[ooni-dev] Ooniprobe in Latvia

Aaron Gibson aagbsn at extc.org
Thu Jan 8 14:46:26 UTC 2015


On Wed, 7 Jan 2015 18:25:24 +0200
Aleksejs Popovs <popoffka at gmail.com> wrote:

> I have completed a few more manual tests.
> 
> First of all, I remembered that in the early days of this law's
> implementation Lattelecom were using DNS spoofing. I decided to check
> if this was still the case (https://popovs.lv/crap/ooni/nslookup.txt),
> and it wasn't.
> 
> Then, I checked whether I can connect to port 80 on the IPs of banned
> websites and issue a request with a Host header unrelated to that
> website. It seems to have worked
> (https://popovs.lv/crap/ooni/plain_fake_host.txt), as the request was
> passed to the actual server (which seems to be configured to answer
> all requests on port 80 with a redirect to the same Host via HTTPS).
> Sending a request with "Host: unibet.net" still returns the censorship
> page.
> 
> Now, I decided to use openssl's s_client (basically nc through TLS) to
> check out what was happening with HTTPS. This test
> (https://popovs.lv/crap/ooni/s_client.txt) was weird, because its
> results were inconsistent with what I saw in my browser (no response
> was served to me at all) — I am not sure how to explain that. By the
> way, when I visit the censorship page in my browser, Chromium, it
> fails to display response headers
> (https://popovs.lv/crap/ooni/chrome_https.png — the panel in the
> bottom should normally display both request and response headers), so,
> whenever this thing works in my browser, it fails to serve headers
> just like its HTTP counterpart.
> 
> Also interesting is the HTTPS cert they're using, which you can find
> in the log. It is issued by Fortinet, an American company that's
> apparently known for this sort of thing, and the issuer's CN
> (FGT1KC3913801932) looks like a serial number.
> 
> I will try running some other ooniprobe-based tests later.
> 

Do they MITM connections to any cloud providers such as Amazon,
CloudFlare, Google, etc?

I wrote a simple OONI test for fetching TLS certificate chains of
resources specified in an input list.
https://github.com/TheTorProject/ooni-probe/tree/feature/tls_certificates

There are quite a few issues with using the OpenSSL bindings, as many
methods (e.g. to learn the negotiated cipher suite) are non-functional.

It would probably be interesting to see which other Python TLS
implementations exist that could better mimic the handshake of various
applications (or write an OONI test that passively sniffs
observed certificate chains off the wire).

--Aaron
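
The kind of test described in this message, as an added example that is not part of the original post and is not the code in the linked ooni-probe branch: it fetches the leaf certificate for each host in an input list and compares its SHA-256 fingerprint with one recorded from a control vantage point. The `control` mapping, the status strings and the function names are assumptions made for this sketch.

```python
import hashlib
import socket
import ssl


def fetch_leaf_der(host, port=443, timeout=10.0):
    """Return the DER-encoded leaf certificate presented for `host`.

    Validation is disabled on purpose: a certificate substituted by a
    middlebox would fail validation, and the measurement must record it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def measure(hosts, control, fetch=fetch_leaf_der):
    """Compare each host's certificate with a control fingerprint.

    `control` maps hostname -> fingerprint recorded from a vantage point
    assumed to be unfiltered (hypothetical input, not an OONI format).
    """
    report = []
    for host in hosts:
        entry = {"host": host, "fingerprint": None}
        try:
            der = fetch(host)
        except OSError as exc:          # resets, timeouts, TLS failures
            entry["status"] = "error: %s" % type(exc).__name__
        else:
            if not der:
                entry["status"] = "no_certificate"
            else:
                entry["fingerprint"] = fingerprint(der)
                if host not in control:
                    entry["status"] = "no_control"
                elif entry["fingerprint"] == control[host]:
                    entry["status"] = "match"
                else:
                    entry["status"] = "mismatch"
        report.append(entry)
    return report
```

A `mismatch` is a lead rather than proof of interception, since CDN-hosted sites can serve different certificates from different edges; the issuer of the mismatching certificate is what to inspect next.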

