147 posts

Master Geek
Inactive user


Reply # 307097 14-Mar-2010 15:18

Apparently if a website is using SSL it cannot be censored. Is this true? So if all websites used https:// would that mean they cannot be blocked by the government's filter?

21 posts

Geek

Trusted

Reply # 307099 14-Mar-2010 15:22

Yuxec - that is correct.

The filter has to be able to see what website and URL has been requested so it can decide whether to block it or not.

HTTPS encrypts everything between you and the webserver. The filter can't decrypt the request and therefore can't tell whether you're going to a "bad site" or a "good site" at that network address, so it just lets it through.

This is one of the big problems with filtering and surveillance on the internet - the only way to make sure you see everything going through is to ban encryption (or provide the government with back doors so that they can access it anyway).

Indeed, the filter can only intercept HTTP (i.e. normal unencrypted web traffic). It can't see email, chat, peer-to-peer file sharing, ftp, etc, etc. 

2329 posts

Uber Geek
+1 received by user: 79


Reply # 307140 14-Mar-2010 18:10

How does one go about writing up/submitting an OIA request?

21 posts

Geek

Trusted

Reply # 307206 14-Mar-2010 21:29

OIA requests are very simple. Here's an example:

Dear Ministry of Internal Affairs,

Please send me any position papers, letters, meeting minutes, discussion papers or any other documents you have about [subject]. 

Yours,

[your name] 

3bit.com
5889 posts

Uber Geek
+1 received by user: 195

Moderator
Trusted
Subscriber

Reply # 307208 14-Mar-2010 21:33

thomasbeagle: The filter has to be able to see what website and URL has been requested so it can decide whether to block it or not. 


Isn't the filter based on a list of IP addresses, so it doesn't matter if the request is SSL, you will still be browsing to a URL, which will then resolve to an IP address, which could then be blocked?




21 posts

Geek

Trusted

Reply # 307222 14-Mar-2010 22:28

"Isn't the filter based on a list of IP addresses, so it doesn't matter if the request is SSL, you will still be browsing to a URL, which will then resolve to an IP address, which could then be blocked?"

You're sort of correct. :)

The ISPs redirect traffic to the filter server based on IP address. This means that all HTTP, HTTPS, SMTP, FTP, P2P, etc requests for that IP address are diverted to the filter.

The key point is that the filter then decides what traffic to block and what traffic to let through.

The filter takes the HTTP (i.e. normal unencrypted web) requests and looks at the requested URL. If that URL is on the banned list the request is blocked, otherwise it is let through.

Of course, when you send a request to an HTTPS site, your browser and the remote server encrypt everything that passes between them. This includes the URL that you have requested, which means that the filter can only see an encrypted data stream and therefore can't tell which URL you are requesting. Therefore it just lets it pass through.

All other protocols aren't examined by the filter and are just passed through.

 

2329 posts

Uber Geek
+1 received by user: 79


Reply # 307224 14-Mar-2010 22:30


Isn't the filter based on a list of IP addresses, so it doesn't matter if the request is SSL, you will still be browsing to a URL, which will then resolve to an IP address, which could then be blocked?


First thing that happens is that you do a DNS lookup that resolves to an IP, then your browser starts an SSL session to that IP. So it'll hit the filter based on the IP, but since the GET <url> is inside an SSL session, they can't tell what it is.

3bit.com
5889 posts

Uber Geek
+1 received by user: 195

Moderator
Trusted
Subscriber

Reply # 307365 15-Mar-2010 12:38

Orcon have made clear their stance on this:

We also would like to reiterate that we are not currently participating in any kind of Internet filtering, nor do we have any plans to in the immediate future.


I wonder if use of this filter will be made mandatory in the future, then ISPs would have no choice.




601 posts

Ultimate Geek
+1 received by user: 5

Trusted

Reply # 307385 15-Mar-2010 13:27

If it becomes mandatory, then I foresee a huge increase in the number of VPN accounts to US PoPs.  It's less than NZ$10/month...

In fact, VPN providers already advertise on their ability to get around national filters/throttles in locations such as Belize, China, UAE, Oman, Guyana...

So, you've got providers that consider it a _goal_ to get around these filters, and countries with stronger free speech and/or privacy rules.

I foresee multiple VPNs, one VPN to a country with lax IP laws, and another to a country with strong free speech laws.

Being encrypted, DPI doesn't really help.  However, NZ Internet is now worse off because all traffic is avoiding ISPs' proxies.

Although, YouTube would finally start working for people because it would avoid TCL's throttling. 




1679 posts

Uber Geek
+1 received by user: 172


Reply # 307390 15-Mar-2010 14:11

I'm with Snap and they won't be part of it, but they will have an opt-in option for anyone who wants their internet filtered.

147 posts

Master Geek
Inactive user


Reply # 307391 15-Mar-2010 14:11

thomasbeagle: Yuxec - that is correct.

The filter has to be able to see what website and URL has been requested so it can decide whether to block it or not.

HTTPS encrypts everything between you and the webserver. The filter can't decrypt the request and therefore can't tell whether you're going to a "bad site" or a "good site" at that network address, so it just lets it through.

This is one of the big problems with filtering and surveillance on the internet - the only way to make sure you see everything going through is to ban encryption (or provide the government with back doors so that they can access it anyway).

Indeed, the filter can only intercept HTTP (i.e. normal unencrypted web traffic). It can't see email, chat, peer-to-peer file sharing, ftp, etc, etc. 


But couldn't they manually type in the URL? Like on some internet filtering software you can download for your PC, you just type in a URL and it's blocked, so couldn't the government type in https://www.url.com and block it like that?

I am going to start emailing some legal adult websites and get them to have an SSL version. I wonder if Geekzone is going to have an SSL version.

21 posts

Geek

Trusted

Reply # 307396 15-Mar-2010 14:18

yuxek: 
But couldn't they manually type in the URL? Like on some internet filtering software you can download for your PC, you just type in a URL and it's blocked, so couldn't the government type in https://www.url.com and block it like that?


Nope.

Here's how the filter works again:

1. Govt adds URL to block list.
2. Govt turns URL into IP address.
3. Govt sends list of IPs to ISPs
4. ISPs divert all traffic to those IPs to the filter
5. Govt filter examines traffic and decides what to block or allow

Now, from the user perspective using your example:

1. User types in https://www.url.com
2. User's computer uses DNS to resolve that to 10.1.1.1
3. User's computer requests a secure HTTPS session to 10.1.1.1
4. The ISP sees that 10.1.1.1 is on the filter list and diverts it to the filter
5. The govt filter sees the encrypted connection request to 10.1.1.1, but it can't see which URL was requested as that is also encrypted.
6. The govt filter can't decrypt it and therefore lets it through

The problem (from the govt's perspective) is that they never see the URL for HTTPS connections. Therefore they either have to block all HTTPS to that IP address... or none. 
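
A minimal model of the filter steps listed in the post above, added here as an illustration and not part of the original thread or of any real filter's code; the addresses, URLs, byte strings and function names are constructed. It shows that a diverted plain-HTTP flow exposes its URL while a diverted TLS flow exposes none, leaving only an all-or-nothing choice per IP address.

```python
# Added illustration: addresses, URLs and byte strings below are constructed.
DIVERTED_IPS = {"10.1.1.1"}                        # IP list sent to ISPs
BLOCKED_URLS = {"http://www.url.com/banned.html"}  # govt URL block list
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def visible_url(first_bytes):
    """Return the URL readable at the start of a flow, or None if there is none."""
    if not first_bytes.startswith(HTTP_METHODS):
        return None  # TLS handshake record (0x16 ...) or some other protocol
    head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *headers = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return "http://" + value.strip().lower() + parts[1]
    return None

def filter_decision(dst_ip, first_bytes, block_all_https=False):
    """Model the ISP diversion and the filter's verdict for one flow."""
    if dst_ip not in DIVERTED_IPS:
        return "not diverted"          # ISP routes it normally
    url = visible_url(first_bytes)
    if url is not None:
        return "block" if url in BLOCKED_URLS else "pass"
    if first_bytes[:1] == b"\x16" and block_all_https:
        return "block"                 # every HTTPS URL at this IP, good or bad
    return "pass (no URL visible)"

HTTP_BANNED = b"GET /banned.html HTTP/1.1\r\nHost: www.url.com\r\n\r\n"
HTTP_OK = b"GET /index.html HTTP/1.1\r\nHost: www.url.com\r\n\r\n"
# First bytes of a TLS handshake record; the later GET line travels encrypted.
TLS_HELLO = bytes.fromhex("16030100310100002d0301") + bytes(43)

if __name__ == "__main__":
    for name, flow in [("http banned", HTTP_BANNED), ("http ok", HTTP_OK),
                       ("https", TLS_HELLO)]:
        print(name, "->", filter_decision("10.1.1.1", flow))
```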

137 posts

Master Geek
Inactive user


Reply # 308077 16-Mar-2010 23:48


1. User types in https://www.url.com
2. User's computer uses DNS to resolve that to 10.1.1.1
3. User's computer requests a secure HTTPS session to 10.1.1.1
4. The ISP sees that 10.1.1.1 is on the filter list and diverts it to the filter
5. The govt filter sees the encrypted connection request to 10.1.1.1, but it can't see which URL was requested as that is also encrypted.
6. The govt filter can't decrypt it and therefore lets it through

The problem (from the govt's perspective) is that they never see the URL for HTTPS connections. Therefore they either have to block all HTTPS to that IP address... or none. 


Urr dude, I think you're forgetting a pretty relevant fact in this statement.  The entire HTTPS session is redirected through the proxy (filter) hence it's a man in the middle... think this through... as eventually every ISP WILL have a "government approved" filter appliance.

Google "man in the middle +ssl"... at best you're going to get a strange certificate error - which most people will accept anyway... but more than likely you're not going to know that your SSL session is totally transparent to "big brother".

http://en.wikipedia.org/wiki/Internet_censorship_in_Australia
http://nocleanfeed.com/

Filtering will only ever be used for purposes of eavesdropping, the more the technology develops the more they will be able to see.  FFS we have an Echelon station in NZ... why do you think we have that :P  Sure it's to catch the kiddie pr0n dealers... or protect us from Terrorists...LOL...

BTW your DNS requests basically give you away anyways (and can be used in court without any other evidence).  If you need privacy use a VPN or similar.


268 posts

Ultimate Geek


Reply # 308131 17-Mar-2010 08:18

JDNZ:

Urr dude, I think you're forgetting a pretty relevant fact in this statement.  The entire HTTPS session is redirected through the proxy (filter) hence it's a man in the middle... think this through... as eventually every ISP WILL have a "government approved" filter appliance.

Google "man in the middle +ssl"... at best you're going to get a strange certificate error - which most people will accept anyway... but more than likely you're not going to know that your SSL session is totally transparent to "big brother".


If the user doesn't understand certificate errors, that's their problem.  I would find it unlikely that they could successfully pull off a man in the middle attack on an informed user.



BTW your DNS requests basically give you away anyways (and can be used in court without any other evidence).  If you need privacy use a VPN or similar.


This is not how the filter is stated to work.  Unless your ISP is logging your DNS lookups then this is a non-issue.


605 posts

Ultimate Geek
+1 received by user: 1

Trusted

Reply # 308145 17-Mar-2010 08:59

nate: Orcon have made clear their stance on this:

We also would like to reiterate that we are not currently participating in any kind of Internet filtering, nor do we have any plans to in the immediate future.


I wonder if use of this filter will be made mandatory in the future, then ISPs would have no choice.


Isn't Orcon now owned by Kordia?  Kordia being an SOE ... 
