[tor-dev] Def Con Kaminsky talk (censorship detection)

David Fifield david at bamsoftware.com
Tue Jul 31 15:24:45 UTC 2012


Dan replies:

On Mon, Jul 30, 2012 at 11:33:09AM -0700, Dan Kaminsky wrote:
> Basically, if you spoof HTTP or HTTPS headers from a Flash socket to your own
> IP, with someone else's Host/SNI, a transparent proxy is going to send its
> interposing content to the Flash SWF and not to the browser.  It's a really
> deployable way to see nasty stuff.
> 
> One warning is that if hijacking is DNS based, and not transparent proxy based,
> you don't see anything with this stunt (though favicon.ico detection still
> works).
> 
> On Mon, Jul 30, 2012 at 10:57 AM, David Fifield <david at bamsoftware.com> wrote:
> 
>     I saw an interesting talk by Dan Kaminsky at Def Con that touched on
>     some ideas for censorship detection. He mentioned OONI-probe and talked
>     about his project CensorSweeper. It tests blockedness of web sites by
>     making cross-domain requests for favicon.ico and displaying them in a
>     minesweeper-like grid.
> 
>     http://www.censorsweeper.com/
>     https://www.hackerleague.org/hackathons/wsj-data-transparency-code-a-thon/hacks/censorsweeper
> 
>     He also mentioned something, which unfortunately I didn't follow very
>     closely, about using Flash sockets to spoof HTTP and HTTPS headers. I
>     think the gag here was sending these spoofed connections to a server you
>     control (so you can answer the crossdomain policy requests without which
>     Flash Player will refuse to connect), but you give it a Host header of a
>     censored site or something like that.
> 
>     http://miriku.com/wp/2012/07/decon-day-3/comment-page-1/#comment-1416
> 
>     Unfortunately I don't have the conference DVD which presumably contains
>     the slides he used, but videos usually show up online after some number
>     of months.
>    
>     David Fifield
> 
> 
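
An added example, not from the thread or from CensorSweeper: the comparison Dan describes, with a plain TCP socket standing in for the Flash socket. The client connects by IP address to a server it controls, names a different site in the Host header, and checks whether the known sentinel comes back. `OwnServer`, `InterposingProxy`, the sentinel value and `blocked.example` are constructed for illustration, and the two loopback servers exist only so it runs offline.

```python
import socket
import socketserver
import threading

SENTINEL = b"probe-sentinel-7f3a"  # constructed marker only our own server returns

def make_handler(status, body):
    """Build a handler that answers every request with a fixed response."""
    class Handler(socketserver.StreamRequestHandler):
        def handle(self):
            while self.rfile.readline().strip():  # consume request line + headers
                pass
            self.wfile.write(b"HTTP/1.1 " + status + b"\r\nContent-Length: "
                             + str(len(body)).encode()
                             + b"\r\nConnection: close\r\n\r\n" + body)
    return Handler

# Stand-in for the server you control, and for a transparent proxy that answers
# in its place (both constructed for this example).
OwnServer = make_handler(b"200 OK", SENTINEL)
InterposingProxy = make_handler(b"403 Forbidden", b"<html>Access denied</html>")

def start(handler):
    """Serve `handler` on an ephemeral loopback port; return (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def probe(ip, port, host, timeout=5.0):
    """Connect to our own IP by address, naming another site in the Host header."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def classify(raw):
    """'clean' if our sentinel came back, 'interposed' if something else answered."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return "no-response"
    return "clean" if body == SENTINEL else "interposed"
```

Because `probe` connects by address and never resolves the named host, DNS-based hijacking leaves the result at "clean", which is the blind spot noted in the reply above.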

