commit 29f56af6ba8cfbc6c8d8d4f5729f8c30bf384111 Author: Joe Landers joe@joelanders.net Date: Tue Apr 5 13:22:44 2016 +0200
formatting and filename fixes --- test-specs/ts-001-bridget.md | 2 +- test-specs/ts-005-dns-spoof.md | 131 ++++++++--------- test-specs/ts-012-lantern.md | 111 --------------- test-specs/ts-013-lantern.md | 111 +++++++++++++++ test-specs/ts-013-meek-fronted-requests.md | 111 --------------- test-specs/ts-014-meek-fronted-requests.md | 111 +++++++++++++++ test-specs/ts-014-psiphon.md | 146 ------------------- test-specs/ts-015-openvpn.md | 218 ---------------------------- test-specs/ts-015-psiphon.md | 148 +++++++++++++++++++ test-specs/ts-016-openvpn.md | 220 +++++++++++++++++++++++++++++ 10 files changed, 657 insertions(+), 652 deletions(-)
diff --git a/test-specs/ts-001-bridget.md b/test-specs/ts-001-bridget.md
index f800df5..e2b9f47 100644
--- a/test-specs/ts-001-bridget.md
+++ b/test-specs/ts-001-bridget.md
@@ -55,7 +55,7 @@ Note: This test is deprecated
# Privacy considerations
- * Bridge location should not be devolved to adversaries.
+ * Bridge location should not be revealed to adversaries.
 * If possible, the fact that a scan is running should be difficult to detect.
# Packet capture considerations
diff --git a/test-specs/ts-005-dns-spoof.md b/test-specs/ts-005-dns-spoof.md
index 417dc8b..94f0f3a 100644
--- a/test-specs/ts-005-dns-spoof.md
+++ b/test-specs/ts-005-dns-spoof.md
@@ -77,72 +77,73 @@ Whether or not DNS spoofing is occurring for a particular FQDN.
## Example output sample
- - ########################################### - # OONI Probe Report for dns_spoof (0.0.1) - # Wed Sep 25 15:39:32 2013 - ########################################### - --- - input_hashes: [] - options: [-r, '10.211.0.10:53', -h, google.com] - probe_asn: AS2819 - probe_cc: CZ - probe_ip: 127.0.0.1 - software_name: ooniprobe - software_version: 1.0.0-rc3 - start_time: 1380116372.573729 - test_name: dns_spoof - test_version: 0.0.1 - ... - --- - answer_flags: [ipsrc] +``` +########################################### +# OONI Probe Report for dns_spoof (0.0.1) +# Wed Sep 25 15:39:32 2013 +########################################### +--- +input_hashes: [] +options: [-r, '10.211.0.10:53', -h, google.com] +probe_asn: AS2819 +probe_cc: CZ +probe_ip: 127.0.0.1 +software_name: ooniprobe +software_version: 1.0.0-rc3 +start_time: 1380116372.573729 +test_name: dns_spoof +test_version: 0.0.1 +... +--- +answer_flags: [ipsrc] +answered_packets: +- - raw_packet: !!binary | + RbgA6OumAAAyEY4+CAgICH8AAAEANQA1ANSshgAAgYAAAQALAAAAAAZnb29nbGUDY29tAAABAAEG + Z29vZ2xlA2NvbQAAAQABAAAA4AAErcIs5QZnb29nbGUDY29tAAABAAEAAADgAAStwizkBmdvb2ds + ZQNjb20AAAEAAQAAAOAABK3CLOYGZ29vZ2xlA2NvbQAAAQABAAAA4AAErcIs6QZnb29nbGUDY29t + AAABAAEAAADgAAStwizoBmdvb2dsZQNjb20AAAEAAQAAAOAABK3CLOcGZ29vZ2xlA2NvbQAAAQAB + AAAA4AAErcIs4gZnb29nbGUDY29tAAABAAEAAADgAAStwizjBmdvb2dsZQNjb20AAAEAAQAAAOAA + BK3CLOAGZ29vZ2xlA2NvbQAAAQABAAAA4AAErcIs4QZnb29nbGUDY29tAAABAAEAAADgAAStwizu + summary: 'IP / UDP / DNS Ans "173.194.44.229" ' +- - raw_packet: !!binary | + RbgA6J0DAABAEdQUCtMACn8AAAEANQA1ANSxxAAAgYAAAQALAAAAAAZnb29nbGUDY29tAAABAAEG + Z29vZ2xlA2NvbQAAAQABAAAA3wAErcIs5wZnb29nbGUDY29tAAABAAEAAADfAAStwizoBmdvb2ds + ZQNjb20AAAEAAQAAAN8ABK3CLOkGZ29vZ2xlA2NvbQAAAQABAAAA3wAErcIs5gZnb29nbGUDY29t + AAABAAEAAADfAAStwizkBmdvb2dsZQNjb20AAAEAAQAAAN8ABK3CLOUGZ29vZ2xlA2NvbQAAAQAB + AAAA3wAErcIs7gZnb29nbGUDY29tAAABAAEAAADfAAStwizhBmdvb2dsZQNjb20AAAEAAQAAAN8A + BK3CLOAGZ29vZ2xlA2NvbQAAAQABAAAA3wAErcIs4wZnb29nbGUDY29tAAABAAEAAADfAAStwizi + 
summary: 'IP / UDP / DNS Ans "173.194.44.231" ' +input: null +sent_packets: +- - raw_packet: !!binary | + RQAAOAABAABAEeujfwAAAQgICAgANQA1ACRccgAAAQAAAQAAAAAAAAZnb29nbGUDY29tAAABAAE= + summary: 'IP / UDP / DNS Qry "google.com" ' +- - raw_packet: !!binary | + RQAAOAABAABAEfDWfwAAAQrTAAoANQA1ACRhpQAAAQAAAQAAAAAAAAZnb29nbGUDY29tAAABAAE= + summary: 'IP / UDP / DNS Qry "google.com" ' +spoofing: false +test_a_lookup: + answered_packets: + - raw_packet: !!binary | + RbgA6J0DAABAEdQUCtMACn8AAAEANQA1ANSxxAAAgYAAAQALAAAAAAZnb29nbGUDY29tAAABAAEG + Z29vZ2xlA2NvbQAAAQABAAAA3wAErcIs5wZnb29nbGUDY29tAAABAAEAAADfAAStwizoBmdvb2ds + ZQNjb20AAAEAAQAAAN8ABK3CLOkGZ29vZ2xlA2NvbQAAAQABAAAA3wAErcIs5gZnb29nbGUDY29t + AAABAAEAAADfAAStwizkBmdvb2dsZQNjb20AAAEAAQAAAN8ABK3CLOUGZ29vZ2xlA2NvbQAAAQAB + AAAA3wAErcIs7gZnb29nbGUDY29tAAABAAEAAADfAAStwizhBmdvb2dsZQNjb20AAAEAAQAAAN8A + BK3CLOAGZ29vZ2xlA2NvbQAAAQABAAAA3wAErcIs4wZnb29nbGUDY29tAAABAAEAAADfAAStwizi + summary: 'IP / UDP / DNS Ans "173.194.44.231" ' +test_control_a_lookup: answered_packets: - - - raw_packet: !!binary | - RbgA6OumAAAyEY4+CAgICH8AAAEANQA1ANSshgAAgYAAAQALAAAAAAZnb29nbGUDY29tAAABAAEG - Z29vZ2xlA2NvbQAAAQABAAAA4AAErcIs5QZnb29nbGUDY29tAAABAAEAAADgAAStwizkBmdvb2ds - ZQNjb20AAAEAAQAAAOAABK3CLOYGZ29vZ2xlA2NvbQAAAQABAAAA4AAErcIs6QZnb29nbGUDY29t - AAABAAEAAADgAAStwizoBmdvb2dsZQNjb20AAAEAAQAAAOAABK3CLOcGZ29vZ2xlA2NvbQAAAQAB - AAAA4AAErcIs4gZnb29nbGUDY29tAAABAAEAAADgAAStwizjBmdvb2dsZQNjb20AAAEAAQAAAOAA - BK3CLOAGZ29vZ2xlA2NvbQAAAQABAAAA4AAErcIs4QZnb29nbGUDY29tAAABAAEAAADgAAStwizu - summary: 'IP / UDP / DNS Ans "173.194.44.229" ' - - - raw_packet: !!binary | - RbgA6J0DAABAEdQUCtMACn8AAAEANQA1ANSxxAAAgYAAAQALAAAAAAZnb29nbGUDY29tAAABAAEG - Z29vZ2xlA2NvbQAAAQABAAAA3wAErcIs5wZnb29nbGUDY29tAAABAAEAAADfAAStwizoBmdvb2ds - ZQNjb20AAAEAAQAAAN8ABK3CLOkGZ29vZ2xlA2NvbQAAAQABAAAA3wAErcIs5gZnb29nbGUDY29t - AAABAAEAAADfAAStwizkBmdvb2dsZQNjb20AAAEAAQAAAN8ABK3CLOUGZ29vZ2xlA2NvbQAAAQAB - 
AAAA3wAErcIs7gZnb29nbGUDY29tAAABAAEAAADfAAStwizhBmdvb2dsZQNjb20AAAEAAQAAAN8A - BK3CLOAGZ29vZ2xlA2NvbQAAAQABAAAA3wAErcIs4wZnb29nbGUDY29tAAABAAEAAADfAAStwizi - summary: 'IP / UDP / DNS Ans "173.194.44.231" ' - input: null - sent_packets: - - - raw_packet: !!binary | - RQAAOAABAABAEeujfwAAAQgICAgANQA1ACRccgAAAQAAAQAAAAAAAAZnb29nbGUDY29tAAABAAE= - summary: 'IP / UDP / DNS Qry "google.com" ' - - - raw_packet: !!binary | - RQAAOAABAABAEfDWfwAAAQrTAAoANQA1ACRhpQAAAQAAAQAAAAAAAAZnb29nbGUDY29tAAABAAE= - summary: 'IP / UDP / DNS Qry "google.com" ' - spoofing: false - test_a_lookup: - answered_packets: - - raw_packet: !!binary | - RbgA6J0DAABAEdQUCtMACn8AAAEANQA1ANSxxAAAgYAAAQALAAAAAAZnb29nbGUDY29tAAABAAEG - Z29vZ2xlA2NvbQAAAQABAAAA3wAErcIs5wZnb29nbGUDY29tAAABAAEAAADfAAStwizoBmdvb2ds - ZQNjb20AAAEAAQAAAN8ABK3CLOkGZ29vZ2xlA2NvbQAAAQABAAAA3wAErcIs5gZnb29nbGUDY29t - AAABAAEAAADfAAStwizkBmdvb2dsZQNjb20AAAEAAQAAAN8ABK3CLOUGZ29vZ2xlA2NvbQAAAQAB - AAAA3wAErcIs7gZnb29nbGUDY29tAAABAAEAAADfAAStwizhBmdvb2dsZQNjb20AAAEAAQAAAN8A - BK3CLOAGZ29vZ2xlA2NvbQAAAQABAAAA3wAErcIs4wZnb29nbGUDY29tAAABAAEAAADfAAStwizi - summary: 'IP / UDP / DNS Ans "173.194.44.231" ' - test_control_a_lookup: - answered_packets: - - raw_packet: !!binary | - RbgA6OumAAAyEY4+CAgICH8AAAEANQA1ANSshgAAgYAAAQALAAAAAAZnb29nbGUDY29tAAABAAEG - Z29vZ2xlA2NvbQAAAQABAAAA4AAErcIs5QZnb29nbGUDY29tAAABAAEAAADgAAStwizkBmdvb2ds - ZQNjb20AAAEAAQAAAOAABK3CLOYGZ29vZ2xlA2NvbQAAAQABAAAA4AAErcIs6QZnb29nbGUDY29t - AAABAAEAAADgAAStwizoBmdvb2dsZQNjb20AAAEAAQAAAOAABK3CLOcGZ29vZ2xlA2NvbQAAAQAB - AAAA4AAErcIs4gZnb29nbGUDY29tAAABAAEAAADgAAStwizjBmdvb2dsZQNjb20AAAEAAQAAAOAA - BK3CLOAGZ29vZ2xlA2NvbQAAAQABAAAA4AAErcIs4QZnb29nbGUDY29tAAABAAEAAADgAAStwizu - summary: 'IP / UDP / DNS Ans "173.194.44.229" ' - ... 
+ - raw_packet: !!binary | + RbgA6OumAAAyEY4+CAgICH8AAAEANQA1ANSshgAAgYAAAQALAAAAAAZnb29nbGUDY29tAAABAAEG + Z29vZ2xlA2NvbQAAAQABAAAA4AAErcIs5QZnb29nbGUDY29tAAABAAEAAADgAAStwizkBmdvb2ds + ZQNjb20AAAEAAQAAAOAABK3CLOYGZ29vZ2xlA2NvbQAAAQABAAAA4AAErcIs6QZnb29nbGUDY29t + AAABAAEAAADgAAStwizoBmdvb2dsZQNjb20AAAEAAQAAAOAABK3CLOcGZ29vZ2xlA2NvbQAAAQAB + AAAA4AAErcIs4gZnb29nbGUDY29tAAABAAEAAADgAAStwizjBmdvb2dsZQNjb20AAAEAAQAAAOAA + BK3CLOAGZ29vZ2xlA2NvbQAAAQABAAAA4AAErcIs4QZnb29nbGUDY29tAAABAAEAAADgAAStwizu + summary: 'IP / UDP / DNS Ans "173.194.44.229" ' +... +```
# Privacy considerations
diff --git a/test-specs/ts-012-lantern.md b/test-specs/ts-012-lantern.md
deleted file mode 100644
index 508bdfc..0000000
--- a/test-specs/ts-012-lantern.md
+++ /dev/null
@@ -1,111 +0,0 @@ -# Specification version number - -2015-04-03-000 - -# Specification name - -Lantern Test - -# Test preconditions - -Downloaded or compiled the "lantern" binary and made executable and in -the users PATH environment variable. - -# Expected impact - -Ability to measure whether Lantern is working from the given network vantage point. - -# Expected inputs - -A single URL to fetch, supplied by command line argument "--url (-u)". To test -Lantern, it must be a URL from the whitelisted set. -See: https://github.com/getlantern/flashlight/blob/master/genconfig/proxiedsites/ - -# Test description - -This test launches Lantern in --headless mode, and parses output to determine -if it has bootstrapped. After bootstrap, it fetches the URL supplied by the ---url option using Lanterns http proxy interface listening on 127.0.0.1.8787. - -The specific string used to determine bootstrap from Lantern output in version -"2.0.10" is "Connected to proxy on localhost" from standard output. - -# Expected output - -## Parent data format - -None. - -## Required output data - -success: -**boolean** The bootstrap status of Lantern (success or failure). - -lantern --headless: -**dictionary** the parent key of Lanterns output that contains the keys stdout and stderr - -stdout: -**string** Output produced by Lanterns standard output. - -stderr: -**string** Error produced by Lanterns standard error. - -body: -**string** The page body of a successful HTTP request. - -failure: -**string** If failure, then the corresponding failure message. - - -## Data specification version number - -## Semantics - -'success' - True or False - whether Lantern has bootstrapped. -'body' - http page body if successfully requested. -'failure' - optional, present if there is a failure. -'lantern --headless': - 'stdout' - Contents of standard output produced by Lantern. - 'stderr' - Contents of standard error produced by Lantern. 
- - -## Possible conclusions - -We can determine whether or not Lantern is able to bootstrap, according to its output. -We can determine whether or not a given URL is reachable via Lantern. - -## Example output sample -``` ---- -input_hashes: [] -options: [-u, google.com] -probe_asn: AS1234 -probe_cc: US -probe_city: null -probe_ip: 127.0.0.1 -software_name: ooniprobe -software_version: 1.2.3-rc1 -start_time: 1428344311.0 -test_name: lantern_circumvention_tool_test -test_version: 0.0.1 -... ---- -body: "<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"\ - >\n<TITLE>301 Moved</TITLE></HEAD><BODY>\n<H1>301 Moved</H1>\nThe document has moved\n\ - <A HREF="http://www.google.com/%5C%22%3Ehere</A>.\r\n</BODY></HTML>\r\n" -bootstrapped: true -input: null -lantern --headless: {exit_reason: process_done, stderr: '', stdout: ''} -``` - -## Expected Post-processing efforts - -# Privacy considerations - -Lantern does not seek to provide anonymity. Lantern contains tracking analytics -software and may connect directly to Lantern-provided proxy endpoints, or use -fronted domains via Content Delivery Networks (CDNs) as a data channel. - -# Packet capture considerations - -This test does not capture packets by default. diff --git a/test-specs/ts-013-lantern.md b/test-specs/ts-013-lantern.md new file mode 100644 index 0000000..508bdfc --- /dev/null +++ b/test-specs/ts-013-lantern.md 
@@ -0,0 +1,111 @@
+# Specification version number
+
+2015-04-03-000
+
+# Specification name
+
+Lantern Test
+
+# Test preconditions
+
+Downloaded or compiled the "lantern" binary and made executable and in
+the users PATH environment variable.
+
+# Expected impact
+
+Ability to measure whether Lantern is working from the given network vantage point.
+
+# Expected inputs
+
+A single URL to fetch, supplied by command line argument "--url (-u)". To test
+Lantern, it must be a URL from the whitelisted set.
+See: https://github.com/getlantern/flashlight/blob/master/genconfig/proxiedsites/
+
+# Test description
+
+This test launches Lantern in --headless mode, and parses output to determine
+if it has bootstrapped. After bootstrap, it fetches the URL supplied by the
+--url option using Lanterns http proxy interface listening on 127.0.0.1.8787.
+
+The specific string used to determine bootstrap from Lantern output in version
+"2.0.10" is "Connected to proxy on localhost" from standard output.
+
+# Expected output
+
+## Parent data format
+
+None.
+
+## Required output data
+
+success:
+**boolean** The bootstrap status of Lantern (success or failure).
+
+lantern --headless:
+**dictionary** the parent key of Lanterns output that contains the keys stdout and stderr
+
+stdout:
+**string** Output produced by Lanterns standard output.
+
+stderr:
+**string** Error produced by Lanterns standard error.
+
+body:
+**string** The page body of a successful HTTP request.
+
+failure:
+**string** If failure, then the corresponding failure message.
+
+
+## Data specification version number
+
+## Semantics
+
+'success' - True or False - whether Lantern has bootstrapped.
+'body' - http page body if successfully requested.
+'failure' - optional, present if there is a failure.
+'lantern --headless':
+ 'stdout' - Contents of standard output produced by Lantern.
+ 'stderr' - Contents of standard error produced by Lantern.
+
+
+## Possible conclusions
+
+We can determine whether or not Lantern is able to bootstrap, according to its output.
+We can determine whether or not a given URL is reachable via Lantern.
+
+## Example output sample
+```
+---
+input_hashes: []
+options: [-u, google.com]
+probe_asn: AS1234
+probe_cc: US
+probe_city: null
+probe_ip: 127.0.0.1
+software_name: ooniprobe
+software_version: 1.2.3-rc1
+start_time: 1428344311.0
+test_name: lantern_circumvention_tool_test
+test_version: 0.0.1
+...
+---
+body: "<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"\
+ >\n<TITLE>301 Moved</TITLE></HEAD><BODY>\n<H1>301 Moved</H1>\nThe document has moved\n\
+ <A HREF="http://www.google.com/%5C%22%3Ehere</A>.\r\n</BODY></HTML>\r\n"
+bootstrapped: true
+input: null
+lantern --headless: {exit_reason: process_done, stderr: '', stdout: ''}
+```
+
+## Expected Post-processing efforts
+
+# Privacy considerations
+
+Lantern does not seek to provide anonymity. Lantern contains tracking analytics
+software and may connect directly to Lantern-provided proxy endpoints, or use
+fronted domains via Content Delivery Networks (CDNs) as a data channel.
+
+# Packet capture considerations
+
+This test does not capture packets by default.
diff --git a/test-specs/ts-013-meek-fronted-requests.md b/test-specs/ts-013-meek-fronted-requests.md
deleted file mode 100644
index f78066e..0000000
--- a/test-specs/ts-013-meek-fronted-requests.md
+++ /dev/null
@@ -1,111 +0,0 @@ -# Specification version number - -2015-04-01-000 - -# Specification name - -Meek Fronted Request Test - -# Test preconditions - -* An internet connection - -# Expected impact - -Ability to detect uncensored fronted domains that can transmit requests to the -"inside" meek-server via an intermediary web service. - -# Expected inputs - -## Import document or import data format - -A list of domain names (fronted domains) and host headers (meek-server) of the -intermediary web service. - -## Semantics - -The input document may contain a domain name and a host header combination per -line separated by colon in the format: - - DomainName:HostHeader - -Example: - - www.google.com:meek-reflect.appspot.com - a0.awsstatic.com:d2zfqthxsdq309.cloudfront.net - -# Test description - -Performs a HTTP GET request over TLS (HTTPS) to a list of fronted domains with -the Host Header of the "inside" meek-server. For diagnostic purposes the -meek-server handles a GET request and respond with: "I’m just a happy little -web server.\n". The GET request is sent over TLS to the root of the fronted -domain with the Host Header option of the desired meek-server host. - - -# Expected output - -## Parent data format - -df-001-httpt-000 - -## Required output data - -* The domain name and host header used in the measurement - (DomainName:HostHeader) - -* The requests that have been made - -* The received responses - -* If the meek server is blocked or unreachable - -## Semantics - -success: - **boolean** indicates if an HTTPS GET response to the meek server is - successfull - -## Possible conclusions - -If the fronted request/response to the meek server is successful. 
- -## Example output sample - -``` -agent: agent -input: ajax.aspnetcdn.com:az668014.vo.msecnd.net -requests: -- request: - body: null - headers: - - - Host - - [az668014.vo.msecnd.net] - method: GET - tor: {is_tor: false} - url: https://ajax.aspnetcdn.com - response: - body: "I\u2019m just a happy little web server.\n" - code: 200 - headers: - - - Content-Length - - ['38'] - - - X-Cache - - [HIT] - - - X-Powered-By - - [ASP.NET] - - - Accept-Ranges - - [bytes] - - - Server - - [ECAcc (fcn/40C4)] - - - Last-Modified - - ['Wed, 01 Apr 2015 09:25:13 GMT'] - - - Connection - - [close] - - - Date - - ['Wed, 01 Apr 2015 10:01:37 GMT'] - - - Content-Type - - [text/plain; charset=utf-8] -socksproxy: null -success: true -``` diff --git a/test-specs/ts-014-meek-fronted-requests.md b/test-specs/ts-014-meek-fronted-requests.md new file mode 100644 index 0000000..f78066e --- /dev/null +++ b/test-specs/ts-014-meek-fronted-requests.md 
@@ -0,0 +1,111 @@
+# Specification version number
+
+2015-04-01-000
+
+# Specification name
+
+Meek Fronted Request Test
+
+# Test preconditions
+
+* An internet connection
+
+# Expected impact
+
+Ability to detect uncensored fronted domains that can transmit requests to the
+"inside" meek-server via an intermediary web service.
+
+# Expected inputs
+
+## Import document or import data format
+
+A list of domain names (fronted domains) and host headers (meek-server) of the
+intermediary web service.
+
+## Semantics
+
+The input document may contain a domain name and a host header combination per
+line separated by colon in the format:
+
+ DomainName:HostHeader
+
+Example:
+
+ www.google.com:meek-reflect.appspot.com
+ a0.awsstatic.com:d2zfqthxsdq309.cloudfront.net
+
+# Test description
+
+Performs a HTTP GET request over TLS (HTTPS) to a list of fronted domains with
+the Host Header of the "inside" meek-server. For diagnostic purposes the
+meek-server handles a GET request and respond with: "I’m just a happy little
+web server.\n". The GET request is sent over TLS to the root of the fronted
+domain with the Host Header option of the desired meek-server host.
+
+
+# Expected output
+
+## Parent data format
+
+df-001-httpt-000
+
+## Required output data
+
+* The domain name and host header used in the measurement
+ (DomainName:HostHeader)
+
+* The requests that have been made
+
+* The received responses
+
+* If the meek server is blocked or unreachable
+
+## Semantics
+
+success:
+ **boolean** indicates if an HTTPS GET response to the meek server is
+ successfull
+
+## Possible conclusions
+
+If the fronted request/response to the meek server is successful.
+
+## Example output sample
+
+```
+agent: agent
+input: ajax.aspnetcdn.com:az668014.vo.msecnd.net
+requests:
+- request:
+ body: null
+ headers:
+ - - Host
+ - [az668014.vo.msecnd.net]
+ method: GET
+ tor: {is_tor: false}
+ url: https://ajax.aspnetcdn.com
+ response:
+ body: "I\u2019m just a happy little web server.\n"
+ code: 200
+ headers:
+ - - Content-Length
+ - ['38']
+ - - X-Cache
+ - [HIT]
+ - - X-Powered-By
+ - [ASP.NET]
+ - - Accept-Ranges
+ - [bytes]
+ - - Server
+ - [ECAcc (fcn/40C4)]
+ - - Last-Modified
+ - ['Wed, 01 Apr 2015 09:25:13 GMT']
+ - - Connection
+ - [close]
+ - - Date
+ - ['Wed, 01 Apr 2015 10:01:37 GMT']
+ - - Content-Type
+ - [text/plain; charset=utf-8]
+socksproxy: null
+success: true
+```
diff --git a/test-specs/ts-014-psiphon.md b/test-specs/ts-014-psiphon.md
deleted file mode 100644
index 7bc6c04..0000000
--- a/test-specs/ts-014-psiphon.md
+++ /dev/null
@@ -1,146 +0,0 @@ -# Specification version number - -2015-10-11-000 - -# Specification name - -Psiphon Test - -# Test preconditions - -Have psiphon-circumvention-system (including psiphon-circumvention-system/pyclient/psi_client.py) cloned in the home of the user that runs ooni or somewhere else accessible to the user that runs ooni. - -# Expected impact - -Ability to measure whether Psiphon is working from the given network vantage point. - -# Expected inputs - -Optionally: -A single URL to fetch, supplied by command line argument "--url (-u)". -Psiphon path, specified by the command line argument "--psiphonpath (-p)" -The ip:port that Psiphon will use for the SOCKS proxy, with the command line argument "--socksproxy (-s)" - -# Test description - -This test first check that the Psiphon path exists, then launches Psiphon and parses output to determine if it has bootstrapped. After bootstrap, it fetches google.com (or other URL specified by the --url argument) using Psiphons SOCKS proxy listening on 127.0.0.1:1080 (or otherwise specified by the --socksproxy argument). - -The specific string used to determine bootstrap from Psiphon output in version -"0.0.1" is "Press Ctrl-C to terminate." from standard output. - -# Expected output - -## Parent data format - -The following keys from df-001-httpt.md are used when Psiphon bootstraps: requests, socksproxy, agent. -When Psiphon is not installed or does not bootstrap, only agent and socksproxy are used. - -## Required output data - -psiphon_installed: -**boolean** Whether Psiphon client is found or not (success or failure). - -success: -**boolean** The bootstrap status of Psiphon (success or failure). - -/tmp/<temporary file>: -**dictionary** the parent key of Psiphon's output that contains the keys stdout and stderr and exit_reason - -stdout: -**string** Output produced by Psiphon's standard output. - -stderr: -**string** Error produced by Psiphon's standard error. 
- -## Data specification version number - -## Semantics - -'psiphon_installed' - True or False - whether Psiphon is found. -'success' - True or False - whether Psiphon has bootstrapped. -'body' - http page body if successfully requested. -'/tmp/<temporary file>': - 'stdout' - Contents of standard output produced by Psiphon. - 'stderr' - Contents of standard error produced by Psiphon. - - -## Possible conclusions - -We can determine whether or not Psiphon is found. -We can determine whether or not Psiphon is able to bootstrap, according to its output. -We can determine whether or not a given URL is reachable via Psiphon. - -## Example output sample -``` ---- -input_hashes: [] -options: [-u, google.com] -probe_asn: AS0 -probe_cc: ZZ -probe_city: null -probe_ip: 127.0.0.1 -report_id: 4dAHr0ceNDBmw5lUQ7pBoxqgyUSfP873Qj1zv5VyElnSSTXwcsLYeCv69DsUjb94 -software_name: ooniprobe -software_version: 1.3.1 -start_time: 1444686051.0 -test_helpers: {} -test_name: psiphon_test -test_version: 0.0.1 -... ---- -/tmp/tmplKg8K3: {exit_reason: process_done, stderr: '', stdout: "./ssh is not a valid\ - \ executable. 
Using standard ssh.\r\n\r\nYour SOCKS proxy is now running at 127.0.0.1:1080\r\ - \n\r\nPress Ctrl-C to terminate.\r\nTerminating...\r\nConnection closed\r\n"} -agent: agent -input: null -psiphon_installed: true -requests: -- request: - body: null - headers: [] - method: GET - tor: {is_tor: false} - url: http://google.com - response: - body: "<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"\ - >\n<TITLE>301 Moved</TITLE></HEAD><BODY>\n<H1>301 Moved</H1>\nThe document has\ - \ moved\n<A HREF="http://www.google.com/%5C%22%3Ehere</A>.\r\n</BODY></HTML>\r\n" - code: 301 - headers: - - - Content-Length - - ['219'] - - - X-XSS-Protection - - [1; mode=block] - - - Expires - - ['Wed, 11 Nov 2015 21:40:58 UTC'] - - - Server - - [gws] - - - Connection - - [close] - - - Location - - ['http://www.google.com/'] - - - Cache-Control - - ['public, max-age=2592000'] - - - Date - - ['Mon, 12 Oct 2015 21:40:58 UTC'] - - - X-Frame-Options - - [SAMEORIGIN] - - - Content-Type - - [text/html; charset=UTF-8] -socksproxy: 127.0.0.1:1080 -test_runtime: 7.373162031173706 -test_start_time: 1444686052.0 -... -``` - -## Expected Post-processing efforts - -# Privacy considerations - -Psiphon does not seek to provide anonymity. -An adversary can observe that a user is connecting to Psiphon servers. -Psiphon servers can also determine the users location. - -# Packet capture considerations - -This test does not capture packets by default. diff --git a/test-specs/ts-015-openvpn.md b/test-specs/ts-015-openvpn.md deleted file mode 100644 index 84ed367..0000000 --- a/test-specs/ts-015-openvpn.md +++ /dev/null 
@@ -1,218 +0,0 @@ -# Specification version number - -2015-10-11-000 - -# Specification name - -OpenVPN Test - -# Test preconditions - -Have OpenVPN installed and configured to work with at least one server and privileges to run the test as root. - -# Expected impact - -Ability to measure whether OpenVPN is working from the given network vantage point. - -# Expected inputs - -A single URL to fetch, supplied by command line argument "--url (-u)". -OpenVPN configuration file, specified by the command line argument "--openvpn-config (-c)" - -# Test description - -This test first launches OpenVPN and parses output to determine if it has bootstrapped. After bootstrap, it fetches the URL specified by the --url argument using OpenVPN. - -The specific string used to determine bootstrap from OpenVPN output in version -"0.0.1" is "Initialization Sequence Completed" from standard output. - -# Expected output - -## Parent data format - -None. - -## Required output data - -success: -**boolean** The bootstrap status of OpenVPN (success or failure). - -OpenVPN_linux --headless: -**dictionary** the parent key of OpenVPNs output that contains the keys stdout and stderr - -stdout: -**string** Output produced by OpenVPNs standard output. - -stderr: -**string** Error produced by OpenVPNs standard error. - -body: -**string** The page body of a successful HTTP request. - -failure: -**string** If failure, then the corresponding failure message. - -## Data specification version number - -## Semantics - -'success' - True or False - whether OpenVPN has bootstrapped. -'body' - http page body if successfully requested. -'failure' - optional, present if there is a failure. -'l/usr/sbin/openvpn --config configfile': - 'stdout' - Contents of standard output produced by OpenVPN. - 'stderr' - Contents of standard error produced by OpenVPN. - -## Possible conclusions - -We can determine whether or not OpenVPN is able to bootstrap, according to its output. 
-We can determine whether or not a given URL is reachable via OpenVPN. - -## Example output sample -``` ---- -input_hashes: [] -options: [-c, openvpnconfigfile.ovpn, -u, ''] -probe_asn: AS0 -probe_cc: ZZ -probe_city: null -probe_ip: 127.0.0.1 -report_id: nqvK7YrK6J5Di7BiWDwPUBfyKcbLoVWeU4DgnxTzzKWMQABvhC2l3q6aLUwF0CA9 -software_name: ooniprobe -software_version: 1.3.1 -start_time: 1444925440.0 -test_helpers: {} -test_name: test_openvpn_circumvent -test_version: 0.0.1 -... ---- -/usr/sbin/openvpn --config /pathtoopenvpnconfigfile/openvpnconfigfile.ovpn: { - exit_reason: process_done, stderr: '', stdout: 'Thu Oct 15 20:10:40 2015 OpenVPN - 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] - [IPv6] built on Dec 1 2014 - - Thu Oct 15 20:10:40 2015 WARNING: file ''/tmp/openvpn.txt'' is group or others - accessible - - Thu Oct 15 20:10:40 2015 Control Channel Authentication: tls-auth using INLINE - static key file - - Thu Oct 15 20:10:40 2015 Attempting to establish TCP connection with [AF_INET]10.0.0.10:993 - [nonblock] - - Thu Oct 15 20:10:41 2015 TCP connection established with [AF_INET]10.0.0.10:993 - - Thu Oct 15 20:10:41 2015 TCPv4_CLIENT link local: [undef] - - Thu Oct 15 20:10:41 2015 TCPv4_CLIENT link remote: [AF_INET]10.0.0.10:993 - - Thu Oct 15 20:10:41 2015 WARNING: this configuration may cache passwords in memory - -- use the auth-nocache option to prevent this - - Thu Oct 15 20:10:46 2015 [server] Peer Connection Initiated with [AF_INET]10.0.0.10:993 - - Thu Oct 15 20:10:48 2015 Options error: Unrecognized option or missing parameter(s) - in [PUSH-OPTIONS]:3: dhcp (2.3.2) - - Thu Oct 15 20:10:48 2015 TUN/TAP device tun0 opened - - Thu Oct 15 20:10:48 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 - - Thu Oct 15 20:10:48 2015 /sbin/ip link set dev tun0 up mtu 1500 - - Thu Oct 15 20:10:48 2015 /sbin/ip addr add dev tun0 local 10.10.0.34 peer 10.10.0.33 - - Thu Oct 15 20:10:48 2015 Initialization Sequence Completed - 
- '} -body: "<?xml version=\"1.0\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"\ - \n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html xmlns="http://www.w3.org/1999/xhtml%5C%22%5C - >\n<head>\n<meta http-equiv="Content-Type" content="text/html;charset=utf-8"\ - \ />\n<title>This is a Tor Exit Router</title>\n\n<!--\n\nThis notice is intended\ - \ to be placed on a virtual host for a domain that\nyour Tor exit node IP reverse\ - \ resolves to so that people who may be about\nto file an abuse complaint would\ - \ check it first before bothering you or\nyour ISP. Ex:\nhttp://tor-exit.yourdomain.org\ - \ or http://tor-readme.yourdomain.org.\n\nThis type of setup has proven very effective\ - \ at reducing abuse complaints\nfor exit node operators.\n\nThere are a few places\ - \ in this document that you may want to customize.\nThey are marked with FIXME.\n\ - \n-->\n\n</head>\n<body>\n\n<p style="text-align:center; font-size:xx-large; font-weight:bold"\ - >This is a\nTor Exit Router</p>\n\n<p>\nMost likely you are accessing this website\ - \ because you had some issue with\nthe traffic coming from this IP. This router\ - \ is part of the <a\nhref="https://www.torproject.org/%5C%22%3ETor Anonymity Network</a>,\ - \ which is\ndedicated to <a href="https://www.torproject.org/about/overview%5C%22%3Eproviding%5Cn%5C - privacy</a> to people who need it most: average computer users. 
This\nrouter IP\ - \ should be generating no other traffic, unless it has been\ncompromised.</p>\n\n\ - <p style="text-align:center">\n<a href="https://www.torproject.org/about/overview%5C%22%5C - >\n<img src="how_tor_works_thumb.png" alt="How Tor works" style="border-style:none"\ - />\n</a></p>\n\n<p>\nTor sees use by <a href="https://www.torproject.org/about/torusers%5C%22%5C - >many\nimportant segments of the population</a>, including whistle blowers,\njournalists,\ - \ Chinese dissidents skirting the Great Firewall and oppressive\ncensorship, abuse\ - \ victims, stalker targets, the US military, and law\nenforcement, just to name\ - \ a few. While Tor is not designed for malicious\ncomputer users, it is true that\ - \ they can use the network for malicious ends.\nIn reality however, the actual amount\ - \ of <a\nhref="https://www.torproject.org/docs/faq-abuse%5C%22%3Eabuse</a> is quite low.\ - \ This\nis largely because criminals and hackers have significantly better access\ - \ to\nprivacy and anonymity than do the regular users whom they prey upon. Criminals\n\ - can and do <a\nhref="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_tools.html... - >build,\nsell, and trade</a> far larger and <a\nhref="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_distributi... - >more\npowerful networks</a> than Tor on a daily basis. Thus, in the mind of this\n\ - operator, the social need for easily accessible censorship-resistant private,\n\ - anonymous communication trumps the risk of unskilled bad actors, who are\nalmost\ - \ always more easily uncovered by traditional police work than by\nextensive monitoring\ - \ and surveillance anyway.</p>\n\n<p>\nIn terms of applicable law, the best way\ - \ to understand Tor is to consider it a\nnetwork of routers operating as common\ - \ carriers, much like the Internet\nbackbone. 
However, unlike the Internet backbone\ - \ routers, Tor routers\nexplicitly do not contain identifiable routing information\ - \ about the source of\na packet, and no single Tor node can determine both the origin\ - \ and destination\nof a given transmission.</p>\n\n<p>\nAs such, there is little\ - \ the operator of this router can do to help you track\nthe connection further.\ - \ This router maintains no logs of any of the Tor\ntraffic, so there is little that\ - \ can be done to trace either legitimate or\nillegitimate traffic (or to filter\ - \ one from the other). Attempts to\nseize this router will accomplish nothing.</p>\n\ - \n<!-- FIXME: May or may not be US-only. Some non-US tor nodes have in\n fact\ - \ reported DMCA harassment... -->\n\n<p>\nIf you are a representative of a company\ - \ who feels that this router is being\nused to violate the DMCA, please be aware\ - \ that this machine does not host or\ncontain any illegal content. Also be aware\ - \ that network infrastructure\nmaintainers are not liable for the type of content\ - \ that passes over their\nequipment, in accordance with <a\nhref="http://www.law.cornell.edu/uscode/text/17/512%5C%22%5C - >DMCA\n"safe harbor" provisions</a>. In other words, you will have just as much\ - \ luck\nsending a takedown notice to the Internet backbone providers. 
Please consult\n\ - <a href="https://www.torproject.org/eff/tor-dmca-response%5C%22%3EEFF%27s prepared\nresponse</a>\ - \ for more information on this matter.</p>\n\n<p>For more information, please consult\ - \ the following documentation:</p>\n\n<ol>\n<li><a href="https://www.torproject.org/about/overview%5C%22%5C - >Tor Overview</a></li>\n<li><a href="https://www.torproject.org/docs/faq-abuse%5C%22%5C - >Tor Abuse FAQ</a></li>\n<li><a href="https://www.torproject.org/eff/tor-legal-faq%5C%22%5C - >Tor Legal FAQ</a></li>\n</ol>\n\n<p>\nThat being said, if you still have a complaint\ - \ about the router, you may\nemail the <a href="mailto:tor@openvpnconfigfile.ie">maintainer</a>.\ - \ If\ncomplaints are related to a particular service that is being abused, I will\n\ - consider removing that service from my exit policy, which would prevent my\nrouter\ - \ from allowing that traffic to exit through it. I can only do this on an\nIP+destination\ - \ port basis, however. Common P2P ports are\nalready blocked.</p>\n\n<p>\nYou also\ - \ have the option of blocking this IP address and others on\nthe Tor network if\ - \ you so desire. The Tor project provides a <a\nhref="https://check.torproject.org/cgi-bin/TorBulkExitList.py%5C%22%5C - >web service</a>\nto fetch a list of all IP addresses of Tor exit nodes that allow\ - \ exiting to a\nspecified IP:port combination, and an official <a\nhref="https://www.torproject.org/tordnsel/dist/%5C%22%5C - >DNSRBL</a> is also available to\ndetermine if a given IP address is actually a\ - \ Tor exit server. Please\nbe considerate\nwhen using these options. 
It would be\ - \ unfortunate to deny all Tor users access\nto your site indefinitely simply because\ - \ of a few bad apples.</p>\n\n<p style="text-align:center; margin-bottom: 0.5em"\ - >Exit Node provided by:<p>\n<h2 style="text-align: center"><a style="color: black"\ - \ href="http://www.openvpnconfigfile.ie%5C%22%3EDU Pirate Party</a><h2>\n\n</body>\n</html>\n" -input: null -success: true -test_runtime: 8.374207019805908 -test_start_time: 1444925440.0 -... -``` - -## Expected Post-processing efforts - -# Privacy considerations - -OpenVPN does not seek to provide anonymity. -An adversary can observe that a user is connecting to OpenVPN servers. -OpenVPN servers can also determine the users location. - -# Packet capture considerations - -This test does not capture packets by default. diff --git a/test-specs/ts-015-psiphon.md b/test-specs/ts-015-psiphon.md new file mode 100644 index 0000000..799fc21 --- /dev/null +++ b/test-specs/ts-015-psiphon.md 
@@ -0,0 +1,148 @@
+# Specification version number
+
+2015-10-11-000
+
+# Specification name
+
+Psiphon Test
+
+# Test preconditions
+
+Have psiphon-circumvention-system (including psiphon-circumvention-system/pyclient/psi_client.py) cloned in the home of the user that runs ooni or somewhere else accessible to the user that runs ooni.
+
+# Expected impact
+
+Ability to measure whether Psiphon is working from the given network vantage point.
+
+# Expected inputs
+
+Optionally:
+A single URL to fetch, supplied by command line argument "--url (-u)".
+Psiphon path, specified by the command line argument "--psiphonpath (-p)"
+The ip:port that Psiphon will use for the SOCKS proxy, with the command line argument "--socksproxy (-s)"
+
+# Test description
+
+This test first check that the Psiphon path exists, then launches Psiphon and parses output to determine if it has bootstrapped. After bootstrap, it fetches google.com (or other URL specified by the --url argument) using Psiphons SOCKS proxy listening on 127.0.0.1:1080 (or otherwise specified by the --socksproxy argument).
+
+The specific string used to determine bootstrap from Psiphon output in version
+"0.0.1" is "Press Ctrl-C to terminate." from standard output.
+
+# Expected output
+
+## Parent data format
+
+The following keys from df-001-httpt.md are used when Psiphon bootstraps: requests, socksproxy, agent.
+When Psiphon is not installed or does not bootstrap, only agent and socksproxy are used.
+
+## Required output data
+
+psiphon_installed:
+**boolean** Whether Psiphon client is found or not (success or failure).
+
+success:
+**boolean** The bootstrap status of Psiphon (success or failure).
+
+/tmp/<temporary file>:
+**dictionary** the parent key of Psiphon's output that contains the keys stdout and stderr and exit_reason
+
+stdout:
+**string** Output produced by Psiphon's standard output.
+
+stderr:
+**string** Error produced by Psiphon's standard error.
+
+## Data specification version number
+
+## Semantics
+
+```
+'psiphon_installed' - True or False - whether Psiphon is found.
+'success' - True or False - whether Psiphon has bootstrapped.
+'body' - http page body if successfully requested.
+'/tmp/<temporary file>':
+ 'stdout' - Contents of standard output produced by Psiphon.
+ 'stderr' - Contents of standard error produced by Psiphon.
+```
+
+
+## Possible conclusions
+
+We can determine whether or not Psiphon is found.
+We can determine whether or not Psiphon is able to bootstrap, according to its output.
+We can determine whether or not a given URL is reachable via Psiphon.
+
+## Example output sample
+```
+---
+input_hashes: []
+options: [-u, google.com]
+probe_asn: AS0
+probe_cc: ZZ
+probe_city: null
+probe_ip: 127.0.0.1
+report_id: 4dAHr0ceNDBmw5lUQ7pBoxqgyUSfP873Qj1zv5VyElnSSTXwcsLYeCv69DsUjb94
+software_name: ooniprobe
+software_version: 1.3.1
+start_time: 1444686051.0
+test_helpers: {}
+test_name: psiphon_test
+test_version: 0.0.1
+...
+---
+/tmp/tmplKg8K3: {exit_reason: process_done, stderr: '', stdout: "./ssh is not a valid\
+ \ executable. Using standard ssh.\r\n\r\nYour SOCKS proxy is now running at 127.0.0.1:1080\r\
+ \n\r\nPress Ctrl-C to terminate.\r\nTerminating...\r\nConnection closed\r\n"}
+agent: agent
+input: null
+psiphon_installed: true
+requests:
+- request:
+ body: null
+ headers: []
+ method: GET
+ tor: {is_tor: false}
+ url: http://google.com
+ response:
+ body: "<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"\
+ >\n<TITLE>301 Moved</TITLE></HEAD><BODY>\n<H1>301 Moved</H1>\nThe document has\
+ \ moved\n<A HREF="http://www.google.com/%5C%22%3Ehere</A>.\r\n</BODY></HTML>\r\n"
+ code: 301
+ headers:
+ - - Content-Length
+ - ['219']
+ - - X-XSS-Protection
+ - [1; mode=block]
+ - - Expires
+ - ['Wed, 11 Nov 2015 21:40:58 UTC']
+ - - Server
+ - [gws]
+ - - Connection
+ - [close]
+ - - Location
+ - ['http://www.google.com/']
+ - - Cache-Control
+ - ['public, max-age=2592000']
+ - - Date
+ - ['Mon, 12 Oct 2015 21:40:58 UTC']
+ - - X-Frame-Options
+ - [SAMEORIGIN]
+ - - Content-Type
+ - [text/html; charset=UTF-8]
+socksproxy: 127.0.0.1:1080
+test_runtime: 7.373162031173706
+test_start_time: 1444686052.0
+...
+```
+
+## Expected Post-processing efforts
+
+# Privacy considerations
+
+Psiphon does not seek to provide anonymity.
+An adversary can observe that a user is connecting to Psiphon servers.
+Psiphon servers can also determine the users location.
+
+# Packet capture considerations
+
+This test does not capture packets by default.
diff --git a/test-specs/ts-016-openvpn.md b/test-specs/ts-016-openvpn.md
new file mode 100644
index 0000000..0346f4a
--- /dev/null
+++ b/test-specs/ts-016-openvpn.md
@@ -0,0 +1,220 @@
+# Specification version number
+
+2015-10-11-000
+
+# Specification name
+
+OpenVPN Test
+
+# Test preconditions
+
+Have OpenVPN installed and configured to work with at least one server and privileges to run the test as root.
+
+# Expected impact
+
+Ability to measure whether OpenVPN is working from the given network vantage point.
+
+# Expected inputs
+
+A single URL to fetch, supplied by command line argument "--url (-u)".
+OpenVPN configuration file, specified by the command line argument "--openvpn-config (-c)"
+
+# Test description
+
+This test first launches OpenVPN and parses output to determine if it has bootstrapped. After bootstrap, it fetches the URL specified by the --url argument using OpenVPN.
+
+The specific string used to determine bootstrap from OpenVPN output in version
+"0.0.1" is "Initialization Sequence Completed" from standard output.
+
+# Expected output
+
+## Parent data format
+
+None.
+
+## Required output data
+
+success:
+**boolean** The bootstrap status of OpenVPN (success or failure).
+
+OpenVPN_linux --headless:
+**dictionary** the parent key of OpenVPNs output that contains the keys stdout and stderr
+
+stdout:
+**string** Output produced by OpenVPNs standard output.
+
+stderr:
+**string** Error produced by OpenVPNs standard error.
+
+body:
+**string** The page body of a successful HTTP request.
+
+failure:
+**string** If failure, then the corresponding failure message.
+
+## Data specification version number
+
+## Semantics
+
+```
+'success' - True or False - whether OpenVPN has bootstrapped.
+'body' - http page body if successfully requested.
+'failure' - optional, present if there is a failure.
+'l/usr/sbin/openvpn --config configfile':
+ 'stdout' - Contents of standard output produced by OpenVPN.
+ 'stderr' - Contents of standard error produced by OpenVPN.
+```
+
+## Possible conclusions
+
+We can determine whether or not OpenVPN is able to bootstrap, according to its output.
+We can determine whether or not a given URL is reachable via OpenVPN.
+
+## Example output sample
+```
+---
+input_hashes: []
+options: [-c, openvpnconfigfile.ovpn, -u, '']
+probe_asn: AS0
+probe_cc: ZZ
+probe_city: null
+probe_ip: 127.0.0.1
+report_id: nqvK7YrK6J5Di7BiWDwPUBfyKcbLoVWeU4DgnxTzzKWMQABvhC2l3q6aLUwF0CA9
+software_name: ooniprobe
+software_version: 1.3.1
+start_time: 1444925440.0
+test_helpers: {}
+test_name: test_openvpn_circumvent
+test_version: 0.0.1
+...
+---
+/usr/sbin/openvpn --config /pathtoopenvpnconfigfile/openvpnconfigfile.ovpn: {
+ exit_reason: process_done, stderr: '', stdout: 'Thu Oct 15 20:10:40 2015 OpenVPN
+ 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH]
+ [IPv6] built on Dec 1 2014
+
+ Thu Oct 15 20:10:40 2015 WARNING: file ''/tmp/openvpn.txt'' is group or others
+ accessible
+
+ Thu Oct 15 20:10:40 2015 Control Channel Authentication: tls-auth using INLINE
+ static key file
+
+ Thu Oct 15 20:10:40 2015 Attempting to establish TCP connection with [AF_INET]10.0.0.10:993
+ [nonblock]
+
+ Thu Oct 15 20:10:41 2015 TCP connection established with [AF_INET]10.0.0.10:993
+
+ Thu Oct 15 20:10:41 2015 TCPv4_CLIENT link local: [undef]
+
+ Thu Oct 15 20:10:41 2015 TCPv4_CLIENT link remote: [AF_INET]10.0.0.10:993
+
+ Thu Oct 15 20:10:41 2015 WARNING: this configuration may cache passwords in memory
+ -- use the auth-nocache option to prevent this
+
+ Thu Oct 15 20:10:46 2015 [server] Peer Connection Initiated with [AF_INET]10.0.0.10:993
+
+ Thu Oct 15 20:10:48 2015 Options error: Unrecognized option or missing parameter(s)
+ in [PUSH-OPTIONS]:3: dhcp (2.3.2)
+
+ Thu Oct 15 20:10:48 2015 TUN/TAP device tun0 opened
+
+ Thu Oct 15 20:10:48 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
+
+ Thu Oct 15 20:10:48 2015 /sbin/ip link set dev tun0 up mtu 1500
+
+ Thu Oct 15 20:10:48 2015 /sbin/ip addr add dev tun0 local 10.10.0.34 peer 10.10.0.33
+
+ Thu Oct 15 20:10:48 2015 Initialization Sequence Completed
+
+
+ '}
+body: "<?xml version=\"1.0\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"\
+ \n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html xmlns="http://www.w3.org/1999/xhtml%5C%22%5C
+ >\n<head>\n<meta http-equiv="Content-Type" content="text/html;charset=utf-8"\
+ \ />\n<title>This is a Tor Exit Router</title>\n\n<!--\n\nThis notice is intended\
+ \ to be placed on a virtual host for a domain that\nyour Tor exit node IP reverse\
+ \ resolves to so that people who may be about\nto file an abuse complaint would\
+ \ check it first before bothering you or\nyour ISP. Ex:\nhttp://tor-exit.yourdomain.org\
+ \ or http://tor-readme.yourdomain.org.\n\nThis type of setup has proven very effective\
+ \ at reducing abuse complaints\nfor exit node operators.\n\nThere are a few places\
+ \ in this document that you may want to customize.\nThey are marked with FIXME.\n\
+ \n-->\n\n</head>\n<body>\n\n<p style="text-align:center; font-size:xx-large; font-weight:bold"\
+ >This is a\nTor Exit Router</p>\n\n<p>\nMost likely you are accessing this website\
+ \ because you had some issue with\nthe traffic coming from this IP. This router\
+ \ is part of the <a\nhref="https://www.torproject.org/%5C%22%3ETor Anonymity Network</a>,\
+ \ which is\ndedicated to <a href="https://www.torproject.org/about/overview%5C%22%3Eproviding%5Cn%5C
+ privacy</a> to people who need it most: average computer users. This\nrouter IP\
+ \ should be generating no other traffic, unless it has been\ncompromised.</p>\n\n\
+ <p style="text-align:center">\n<a href="https://www.torproject.org/about/overview%5C%22%5C
+ >\n<img src="how_tor_works_thumb.png" alt="How Tor works" style="border-style:none"\
+ />\n</a></p>\n\n<p>\nTor sees use by <a href="https://www.torproject.org/about/torusers%5C%22%5C
+ >many\nimportant segments of the population</a>, including whistle blowers,\njournalists,\
+ \ Chinese dissidents skirting the Great Firewall and oppressive\ncensorship, abuse\
+ \ victims, stalker targets, the US military, and law\nenforcement, just to name\
+ \ a few. While Tor is not designed for malicious\ncomputer users, it is true that\
+ \ they can use the network for malicious ends.\nIn reality however, the actual amount\
+ \ of <a\nhref="https://www.torproject.org/docs/faq-abuse%5C%22%3Eabuse</a> is quite low.\
+ \ This\nis largely because criminals and hackers have significantly better access\
+ \ to\nprivacy and anonymity than do the regular users whom they prey upon. Criminals\n\
+ can and do <a\nhref="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_tools.html...
+ >build,\nsell, and trade</a> far larger and <a\nhref="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_distributi...
+ >more\npowerful networks</a> than Tor on a daily basis. Thus, in the mind of this\n\
+ operator, the social need for easily accessible censorship-resistant private,\n\
+ anonymous communication trumps the risk of unskilled bad actors, who are\nalmost\
+ \ always more easily uncovered by traditional police work than by\nextensive monitoring\
+ \ and surveillance anyway.</p>\n\n<p>\nIn terms of applicable law, the best way\
+ \ to understand Tor is to consider it a\nnetwork of routers operating as common\
+ \ carriers, much like the Internet\nbackbone. However, unlike the Internet backbone\
+ \ routers, Tor routers\nexplicitly do not contain identifiable routing information\
+ \ about the source of\na packet, and no single Tor node can determine both the origin\
+ \ and destination\nof a given transmission.</p>\n\n<p>\nAs such, there is little\
+ \ the operator of this router can do to help you track\nthe connection further.\
+ \ This router maintains no logs of any of the Tor\ntraffic, so there is little that\
+ \ can be done to trace either legitimate or\nillegitimate traffic (or to filter\
+ \ one from the other). Attempts to\nseize this router will accomplish nothing.</p>\n\
+ \n<!-- FIXME: May or may not be US-only. Some non-US tor nodes have in\n fact\
+ \ reported DMCA harassment... -->\n\n<p>\nIf you are a representative of a company\
+ \ who feels that this router is being\nused to violate the DMCA, please be aware\
+ \ that this machine does not host or\ncontain any illegal content. Also be aware\
+ \ that network infrastructure\nmaintainers are not liable for the type of content\
+ \ that passes over their\nequipment, in accordance with <a\nhref="http://www.law.cornell.edu/uscode/text/17/512%5C%22%5C
+ >DMCA\n"safe harbor" provisions</a>. In other words, you will have just as much\
+ \ luck\nsending a takedown notice to the Internet backbone providers. Please consult\n\
+ <a href="https://www.torproject.org/eff/tor-dmca-response%5C%22%3EEFF%27s prepared\nresponse</a>\
+ \ for more information on this matter.</p>\n\n<p>For more information, please consult\
+ \ the following documentation:</p>\n\n<ol>\n<li><a href="https://www.torproject.org/about/overview%5C%22%5C
+ >Tor Overview</a></li>\n<li><a href="https://www.torproject.org/docs/faq-abuse%5C%22%5C
+ >Tor Abuse FAQ</a></li>\n<li><a href="https://www.torproject.org/eff/tor-legal-faq%5C%22%5C
+ >Tor Legal FAQ</a></li>\n</ol>\n\n<p>\nThat being said, if you still have a complaint\
+ \ about the router, you may\nemail the <a href="mailto:tor@openvpnconfigfile.ie">maintainer</a>.\
+ \ If\ncomplaints are related to a particular service that is being abused, I will\n\
+ consider removing that service from my exit policy, which would prevent my\nrouter\
+ \ from allowing that traffic to exit through it. I can only do this on an\nIP+destination\
+ \ port basis, however. Common P2P ports are\nalready blocked.</p>\n\n<p>\nYou also\
+ \ have the option of blocking this IP address and others on\nthe Tor network if\
+ \ you so desire. The Tor project provides a <a\nhref="https://check.torproject.org/cgi-bin/TorBulkExitList.py%5C%22%5C
+ >web service</a>\nto fetch a list of all IP addresses of Tor exit nodes that allow\
+ \ exiting to a\nspecified IP:port combination, and an official <a\nhref="https://www.torproject.org/tordnsel/dist/%5C%22%5C
+ >DNSRBL</a> is also available to\ndetermine if a given IP address is actually a\
+ \ Tor exit server. Please\nbe considerate\nwhen using these options. It would be\
+ \ unfortunate to deny all Tor users access\nto your site indefinitely simply because\
+ \ of a few bad apples.</p>\n\n<p style="text-align:center; margin-bottom: 0.5em"\
+ >Exit Node provided by:<p>\n<h2 style="text-align: center"><a style="color: black"\
+ \ href="http://www.openvpnconfigfile.ie%5C%22%3EDU Pirate Party</a><h2>\n\n</body>\n</html>\n"
+input: null
+success: true
+test_runtime: 8.374207019805908
+test_start_time: 1444925440.0
+...
+```
+
+## Expected Post-processing efforts
+
+# Privacy considerations
+
+OpenVPN does not seek to provide anonymity.
+An adversary can observe that a user is connecting to OpenVPN servers.
+OpenVPN servers can also determine the users location.
+
+# Packet capture considerations
+
+This test does not capture packets by default.