On Tue, Apr 23, 2013 at 5:01 PM, Jacob Appelbaum jacob@appelbaum.net wrote:
Hi,
I was thinking of a useful service that will invite everyone to visit it. In an ideal world, we could offer it as a badge to be included on websites as well as just as a normal website.
I like this idea. The image might also say something qualitative about the user's ISP. A simple example would be that ISPs that do not filter/interfere get a green badge, and those that do get varying shades of red.
Basically, I think we should have an HTTP page that reports the user's ip, asn, a traceroute (icmp, tcp, udp), and it should load an image from the same machine offered over HTTPS. We could create a unique reference and if we see split routing, we have a bit of data about likely filtering.
We may even do scanning for keyword filtering with a *.example.com domain certificate. In short, we generate a number of image links for which each domain loads a small image. For every image that does not load, we know that the single difference is the different word in the TLS handshake. We could also offer an image to report an image of their IP address with or without SSL (with or without a lock icon). This would allow people to add an image for a web survey of sorts, if they wanted to help us with our coverage.
Can this technique be used to tell if Tor is being blocked by fingerprinting TLS handshake, without using Tor?
The incentive for a user is that they want to know their IP address and other related information.
I'm not sure that IP/asn information is a big incentive to most Internet users and think we'd need to expand on this idea to get significant traction, but it's a good starting point.
The incentive for us is that it gives us information to help develop a generic method that anyone may deploy on their own website for detecting surveillance of their readers/users/etc. A further incentive is that the data will be very interesting if we log all of the *source* ip addresses, headers (eg: X-Forwarded, X-Via, etc), and so on.
Ideally done in a privacy preserving way.
I'm tempted to run this service on blockfinder.net and back the data with the data from blockfinder/MaxMind and other GeoIP services. If we also ask the user of their country, we might be able to collect information corrections.
If the image or embedded content can function as a simple (single click) survey we can probably come up with a lot of interesting questions.
This will give us a lightweight one to one testing service. This complements the more heavy ooniprobe one to one or one to many service. It also helps us develop the more heavy solutions as we'll have an idea about data we may be missing with the heavy solutions.
Thoughts?
All the best,
Jake
_______________________________________________
ooni-dev mailing list
ooni-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/ooni-dev
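The split-routing check and the per-keyword image comparison proposed in this thread can be evaluated server-side from the access log. The sketch below is an added example, not code from the thread or from OONI. The record shape `(ref, scheme, host, src_ip)`, the `control` label, the keyword labels and the sample records are all constructed assumptions.

```python
from collections import defaultdict

BASE = "example.com"   # wildcard-certificate domain named in the thread
CONTROL = "control"    # assumed neutral label: shows HTTPS images load at all

def analyze(records, keywords):
    """records: iterable of (ref, scheme, host, src_ip), scheme is http or https.
    Returns {ref: {"split_routing", "status", "not_loaded"}} per unique reference."""
    sessions = defaultdict(lambda: {"http": set(), "https": set(), "hosts": set()})
    for ref, scheme, host, src_ip in records:
        s = sessions[ref]
        s[scheme].add(src_ip)
        if scheme == "https" and host.endswith("." + BASE):
            s["hosts"].add(host[: -len(BASE) - 1])  # keep only the keyword label
    report = {}
    for ref, s in sessions.items():
        # Different source addresses for HTTP and HTTPS hint at a proxy on one path.
        split = bool(s["http"] and s["https"] and s["http"] != s["https"])
        if CONTROL not in s["hosts"]:
            # Without the control image, a missing keyword image proves nothing.
            status, missing = "inconclusive", []
        else:
            missing = sorted(w for w in keywords if w not in s["hosts"])
            status = "possible-sni-filtering" if missing else "clean"
        report[ref] = {"split_routing": split, "status": status, "not_loaded": missing}
    return report

# Constructed sample log (documentation address ranges, placeholder keywords).
KEYWORDS = ["alpha", "beta"]
SAMPLE = [
    ("r1", "http", "www.example.com", "192.0.2.10"),
    ("r1", "https", "control.example.com", "192.0.2.10"),
    ("r1", "https", "alpha.example.com", "192.0.2.10"),
    ("r1", "https", "beta.example.com", "192.0.2.10"),
    ("r2", "http", "www.example.com", "198.51.100.7"),
    ("r2", "https", "control.example.com", "203.0.113.5"),
    ("r2", "https", "alpha.example.com", "203.0.113.5"),
    ("r3", "http", "www.example.com", "192.0.2.99"),
]

if __name__ == "__main__":
    for ref, result in sorted(analyze(SAMPLE, KEYWORDS).items()):
        print(ref, result)
```

A keyword image that never loads is only a hint: a closed tab or an image blocker produces the same log pattern, so results are worth aggregating per ASN before drawing conclusions.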