Department of Internal Affairs to Implement NZ Internet Filter

Forums › ICT Policies and Regulation › Department of Internal Affairs to Implement NZ Internet Filter

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11

600 posts

Ultimate Geek
+1 received by user: 5

Trusted

#308148 17-Mar-2010 09:03

Silent MitM attacks are easy when you're a certificate authority, or you have control of one. That was why such a big stink was raised when Mozilla added a Chinese government owned org as a CA.

However, there are enough governmental organisations on the list, that it is likely to be very easy for any of them to get a certificate signed stating that they are someone else.

Even without it, there are attacks against SSL using web proxies - just look at what Opera Mini does with its rewriting proxy.

However, even with all of that, we have pretty good knowledge of what the current filter is capable of. It isn't capable of snooping anything other than HTTP.

So, to be truly paranoid:

1) Don't trust DNS - type the IP address and port in by hand.
2) Don't trust the built-in CAs, hand deliver the signed certificate through a secondary channel.
3) Don't surf using anything other than HTTPS.

In fact, take off and nuke the whole thing from orbit. It's the only way to be sure.

I do wonder why people think that these filters are a good idea. I think we need a post office metaphor here!

What filters are on the mail service? Telephone service? Do we block address ranges and add automatic taping of phone calls to certain numbers (actually, we probably do, we just don't talk about that stuff)?

---
http://blog.jason.pollock.ca

wazzageek

1095 posts

Uber Geek
+1 received by user: 108

ID Verified

Trusted

Lifetime subscriber

#308152 17-Mar-2010 09:11

JDNZ:

1. User types in https://www.url.com
2. User's computer uses DNS to resolve that to 10.1.1.1
3. User's computer requests a secure HTTPS session to 10.1.1.1
4. The ISP sees that 10.1.1.1 is on the filter list and diverts it to the filter
5. The govt filter sees the encrypted connection request to 10.1.1.1, but it can't see which URL was requested as that is also encrypted.
6. The govt filter can't decrypt it and therefore lets it through

The problem (from the govt's perspective) is that they never see the URL for HTTPS connections. Therefore they either have to block all HTTPS to that IP address... or none.

Urr dude, I think your forgetting a pretty relevant fact in this statement. The entire HTTPS session is redirected through the proxy (filter) hence it's a man in the middle... think this through... as eventually every ISP WILL have a "government approved" filter appliance.

But all the data will be encrypted - the DIA filter will have no choice but to pass it on un-altered. This is what internet routers do all day, every day. Your traffic simply takes another route.

Thinking about it, I suspect that the filter itself would probably be quite easy to DoS.

Google "man in the middle +ssl"... at best your going to get a strange certificate error - which most people will accept anyway... but more than likely your not going to know that your SSL session is totally transparent to "big brother".

http://en.wikipedia.org/wiki/Internet_censorship_in_Australia
http://nocleanfeed.com/

Filtering will only ever be used for purposes of eavesdropping, the more the technology develops the more they will be able to see. FFS we have an Echelon station in NZ... why do you think we have that :P Sure it's to catch the kiddie pr0n dealers... or protect us from Terrorists...LOL...

I can't really agree with all this - a stated purpose is to notify the end user that the site is blocked (unless the official statement has changed since I last read it - or I'm misquoting it - either are likely) - so the "only" purpose cannot be eavesdropping. A convenient by-product if there is enough storage. However I'm arguing the semantics here ...

BTW your DNS requests basically give you away anyways (and can be used in court without any other evidence). If you need privacy use a VPN or similar.

I would hope our court system would not use a DNS request on it's own in a trial - The only thing DNS will give you is a value based upon an input - unless someone is hiding stuff in the INFO or TXT records (like the DeCSS).

wazzageek

1095 posts

Uber Geek
+1 received by user: 108

ID Verified

Trusted

Lifetime subscriber

#308156 17-Mar-2010 09:20

jpollock: Silent MitM attacks are easy when you're a certificate authority, or you have control of one. That was why such a big stink was raised when Mozilla added a Chinese government owned org as a CA.

However, there are enough governmental organisations on the list, that it is likely to be very easy for any of them to get a certificate signed stating that they are someone else.

I think it's possible in most modern OS'es to delete certain CA's if required. (Of course, if it's hidden in a chain of trust, that becomes a problem.

Even without it, there are attacks against SSL using web proxies - just look at what Opera Mini does with its rewriting proxy.

However, even with all of that, we have pretty good knowledge of what the current filter is capable of. It isn't capable of snooping anything other than HTTP.

So, to be truly paranoid:

1) Don't trust DNS - type the IP address and port in by hand.

This won't help you - the routing happens based upon IP address, so even going through IP by hand, how do you tell the (assumed) Name Based Virtual Host webserver on the other end which website you want to ogle?

2) Don't trust the built-in CAs, hand deliver the signed certificate through a secondary channel.
3) Don't surf using anything other than HTTPS.

In fact, take off and nuke the whole thing from orbit. It's the only way to be sure.

+1 :-)

I do wonder why people think that these filters are a good idea. I think we need a post office metaphor here!

What filters are on the mail service? Telephone service? Do we block address ranges and add automatic taping of phone calls to certain numbers (actually, we probably do, we just don't talk about that stuff)?

The mail service can (and will) open your mail in transit. You will (generally) receive you mail a little later, but it will have a tape on it saying something like "Re-packaged by NZPost". I confess that I don't know the regulations on that, but I've certainly received mail like that in the past. At our borders, customs certainly have the authority to seize and search postal items.

Telephones - I think you need a warrant to implement a tap.

bradi

137 posts

Master Geek
Inactive user

#308376 17-Mar-2010 16:42

jpollock: However, even with all of that, we have pretty good knowledge of what the current filter is capable of. It isn't capable of snooping anything other than HTTP.

So, to be truly paranoid:

1) Don't trust DNS - type the IP address and port in by hand.
2) Don't trust the built-in CAs, hand deliver the signed certificate through a secondary channel.
3) Don't surf using anything other than HTTPS.

In fact, take off and nuke the whole thing from orbit. It's the only way to be sure.

I do wonder why people think that these filters are a good idea.

I personally don't believe that the Government would openly admit to using the "filter" for anything illegal - which eavesdropping is without the relevant laws being followed. And we all know that governments always tell the whole truth right...

So, to be truly paranoid doesn't actually require all the effort (or nuking) you mentioned. Just use a trusted VPN or TOR or any other well known, secure encryption standard. Easy peasy.

Now the statement above means the government pretty much has to eavesdrop illegally on everyone just fulfill the original purpose and to catch anyone with 1/2 a brain doing something dodgy. Hence the reason filters will only ever be used for eavesdropping and to restrict freedom.

I too wonder why people think that banning, filtering, prohibition, restrictions, etc have anything to do with reducing crime... or make anyone's life better.

jpollock

600 posts

Ultimate Geek
+1 received by user: 5

Trusted

#308464 17-Mar-2010 20:48

JDNZ:
So, to be truly paranoid doesn't actually require all the effort (or nuking) you mentioned. Just use a trusted VPN or TOR or any other well known, secure encryption standard. Easy peasy.

The problem is that TOR, encryption or anything else won't work if the attacking party is able to subvert the trust relationship needed to validate the public key in the initial stage of the key exchange. So, if they route all TOR traffic to a local node, route HTTPS traffic to a site with a fake CA signature on the TLS certificate (same for VPN connections), you won't _know_ that there is someone in the middle.

The only way to setup a secure end-to-end connection is by being able to trust the other party's public key. If you can't trust that key (because you don't trust the CA, or because you downloaded it from an insecure site), then you can't trust the connection. Hence the take off and nuke it from orbit solution for the truly paranoid.

This is also why when people talk about true communications security, the public key exchange is done face to face. Examples in novels - Cryptonomicon and Little Brother.

---
http://blog.jason.pollock.ca

chipsz

3 posts

Wannabe Geek

#308862 18-Mar-2010 18:04

DIA spoof video. It's funny

http://www.youtube.com/watch?v=T5j4com3kGk

shiroshadows

165 posts

Master Geek

#309162 19-Mar-2010 15:10

With so many people against it, how can they get away with it?
Why can't we complain and say we don't want our tax money going towards the DIA cause we don't want them operating anyway.

yuxek

147 posts

Master Geek
Inactive user

#309167 19-Mar-2010 15:19

well i don't think i've seen this story in the nzherald. wonder why they aren't making it front page news.

shiroshadows

165 posts

Master Geek

#309171 19-Mar-2010 15:24

Because the government got to them. You'd think it'd be on the front page of every paper just because of all the hype against the filter but nope. theres not

adam77

46 posts

Geek

#309214 19-Mar-2010 16:38

shiroshadows: With so many people against it, how can they get away with it?
Why can't we complain and say we don't want our tax money going towards the DIA cause we don't want them operating anyway.

How many people have actually taken the time to write to their MP, ISP, newspaper, Tv station, ..., about how they feel?
How many people have been out on the streets petioning, protesting?

thomasbeagle

21 posts

Geek

Trusted

#309217 19-Mar-2010 16:45

If you oppose the filter:

- write to your MP and tell them so
- write to your ISP and tell them that if they implement it you'll switch ISP
- tell other people about it and ask them to do the same

New website coming real soon now! :)

shiroshadows

165 posts

Master Geek

#309218 19-Mar-2010 16:46

adam77:
shiroshadows: With so many people against it, how can they get away with it?
Why can't we complain and say we don't want our tax money going towards the DIA cause we don't want them operating anyway.

How many people have actually taken the time to write to their MP, ISP, newspaper, Tv station, ..., about how they feel?
How many people have been out on the streets petioning, protesting?

I know what you mean.
I am going to write to my ISP and Local MP now

Hopefully someone does start some sort of riot or protest. I'd turn up.

shiroshadows

165 posts

Master Geek

#309771 22-Mar-2010 12:14

PhantomSS: I have read this site and noted down that they are blocking Child Pornography. Is this something weshould consider? Or is there a reason to saying no. I'm glad Xtra have adopted this marvelous Technology as I will not be able to view this most heinous material anymore.

It has been in the works for many years now, and according to much credited research it has not slowed down the internet at all. So why not use it. I would be in awe if New Zealand followed China into the 22nd Century and started to tell it's people what's accessible and what is not.

The only thing I can see wrong with it is a breach of freedom of speech, which of course we don;t have because we're New Zealand. Most people will not like this, and I can see a lot of people jumping ship because of it. Even though the S92a is looming in the midst

Glad? How could you be glad. Telecom Xtra is most likely to abuse the new filter by blocking sites they are in no way related to child pornography and blaming it on the DIA's filter.
I do alot of surfing and I have never come across this disgusting type of content so I do not see how it is a problem. Especially considering a simple call or email to a site that hosts this type of content or to their isp will get the site shut down anyways.

I also like the way you vaguely alluded to "much credited research" without providing any real facts.

Now would be a good time for Orcon, Slingshot and Natcom to provide an unlimited bandwith plan for cheap so I can change to it, because I personally like my government conspiracy stories/docos and wikileaks and do not want the govt. abusing the filter and blocking this particular type of content.

Plus I forsee Telecom will block torrent sites to prevent people from getting their money's worth out of their bandwidth on the BigTime plan then blame the filter.

thomasbeagle

21 posts

Geek

Trusted

#309773 22-Mar-2010 12:18

You may want to look at:

http://stopthefilter.org.nz

Cheers,

Thomas.

freitasm

BDFL - Memuneh
80658 posts

Uber Geek
+1 received by user: 41071

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#309775 22-Mar-2010 12:22

shiroshadows:
PhantomSS: I have read this site and noted down that they are blocking Child Pornography. Is this something weshould consider? Or is there a reason to saying no. I'm glad Xtra have adopted this marvelous Technology as I will not be able to view this most heinous material anymore.

It has been in the works for many years now, and according to much credited research it has not slowed down the internet at all. So why not use it. I would be in awe if New Zealand followed China into the 22nd Century and started to tell it's people what's accessible and what is not.

The only thing I can see wrong with it is a breach of freedom of speech, which of course we don;t have because we're New Zealand. Most people will not like this, and I can see a lot of people jumping ship because of it. Even though the S92a is looming in the midst

Glad? How could you be glad. Telecom Xtra is most likely to abuse the new filter by blocking sites they are in no way related to child pornography and blaming it on the DIA's filter.
I do alot of surfing and I have never come across this disgusting type of content so I do not see how it is a problem. Especially considering a simple call or email to a site that hosts this type of content or to their isp will get the site shut down anyways.

I also like the way you vaguely alluded to "much credited research" without providing any real facts.

Now would be a good time for Orcon, Slingshot and Natcom to provide an unlimited bandwith plan for cheap so I can change to it, because I personally like my government conspiracy stories/docos and wikileaks and do not want the govt. abusing the filter and blocking this particular type of content.

Plus I forsee Telecom will block torrent sites to prevent people from getting their money's worth out of their bandwidth on the BigTime plan then blame the filter.

Interesting you rant about Telecom because I have already seem Vodafone blaming the filter in a case where the website in question was having unrelated problems. They don't even the filter in place and started the blame game already - read my posts in previous pages.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11