For the past few days, especially yesterday, I have exchanged a number of emails around the globe to figure out a solution for the deteriorating blogging condition in Pakistan, which started a few days back as reported by Don’t Block the Blog, the Press Release of 3rd February and also my blog. I have a few things to share, so I thought I would formulate this into a small report.
PSIPHON – http://psiphon.civisec.org/
I was probing whether PsiPhon could be used from Pakistan to handle the Pakistani censorship (PsiPhon is a better replacement for TOR, which I talked about a few months back here), but unfortunately PsiPhon does not support SSL at the moment. Today, however, Nart Villeneuve (of Citizen Lab, who has been actively involved with the creation of PsiPhon) responded that the next update will definitely handle SSL; it is due to be out in the coming few days and more close to a month.
I quote a few sections of his email correspondence with everyone:
My understanding is that psiphon will allow https/ssl connection soon. There are other ways depending on your setup, for example, if your version of php is compiled with openssl support, fsockopen (http://ca.php.net/manual/en/function.fsockopen.php) will support ssl:// (same as https); also cgiproxy (http://www.jmarshall.com/tools/cgiproxy/) will support https:// connections if you have openssl and the perl module Net::SSLeay. However, because of all the scripts and so forth used by the blogger interface, getting a web-based proxy (such as cgiproxy, or psiphon when it supports https) to work seamlessly will be difficult.
On a personal level I did get that cgiproxy setup, but sadly not on an HTTPS framework – as that requires an expensive certificate to the tune of $250 by a certifying agency. But what is definitely a concern is his statement here, which should be weighed heavily before creating any such solution.
There is another important consideration here. The operator of the “proxy” — whatever it is — will be able to collect all the usernames/passwords of all the bloggers who login via that interface! And since the account is now tied to your google account, the proxy owner could get all your gmail too!
Hence the security threat is definitely an issue of grave concern. In light of our problems in Pakistan, Nart has also sent a copy of our email exchange to a few contacts at Google, since he has been interacting very closely with them for the past year and a half, probing the option of whether the blogspot back-end can remain on an unencrypted platform to be accessible from Pakistan, maybe not publicized but more as an underhand tweak to enable bloggers full access to the blogspot interface.
In other news, I also had a good IM chat last night with Naveed Memon about solving the issue at the PkBlogs end. He was very understanding, and his one line really conveyed a strong message: “even if I am too busy, we can’t after all, let them win!” That, I feel, is the spirit with which Naveed and Yasir Memon have worked for the Pakistani blog community over the past year; I think their efforts should definitely be lauded.
In our detailed discussion I think we both understood the gist of the problem (as long as the gmail sign-in process can be handled with the proxy script it should be a walk in the park – it's more of configuring the pkblogs script to retain the cookie used to sign in). Let it be well understood that this configuration of retaining the cookie solves the accessibility issue but introduces a huge privacy leak, as pointed out by Nart, but it does definitely solve the issue. Naveed suggested we can configure the cookie to expire and be discarded after, say, 30 minutes, but even then the issue persists. As a safety precaution I have requested him (if possible) to have the script evaluated by someone independent, to have transparency in the process. Though I trust him, for the sake of the overall community we should think this issue out thoroughly in all honesty.
We may have nailed the problem, but a solution has to be created from scratch. He has said he will definitely give it a shot despite a heavy workload on a number of projects at hand – he sadly has not given us a time frame, but trusting him I suspect it will be soon.
That’s it guys – I thought I should get you all up to speed on the work in progress on the technical side, but can someone take the initiative on the legal aspect of this battle – we need to get that going ASAP.