[ooni-dev] Ooniprobe in Latvia

Aleksejs Popovs popoffka at gmail.com
Wed Jan 7 16:25:24 UTC 2015


I have completed a few more manual tests.

First of all, I remembered that in the early days of this law's
implementation Lattelecom were using DNS spoofing. I decided to check
if this was still the case (https://popovs.lv/crap/ooni/nslookup.txt),
and it wasn't.

Then, I checked whether I could connect to port 80 on the IPs of banned
websites and issue a request with a Host header unrelated to that
website. It seems to have worked
(https://popovs.lv/crap/ooni/plain_fake_host.txt), as the request was
passed to the actual server (which seems to be configured to answer
all requests on port 80 with a redirect to the same Host via HTTPS).
Sending a request with "Host: unibet.net" still returns the censorship
page.

Now, I decided to use openssl's s_client (basically nc through TLS) to
check out what was happening with HTTPS. This test
(https://popovs.lv/crap/ooni/s_client.txt) was weird, because its
results were inconsistent with what I saw in my browser (no response
was served to me at all) — I am not sure how to explain that. By the
way, when I visit the censorship page in my browser, Chromium, it
fails to display response headers
(https://popovs.lv/crap/ooni/chrome_https.png — the panel at the
bottom should normally display both request and response headers), so,
whenever this thing works in my browser, it fails to serve headers
just like its HTTP counterpart.

Also interesting is the HTTPS cert they're using, which you can find
in the log. It is issued by Fortinet, an American company that's
apparently known for this sort of thing, and the issuer's CN
(FGT1KC3913801932) looks like a serial number.

I will try running some other ooniprobe-based tests later.

-- 
Best regards,
Aleksejs Popovs
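
The Host-header test described in the message above, written out as an added example that is not part of the original post or of ooniprobe. It assumes, as the post observed, that the real server answers any port-80 request with a redirect to https://<same Host>; the function names, the control host example.org and both sample replies are constructed for illustration.

```python
"""Interpret a manual Host-header test against one IP (added example).
Assumption from the post: the origin redirects port 80 to https://<same Host>.
"""
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def build_request(host, path="/"):
    """Raw request to send to the IP under test, with the Host of our choice."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")

def parse_response(raw):
    """Return (status, headers, body); status is None for a header-less reply."""
    if not raw.startswith(b"HTTP/"):
        return None, {}, raw  # body sent with no status line or headers
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = status_line.split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return status, headers, body

def reached_origin(raw, host):
    """True if the reply is the origin's redirect to https://<host>."""
    status, headers, _ = parse_response(raw)
    target = urlsplit(headers.get("location", ""))
    return status in REDIRECTS and target.scheme == "https" and target.hostname == host.lower()

def classify(control_raw, control_host, target_raw, target_host):
    """Decide what the filter keys on, given two replies from the same IP."""
    control_ok = reached_origin(control_raw, control_host)
    target_ok = reached_origin(target_raw, target_host)
    if control_ok and target_ok:
        return "no-interference"
    if control_ok:
        return "host-header-filter"      # same IP, only the listed Host is altered
    if not target_ok:
        return "ip-filter-or-unreachable"
    return "inconclusive"

# Constructed sample replies (not the captures linked in the post).
CONTROL = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.org/\r\n\r\n"
BLOCKED = b"<html><body>constructed block page</body></html>"
```

With these samples, `classify(CONTROL, "example.org", BLOCKED, "unibet.net")` returns `"host-header-filter"`, the case reported in the message: the unrelated Host reaches the origin while the listed Host gets a header-less page from the same IP.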

