Opened 5 months ago

Last modified 3 months ago

#30794 assigned project

Create lightweight censorship analyser for users

Reported by: phw
Owned by: phw
Priority: Medium
Milestone:
Component: Circumvention/Censorship analysis
Version:
Severity: Normal
Keywords: tbb-bridges
Cc: cohosh, gaba, dcf
Actual Points:
Parent ID:
Points: 5
Reviewer:
Sponsor:

Description

Users occasionally show up on #tor and wonder why they are unable to connect to the network. We sometimes suspect censorship but it's often difficult to confirm this hypothesis. It would be useful to have a lightweight censorship analysis tool for users to run. Think of it as a small, specialised OONI: It should be a self-contained executable that tests if the user's computer can do the following:

  • Connect to the TCP port of our directory authorities.
  • Connect to the TCP port of a handful of relays.
  • Connect to the TCP port of our default bridges.
  • Resolve critical domains (e.g., bridges.tp.o) correctly.
  • Fetch the index page of critical websites (e.g., bridges.tp.o) over HTTPS.
  • Establish a TLS connection with a bridge authority and a relay.
  • ...

The output of the tool can be a simple text file that the user can then email to us, or paste in a chat window. We originally had this idea several years ago and documented it in a research paper but nobody ever followed up. Such a tool could also be useful as part of an anti-censorship rapid response process.

If this sounds like a good idea, then I suggest that we build the tool in Go because 1) we have several talented Go hackers, 2) Go binaries are self-contained, and 3) since Go 1.5, cross-compiling for Windows seems relatively simple.

Change History (3)

comment:1 Changed 3 months ago by ahf

Sponsor: Sponsor28-can

Removing sponsor.

comment:2 Changed 3 months ago by phw

I created a simple proof of concept: https://dip.torproject.org/anti-censorship/emma. I cross-compiled a .exe file by running:

GOOS=windows GOARCH=386 go build -o emma.exe

comment:3 Changed 3 months ago by dcf

I tried it at commit c8924dce26a28193b8478f72941d3b857a24c343 and got the following output:

Testing TCP port of default bridges.
        reachable: 109.105.109.163:38980
        reachable: 109.105.109.163:47779
        reachable: 109.105.109.165:10527
        reachable: 109.105.109.147:13764
        unreachable: 85.17.30.79:443 (dial tcp 85.17.30.79:443: connect: connection refused)
        reachable: 38.229.1.78:80
        reachable: 38.229.33.83:80
        unreachable: [2001:470:b381:bfff:216:3eff:fe23:d6c3]:443 (dial tcp [2001:470:b381:bfff:216:3eff:fe23:d6c3]:443: i/o timeout)
        reachable: 192.95.36.142:443
        reachable: 37.218.240.34:40035
        reachable: 37.218.245.14:38224
        reachable: 85.31.186.98:443
        reachable: 85.31.186.26:443
        reachable: 216.252.162.21:46089
        reachable: 144.217.20.138:80
Testing TCP port of directory authorities.
        reachable: 128.31.0.39:9131
        reachable: [2001:858:2:2:aabb:0:563b:1526]:443
        reachable: 86.59.21.38:80
        reachable: 194.109.206.212:80
        reachable: 66.111.2.131:9030
        reachable: [2001:638:a000:4140::ffff:189]:443
        reachable: 131.188.40.189:80
        reachable: [2001:678:558:1000::244]:443
        reachable: 193.23.244.244:80
        reachable: [2001:67c:289c::9]:80
        reachable: 171.25.193.9:443
        reachable: 154.35.175.225:80
        reachable: 199.58.81.140:80
        reachable: [2620:13:4000:6000::1000:118]:443
        reachable: 204.13.164.118:80
Testing *.torproject.org domains.
        Everything as expected.

Ideas:

  • If emma.exe is double-clicked on Windows, it may open a terminal window, display the output, then close the window again. Perhaps in the default configuration, it should append its output (timestamped) to a file.
  • For reachability tests, it would be good to show an elapsed time, in both the reachable and unreachable case.
  • For the DNS lookups, it would be nice to see what names were resolved. This is in case there are multiple versions of the program distributed, so we can tell from the output whether the domains included a particular one that we care about.
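
A sketch of the first two ideas in comment:3, added here as an illustration and not taken from emma's source: each TCP probe reports its elapsed time whether it succeeds or fails (a fast "connection refused" and a slow "i/o timeout" then read differently in a report), and every run appends a timestamped section to a file. The names Probe and Report, the file name probe-report.txt and the loopback listener used as a target are assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// Probe dials addr once; the line it returns carries the elapsed time either way.
func Probe(addr string, timeout time.Duration) (line string, ok bool) {
	start := time.Now()
	conn, err := net.DialTimeout("tcp", addr, timeout)
	d := time.Since(start).Round(time.Millisecond)
	if err != nil {
		return fmt.Sprintf("unreachable: %s (%s; %v)", addr, d, err), false
	}
	conn.Close()
	return fmt.Sprintf("reachable: %s (%s)", addr, d), true
}

// Report writes one timestamped section to w and returns the reachable count.
func Report(w io.Writer, title string, addrs []string, timeout time.Duration) (n int) {
	fmt.Fprintf(w, "%s %s\n", time.Now().UTC().Format(time.RFC3339), title)
	for _, a := range addrs {
		line, ok := Probe(a, timeout)
		if ok {
			n++
		}
		fmt.Fprintf(w, "\t%s\n", line)
	}
	return n
}

func main() {
	// Constructed offline target: a loopback listener, probed while up, then closed.
	l, lerr := net.Listen("tcp", "127.0.0.1:0")
	// Append, so a double-clicked run still leaves a record (hypothetical file name).
	f, ferr := os.OpenFile("probe-report.txt", os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
	if lerr != nil || ferr != nil {
		panic(fmt.Sprint(lerr, ferr))
	}
	defer f.Close()
	w, addrs := io.MultiWriter(os.Stdout, f), []string{l.Addr().String()}
	Report(w, "Testing TCP port (listener up).", addrs, 3*time.Second)
	l.Close()
	Report(w, "Testing TCP port (listener closed).", addrs, 3*time.Second)
}
```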