Disclosure
First, evaluate the risk of the issue, then decide how to communicate it to the OONI developers, then track progress on the issue to ensure it is properly handled.
If you have discovered an issue with ooniprobe or the MLab deployment of oonib, please take a few moments to step through this mental process:
- Are you certain the issue only affects unreleased development versions of the software?
- Do you understand all of the Roles which are impacted by this issue?
- Do you know who all of the actual users of the software are, including all ooniprobe Operators?
- Do you understand all of the affected people's risk tolerances?
If the answer to any of these is not "Yes, without doubt", then please disclose this issue confidentially. Even if the issue seems minor, please consider the potential situations of the userbase, and remember that you may not be aware of who those people are.
Remember, if you are too cautious, the worst that happens is that a developer just creates a bug ticket for your issue. If you are too incautious, you may harm real people.
In order to confidentially communicate an issue, you must first ensure you are only communicating with your intended audience. The best option is to tell them in person, but this is rarely practical, so the next best option is to use appropriate technology for confidential communication. We recommend using a properly installed, secure OTR-enabled client.
OTR (Warning: Non-SSL), or "Off-the-Record Messaging" is a protocol and software to improve one-on-one instant messaging.
Pitfall: Google Chat has a feature called "Off the Record" which is unrelated and provides no security benefits.
Unfortunately, selecting secure software and installing it securely is a highly error-prone process which depends greatly on your background and computer access. We recommend joining #ooni on the oftc.net IRC network (here is a webclient) to ask for advice on securely installing OTR software.
Pitfall: Do not disclose sensitive details through this IRC channel!
Please disclose your security issue to someone on the Communication page who:
- Is labelled as a Disclosure Contact
- Is in the (Tor/OONI) organization; and
- Has a listed OTR fingerprint.
Pitfall: When you load this wiki, ensure the URL begins with "https:". You may need to click the URL bar to see the beginning of the URL.
Risk: The "https:" scheme is vulnerable in various technical and hard-to-anticipate ways. Your best hope is to verify you use a recent version of Firefox or Chrome. See Authenticating an OTR session below for advice.
Risk: Anyone with the capability to alter the wiki contents may attempt to confuse you by altering the OTR fingerprints there. This includes employees and contractors at Github, at various third party websites which Github relies on, members of OONI, members of Least Authority, members of M-Lab, and potentially more. See Authenticating an OTR session below for advice.
To increase your confidence in OTR fingerprints, and to help overcome the risks mentioned above, the best strategy is to distribute and share those fingerprints in multiple channels using decoupled technology. For example, check the Communication page, and ask for confirmation in IRC, and ask for confirmation in mailing lists. This wiki is available as a git repository, so those who clone that history to a local machine can notice suspicious edits.
The best mitigation is to get a fingerprint from one of the developers directly, such as on a business card.
Once you are confident in a fingerprint, start a session with the appropriate recipient (see Who above), then display and compare the fingerprint of that session with the fingerprint you gained confidence in above.
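
The multi-channel comparison described above can be done mechanically instead of by eye. The following is an added example, not part of the original wiki page or of OONI's tooling; it assumes OTR's usual 40-hex-digit fingerprint display, and the channel names and fingerprint values are constructed.

```python
import hmac
import re

# OTR fingerprints are 160-bit values shown as 40 hex digits,
# usually in five groups of eight.
_FP_RE = re.compile(r"^[0-9a-f]{40}$")


def normalize(fp):
    """Drop spaces, colons and dashes, lowercase, and require 40 hex digits."""
    cleaned = re.sub(r"[\s:\-]", "", fp).lower()
    if not _FP_RE.match(cleaned):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % fp)
    return cleaned


def cross_check(published, session_fp, min_channels=2):
    """Compare fingerprints copied from several decoupled channels with the
    fingerprint the OTR client displays for the live session.

    published: dict mapping a channel name to the fingerprint seen there.
    Returns (ok, reason); ok is True only if every channel agrees and the
    session fingerprint matches that agreed value.
    """
    seen = {}
    for channel, fp in published.items():
        try:
            seen[channel] = normalize(fp)
        except ValueError:
            return False, "malformed fingerprint from " + channel
    if len(seen) < min_channels:
        return False, "need at least %d independent channels" % min_channels
    values = set(seen.values())
    if len(values) != 1:
        # One altered copy is enough to stop: do not pick a "majority" value.
        return False, "channels disagree: " + ", ".join(sorted(seen))
    try:
        session = normalize(session_fp)
    except ValueError:
        return False, "malformed session fingerprint"
    if not hmac.compare_digest(values.pop(), session):
        return False, "session fingerprint does not match published value"
    return True, "match across " + ", ".join(sorted(seen))


# Constructed sample values (not real fingerprints).
SAMPLE = "0A1B2C3D 4E5F6071 8293A4B5 C6D7E8F9 01234567"
```

Any disagreement between channels is treated as a failure rather than resolved by majority, since a single altered copy is exactly the signal the multi-channel check exists to surface.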