February 2, 2021
People Gazette is a new independent investigative Nigerian news site, that during its first four months in operations has revealed illicit financial transactions of Nigeria’s political elites and broken several exclusive stories that have affected the closest ring around president Buhari. The online newspaper has quickly gained popularity in Nigeria because of it daring evidence-based investigative journalism. They are described as “a watchdog that not only sniffs and barks at corruption in high places but that also bites the ankles of its perpetrators“.
The blocking is believed to be a revenge from Professor Ibrahim Gambari, Buhari’s Chief of Staff, who was the center of a report released by Peoples Gazette in October 2020 which went viral in Nigeria. Leaked material from the State House witnessed how Gambari had given his son privileges and responsibilities as if he was a part of his staff. Gambari’s son was authorizing administrative regulations, arranging top secret executive briefings and handled classified information without having an official role in the government.
As in other cases of Internet blocking, Qurium started collecting traffic recordings from different operators in the country (MTN AS29465, Airtel AS36873). The traffic recordings and the reports received from inside the country confirmed that the blocking of the website was implemented by each of the mobile operators. Some operators have blocked the DNS resolution of the website while others, such as Airtel, are using Deep Packet Inspection (DPI) to stop the traffic to the website once the website name is sent in the SSL negotiation (Hello Client).
One of our traffic recordings shows how the browser exchanges traffic with the IP address of Cloudflare Content Distribution Network (3WHS) and communication stops immediately after the name of the website is sent in the “Client Hello” message of the communication (TLS negotiation).
The hosting provider exchanges the first packets that establish the session with the webserver (session handshake) but no more traffic is received afterwards.
The reader in turn receives different error messages depending on the type of blocking and web browser used. The most common ones received are:
Recent tests (2nd February) in Globacom (GLO) show that the IP address of the newspapers is blocked. Reset packets are sent from their mobile infrastructure (TTL 63) as soon as the website is requested.
The Dashboard at Cloudflare also confirms the traffic drop and how the blocking was implemented by each of the mobile operators and some ISPs from the 26th to the 28th of January 2021.
Changing domain to verify domain blocking
It is common that during blocking the operators and government officials will not acknowledge that the blocking is taking place and will point to technical problems with the website. In order to fully verify that the blocking was targeting the domain peoplesgazette.com specifically, the website was soon made available in the domain gazettengr.com.
Not surprisingly, as soon as the new domain was used, the website was online again inside Nigeria.
A Bifrost mirror has been deployed
To circumvent the blocking, Qurium has deployed a Bifrost mirror of Peoples Gazette, that users can visit without the need of any third party software or VPN. The Bifrost mirror is reachable at: https://storage.googleapis.com/qurium/peoplesgazette.com/index.html
- Our forensic analysis confirms the blocking of the domain name peoplesgazette.com started the 26th of January 2021 inside Nigeria.
- The blocking has been implemented by the different operators during the 26-28th of January 2021.
- Different techniques are used to keep the website offline including DNS and SSL tampering by means of Deep Packet Inspection.
- The blocking has been implemented without any notification and readers are not informed about the cause of the blocking.