Address @hellais feedback

ooni · Oct 9, 2019 · fbe3045 · fbe3045
1 parent 31ad838
commit fbe3045
Showing 1 changed file with 20 additions and 11 deletions.
diff --git a/nettests/ts-024-sni-blocking.md b/nettests/ts-024-sni-blocking.md
@@ -12,7 +12,9 @@ SNI blocking (`sni_blocking`)
 
 # Expected impact
 
-Understanding whether there is SNI based blocking.
+Understanding whether there is SNI based blocking. This experiment is useful
+when you know a website that may be blocked with this blocking technique, and
+you would like to verify this hypothesis.
 
 # Expected inputs
 
@@ -54,17 +56,19 @@ The `test_keys.failure_with_random_sni` contains the error of connecting and
 performing a TLS handshake to the input endpoint using a random SNI. This
 key will be null in case there is no error.
 
-The `test_keys.behavior` key is determined as follows:
+## Understanding the results
 
-- "interesting" if there is no failure when using the random SNI
+Under normal conditions, we expect the attempt with the proper SNI to succeed
+and the attempt with the random SNI to fail with an error indicating that
+the provided certificate does not cover the configured SNI.
 
-- "normal" if there is no failure with proper SNI and there is an error
-indicating that the certificate does not apply to the random SNI
+When there is SNI based blocking, we instead expect the attempt with the proper
+SNI to fail with a connection reset, and we expect to see in the second
+attempt the same failure we see under normal conditions.
 
-- "suspicious" if there is any failure with proper SNI and there is an error
-indicating that the certificate does not apply to the random SNI
-
-- "🤷" otherwise
+A case where both attempts succeed would certainly be very interesting. It may
+be caused by a certificate installed on a device that allows a proxy to
+generate certificates for any host on the fly.
 
 ## Example output sample
 
@@ -82,7 +86,6 @@ indicating that the certificate does not apply to the random SNI
   "software_name": "miniooni",
   "software_version": "0.1.0-dev",
   "test_keys": {
-    "behavior": "normal",
     "failure_with_proper_sni": null,
     "failure_with_random_sni": "x509: certificate is valid for kernel.org, archive.kernel.org, git.kernel.org, mirrors.kernel.org, www.kernel.org, not spyvkhuzbl.bel"
   },
@@ -103,7 +106,6 @@ indicating that the certificate does not apply to the random SNI
   "software_name": "miniooni",
   "software_version": "0.1.0-dev",
   "test_keys": {
-    "behavior": "🤷",
     "failure_with_proper_sni": "x509: certificate has expired or is not yet valid",
     "failure_with_random_sni": "x509: certificate has expired or is not yet valid"
   },
@@ -112,3 +114,10 @@ indicating that the certificate does not apply to the random SNI
   "test_version": "0.1.0"
 }
 ```
+
+## Limitations
+
+This first iteration of the experiment [does not allow to repeat the
+experiment with variations of the random SNI, to understand how blocking
+is happening](https://github.com/ooni/spec/pull/159#discussion_r332989964).
+A future version of this specification will address these limitations.