What it detects
The fingerprint used to censor a network conversation.
Inputs
- A sample pcap that is known to contain a censored conversation (e.g. a blocked SSL handshake of Tor)
- An OONIb to do the conversation with.
Experiment
Let 'n' be the length of the censored conversation in bytes.
- We open 'n' connections with the backend, and for each connection 'i' we mutate the 'i'th byte of the conversation.
- When the conversation is no longer blocked, it means that the censor can no longer find the fingerprint in our packets, and that the last mutated byte is part of the DPI fingerprint.
- An oracle is needed to tell you if a conversation is blocked or not. The oracle in the Ethiopia case was whether you got an RST back from sending the payload to a closed port of an Ethiopian machine. If the packet was to be blocked, the firewall would devour the packet and it would never reach the Ethiopian machine -- hence no RST. See https://trac.torproject.org/projects/tor/wiki/doc/OONI/censorshipwiki/CensorshipByCountry/Ethiopia.
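The byte-by-byte search described above, as an added example that is not OONI's own code. It runs offline: `simulated_oracle`, `SIGNATURE` and `SAMPLE` are constructed stand-ins for the network oracle and the sample pcap, and all function names are hypothetical.

```python
from typing import Callable, List, Tuple

# Constructed sample data: neither the payload nor the signature comes from a real censor.
SIGNATURE = b"EXAMPLE-SIG"
SAMPLE = b"\x16\x03\x01" + b"hello-" + SIGNATURE + b"-tail"


def simulated_oracle(payload: bytes) -> bool:
    """Stand-in oracle: True means blocked. A real run would ask the network instead."""
    return SIGNATURE in payload


def mutate_byte(payload: bytes, i: int) -> bytes:
    """Copy of payload with byte i inverted, so the mutated byte always differs."""
    out = bytearray(payload)
    out[i] ^= 0xFF
    return bytes(out)


def fingerprint_offsets(payload: bytes, is_blocked: Callable[[bytes], bool]) -> List[int]:
    """Offsets i where mutating only byte i makes the conversation pass."""
    if not is_blocked(payload):
        raise ValueError("unmutated conversation is not blocked; nothing to locate")
    return [i for i in range(len(payload)) if not is_blocked(mutate_byte(payload, i))]


def fingerprint_runs(payload: bytes, offsets: List[int]) -> List[Tuple[int, bytes]]:
    """Group consecutive offsets into (start, bytes) runs."""
    runs: List[Tuple[int, bytes]] = []
    start = prev = None
    for i in offsets:
        if prev is not None and i == prev + 1:
            prev = i
            continue
        if start is not None:
            runs.append((start, payload[start:prev + 1]))
        start = prev = i
    if start is not None:
        runs.append((start, payload[start:prev + 1]))
    return runs


if __name__ == "__main__":
    offs = fingerprint_offsets(SAMPLE, simulated_oracle)
    for start, chunk in fingerprint_runs(SAMPLE, offs):
        print(f"offset {start}: {chunk!r}")
```

An empty result from `fingerprint_offsets` means no single-byte mutation changed the oracle's answer for this payload.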
Output
- The bytes that make up the DPI fingerprint.
Weaknesses
* XXX Add section for weaknesses.