Aaron:
> On Tue, Apr 23, 2013 at 5:01 PM, Jacob Appelbaum <jacob(a)appelbaum.net> wrote:
>
>> Hi,
>>
>> I was thinking of a useful service that will invite everyone to visit
>> it. In an ideal world, we could offer it as a badge to be included on
>> websites as well as just as a normal website.
>>
>
> I like this idea. The image might also say something qualitative about the
> user's ISP. A simple example would be that ISPs that do not filter/interfere
> get a green badge, and those that do get varying shades of red.
>
>

Sure - seems rather straightforward to include some non-color specific
stuff for color blind folks as well.

>> Basically, I think we should have an HTTP page that reports the user's
>> ip, asn, a traceroute (icmp, tcp, udp), and it should load an image from
>> the same machine offered over HTTPS. We could create a unique reference
>> and if we see split routing, we have a bit of data about likely filtering.
>>
>
>> We may even do scanning for keyword filtering with a *.example.com
>> domain certificate. In short, we generate a number of image links for
>> which each domain loads a small image. For every image that does not
>> load, we know that the single difference is the different word in the
>> TLS handshake. We could also offer an image to report an image of their
>> ip address with or without ssl (with or without a lock icon). This would
>> allow people to add an image for a web survey of sorts, if they wanted
>> to help us with our coverage.
>>
>
> Can this technique be used to tell if Tor is being blocked by
> fingerprinting TLS handshake, without using Tor?
>

I'm not sure - Tor's website? Sure. But Tor's protocol? Unlikely.

>
>>
>> The incentive for a user is that they want to know their IP address and
>> other related information.
>
>
> I'm not sure that IP/asn information is a big incentive to most Internet
> users and think we'd need to expand on this idea to get significant
> traction, but it's a good starting point.
>

I think whatismyip.com gets a lot of traffic. As do most of the other
sites....

>
>> The incentive for us is that it gives us
>> information to help develop a generic method that anyone may deploy on
>> their own website for detecting surveillance of their readers/users/etc.
>> A further incentive is that the data will be very interesting if we log
>> all of the *source* ip addresses, headers (eg: X-Forwarded, X-Via, etc),
>> and so on.
>>
>
> Ideally done in a privacy preserving way.
>

Sure - I imagine a setup where we only log origin ASN, if we want, while
also giving them the data they want.

>
>>
>> I'm tempted to run this service on blockfinder.net and back the data
>> with the data from blockfinder/MaxMind and other GeoIP services. If we
>> also ask the user of their country, we might be able to collect
>> information corrections.
>>
>
> If the image or embedded content can function as a simple (single click)
> survey we can probably come up with a lot of interesting questions.
>

Yeah, I agree.

>
>> This will give us a lightweight one to one testing service. This
>> complements the more heavy ooniprobe one to one or one to many service.
>> It also helps us develop the more heavy solutions as we'll have an idea
>> about data we may be missing with the heavy solutions.
>>
...
All the best,
Jacob

Hi,

I was thinking of a useful service that will invite everyone to visit
it. In an ideal world, we could offer it as a badge to be included on
websites as well as just as a normal website.

Basically, I think we should have an HTTP page that reports the user's
ip, asn, a traceroute (icmp, tcp, udp), and it should load an image from
the same machine offered over HTTPS. We could create a unique reference
and if we see split routing, we have a bit of data about likely filtering.

We may even do scanning for keyword filtering with a *.example.com
domain certificate. In short, we generate a number of image links for
which each domain loads a small image. For every image that does not
load, we know that the single difference is the different word in the
TLS handshake. We could also offer an image to report an image of their
ip address with or without ssl (with or without a lock icon). This would
allow people to add an image for a web survey of sorts, if they wanted
to help us with our coverage.

The incentive for a user is that they want to know their IP address and
other related information. The incentive for us is that it gives us
information to help develop a generic method that anyone may deploy on
their own website for detecting surveillance of their readers/users/etc.
A further incentive is that the data will be very interesting if we log
all of the *source* ip addresses, headers (eg: X-Forwarded, X-Via, etc),
and so on.

I'm tempted to run this service on blockfinder.net and back the data
with the data from blockfinder/MaxMind and other GeoIP services. If we
also ask the user of their country, we might be able to collect
information corrections.

This will give us a lightweight one to one testing service. This
complements the more heavy ooniprobe one to one or one to many service.
It also helps us develop the more heavy solutions as we'll have an idea
about data we may be missing with the heavy solutions.

Thoughts?

All the best,
Jake
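
The keyword-probe idea from the thread, sketched server-side as an added example that is not part of either message or of any project code: it issues one HTTPS image URL per label under the wildcard zone, tied to a per-visit reference, then classifies which images never arrived. The function names, the `control` label, the signing key and the `/p.gif` path are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

BASE = "example.com"              # wildcard zone named in the thread (*.example.com)
SECRET = b"constructed-demo-key"  # assumption: server-side key binding probes to a visit
CONTROL = "control"               # assumption: neutral label nobody would filter on

def _tag(ref, word):
    # Short MAC so a log line cannot be forged for a probe that never loaded.
    return hmac.new(SECRET, f"{ref}:{word}".encode(), hashlib.sha256).hexdigest()[:16]

def new_reference():
    """Random per-visit reference; carries no client address or identity."""
    return secrets.token_hex(8)

def probe_urls(ref, words):
    """One HTTPS image URL per label, so only the TLS server name differs.
    Each word must be a single DNS label: a wildcard covers one level only."""
    return {w: f"https://{w}.{BASE}/p.gif?ref={ref}&t={_tag(ref, w)}"
            for w in [CONTROL, *words]}

def classify(ref, words, hits):
    """hits: (ref, word, tag) tuples parsed from the HTTPS access log."""
    seen = {w for r, w, t in hits
            if r == ref and hmac.compare_digest(_tag(r, w), t)}
    if CONTROL not in seen:
        # Nothing loaded at all: broken client, blocked zone, or images disabled.
        return {"status": "inconclusive", "missing": []}
    missing = sorted(w for w in words if w not in seen)
    return {"status": "candidate-filtering" if missing else "clean",
            "missing": missing}

if __name__ == "__main__":
    ref = new_reference()
    words = ["alpha", "bravo"]    # constructed placeholder labels
    urls = probe_urls(ref, words)
    # Constructed log: the control and "alpha" images were fetched, "bravo" was not.
    hits = [(ref, w, urls[w].rsplit("t=", 1)[1]) for w in (CONTROL, "alpha")]
    print(classify(ref, words, hits))
```

The control label is what separates "this word was filtered" from "no image loaded for this visitor"; without it a missing probe says nothing.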