FYI Iran blocks ALL https requests

After many months of sudden loss of emails from within Iran, I just learned that one of my Iranian-centric websites has not been visible from within Iran for the last 6-12 months due to HTTPS requests.

I learned this by using an Iran proxy IP address to access my site via HTTPS… My next move was to open a server location in India instead of Dallas, thinking that USA IPs were blocked. That didn't work. India was blocked also.

Long story short, I realized that I was timing out during the TLS handshake. So I tried deleting my cert and using http: instead of https. HTTP loaded immediately. Upon searching the net for SSL blocking in Iran, I learned that this blocking started several years ago after other types of blocking were failing the Iran government.

This latest TLS Handshake blocking has solved the problem for the Iranian government. Without website encryption, the Iran government can now monitor the general public of Iran.

If you have websites that you think are being viewed within Iran, I have bad news for you. The good news is that you can get your viewership back from within Iran by serving unencrypted pages through HTTP.

FYI

2 Likes
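Added example, not part of the thread or written by any poster: a small Python probe that separates the failure described in the post above (TCP connects, but the TLS handshake times out) from a plain connection failure. The names `probe_tls` and `silent_listener` are hypothetical, and the local listener is a constructed stand-in for a filtered path so the script runs offline.

```python
import socket
import ssl


def probe_tls(host, port=443, timeout=5.0):
    """Report which stage of an HTTPS connection fails.

    Returns 'tcp_fail', 'tls_timeout', 'tls_error' or 'tls_ok'.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_fail"          # refused, unreachable or SYN dropped
    ctx = ssl.create_default_context()
    try:
        with sock:
            sock.settimeout(timeout)
            # wrap_socket sends the ClientHello and waits for the ServerHello
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls_ok"
    except socket.timeout:
        return "tls_timeout"       # TCP is up, but the handshake never completes
    except (ssl.SSLError, OSError):
        return "tls_error"         # reset, alert or certificate failure


def silent_listener():
    """Constructed stand-in for a filtered path: accepts TCP, never answers."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = silent_listener()
    print("silent port:", probe_tls("127.0.0.1", port, timeout=1.0))
    srv.close()
    print("closed port:", probe_tls("127.0.0.1", port, timeout=1.0))
```

Running the same probe against a site from vantage points inside and outside the affected network shows whether the failure is at the TCP stage or only at the handshake.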

Hi @pixelpadre

Thanks for sharing.

This isn't really an option. That would mean: No redirect http -> https, no HSTS, no preload.

A site with redirects, HSTS and preload has a good configuration. I don't want to miss these things.

2 Likes

@pixelpadre can you please elaborate more on your findings?
I have experienced the same issue, but of course not all HTTPS connections fail the handshake; some websites load, some don’t.
I suspect there are specific TLS certificate types or server settings that are fiddled with in Iranian internet routes.
Besides disabling HTTPS, have you tried changing any encryption settings on your server (apache, nginx, etc. config files) seeing if different values work?

1 Like

Unfortunately, tweaking encryption settings is above my pay grade.

You will have to decide what is more important: no viewership, or viewership over a non-secure connection.

1 Like

I can't find the article I read, but here is another. There are more recent articles that you can dig up if you look hard.

1 Like

I’ve checked the domains of my online tool “check-your-website”. There are some ir-domains checked.

Some with Grade B, C or E, so there is no http without a redirect. Some with Let's Encrypt certificates.

I don’t know who had checked these domains - from Iran or from another country.

Checked the integrated Preload-List from Chrome, there are 50 *.ir - entries.

Looks like it isn’t a complete blocking.

PS: server-daten.de is preloaded and has a 2-year-HSTS, so using the tool (via the subdomain) requires a https connection.

1 Like

Right, I have confirmation from people inside Iran that this block is not ubiquitous among websites or even ISPs, i.e. some websites’ TLS handshake fails from some ISPs and not others.

2 Likes

I used https://www.proxynova.com/proxy-server-list/country-ir/ and randomly selected elite IP addresses and then used Firefox proxy settings to see if HTTPS was the problem.

1 Like

I don't believe blocking applies to *.ir domains.

1 Like

Try this hosting https://www.pouyasazan.org in your location; you can use Let's Encrypt freely and with no problems with their service.

1 Like
