On Wed, 7 Jan 2015 18:25:24 +0200 Aleksejs Popovs popoffka@gmail.com wrote:
I have completed a few more manual tests.
First of all, I remembered that in the early days of this law's implementation Lattelecom were using DNS spoofing. I decided to check if this was still the case (https://popovs.lv/crap/ooni/nslookup.txt), and it wasn't.
Then, I checked whether I can connect to port 80 on the IPs of banned websites and issue a request with a Host header unrelated to that website. It seems to have worked (https://popovs.lv/crap/ooni/plain_fake_host.txt), as the request was passed to the actual server (which seems to be configured to answer all requests on port 80 with a redirect to the same Host via HTTPS). Sending a request with "Host: unibet.net" still returns the censorship page.
Now, I decided to use openssl's s_client (basically nc through TLS) to check out what was happening with HTTPS. This test (https://popovs.lv/crap/ooni/s_client.txt) was weird, because its results were inconsistent with what I saw in my browser (no response was served to me at all) — I am not sure how to explain that. By the way, when I visit the censorship page in my browser, Chromium, it fails to display response headers (https://popovs.lv/crap/ooni/chrome_https.png — the panel in the bottom should normally display both request and response headers), so, whenever this thing works in my browser, it fails to serve headers just like its HTTP counterpart.
Also interesting is the HTTPS cert they're using, which you can find in the log. It is issued by Fortinet, an American company that's apparently known for this sort of thing, and the issuer's CN (FGT1KC3913801932) looks like a serial number.
I will try running some other ooniprobe-based tests later.
Do they MITM connections to any cloud providers such as Amazon, CloudFlare, Google, etc?
I wrote a simple OONI test for fetching TLS certificate chains of resources specified in an input list. https://github.com/TheTorProject/ooni-probe/tree/feature/tls_certificates
There are quite a few issues with using the OpenSSL bindings, as many methods (e.g. to learn the negotiated cipher suite) are non-functional.
It would probably be interesting to see which other Python TLS implementations exist that could better mimic the handshake of various applications (or write an OONI test that passively sniffs observed certificate chains off the wire).
--Aaron
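
The Host-header check described in the first message, as an added Python example (not code from the thread or from ooni-probe): it sends the same request to one IP with two different Host values and compares the replies. The function names and sample replies are constructed for illustration, and treating a reply with no status line as the block page is an assumption based on the message's report of missing response headers.

```python
import socket

def build_request(host, path="/"):
    """Minimal HTTP/1.1 GET with an explicit Host header."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def fetch(ip, host, port=80, timeout=10):
    """Send the request to a fixed IP so that only the Host header varies."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def parse_response(raw):
    """Return (status, headers, body). status is None when the reply has
    no HTTP status line (assumed here to be the block-page signature)."""
    if not raw.startswith(b"HTTP/"):
        return None, {}, raw
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(blocked_raw, unrelated_raw):
    """Compare two replies from the same IP that differ only in Host."""
    b, u = parse_response(blocked_raw), parse_response(unrelated_raw)
    if b == u:
        return "host-independent"   # Host header made no difference
    if b[0] is None and u[0] is not None:
        return "host-keyed"         # header-less reply only for blocked Host
    return "differs"                # e.g. origin echoes Host; review by hand

# Constructed sample replies (not captures from the logs linked above).
ORIGIN = (b"HTTP/1.1 301 Moved Permanently\r\n"
          b"Location: https://example.org/\r\n\r\n")
BLOCK = b"<html><body>blocked (constructed)</body></html>"
```

On a live measurement, `classify(fetch(ip, blocked_host), fetch(ip, unrelated_host))` gives the same verdict for a pair of real replies.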