Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.

View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
601 posts

Ultimate Geek
+1 received by user: 5

Trusted

  Reply # 308148 17-Mar-2010 09:03 Send private message

Silent MitM attacks are easy when you're a certificate authority, or you have control of one.  That was why such a big stink was raised when Mozilla added a Chinese government owned org as a CA.  

However, there are enough governmental organisations on the list, that it is likely to be very easy for any of them to get a certificate signed stating that they are someone else.

Even without it, there are attacks against SSL using web proxies - just look at what Opera Mini does with its rewriting proxy.

However, even with all of that, we have pretty good knowledge of what the current filter is capable of.  It isn't capable of snooping anything other than HTTP.

So, to be truly paranoid:

1) Don't trust DNS - type the IP address and port in by hand.
2) Don't trust the built-in CAs, hand deliver the signed certificate through a secondary channel.
3) Don't surf using anything other than HTTPS.

In fact, take off and nuke the whole thing from orbit.  It's the only way to be sure. 

I do wonder why people think that these filters are a good idea.  I think we need a post office metaphor here!

What filters are on the mail service?  Telephone service?  Do we block address ranges and add automatic taping of phone calls to certain numbers (actually, we probably do, we just don't talk about that stuff)?




603 posts

Ultimate Geek

Trusted

  Reply # 308152 17-Mar-2010 09:11 Send private message

JDNZ:

1. User types in https://www.url.com
2. User's computer uses DNS to resolve that to 10.1.1.1
3. User's computer requests a secure HTTPS session to 10.1.1.1
4. The ISP sees that 10.1.1.1 is on the filter list and diverts it to the filter
5. The govt filter sees the encrypted connection request to 10.1.1.1, but it can't see which URL was requested as that is also encrypted.
6. The govt filter can't decrypt it and therefore lets it through

The problem (from the govt's perspective) is that they never see the URL for HTTPS connections. Therefore they either have to block all HTTPS to that IP address... or none. 


Urr dude, I think your forgetting a pretty relevant fact in this statement.  The entire HTTPS session is redirected through the proxy (filter) hence it's a man in the middle... think this through... as eventually every ISP WILL have a "government approved" filter appliance.


But all the data will be encrypted - the DIA filter will have no choice but to pass it on un-altered.  This is what internet routers do all day, every day.  Your traffic simply takes another route.

Thinking about it, I suspect that the filter itself would probably be quite easy to DoS.

 Google "man in the middle +ssl"... at best your going to get a strange certificate error - which most people will accept anyway... but more than likely your not going to know that your SSL session is totally transparent to "big brother".

http://en.wikipedia.org/wiki/Internet_censorship_in_Australia
http://nocleanfeed.com/

Filtering will only ever be used for purposes of eavesdropping, the more the technology develops the more they will be able to see.  FFS we have an Echelon station in NZ... why do you think we have that :P  Sure it's to catch the kiddie pr0n dealers... or protect us from Terrorists...LOL...


I can't really agree with all this - a stated purpose is to notify the end user that the site is blocked (unless the official statement has changed since I last read it - or I'm misquoting it - either are likely) - so the "only" purpose cannot be eavesdropping.  A convenient by-product if there is enough storage.  However I'm arguing the semantics here ... 

BTW your DNS requests basically give you away anyways (and can be used in court without any other evidence).  If you need privacy use a VPN or similar.


I would hope our court system would not use a DNS request on it's own in a trial - The only thing DNS will give you is a value based upon an input - unless someone is hiding stuff in the INFO or TXT records (like the DeCSS). 

603 posts

Ultimate Geek

Trusted

  Reply # 308156 17-Mar-2010 09:20 Send private message

jpollock: Silent MitM attacks are easy when you're a certificate authority, or you have control of one.  That was why such a big stink was raised when Mozilla added a Chinese government owned org as a CA.  

However, there are enough governmental organisations on the list, that it is likely to be very easy for any of them to get a certificate signed stating that they are someone else.


I think it's possible in most modern OS'es to delete certain CA's if required.  (Of course, if it's hidden in a chain of trust, that becomes a problem.


Even without it, there are attacks against SSL using web proxies - just look at what Opera Mini does with its rewriting proxy.

However, even with all of that, we have pretty good knowledge of what the current filter is capable of.  It isn't capable of snooping anything other than HTTP.

So, to be truly paranoid:

1) Don't trust DNS - type the IP address and port in by hand.


This won't help you - the routing happens based upon IP address, so even going through IP by hand, how do you tell the (assumed) Name Based Virtual Host webserver on the other end which website you want to ogle?


2) Don't trust the built-in CAs, hand deliver the signed certificate through a secondary channel.
3) Don't surf using anything other than HTTPS.

In fact, take off and nuke the whole thing from orbit.  It's the only way to be sure. 


+1 :-)


I do wonder why people think that these filters are a good idea.  I think we need a post office metaphor here!

What filters are on the mail service?  Telephone service?  Do we block address ranges and add automatic taping of phone calls to certain numbers (actually, we probably do, we just don't talk about that stuff)?


The mail service can (and will) open your mail in transit.  You will (generally) receive you mail a little later, but it will have a tape on it saying something like "Re-packaged by NZPost".  I confess that I don't know the regulations on that, but I've certainly received mail like that in the past.  At our borders, customs certainly have the authority to seize and search postal items.

Telephones - I think you need a warrant to implement a tap. 

137 posts

Master Geek
Inactive user


  Reply # 308376 17-Mar-2010 16:42 Send private message

jpollock: However, even with all of that, we have pretty good knowledge of what the current filter is capable of.  It isn't capable of snooping anything other than HTTP.

So, to be truly paranoid:

1) Don't trust DNS - type the IP address and port in by hand.
2) Don't trust the built-in CAs, hand deliver the signed certificate through a secondary channel.
3) Don't surf using anything other than HTTPS.

In fact, take off and nuke the whole thing from orbit.  It's the only way to be sure. 

I do wonder why people think that these filters are a good idea.


I personally don't believe that the Government would openly admit to using the "filter" for anything illegal - which eavesdropping is without the relevant laws being followed.  And we all know that governments always tell the whole truth right...

So, to be truly paranoid doesn't actually require all the effort (or nuking) you mentioned.  Just use a trusted VPN or TOR or any other well known, secure encryption standard.  Easy peasy. 

Now the statement above means the government pretty much has to eavesdrop illegally on everyone just fulfill the original purpose and to catch anyone with 1/2 a brain doing something dodgy.  Hence the reason filters will only ever be used for eavesdropping and to restrict freedom.

I too wonder why people think that banning, filtering, prohibition, restrictions, etc have anything to do with reducing crime... or make anyone's life better.

601 posts

Ultimate Geek
+1 received by user: 5

Trusted

  Reply # 308464 17-Mar-2010 20:48 Send private message

JDNZ:
So, to be truly paranoid doesn't actually require all the effort (or nuking) you mentioned.  Just use a trusted VPN or TOR or any other well known, secure encryption standard.  Easy peasy. 


The problem is that TOR, encryption or anything else won't work if the attacking party is able to subvert the trust relationship needed to validate the public key in the initial stage of the key exchange.  So, if they route all TOR traffic to a local node, route HTTPS traffic to a site with a fake CA signature on the TLS certificate (same for VPN connections), you won't _know_ that there is someone in the middle.

The only way to setup a secure end-to-end connection is by being able to trust the other party's public key.  If you can't trust that key (because you don't trust the CA, or because you downloaded it from an insecure site), then you can't trust the connection.  Hence the take off and nuke it from orbit solution for the truly paranoid.

This is also why when people talk about true communications security, the public key exchange is done face to face.  Examples in novels - Cryptonomicon and Little Brother.





3 posts

Wannabe Geek


  Reply # 308862 18-Mar-2010 18:04 Send private message

DIA spoof video. It's funny

http://www.youtube.com/watch?v=T5j4com3kGk

157 posts

Master Geek


  Reply # 309162 19-Mar-2010 15:10 Send private message

With so many people against it, how can they get away with it?
Why can't we complain and say we don't want our tax money going towards the DIA cause we don't want them operating anyway.

147 posts

Master Geek
Inactive user


  Reply # 309167 19-Mar-2010 15:19 Send private message

well i don't think i've seen this story in the nzherald. wonder why they aren't making it front page news.

157 posts

Master Geek


  Reply # 309171 19-Mar-2010 15:24 Send private message

Because the government got to them. You'd think it'd be on the front page of every paper just because of all the hype against the filter but nope. theres not

46 posts

Geek


  Reply # 309214 19-Mar-2010 16:38 Send private message

shiroshadows: With so many people against it, how can they get away with it?
Why can't we complain and say we don't want our tax money going towards the DIA cause we don't want them operating anyway.


How many people have actually taken the time to write to their MP, ISP, newspaper, Tv station, ..., about how they feel?
How many people have been out on the streets petioning, protesting?

21 posts

Geek

Trusted

  Reply # 309217 19-Mar-2010 16:45 Send private message

If you oppose the filter:

- write to your MP and tell them so
- write to your ISP and tell them that if they implement it you'll switch ISP
- tell other people about it and ask them to do the same

New website coming real soon now! :) 

157 posts

Master Geek


  Reply # 309218 19-Mar-2010 16:46 Send private message

adam77:
shiroshadows: With so many people against it, how can they get away with it?
Why can't we complain and say we don't want our tax money going towards the DIA cause we don't want them operating anyway.


How many people have actually taken the time to write to their MP, ISP, newspaper, Tv station, ..., about how they feel?
How many people have been out on the streets petioning, protesting?


I know what you mean.
I am going to write to my ISP and Local MP now

Hopefully someone does start some sort of riot or protest. I'd turn up.

157 posts

Master Geek


  Reply # 309771 22-Mar-2010 12:14 Send private message

PhantomSS: I have read this site and noted down that they are blocking Child Pornography. Is this something weshould consider? Or is there a reason to saying no. I'm glad Xtra have adopted this marvelous Technology as I will not be able to view this most heinous material anymore.

It has been in the works for many years now, and according to much credited research it has not slowed down the internet at all. So why not use it. I would be in awe if New Zealand followed China into the 22nd Century and started to tell it's people what's accessible and what is not.

The only thing I can see wrong with it is a breach of freedom of speech, which of course we don;t have because we're New Zealand. Most people will not like this, and I can see a lot of people jumping ship because of it. Even though the S92a is looming in the midst


Glad? How could you be glad. Telecom Xtra is most likely to abuse the new filter by blocking sites they are in no way related to child pornography and blaming it on the DIA's filter.
I do alot of surfing and I have never come across this disgusting type of content so I do not see how it is a problem. Especially considering a simple call or email to a site that hosts this type of content or to their isp will get the site shut down anyways.

I also like the way you vaguely alluded to "much credited research" without providing any real facts.

Now would be a good time for Orcon, Slingshot and Natcom to provide an unlimited bandwith plan for cheap so I can change to it, because I personally like my government conspiracy stories/docos and wikileaks and do not want the govt. abusing the filter and blocking this particular type of content.

Plus I forsee Telecom will block torrent sites to prevent people from getting their money's worth out of their bandwidth on the BigTime plan then blame the filter.

21 posts

Geek

Trusted

  Reply # 309773 22-Mar-2010 12:18 Send private message

You may want to look at:

http://stopthefilter.org.nz

Cheers,

Thomas.
 

BDFL
49198 posts

Uber Geek
+1 received by user: 4173

Administrator
Trusted
Geekzone
Subscriber

  Reply # 309775 22-Mar-2010 12:22 Send private message

shiroshadows:
PhantomSS: I have read this site and noted down that they are blocking Child Pornography. Is this something weshould consider? Or is there a reason to saying no. I'm glad Xtra have adopted this marvelous Technology as I will not be able to view this most heinous material anymore.

It has been in the works for many years now, and according to much credited research it has not slowed down the internet at all. So why not use it. I would be in awe if New Zealand followed China into the 22nd Century and started to tell it's people what's accessible and what is not.

The only thing I can see wrong with it is a breach of freedom of speech, which of course we don;t have because we're New Zealand. Most people will not like this, and I can see a lot of people jumping ship because of it. Even though the S92a is looming in the midst


Glad? How could you be glad. Telecom Xtra is most likely to abuse the new filter by blocking sites they are in no way related to child pornography and blaming it on the DIA's filter.
I do alot of surfing and I have never come across this disgusting type of content so I do not see how it is a problem. Especially considering a simple call or email to a site that hosts this type of content or to their isp will get the site shut down anyways.

I also like the way you vaguely alluded to "much credited research" without providing any real facts.

Now would be a good time for Orcon, Slingshot and Natcom to provide an unlimited bandwith plan for cheap so I can change to it, because I personally like my government conspiracy stories/docos and wikileaks and do not want the govt. abusing the filter and blocking this particular type of content.

Plus I forsee Telecom will block torrent sites to prevent people from getting their money's worth out of their bandwidth on the BigTime plan then blame the filter.


Interesting you rant about Telecom because I have already seem Vodafone blaming the filter in a case where the website in question was having unrelated problems. They don't even the filter in place and started the blame game already - read my posts in previous pages.




1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
View this topic in a long page with up to 500 replies per page Create new topic




Twitter »
Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:




News »

Trending now »
Hot discussions in our forums right now:

Lightbox press event release
Created by freitasm, last reply by Flickky on 31-Jul-2014 23:06 (85 replies)
Pages... 4 5 6


New Mobile plans coming?
Created by nunasdream, last reply by tardtasticx on 31-Jul-2014 23:42 (75 replies)
Pages... 3 4 5


Does acupuncture work?
Created by timmmay, last reply by darkasdes2 on 31-Jul-2014 22:30 (49 replies)
Pages... 2 3 4


Checking UHF aerial is working
Created by OnceBitten, last reply by B1GGLZ on 28-Jul-2014 21:49 (21 replies)
Pages... 2


No PIN No Pay
Created by old3eyes, last reply by MaxLV on 31-Jul-2014 23:42 (19 replies)
Pages... 2


2010 Honda Jazz, Suzuki Swift - which has higher maintenance cost?
Created by joker97, last reply by jonathan18 on 31-Jul-2014 10:47 (76 replies)
Pages... 4 5 6


2 x PS4s to give away. Geekzone members only.
Created by BigPipeNZ, last reply by bjorn on 31-Jul-2014 15:43 (72 replies)
Pages... 3 4 5


Hierarchy of a mistake: Gerry Brownlee
Created by joker97, last reply by DonGould on 29-Jul-2014 21:57 (93 replies)
Pages... 5 6 7



Geekzone Live »
Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.