10

According to this article Iran has criminalized the usage of encryption and VPNs. According to this blog post it is still possible to use SSH tunnels in Iran.

For me SSH is encryption and thus forbidden in Iran, but I wonder how online banking, which requires SSL, works over there and if OTR (e.g. for Pidgin) and PGP/GPG are forbidden, too.

The reason why I ask this is pretty simple: I know some people traveling through Asia who upload their videos to my server via sftp. I have no ftp installed because of security concerns; sftp was fine for me and them.

I don't want to bring them in any danger because of using sftp and would rather install ftp and open ports till they are in India (I heard Pakistan handles it pretty much the same way).

To clarify: I do not want any way to circumvent the Iranian regulations, just clear information on how encryption laws are applied in Iran and under which circumstances.

Baarn
  • 1
    As far as I understand it, Iran is spoofing CAs (can be done when you basically run the internet), so they can decrypt SSL info. As for the legal implications, no clue. – StrangeWill Jan 24 '12 at 19:05
  • 5
    Wow, that policy makes even US lawmakers look sane. – rook Jan 24 '12 at 19:30
  • Where encryption is banned, encryption software can comply with the law while remaining compatible with encrypted protocols by disclosing all key material that's used for confidentiality. There was a version of ssh called `ssf` which IIRC operated this way when >40-bit keys were prohibited in France (back in the previous century). I don't know if anything of the sort is practiced in Iran. – Gilles 'SO- stop being evil' Jan 24 '12 at 19:42
  • 2
    Legal implications aren't a concern for the Iranian government. – Wayne In Yak Jan 24 '12 at 23:37
  • 1
    How about asking the [Iranian embassy](http://www.iranembassy.de/ger/policyaffairs.htm)? You don't have to mention your friends if that worries you; say that you may have to go to Iran yourself, and want to know ahead of time. – S.L. Barth Jan 27 '12 at 05:12
  • @blunders The poster is in Germany. Either way, I don't think they will give someone trouble for asking how to comply with their laws. – S.L. Barth Jan 27 '12 at 05:33
  • Strange, according to another question on security.SE Iran already blocks SSH: http://security.stackexchange.com/questions/10340/what-alternatives-are-there-when-ssh-is-being-actively-filtered – CodesInChaos Jan 30 '12 at 14:50
  • The linked blog entry has pretty low quality too. For example it claims that SSH is hard to detect for an observer - it isn't. – CodesInChaos Jan 30 '12 at 14:53
  • 2
    This is the wrong place to ask for clarification on Iranian law. You should consult with an attorney that is actually authorized to practice inside of Iran. The only thing you'll get here are some wild guesses. As a side note, I wouldn't actually travel there to ask this. Remote is probably best. ;) – NotMe Jan 31 '12 at 16:57

3 Answers

4

If you're just accepting files, opening FTP to help them comply with Iranian law is a good idea.

If your friends are taking videos and images which are even unintentionally slightly political in nature, then they should keep a low profile. I can't fathom why they'd enter the country with computers and start sending encrypted videos outside the country if that was their intent.

http://www.nytimes.com/2012/01/26/world/middleeast/iran-steps-up-arrests-of-journalists-and-bloggers.html

I was travelling in Iran a couple years ago and I didn't dare bring a computer into the country. They need to ensure that their computers are squeaky clean. Material offensive to Islam in the eyes of a corrupt government official could be anything. Concealing their encrypted volumes is not an option. If they didn't back up their data before crossing the border... I don't know what to say.

Iran's a nice place, but like anywhere in the world, you are subject to their laws in their country.

Without a computer, I carried a small stack of SD cards, had a USB card reader with a read-only flag and sent stuff out from cybercafes.

mgjk
  • The material is only about their travels, nothing political. As far as I know they do not use encryption on their computers, only for communication. My server is intended for their video-backups (everything else should be replaceable). – Baarn Jan 27 '12 at 18:58
  • @blunders: Very true, that is why I asked this question. I don't want (them) to cause any trouble accidentally, especially not by forcing them to use sftp and not just plain ftp. – Baarn Jan 27 '12 at 20:54
3

This site is a good survey of laws on cryptography around the world. For Iran, they state:

According to the 2005 HRW report False Freedom, use of encryption for exchanging information requires a license. Users have to request permission by submitting crypto algorithm and keys and information about 'related parties' to the Supreme Council for Cultural Revolution, as regulated in art. 5.3.8 of the Rules and Regulations for Computer Information Providers.

Iran is not known to be a sanctuary for Human Rights... but it is a "civilized" country, in the following sense: they have written laws. They have procedures. They have bureaucracy. So it makes sense that if you want to do something which is banned on a general basis (such as encryption), there is still a definite procedure by which you could ask for permission. As @S.L.Barth suggests in a comment, asking at the local Iranian embassy would be the logical first step.

Note that your local laws might add some constraints. For instance, exporting cryptographic tools to Iran from the USA is illegal per US regulations because Iran is part of the list of "terrorist countries". Getting things clear with the Iranian authorities is thus necessary (to remain on the side of the Law) but not sufficient; you must also make things clear with the authorities of your own country.

(And, as for all legal matters: get a professional attorney. Legal matters rarely tolerate amateurism.)

Thomas Pornin
-2

I think you're looking at this all wrong. Who cares about the LETTER of their laws when the consequences of breaching the SPIRIT of their laws is so high?

Lawmakers don't understand technology (just look at the recent SOPA/PIPA debacle) and the people responsible for interpreting and enforcing them don't understand them either. With all those uncertainties in a paranoid police state, are you really proposing trying to suggest that your friends avoid possible life imprisonment or death by exploiting a loophole in their legal system?

Tell your friends not to attempt any uploads to/from your servers, and that you will be shutting your sftp daemon down for the entire time of their stay in Iran. Then actually shut it down.

nohup
  • How's allowing them to use ftp while they're in Iran (as the OP suggested) breaking the spirit of the law? All data will be sent over the wire in the clear, unless of course the users choose to encrypt them prior to transmission. And, unless the server is hosted in Iran, I'm pretty sure it would be the *users* putting themselves at risk if they did that - not the server owner. – Iszi Feb 26 '12 at 05:53
  • **Who cares about the LETTER of their laws when the consequences of breaching the SPIRIT of their laws is so high?** - People who don't want to spend 30 years in a dungeon. Honest people follow the LETTER of the law until they are able to change the law. – Ramhound Sep 04 '12 at 10:57