On Tue, Apr 23, 2013 at 5:01 PM, Jacob Appelbaum <jacob@appelbaum.net> wrote:
Hi,

I was thinking of a useful service that will invite everyone to visit
it. In an ideal world, we could offer it as a badge to be included on
websites as well as just as a normal website.
 
I like this idea. The image might also say something qualitative about the users ISP. A simple example would be that ISPs that do not filter/interfere get a green badge, and those that do get varying shades of red.


Basically, I think we should have an HTTP page that reports the user's
ip, asn, a traceroute (icmp, tcp, udp), and it should load an image from
the same machine offered over HTTPS. We could create a unique reference
and if we see split routing, we have a bit of data about likely filtering.

We may even do scanning for key word filtering with a *.example.com
domain certificate. In short, we generate a number of image links for
which each domain load a small image. For every image that does not
load, we know that the single difference is the different word in the
TLS handshake. We could also offer an image to report an image of their
ip address with or without ssl (with or with a lock icon). This would
allow people to add an image for a web survey of sorts, if they wanted
to help us with our coverage.
 
Can this technique be used to tell if Tor is being blocked by fingerprinting TLS handshake, without using Tor?


The incentive for a user is that they want to know their IP address and
other related information.

I'm not sure that IP/asn information is a big incentive to most Internet users and think we'd need to expand on this idea to get significant traction, but it's a good starting point.
 
The incentive for us is that it gives us
information to help develop a generic method that anyone may deploy on
their own website for detecting surveillance of their readers/users/etc.
A further incentive is that the data will be very interesting if we log
all of the *source* ip addresses, headers (eg: X-Forwarded, X-Via, etc),
and so on.

Ideally done in a privacy preserving way.


I'm tempted to run this service on blockfinder.net and back the data
with the data from blockfinder/MaxMind and other GeoIP services. If we
also ask the user of their country, we might be able to collect
information corrections.

If the image or embedded content can function as a simple (single click) survey we can probably come up with a lot of interesting questions.
 

This will give us a light weight one to one testing service This
complements the more heavy ooniprobe one to one or one to many service.
It also helps us develop the more heavy solutions as we'll have an idea
about data we may be missing with the heavy solutions.

Thoughts?

All the best,
Jake
_______________________________________________
ooni-dev mailing list
ooni-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/ooni-d