,000 being put into the field uh 1274 00:47:42,000 --> 00:47:44,800 of choosing dns over https which 1275 00:47:44,800 --> 00:47:48,400 resolver is being used to resolve that 1276 00:47:48,400 --> 00:47:51,359 address i mean you can use even the 1277 00:47:51,359 --> 00:47:53,280 i thought don't ask this question 1278 00:47:53,280 --> 00:47:55,920 because and so you can use the isp dns 1279 00:47:55,920 --> 00:47:57,839 also because you are basically resolving 1280 00:47:57,839 --> 00:47:59,599 a public domain like a cloudflare 1281 00:47:59,599 --> 00:48:01,680 dns.com or google.com let's say for 1282 
00:48:01,680 --> 00:48:03,760 example so that's not blocked because 1283 00:48:03,760 --> 00:48:05,920 blocking that is blocking a major part 1284 00:48:05,920 --> 00:48:08,240 of the internet so once that's resolved 1285 00:48:08,240 --> 00:48:10,480 then the request goes to that so if you 1286 00:48:10,480 --> 00:48:12,160 don't have like let's say if you're 1287 00:48:12,160 --> 00:48:13,520 using the 1288 00:48:13,520 --> 00:48:16,079 cloudflare iphonedns.com so that request 1289 00:48:16,079 --> 00:48:18,480 goes through your what you say your isp 1290 00:48:18,480 --> 00:48:20,480 or your local dns that's there and then 1291 00:48:20,480 --> 00:48:22,160 that response comes together and if 1292 00:48:22,160 --> 00:48:24,079 they'll fake 1293 00:48:24,079 --> 00:48:27,440 the address of that 1294 00:48:27,520 --> 00:48:31,119 dns name and provide me with a valid 1295 00:48:31,119 --> 00:48:32,640 certificate 1296 00:48:32,640 --> 00:48:35,520 will that work i mean but how do you get 1297 00:48:35,520 --> 00:48:37,839 the valid ssl certificate for the let's 1298 00:48:37,839 --> 00:48:41,359 say a google.com dns over https 1299 00:48:41,359 --> 00:48:44,559 we are aware of malicious 1300 00:48:44,559 --> 00:48:47,440 sites in which you can arrange a faked 1301 00:48:47,440 --> 00:48:48,480 in 1302 00:48:48,480 --> 00:48:50,559 https uh 1303 00:48:50,559 --> 00:48:52,160 certificate i mean the fake ca 1304 00:48:52,160 --> 00:48:54,400 certificate yeah 1305 00:48:54,400 --> 00:48:55,359 and then 1306 00:48:55,359 --> 00:48:57,040 that then that would be a bigger problem 1307 00:48:57,040 --> 00:48:59,040 than just the dns part 1308 00:48:59,040 --> 00:49:00,079 i mean 1309 00:49:00,079 --> 00:49:02,319 the story was like that a couple of 1310 00:49:02,319 --> 00:49:03,920 times already 1311 00:49:03,920 --> 00:49:05,839 so sorry we are running out of time 1312 00:49:05,839 --> 00:49:08,000 please uh do this discussion after the 1313 00:49:08,000 --> 00:49:10,400 
talk uh no we have no time for another 1314 00:49:10,400 --> 00:49:11,680 question sorry 1315 00:49:11,680 --> 00:49:13,440 uh thank you team 1316 00:49:13,440 --> 00:49:16,559 for telling us how to bypass censorship 1317 00:49:16,559 --> 00:49:18,559 and if you have a question please come 1318 00:49:18,559 --> 00:49:20,160 to him and discard it with him 1319 00:49:20,160 --> 00:49:23,160 afterwards