Re: [tor-talk] trackers in OONI Probe Mobile App / was: NEW RiseupVPN test in OONI Probe Mobile App

["Dave Warren" <dw@xxxxxxxxxx>]

I’m not sure I see the point.

If we assume we are building a probe with a client and server component, can the client not just connect to the server using a pinned certificate (or otherwise validate this connection via any of the well established public key mechanisms) and then each side connect to the target, retrieve the certificate, calculate the fingerprint and compare?

Of course this also assumes that you get the same fingerprint from everywhere, something that is absolutely not guaranteed in the general case, although many specific targets will use one certificate universally. 

Admittedly the quoted protocol proposal might have some advantages if you (operating the client) don’t trust the server, or want a cryptographic guarantee, but at least for the use-cases of OONI Probe Mobile that I see (detecting whether my current connection is being censored, relying on a centralized platform to provide censorship test data) it seems to be overkill. 



> On Feb 16, 2021, at 04:33, Aymeric Vitte <aymeric@xxxxxxxxxx> wrote:
> 
> Resending ccing directly the participants since apparently it's not going to make it to the list

> 
> 
> -------- Message transféré -------- 
> Sujet :
> Re: [tor-talk] trackers in OONI Probe Mobile App / was: NEW RiseupVPN test in OONI Probe Mobile App
> Date :
> Wed, 10 Feb 2021 17:21:20 +0100
> De :
> Aymeric Vitte <aymeric@xxxxxxxxxx>
> Pour :
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> 
> 
> You might consider adding to OONI features the "Interception Detector",
see http://ianonym.peersm.com/intercept.html

This is from 2012 but still actual, the basic principles are that you
are intercepting yourself with the help of a remote server (ie an OONI
node here), by "browser" below we could mean the OONI app

Indeed, one browser page is acting as a server page connected to a
remote server via websockets, once the user enters the domain to check
(for example abcd.google.com) it generates a self-signed TLS certificate
and a link (https://abcd.google.com), clicking on the link opens a
client page in the browser which produces a https request with the
target server name (google.com) that is proxied to the server, then a
TLS handshake is initiated between the browser client page and the
browser server page since the messages are intercepted by the server
that relays messages between both

Then the user can check that the signature/fingerprint of the
certificate in the handshake match the ones indicated on the server
page, if not it means that someone in the path between the browser and
the server did intercept the TLS connection

In fact, we can summarize this today (because browsers do not really
give the possibility any longer to accept self signed certificates) as:
if the browser does not raise a security exception then you are for sure
intercepted

Of course a positive result does not say that you are not intercepted
(because the interceptor might have missed the server name honeypot or
just not be interested by it), that's where OONI network becomes
interesting since you can multiply the tests via various destinations/nodes

This is not a "week-end" project as some "experts" think since it
requires to implement TLS in js inside the browser, some other experts
here might question/destroy the concepts, please do

It would have defeated the logjam attack if deployed at that time

It's not open source for now but can be with some little funding

For the other concerns in this thread you should develop things by
yourself instead of adding dubious third party sw, 1.3 MUSD (at least)
of funding since years should allow this, no?


Le 10/02/2021 à 10:28, Maria Xynou a écrit :
> On 09/02/21 19:39, Dave Warren wrote:
>>> It should give results for middle boxes , DNS/TLS hijacking ...etc
>>> something useful/worth to run OONI for. 
>> These would be great things to consider adding too. 
> Thanks for the feedback (and support!).
>
> Current OONI Probe tests are available here:
> https://github.com/ooni/probe-engine/tree/master/experiment
>
> We are working towards shipping new tests (such as that for measuring
> SNI based filtering) as part of the OONI Probe apps.
>
> Code review and feedback is greatly appreciated, and we also encourage
> community members to contribute their own tests.
>
> For example, the recent RiseupVPN test (shipped in the latest OONI Probe
> mobile release) was contributed by community members.
>
> Cheers,
>
> Maria.
>

-- 
Sophia-Antipolis, France
LinkedIn: https://fr.linkedin.com/in/aymeric-vitte-05855b26
Move your coins by yourself (browser version): https://peersm.com/wallet
Bitcoin transactions made simple: https://github.com/Ayms/bitcoin-transactions
Zcash wallets made simple: https://github.com/Ayms/zcash-wallets
Bitcoin wallets made simple: https://github.com/Ayms/bitcoin-wallets
Get the torrent dynamic blocklist: http://peersm.com/getblocklist
Check the 10 M passwords list: http://peersm.com/findmyass
Anti-spies and private torrents, dynamic blocklist: http://torrent-live.org
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms


> 
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk