whatsapp: implement remaining checks #741
Merged
As mentioned in the commit, we see a 400 Bad Request error from
WhatsApp when using the User-Agent we use for measurements along
with Golang's standard ClientHello fingerprint.
This looks like MITM detection like https://mitm.watch to me.
A fix for this issue could be to find a combination of User-Agent
and ClientHello that does not trigger 400 and keep the test as it
should be according to the spec.
Yet, if there is MITM detection, it may change. This will likely
cause future false positives, and we already have a bunch of such
false positives for the IM tests.
Also, it currently seems safe to assume that, if we can perform
a TLS handshake with a certificate pool we trust, then we are
talking with WhatsApp. Therefore, the status code and the returned
web page matter much less than they did when we wrote the initial
implementation of the WhatsApp experiment.
What's more, because the HTTP request only redirects us, we should
probably also simplify that check, to avoid asserting anything on
the returned web page if we're correctly redirected.
How to properly do this will be researched in the next sprint
as part of #740.
Further investigating this issue should also be fun.
This work is part of #55.
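
An added illustration of the reasoning in this description, not code from the pull request or the project: a Go check that records TLS verification against a trusted pool separately from the status code and redirect target, and never reads the body. The names `check`, `Result` and `newConstructedServer`, the local test server and the `example.invalid` redirect target are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Result keeps the transport-level signal apart from the HTTP-level one.
type Result struct {
	TLSVerified bool   // handshake completed against the trusted pool
	Status      int    // recorded, not used to decide who we talked to
	Location    string // redirect target, if any; the body is never read
}

// check (hypothetical helper) fetches url trusting only the CAs in pool.
func check(url string, pool *x509.CertPool) Result {
	client := &http.Client{
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}},
		// Observe the first response only; do not follow redirects.
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	resp, err := client.Get(url)
	if err != nil {
		return Result{} // covers certificate verification failure
	}
	defer resp.Body.Close()
	return Result{resp.TLS != nil && resp.TLS.HandshakeComplete, resp.StatusCode, resp.Header.Get("Location")}
}

// newConstructedServer is a local stand-in: "/" answers 400, "/r" redirects.
func newConstructedServer() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/r" {
			http.Redirect(w, r, "https://example.invalid/", http.StatusFound)
			return
		}
		http.Error(w, "Bad Request", http.StatusBadRequest)
	}))
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust exactly this server's certificate
	return srv, pool
}

func main() {
	srv, pool := newConstructedServer()
	defer srv.Close()
	fmt.Println(check(srv.URL+"/", pool), check(srv.URL+"/r", pool), check(srv.URL+"/", x509.NewCertPool()))
}
```

A 400 response still yields `TLSVerified` set to true, while a pool that does not trust the server's certificate yields the zero `Result`, so the two failure modes stay distinguishable in the measurement.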