Update Qlogo.cn.xml #7586
Update Qlogo.cn.xml #7586
Conversation
gloomy-ghost
force-pushed
the
gloomy-ghost-qlogo_cn
branch
from
c30ba7a to
0ccb968
Compare
|
I'm getting I'm also not sure what to do about |
|
Do you mean all URLs? They are CDN subdomains and most of them have blank roots. Could you try to use Tor and set |
|
I've added testing URLs for them. Also would it be okay if @ivysrono could provide a screen recording to prove that these subdomains are available in https in RPC? |
gloomy-ghost
force-pushed
the
gloomy-ghost-qlogo_cn
branch
from
a2950a4 to
135a9f4
Compare
|
|
|
@gloomy-ghost I'm having trouble with Tor. I added Also, I'm not going to sign off on a pull request based on a screenshot, meaning no disrespect to @ivysrono . @Hainish : do you at the EFF have any tools available to test something from within the Chinese GFW? |
|
There is a public proxy in China: 1.82.216.134:80 |
|
I'm not comfortable using a random public proxy. I'm sorry if it seems like I'm being difficult. |
|
It's all right, but I'm not sure what are you worrying about public proxies
since we are just testing https availability.
|
|
It's not a good precedent. An attacker could add a malicious ruleset by saying, "Here's my ruleset, and by the way, you need to test it through this specific proxy", where the attacker controls the proxy and manipulates the response. We should be able to check rulesets using our own independent tools and settings. |
|
An attacker can't manipulate response of https request unless he have a
valid certificate. If he had one, it would be unnecessary to push a
malicious ruleset to here (and I don't think a ruleset that only
redirecting http to https can be malicious).
In this case, I'm not asking you to use an specific proxy. You can search
"Chinese proxy” and choose whichever is working, or find a Chinese VPS to
test the ruleset. I understand you want to have a testing environment that
can be trusted, but https is designed for untrusted network isn't it?
|
|
The whole problem here is that for some reason we get different results from exit points inside the GFW than we do from outside it, so the exit point does matter. I guess whatever technique is being used by the GFW could also be used by one malicious attacker managing one exit point. |
|
For subdomains in Tencent_CN, we are getting `Mismatch` or `Timeout`
outside of China.
`Mismatch` is because Tencent has own CDN network in China (which is its
main market), but not overseas. I think it's a country-based DNS result
that you get a non-https CDN when you are not in China.
`Timeout` is not easy to determine. Maybe Tencent dropped oversea
connections, or GFW dropped them. My point is attackers with MITM access
can't "manipulate" a https response. All they can do is monitor encrypted
data or drop/reset connections, which has no difference with a Cisco
enterprise router.
|
|
So to properly test these domains, I have to proxy DNS, not just HTTP(S) traffic. I have to trust that both the proxy's DNS and web traffic match what a regular user inside the GFW sees, and if either DNS or web traffic differs, then I as a maintainer might be misled. |
|
For "web traffic", I understand that HTTPS traffic can't be modified, however it's possible the person who controls the proxy might be able to route traffic outside the GFW, or not, depending on some criteria. |
|
To clarify my opinion, there is at least one official server supporting https when the domain works with a proxy. Network hijacking is everywhere, but if it only routes traffic, it's more likely a router.
As I said, hijacking is everywhere and even Tencent can't say their https sites have 100% availability in China. CMCC is different with GWBN, CN2 is different with CHINANET. There are always some risks that https doesn't work, and we can't test them one by one. As a project rarely has official ruleset, we have to take this kind of risks. |
|
The way to guard against having the review manipulated is to use independent tools. In this case though I have to configure my environment a certain way and use one of a limited number of access points. I don't see how I personally could feel comfortable enough with a test in this situation to sign off on it. I've unassigned myself from this pull request. I hope that @Hainish can come up with some approach. We need to figure out a general process for handling these inside-the-GFW issues. |
|
@gloomy-ghost 我看他们暂时解决不了GFW的测试问题,干脆绕开,进一步拆分,把没问题的先合并了。 |
|
@ivysrono 现在好歹绑着Alexa排名高的域名,再拆就真没人处理拆出来的了… |
|
@gloomy-ghost Here's an idea: since |
|
You mean |
|
Well, I used |
gloomy-ghost
force-pushed
the
gloomy-ghost-qlogo_cn
branch
from
135a9f4 to
42ee285
Compare
|
Please just only delete this line and make no other changes to |
|
I'm getting
|
|
All of them are working for me. PS: For |
|
Okay, the URLs work now, thanks. I've updated the checklist. To clarify: by "replace http://q.qlogo.cn/g?b=qq&k=Osib95YbszciblkflbYwNQgw&s=140 Merged. |
|
I've reached out to some colleagues particularly well positioned to know about testing within the GFW. Hopefully they will have some tips on the best strategy here. |
No description provided.