Re: [Full-disclosure] Gmail and China's GFW



Gmail can be blocked by simply blocking Google's SSL certificate(s).

When you visit Gmail, Google sends your browser its SSL Server
Certificate. Without this certificate, no connection can be made.

For example, running the following command, then browsing to
<https://mail.google.com/>, will produce the following output:

$ sudo ngrep -d eth0 -x 'Google Inc'
...
47 6f 6f 67 6c 65 20 49 6e 63 31 18 30 16 06 03 Google Inc1.0...
55 04 03 14 0f 6d 61 69 6c 2e 67 6f 6f 67 6c 65 U....mail.google
2e 63 6f 6d 30 81 9f 30 0d 06 09 2a 86 48 86 f7 .com0..0...*.H..
...

This output shows part of Google's ASN.1 encoded X.509 certificate.

Therefore, the following Linux firewall commands will stop any
connection to Gmail:

$ sudo iptables -I INPUT -m string --algo bm --hex-string
'|476f6f676c6520496e63311830160603550403140f6d61696c2e676f6f676c652e636f6d30819f30|'
-j DROP

Try it, you will get a connection timeout:

$ curl --connect-timeout 60 https://mail.google.com/
curl: (28) SSL connection timeout

The same applies for Twitter, Facebook... Much more efficient than
DNS/IP blocking!


Thanks for the information. I was not actually aware of that you can block
with iptables using hex strings. Very nice.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: [Full-disclosure] Gmail and Chinas GFW
    ... Google sends your browser its SSL Server ... Without this certificate, no connection can be made. ... For example, running the following command, then browsing to ...
    (Full-Disclosure)
  • Re: CreateTimerQueueTimer fails unexpectedly
    ... so you are multiplexing communication with several devices over a single TCP connection as well as having multiple TCP connections to various controllers. ... When sending this is easy since you can build a whole command and send it in a single write, but on read you must buffer the read results and parse out the responses. ...
    (microsoft.public.win32.programmer.kernel)
  • RE: Dialin problem
    ... # /etc/ppp/ppp.conf File for dial out modem to ISP and Dial in modem ... # connection to this FBSD system. ... # it's default options profile set to, NO command echo ATE0 and NO ... Edit /etc/ttys to enable a getty on the port where the dialin ...
    (freebsd-questions)
  • Re: Does L2TP actually WORK ? Drama on XP
    ... >Stop multiposting and find the correct newsgroup for VPN ... Into the DC and configured the automatic certificate ... >> WinXP box back to the isolated Internet hub connection. ... >> The L2TP connection attempt failed because security ...
    (microsoft.public.windowsxp.security_admin)
  • Re: VFP Updates?
    ... Try talking ODBC or OleDb and they say HU. ... make up my apps so that what ever they want to run has to be from a command ... kind of connection and assign it the right to do exactly what you want. ...
    (microsoft.public.fox.programmer.exchange)