# General

[[TOC]]
HerdictWeb is a tool developed by the Berkman Center for Internet & Society. It allows users to report the inaccessibility of websites from places around the world.

It offers two modes of operation: Herdict Reporter (a web application) and Herdict Add-On (an in-browser add-on).
## Herdict Reporter

The reporter web application is available here: http://www.herdict.org/participate/reporter

The system automatically detects the user's ISP.

The sites are visualized inside of an iframe.

On Google Chrome the application does not run cleanly and it issues a **large** number of errors to the debug console:
```
8 event.layerX and event.layerY are broken and deprecated in WebKit. They will be removed from the engine in the near future.
57 Unsafe JavaScript attempt to access frame with URL http://www.herdict.org/participate/reporter from frame with URL http://www.fun1001.com/. Domains, protocols and ports must match.
66 Unsafe JavaScript attempt to access frame with URL http://www.herdict.org/participate/reporter from frame with URL http://www.fun1001.com/. Domains, protocols and ports must match.
38 event.layerX and event.layerY are broken and deprecated in WebKit. They will be removed from the engine in the near future
```
The scripts inside the iframe appear to be trying to violate the same-origin policy (SOP) with cross-frame access. They should probably be using CORS instead: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing.
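As an added illustration (not code from the Herdict page or project), this is the origin comparison behind the "Domains, protocols and ports must match" errors above, plus the response-header check a browser applies under CORS before a script may read a cross-origin response. It uses Node's built-in URL class and the two URLs from the console output; the CORS headers are constructed values.

```javascript
// Added example, not Herdict code: the origin comparison behind the Chrome
// "Domains, protocols and ports must match" errors, and the CORS header check
// a browser applies before a script may read a cross-origin response. Offline.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// An origin is the tuple (scheme, host, port); a missing port means the scheme default.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
    serialized: u.origin, // the form sent in an Origin request header
  };
}

// SOP: a document may script another frame only when all three parts match.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// CORS: may a script at requesterUrl read a response carrying these headers?
// (header names lower-cased). Rules, as the browser applies them:
//   - no Access-Control-Allow-Origin            -> blocked
//   - "*" is accepted only when no credentials (cookies) were sent
//   - otherwise the header must echo the exact origin, and a credentialed
//     request additionally needs Access-Control-Allow-Credentials: true
function corsAllowsRead(requesterUrl, responseHeaders, withCredentials = false) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;
  if (acao !== originOf(requesterUrl).serialized) return false;
  return !withCredentials
    || responseHeaders['access-control-allow-credentials'] === 'true';
}

// The two URLs from the Chrome console errors on this page.
const REPORTER = 'http://www.herdict.org/participate/reporter';
const FRAMED_SITE = 'http://www.fun1001.com/';

console.log('same origin:', sameOrigin(FRAMED_SITE, REPORTER)); // false
// Constructed headers: an Access-Control-Allow-Origin echoing the requester's
// origin is what lets a cross-origin read through.
console.log('CORS read allowed:', corsAllowsRead(FRAMED_SITE, {
  'access-control-allow-origin': 'http://www.fun1001.com',
})); // true
```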
## Herdict Web Browser Add-on

It is also possible to download an add-on here: http://www.herdict.org/participate/download.

The add-on is available for Google Chrome, Firefox and Internet Explorer.

The add-on installs a toolbar that asks Herdict for the profile of every site the user accesses. If a site being visited has been reported blocked from the user's country, the icon is either yellow or red. The user can report the reachability of the site by clicking on the icon and filling in the information, similar to how it is done with Herdict Reporter.
# Checklist

### Is the tool Open Source?

The source is not explicitly released, but since it is a web application the client-side part can be accessed.

The core of the Reporter web application can be found here:

http://www.herdict.org/includes/js/reporter.js
### Is the data collected made public?

The data is publicly accessible and viewable from the web application. However, it is not possible to download more than 500 records at a time.

https://www.herdict.org/explore/data?fs=2245#fs=
### Is the data format that is used for publication easy to interact with?

The raw data is available as CSV. The format of the CSV file is:

```
Date,URL,Type,Country,isp,Location,Comments
```
### What license is used for releasing the data?

Licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

### Are the methodologies explained?

Yes.

### Is the tool to be used by the general public?

Yes.

### If so, is the user warned of possible risks that he may incur when running the tool?

No.

### Does the data collected by the tool include potentially sensitive information?

Yes.
Broader questions that should be answered when evaluating tools are:

## What kind of tests does the tool perform?

The tool relies only on user feedback, so it does not perform any tests by itself. What Herdict Reporter does is display a set of websites in random order.
## How accurate are the tests?

Since it relies on user feedback, the accuracy of the tool may vary, as a user may report as blocked something that is not in fact a sign of blocking.

To crowdsource the reporting of site inaccessibility.
## Are the claims satisfied?

Yes.
## How does the reporting system work?

The reports are done by issuing a GET request to an API provided by the backend Herdict website.

are done in cleartext to this address:

Method: POST

http://www.herdict.org/participate/reporter/1

```
siteInaccessibleAjax:
testCountry:IT
closeWindow:false
alternateTag:
report.comments:
_sourcePage:t6w40Ricm2iK0UZ4U8kCl4L43kbS7Rsb2rHKBHOWRsKs9N-SMZviYRK3g32KYH2E
__fp:3-bxLZNZ_-ZErfCjTBA60RDg096X3wIjQRddM1U4tBdTxVG4QtABQUTPbxOCNMy_CyX0SMaPGRfbKVaAN2ZBUQ==
```
For the Herdict Add-on reporter on Firefox the requests are done over HTTPS via GET to this address:

```
http://www.herdict.org/web/action/ajax/plugin/report
+ "&report.url=" + encodeURIComponent(this._rot13(document.getElementById("url").value))
+ "&report.country.shortName=" + document.getElementById("country").selectedItem.value
+ "&defaultISPName=" + encodeURIComponent(this.isp)
+ "&encoding=" + "ROT13";
```
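The request construction above, as an added example that is not the add-on's own code: it builds the plugin report query the way the Firefox snippet does and then decodes a captured request line, which shows that the ROT13 "encoding" of `report.url` is obfuscation rather than confidentiality. It assumes `this._rot13` is plain ROT13 over ASCII letters (the add-on's implementation is not shown on the page); the report values are constructed.

```javascript
// Added example, not the add-on's own code: builds the plugin report query the
// way the Firefox add-on snippet above does and decodes a captured one. Assumes
// this._rot13 is plain ROT13 over ASCII letters (the add-on's implementation is
// not shown on the page). All report values below are constructed.

const REPORT_ENDPOINT = 'http://www.herdict.org/web/action/ajax/plugin/report';

// ROT13 shifts A-Z and a-z by 13 places; digits, dots and slashes pass through,
// so even the "encoded" value still shows the shape of the reported URL.
function rot13(s) {
  return s.replace(/[a-zA-Z]/g, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Mirrors the add-on's concatenation: report.url is ROT13'd and then
// percent-encoded, country and ISP are appended, encoding=ROT13 tells the server.
function buildReportUrl({ url, country, isp }) {
  return REPORT_ENDPOINT
    + '?report.url=' + encodeURIComponent(rot13(url))
    + '&report.country.shortName=' + country
    + '&defaultISPName=' + encodeURIComponent(isp)
    + '&encoding=ROT13';
}

// What anyone holding the request line (a proxy log, a cleartext capture) can
// recover: ROT13 is its own inverse, so confidentiality rests on TLS alone.
function decodeReportUrl(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  const raw = params.get('report.url') || '';
  return {
    url: params.get('encoding') === 'ROT13' ? rot13(raw) : raw,
    country: params.get('report.country.shortName'),
    isp: params.get('defaultISPName'),
  };
}

// Constructed sample report, round-tripped through build and decode.
const sampleReport = { url: 'http://www.example.org/news', country: 'IT', isp: 'Example ISP' };
const sampleRequest = buildReportUrl(sampleReport);
console.log(sampleRequest);
console.log(decodeReportUrl(sampleRequest));
```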
## Is confidentiality and integrity of data being reported maintained?

The data transmitted to the backend system by the Firefox add-on is encrypted end to end.

Even when the data is encrypted it does not enforce PFS. It allows the client to

This is the output of sslscan:
```
$ sslscan herdict.org

Testing SSL server herdict.org on port 443

Verify Certificate:
Certificate passed verification
```
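As an added example (not the page's scan result), the check a reviewer would run over sslscan output to answer the PFS question raised above: it parses the `Accepted ...` cipher lines in the format sslscan prints and reports whether every accepted suite uses an ephemeral key exchange, and which suites are obviously weak. The scan text is constructed, not herdict.org's real output.

```javascript
// Added example, not from the page's scan: parses the "Accepted ..." cipher
// lines in the format sslscan prints and reports whether every accepted suite
// offers forward secrecy, the property the text says the server does not
// enforce. The scan text below is constructed, not herdict.org's real output.

const SAMPLE_SSLSCAN = `
  Supported Server Cipher(s):
    Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1.2  128 bits  AES128-SHA
    Accepted  TLSv1    112 bits  DES-CBC3-SHA
    Accepted  TLSv1    128 bits  RC4-SHA
    Rejected  SSLv3    40 bits  EXP-RC4-MD5
`;

// Forward secrecy needs an ephemeral (EC)DH key exchange. Suites using RSA key
// transport (no DHE/ECDHE prefix) let a later private-key compromise decrypt
// recorded sessions.
function hasForwardSecrecy(suite) {
  return /^(ECDHE|DHE|EDH)-/.test(suite);
}

// Obviously weak suites: short keys, export grade, RC4, (3)DES, NULL or MD5.
function isWeakSuite(suite, bits) {
  return bits < 128 || /(^EXP|RC4|DES|NULL|MD5)/.test(suite);
}

// Extract only the suites the server accepted: protocol, key bits, suite name.
function parseAccepted(scanText) {
  const line = /^\s*Accepted\s+(\S+)\s+(\d+) bits\s+(\S+)/gm;
  const found = [];
  let m;
  while ((m = line.exec(scanText)) !== null) {
    found.push({ protocol: m[1], bits: Number(m[2]), suite: m[3] });
  }
  return found;
}

// Summary a reviewer wants: does the server enforce PFS, and what is weak?
function analyzeSslscan(scanText) {
  const accepted = parseAccepted(scanText);
  const nonPfs = accepted.filter((c) => !hasForwardSecrecy(c.suite)).map((c) => c.suite);
  const weak = accepted.filter((c) => isWeakSuite(c.suite, c.bits)).map((c) => c.suite);
  return { accepted: accepted.length, nonPfs, weak, enforcesPfs: nonPfs.length === 0 };
}

console.log(analyzeSslscan(SAMPLE_SSLSCAN));
```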
# What are its strengths

* Censorship data can be easily collected from various parts of the planet. A user wishing to contribute is not required to install special software and can run everything from inside a web browser.
* Pretty UI

# What are its weaknesses

* Encryption is not enforced on the website, and when encryption is used it allows weak cipher suites.
* Potentially inaccurate data collected from users.
# Bottom line

As they state in their about page: "Whereas OpenNet views Internet filtering through an academic lens, Herdict uses crowdsourcing to learn about and present a real time view of the experiences of users around the globe", so the data collected by Herdict should be taken with the right amount of caution, but it can be very valuable to have real-time data in places where there would otherwise be none.