I have completed a few more manual tests. First of all, I remembered that in the early days of this law's implementation Lattelecom were using DNS spoofing. I decided to check if this was still the case (https://popovs.lv/crap/ooni/nslookup.txt), and it wasn't. Then, I checked whether I can connect to port 80 on the IPs of banned websites and issue a request with a Host header unrelated to that website. It seems to have worked (https://popovs.lv/crap/ooni/plain_fake_host.txt), as the request was passed to the actual server (which seems to be configured to answer all requests on port 80 with a redirect to the same Host via HTTPS). Sending a request with "Host: unibet.net" still returns the censorship page. Now, I decided to use openssl's s_client (basically nc through TLS) to check out what was happening with HTTPS. This test (https://popovs.lv/crap/ooni/s_client.txt) was weird, because its results were inconsistent with what I saw in my browser (no response was served to me at all) — I am not sure how to explain that. By the way, when I visit the censorship page in my browser, Chromium, it fails to display response headers (https://popovs.lv/crap/ooni/chrome_https.png — the panel in the bottom should normally display both request and response headers), so, whenever this thing works in my browser, it fails to serve headers just like its HTTP counterpart. Also interesting is the HTTPS cert they're using, which you can find in the log. It is issued by Fortinet, an American company that's apparently known for this sort of thing, and the issuer's CN (FGT1KC3913801932) looks like a serial number. I will try running some other ooniprobe-based tests later. -- Best regards, Aleksejs Popovs