Discuss proper test helper for sni_blocking #303

Closed
bassosimone opened this issue Jan 28, 2020 · 4 comments
Labels
bug Something isn't working discuss We need to have a conversation effort/S Small effort ooni/probe-engine Issues related to github.com/ooni/probe-engine priority/high High priority

Comments

@bassosimone
Contributor

It seems using ps.ooni.io is not wise because we may be blocked automatically. We need instead to come up with a better solution for deploying a test helper here.

@bassosimone bassosimone added bug Something isn't working priority/high High priority effort/L Large effort ooni/probe-engine Issues related to github.com/ooni/probe-engine labels Jan 28, 2020
@bassosimone bassosimone added this to the Sprint 6 - Dumbo Octopus milestone Jan 28, 2020
@bassosimone bassosimone self-assigned this Jan 28, 2020
@bassosimone bassosimone changed the title Proper test helper for sni_blocking Discuss proper test helper for sni_blocking Jan 31, 2020
@bassosimone bassosimone added discuss We need to have a conversation effort/S Small effort and removed effort/L Large effort labels Jan 31, 2020
@bassosimone
Contributor Author

bassosimone commented Jan 31, 2020

Changed this to a "discuss" thing that is good to discuss in the ~10 Feb week. The original issue was "L" but actually starting to have a conversation on that is a small thing we can easily do.

@bassosimone
Contributor Author

cc: @fortuna

@fortuna

fortuna commented Feb 3, 2020

The test helper could be cloudflare.com, or example.com. Or some other service that is well provisioned. We can do fallback and only use third-party domains if OONI's is blocked.

The requirement is that they should be TLS services that can be accessed from the client's network and return predictable results.

With both domains, I get a ServerHello with a certificate that is not valid for the test domain, with exceptions:

  • For cloudflare.com, if the test domain is on Cloudflare, then I get a valid certificate. You can differentiate from MITM by checking the CA chain.
  • For example.com, you will get a valid certificate for all variations of the example.com domain (www.example.com, example.net, ...)

The trick is to always check the validity of the certificate, with a valid certificate indicating that SNI is not being blocked.
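
The check described in the comment above, as an added Go example that is not part of the thread or of probe-engine's code: it sends a chosen SNI to a helper, then verifies the CA chain and the hostname separately. The helper is a constructed local `httptest` server; `probe`, `demo`, the verdict strings and the `blocked.test` domain are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// probe sends sni in the ClientHello to the helper at addr, then checks the CA
// chain and the hostname separately. The verdict labels are this example's own.
func probe(addr, sni string, roots *x509.CertPool) string {
	// InsecureSkipVerify only moves verification to the explicit checks below.
	cfg := &tls.Config{ServerName: sni, InsecureSkipVerify: true}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return "handshake_failed" // reset, timeout or alert: no certificate to judge
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	inter := x509.NewCertPool()
	for _, c := range certs[1:] {
		inter.AddCert(c)
	}
	if _, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter}); err != nil {
		return "untrusted_chain" // the CA chain check used to tell a MITM apart
	}
	if certs[0].VerifyHostname(sni) != nil {
		return "cert_for_other_name" // helper answered with its own certificate
	}
	return "valid_cert" // per the thread: SNI is not being blocked
}

// demo probes a constructed local helper; httptest's built-in certificate
// covers example.com, so that name stands in for a domain the helper serves.
func demo() []string {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	addr, roots := srv.Listener.Addr().String(), x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	out := []string{probe(addr, "example.com", roots), probe(addr, "blocked.test", roots),
		probe(addr, "example.com", x509.NewCertPool())} // last: helper's CA not trusted
	srv.Close()
	return append(out, probe(addr, "example.com", roots)) // nothing listening now
}

func main() { fmt.Println(demo()) }
```

Go's `Verify` checks the hostname before building the chain when `DNSName` is set, so the chain is verified here without a name and the hostname is checked afterwards.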

@bassosimone
Contributor Author

After discussing this issue with @fortuna, @hellais, and @FedericoCeratto, we concluded that for the time being we're using example.com. I'll add this as the todo list in #309
