Hello,
Last week we discovered an ASN-related bug in OONI Probe.
Today we published an Incident Report which shares details about the bug, what we did to fix it, and documents our next steps (as well as measures for limiting the possibility of similar bugs recurring in the future).
You can read our Incident Report here: https://ooni.org/post/2020-ooni-probe-asn-incident-report/
## What you can do
Please update to OONI Probe Mobile 2.7.0 (which fixes the bug): https://ooni.org/install/mobile
If you're an OONI Probe desktop app user and you prefer *not* to share your network ASN, please refrain from running tests until we have released the fix -- hopefully next week (this requires third party action).
If you're a legacy ooniprobe user, please use the OONI Probe Command Line Interface (CLI) instead. Version 3.0.8 contains the bug fix: https://github.com/ooni/probe-cli/releases/tag/v3.0.8
Over the next year, we aim to release OONI Probe Linux packages which would serve as a replacement for legacy ooniprobe.
## The bug in summary
When you run OONI Probe, by default your network ASN (e.g. AS30722 for “Vodafone Italia”) is collected and published, as this information is very important for examining internet censorship (i.e. it's important to know on which network internet censorship is implemented).
Through the OONI Probe apps, you can opt out of ASN collection (and publication) by disabling the "Include Network Info" setting.
The bug is that if you disabled this setting, your network ASN was not published in the OONI Explorer measurement page or in the raw JSON data (where it was displayed as AS0), but it was included in the report ID of those measurements.
During our investigation, we also found that in some cases, the network name (such as "Vodafone Italia") was included in AS0 measurements, and that it may have been possible to retrieve the ASN through the resolver IP (which we previously didn't sanitize because it's useful for measuring DNS consistency).
All of these issues have been fixed in our probe engine, and we have released a fix for OONI Probe Mobile (as mentioned above).
## Affected measurements
Most OONI Probe users were *not* affected by this bug, since roughly 86% of OONI measurements collected from around the world did not disable the collection and publication of network information, which is enabled in the default settings.
According to our analysis, only around 2% of global OONI measurements leaked the user network ASN in the report ID (this mainly involves new probes), and about 12% of global OONI measurements might have disclosed the ASN through the client resolver in OONI’s Web Connectivity test (this mainly involves legacy probes).
We made changes to OONI Explorer to hide AS0 measurements, and further details are available through our Incident Report.
The OONI team apologizes to the OONI community for this incident. We would never intentionally harm our users, we value and respect user choice, and we take seriously the trust our users have placed in us. We do our best to give you as much control as possible over how you use OONI Probe, but sometimes we make mistakes. We will always be transparent when such bugs occur.
To learn more about our data practices and about the principles that govern OONI data collection, please refer to our Data Policy: https://ooni.org/about/data-policy
If you have any questions or concerns related to this incident, please don't hesitate to reach out.
Thank you,
Maria (on behalf of the OONI team).
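An audit for the three leak channels described in the message above (ASN in the report ID, network name, client resolver IP in opted-out "AS0" measurements), as an added example that is not part of the original message or of OONI's own code. It assumes a report ID layout of `<timestamp>_<test>_<country>_<asn>_n<n>_<random>` and the measurement field names `probe_asn`, `probe_network_name` and `test_keys.client_resolver`; the sample records are constructed.

```python
import copy
import re

# Assumed report ID layout <timestamp>_<test>_<country>_<asn>_n<n>_<random> and
# OONI measurement field names (probe_asn, probe_network_name, client_resolver);
# both are assumptions for this example, not taken from the incident report.
REPORT_ID_RE = re.compile(r"^(\d{8}T\d{6}Z_[a-z_]+_[A-Z]{2}_)(\d+)(_n\d+_.*)$")

def sample(rid, asn, name, resolver):
    """Build one constructed measurement record (not real OONI data)."""
    return {"report_id": rid, "probe_asn": asn, "probe_network_name": name,
            "test_keys": {"client_resolver": resolver}}

SAMPLES = [
    sample("20201002T120000Z_webconnectivity_IT_30722_n1_c1", "AS0", "", ""),  # ASN in report ID
    sample("20201002T120100Z_webconnectivity_IT_0_n1_c2", "AS0", "Vodafone Italia", ""),  # name kept
    sample("20201002T120200Z_webconnectivity_IT_0_n1_c3", "AS0", "", "203.0.113.53"),  # resolver kept
    sample("20201002T120300Z_webconnectivity_IT_0_n1_c4", "AS0", "", ""),  # clean opt-out
    sample("20201002T120400Z_webconnectivity_IT_30722_n1_c5", "AS30722", "Vodafone Italia", "203.0.113.53"),
]

def leaks(m):
    """Channels through which an AS0 (opted-out) record still exposes network info."""
    if m.get("probe_asn") != "AS0":
        return []  # opted in: publishing the ASN is the intended behaviour
    found = []
    match = REPORT_ID_RE.match(m.get("report_id", ""))
    if match and match.group(2) != "0":
        found.append("report_id")
    if m.get("probe_network_name"):
        found.append("probe_network_name")
    if m.get("test_keys", {}).get("client_resolver"):
        found.append("client_resolver")
    return found

def scrub(m):
    """Copy of the record with every opt-out leak channel sanitised; opted-in
    records are returned unchanged."""
    out = copy.deepcopy(m)
    if out.get("probe_asn") != "AS0":
        return out
    out["report_id"] = REPORT_ID_RE.sub(r"\g<1>0\g<3>", out.get("report_id", ""))
    out["probe_network_name"] = ""
    out.setdefault("test_keys", {})["client_resolver"] = ""
    return out

def audit(measurements):
    """Map report_id to its leak channels for every leaking record."""
    return {m["report_id"]: leaks(m) for m in measurements if leaks(m)}
```

Running `audit(SAMPLES)` flags the first three constructed records and nothing else; `scrub` shows what a fixed engine should emit for an opted-out probe.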
Hello,
Today we released OONI Probe Desktop 3.0.4: https://ooni.org/install/desktop
This release is important because it fixes the ASN-related bug that we previously reported (discussed below).
Apologies for not releasing this sooner (we were facing some issues with updating our code signing certificate, but this is now resolved).
Please update to the latest OONI Probe desktop version (3.0.4).
Thank you!
On 09/10/20 16:59, Maria Xynou wrote:
ooni-talk@lists.torproject.org