Department of Internal Affairs to Implement NZ Internet Filter

Forums › ICT Policies and Regulation › Department of Internal Affairs to Implement NZ Internet Filter

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11

147 posts

Master Geek
Inactive user

#307097 14-Mar-2010 15:18

apparently if a website is using SSL it cannot be censored. Is this true? So if all websites used https:// would that mean they cannot be blocked by the government's filter?

thomasbeagle

21 posts

Geek

Trusted

#307099 14-Mar-2010 15:22

Yuxec - that is correct.

The filter has to be able to see what website and URL has been requested so it can decide whether to block it or not.

HTTPS encrypts everything between you and the webserver. The filter can't decrypt the request and therefore can't tell whether you're going to a "bad site" or a "good site" at that network address, so it just lets it through.

This is one of the big problems with filtering and surveillance on the internet - the only way to make sure you see everything going through is to ban encryption (or provide the government with back doors so that they can access it anyway).

Indeed, the filter can only intercept HTTP (i.e. normal unencrypted web traffic). It can't see email, chat, peer-to-peer file sharing, ftp, etc, etc.

kyhwana2

2572 posts

Uber Geek
+1 received by user: 233

#307140 14-Mar-2010 18:10

How does one go about writing up/submitting a OIA request?

thomasbeagle

21 posts

Geek

Trusted

#307206 14-Mar-2010 21:29

OIA requests are very simple. Here's an example:

Dear Ministry of Internal Affairs,

Please send me any position papers, letters, meeting minutes, discussion papers or any other documents you have about [subject].

Yours,

[your name]

nate

6473 posts

Uber Geek
+1 received by user: 458

Retired Mod

Trusted

Lifetime subscriber

#307208 14-Mar-2010 21:33

thomasbeagle: The filter has to be able to see what website and URL has been requested so it can decide whether to block it or not.

Isn't the filter based on a list of IP addresses, so it doesn't matter if the request is SSL, you will still be browsing to an URL, which will then resolve to an IP address, which could then be blocked?

thomasbeagle

21 posts

Geek

Trusted

#307222 14-Mar-2010 22:28

"Isn't the filter based on a list of IP addresses, so it doesn't matter if the request is SSL, you will still be browsing to an URL, which will then resolve to an IP address, which could then be blocked?"

You're sort of correct. :)

The ISPs redirect traffic to the filter server based on IP address. This means that all HTTP, HTTPS, SMTP, FTP, P2P, etc requests for that IP address are diverted to the filter.

The key point is that the filter then decides what traffic to block and what traffic to let through.

The filter takes the HTTP (i.e. normal unencrypted web) requests and looks at the requested URL. If that URL is on the banned list the request is blocked, otherwise it is let through.

Of course, when you send a request to an HTTPS site, your browser and the remote server encrypt everything that passes between them. This includes the URL that you have requested, which means that the filter can only see an encrypted data stream and therefore can't tell which URL you are requesting. Therefore it just lets it pass through.

All other protocols aren't examined by the filter and are just passed through.

kyhwana2

2572 posts

Uber Geek
+1 received by user: 233

#307224 14-Mar-2010 22:30

Isn't the filter based on a list of IP addresses, so it doesn't matter if the request is SSL, you will still be browsing to an URL, which will then resolve to an IP address, which could then be blocked?

First thing that happens is that you do a DNS lookup that resolves to an IP, then your browser starts a SSL session to that IP. So it'll hit the filter based on the IP, but since the GET <url> is inside a SSL session, they can't tell what it is..

nate

6473 posts

Uber Geek
+1 received by user: 458

Retired Mod

Trusted

Lifetime subscriber

#307365 15-Mar-2010 12:38

Orcon have made clear their stance on this:

We also would like to reiterate that we are not currently participating in any kind of Internet filtering, nor do we have any plans to in the immediate future.

I wonder if use of this filter will be made mandatory in the future, then ISPs would have no choice.

jpollock

600 posts

Ultimate Geek
+1 received by user: 5

Trusted

#307385 15-Mar-2010 13:27

If it becomes mandatory, then I foresee a huge increase in the number of VPN accounts to US PoPs. It's less than NZ$10/month...

In fact, VPN providers already advertise on their ability to get around national filters/throttles in locations such as Belize, China, UAE, Oman, Guyana...

So, you've got providers that consider it a _goal_ to get around these filters, and countries with stronger free speech and/or privacy rules.

I foresee multiple VPNs, one VPN to a country with lax IP laws, and another to a country with strong free speech laws.

Being encrypted, DPI doesn't really help. However, NZ Internet is now worse off because all traffic is avoiding ISPs proxies.

Although, YouTube would finally start working for people because it would avoid TCL's throttling.

---
http://blog.jason.pollock.ca

vexxxboy

4336 posts

Uber Geek
+1 received by user: 2072

#307390 15-Mar-2010 14:11

im with Snap and they wont be part of it, but they will have an opt in option for anyone who wants there internet filtered.

Common sense is not as common as you think.

yuxek

147 posts

Master Geek
Inactive user

#307391 15-Mar-2010 14:11

thomasbeagle: Yuxec - that is correct.

The filter has to be able to see what website and URL has been requested so it can decide whether to block it or not.

HTTPS encrypts everything between you and the webserver. The filter can't decrypt the request and therefore can't tell whether you're going to a "bad site" or a "good site" at that network address, so it just lets it through.

This is one of the big problems with filtering and surveillance on the internet - the only way to make sure you see everything going through is to ban encryption (or provide the government with back doors so that they can access it anyway).

Indeed, the filter can only intercept HTTP (i.e. normal unencrypted web traffic). It can't see email, chat, peer-to-peer file sharing, ftp, etc, etc.

but couldn't they manually type in the url? like on some internet filtering software you can download for your pc, you just type in a url and it's blocked, so couldn't the government type in https://www.url.com and block it like that?

i am going to start emailing some legal adult websites and get them to have a ssl version. I wonder if geekzone is going to have a ssl version.

thomasbeagle

21 posts

Geek

Trusted

#307396 15-Mar-2010 14:18

yuxek:
but couldn't they manually type in the url? like on some internet filtering software you can download for your pc, you just type in a url and it's blocked, so couldn't the government type in https://www.url.com and block it like that?

Nope.

Here's how the filter works again:

1. Govt adds URL to block list.
2. Govt turns URL into IP address.
3. Govt sends list of IPs to ISPs
4. ISPs divert all traffic to those IPs to the filter
5. Govt filter examines traffic and decides what to block or allow

Now, from the user perspective using your example:

1. User types in https://www.url.com
2. User's computer uses DNS to resolve that to 10.1.1.1
3. User's computer requests a secure HTTPS session to 10.1.1.1
4. The ISP sees that 10.1.1.1 is on the filter list and diverts it to the filter
5. The govt filter sees the encrypted connection request to 10.1.1.1, but it can't see which URL was requested as that is also encrypted.
6. The govt filter can't decrypt it and therefore lets it through

The problem (from the govt's perspective) is that they never see the URL for HTTPS connections. Therefore they either have to block all HTTPS to that IP address... or none.

bradi

137 posts

Master Geek
Inactive user

#308077 16-Mar-2010 23:48

1. User types in https://www.url.com
2. User's computer uses DNS to resolve that to 10.1.1.1
3. User's computer requests a secure HTTPS session to 10.1.1.1
4. The ISP sees that 10.1.1.1 is on the filter list and diverts it to the filter
5. The govt filter sees the encrypted connection request to 10.1.1.1, but it can't see which URL was requested as that is also encrypted.
6. The govt filter can't decrypt it and therefore lets it through

The problem (from the govt's perspective) is that they never see the URL for HTTPS connections. Therefore they either have to block all HTTPS to that IP address... or none.

Urr dude, I think your forgetting a pretty relevant fact in this statement. The entire HTTPS session is redirected through the proxy (filter) hence it's a man in the middle... think this through... as eventually every ISP WILL have a "government approved" filter appliance.

Google "man in the middle +ssl"... at best your going to get a strange certificate error - which most people will accept anyway... but more than likely your not going to know that your SSL session is totally transparent to "big brother".

http://en.wikipedia.org/wiki/Internet_censorship_in_Australia
http://nocleanfeed.com/

Filtering will only ever be used for purposes of eavesdropping, the more the technology develops the more they will be able to see. FFS we have an Echelon station in NZ... why do you think we have that :P Sure it's to catch the kiddie pr0n dealers... or protect us from Terrorists...LOL...

BTW your DNS requests basically give you away anyways (and can be used in court without any other evidence). If you need privacy use a VPN or similar.

friedCrumpet

271 posts

Ultimate Geek
+1 received by user: 2

#308131 17-Mar-2010 08:18

JDNZ:

Urr dude, I think your forgetting a pretty relevant fact in this statement. The entire HTTPS session is redirected through the proxy (filter) hence it's a man in the middle... think this through... as eventually every ISP WILL have a "government approved" filter appliance.

Google "man in the middle +ssl"... at best your going to get a strange certificate error - which most people will accept anyway... but more than likely your not going to know that your SSL session is totally transparent to "big brother".

If the user doesn't understand certificate errors, that's their problem. I would find it unlikely that they could successfully pull off a man in the middle attack on an informed user.

BTW your DNS requests basically give you away anyways (and can be used in court without any other evidence). If you need privacy use a VPN or similar.

This is not how the filter is stated to work. Unless your ISP is logging your DNS lookups then this is a non-issue.

wazzageek

1095 posts

Uber Geek
+1 received by user: 108

ID Verified

Trusted

Lifetime subscriber

#308145 17-Mar-2010 08:59

nate: Orcon have made clear their stance on this:

We also would like to reiterate that we are not currently participating in any kind of Internet filtering, nor do we have any plans to in the immediate future.

I wonder if use of this filter will be made mandatory in the future, then ISPs would have no choice.

Isn't Orcon now owned by Kordia? Kordia being an SOE ...

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11