147 posts

Master Geek
Inactive user


  # 307097 14-Mar-2010 15:18

Apparently if a website is using SSL it cannot be censored. Is this true? So if all websites used https:// would that mean they cannot be blocked by the government's filter?

21 posts

Geek

Trusted

  # 307099 14-Mar-2010 15:22

Yuxec - that is correct.

The filter has to be able to see what website and URL has been requested so it can decide whether to block it or not.

HTTPS encrypts everything between you and the webserver. The filter can't decrypt the request and therefore can't tell whether you're going to a "bad site" or a "good site" at that network address, so it just lets it through.

This is one of the big problems with filtering and surveillance on the internet - the only way to make sure you see everything going through is to ban encryption (or provide the government with back doors so that they can access it anyway).

Indeed, the filter can only intercept HTTP (i.e. normal unencrypted web traffic). It can't see email, chat, peer-to-peer file sharing, ftp, etc, etc. 

 
 
 
 


2457 posts

Uber Geek
+1 received by user: 147


  # 307140 14-Mar-2010 18:10

How does one go about writing up/submitting an OIA request?

21 posts

Geek

Trusted

  # 307206 14-Mar-2010 21:29

OIA requests are very simple. Here's an example:

Dear Ministry of Internal Affairs,

Please send me any position papers, letters, meeting minutes, discussion papers or any other documents you have about [subject]. 

Yours,

[your name] 

6344 posts

Uber Geek
+1 received by user: 401

Moderator
Trusted
Lifetime subscriber

# 307208 14-Mar-2010 21:33

thomasbeagle: The filter has to be able to see what website and URL has been requested so it can decide whether to block it or not. 


Isn't the filter based on a list of IP addresses, so it doesn't matter if the request is SSL, you will still be browsing to a URL, which will then resolve to an IP address, which could then be blocked?

21 posts

Geek

Trusted

  # 307222 14-Mar-2010 22:28

"Isn't the filter based on a list of IP addresses, so it doesn't matter if the request is SSL, you will still be browsing to a URL, which will then resolve to an IP address, which could then be blocked?"

You're sort of correct. :)

The ISPs redirect traffic to the filter server based on IP address. This means that all HTTP, HTTPS, SMTP, FTP, P2P, etc requests for that IP address are diverted to the filter.

The key point is that the filter then decides what traffic to block and what traffic to let through.

The filter takes the HTTP (i.e. normal unencrypted web) requests and looks at the requested URL. If that URL is on the banned list the request is blocked, otherwise it is let through.

Of course, when you send a request to an HTTPS site, your browser and the remote server encrypt everything that passes between them. This includes the URL that you have requested, which means that the filter can only see an encrypted data stream and therefore can't tell which URL you are requesting. Therefore it just lets it pass through.

All other protocols aren't examined by the filter and are just passed through.

 

2457 posts

Uber Geek
+1 received by user: 147


  # 307224 14-Mar-2010 22:30


Isn't the filter based on a list of IP addresses, so it doesn't matter if the request is SSL, you will still be browsing to a URL, which will then resolve to an IP address, which could then be blocked?


First thing that happens is that you do a DNS lookup that resolves to an IP, then your browser starts an SSL session to that IP. So it'll hit the filter based on the IP, but since the GET <url> is inside an SSL session, they can't tell what it is.

6344 posts

Uber Geek
+1 received by user: 401

Moderator
Trusted
Lifetime subscriber

# 307365 15-Mar-2010 12:38

Orcon have made clear their stance on this:

We also would like to reiterate that we are not currently participating in any kind of Internet filtering, nor do we have any plans to in the immediate future.


I wonder if use of this filter will be made mandatory in the future, then ISPs would have no choice.

600 posts

Ultimate Geek
+1 received by user: 5

Trusted

  # 307385 15-Mar-2010 13:27

If it becomes mandatory, then I foresee a huge increase in the number of VPN accounts to US PoPs.  It's less than NZ$10/month...

In fact, VPN providers already advertise on their ability to get around national filters/throttles in locations such as Belize, China, UAE, Oman, Guyana...

So, you've got providers that consider it a _goal_ to get around these filters, and countries with stronger free speech and/or privacy rules.

I foresee multiple VPNs, one VPN to a country with lax IP laws, and another to a country with strong free speech laws.

Being encrypted, DPI doesn't really help. However, NZ Internet is now worse off because all traffic is avoiding ISPs' proxies.

Although, YouTube would finally start working for people because it would avoid TCL's throttling. 




2826 posts

Uber Geek
+1 received by user: 754


  # 307390 15-Mar-2010 14:11

I'm with Snap and they won't be part of it, but they will have an opt-in option for anyone who wants their internet filtered.




Common sense is not as common as you think.


147 posts

Master Geek
Inactive user


  # 307391 15-Mar-2010 14:11

thomasbeagle: Yuxec - that is correct.

The filter has to be able to see what website and URL has been requested so it can decide whether to block it or not.

HTTPS encrypts everything between you and the webserver. The filter can't decrypt the request and therefore can't tell whether you're going to a "bad site" or a "good site" at that network address, so it just lets it through.

This is one of the big problems with filtering and surveillance on the internet - the only way to make sure you see everything going through is to ban encryption (or provide the government with back doors so that they can access it anyway).

Indeed, the filter can only intercept HTTP (i.e. normal unencrypted web traffic). It can't see email, chat, peer-to-peer file sharing, ftp, etc, etc. 


But couldn't they manually type in the URL? Like on some internet filtering software you can download for your PC, you just type in a URL and it's blocked, so couldn't the government type in https://www.url.com and block it like that?

I am going to start emailing some legal adult websites and get them to have an SSL version. I wonder if Geekzone is going to have an SSL version.

21 posts

Geek

Trusted

  # 307396 15-Mar-2010 14:18

yuxek: 
But couldn't they manually type in the URL? Like on some internet filtering software you can download for your PC, you just type in a URL and it's blocked, so couldn't the government type in https://www.url.com and block it like that?


Nope.

Here's how the filter works again:

1. Govt adds URL to block list.
2. Govt turns URL into IP address.
3. Govt sends list of IPs to ISPs
4. ISPs divert all traffic to those IPs to the filter
5. Govt filter examines traffic and decides what to block or allow

Now, from the user perspective using your example:

1. User types in https://www.url.com
2. User's computer uses DNS to resolve that to 10.1.1.1
3. User's computer requests a secure HTTPS session to 10.1.1.1
4. The ISP sees that 10.1.1.1 is on the filter list and diverts it to the filter
5. The govt filter sees the encrypted connection request to 10.1.1.1, but it can't see which URL was requested as that is also encrypted.
6. The govt filter can't decrypt it and therefore lets it through

The problem (from the govt's perspective) is that they never see the URL for HTTPS connections. Therefore they either have to block all HTTPS to that IP address... or none. 
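
The two-stage flow described in the steps above (the ISP diverts by destination IP, the filter matches cleartext HTTP URLs, everything else passes), as an added Python sketch that is not part of the original post and is not the filter's actual code. The block list, IP address, function names and payload bytes are all constructed for illustration.

```python
# Added illustration: toy model of the two-stage filter described in the thread.
# Every address, URL and byte string below is constructed sample data.
DIVERTED_IPS = {"10.1.1.1"}                    # IP list handed to the ISPs
BLOCKED_URLS = {"http://www.url.com/banned"}   # URL block list held by the filter
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def http_url(payload: bytes):
    """Return the requested URL if payload is a cleartext HTTP request, else None."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    return f"http://{host}{parts[1]}" if host else None


def isp_route(dst_ip: str) -> str:
    """Stage 1 (ISP): only traffic to listed IPs is sent to the filter."""
    return "filter" if dst_ip in DIVERTED_IPS else "direct"


def filter_decision(payload: bytes) -> str:
    """Stage 2 (filter): block only when a cleartext URL matches the list."""
    url = http_url(payload)
    if url is None:
        # TLS handshake records start with byte 0x16; the request line travels
        # inside the encrypted session, so there is no URL to compare.
        kind = "tls" if payload[:1] == b"\x16" else "other"
        return f"pass ({kind}, no URL visible)"
    return "block" if url in BLOCKED_URLS else "pass (URL not listed)"


def handle(dst_ip: str, payload: bytes) -> str:
    """Run one connection's first payload through both stages."""
    if isp_route(dst_ip) == "direct":
        return "direct (never reaches filter)"
    return filter_decision(payload)


# Constructed sample traffic
HTTP_BANNED = b"GET /banned HTTP/1.1\r\nHost: www.url.com\r\n\r\n"
HTTP_OTHER = b"GET /index.html HTTP/1.1\r\nHost: www.url.com\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x2f" + bytes(47)  # record header + opaque body
```
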

137 posts

Master Geek
Inactive user


  # 308077 16-Mar-2010 23:48


1. User types in https://www.url.com
2. User's computer uses DNS to resolve that to 10.1.1.1
3. User's computer requests a secure HTTPS session to 10.1.1.1
4. The ISP sees that 10.1.1.1 is on the filter list and diverts it to the filter
5. The govt filter sees the encrypted connection request to 10.1.1.1, but it can't see which URL was requested as that is also encrypted.
6. The govt filter can't decrypt it and therefore lets it through

The problem (from the govt's perspective) is that they never see the URL for HTTPS connections. Therefore they either have to block all HTTPS to that IP address... or none. 


Urr dude, I think you're forgetting a pretty relevant fact in this statement. The entire HTTPS session is redirected through the proxy (filter) hence it's a man in the middle... think this through... as eventually every ISP WILL have a "government approved" filter appliance.

Google "man in the middle +ssl"... at best you're going to get a strange certificate error - which most people will accept anyway... but more than likely you're not going to know that your SSL session is totally transparent to "big brother".

http://en.wikipedia.org/wiki/Internet_censorship_in_Australia
http://nocleanfeed.com/

Filtering will only ever be used for purposes of eavesdropping, the more the technology develops the more they will be able to see.  FFS we have an Echelon station in NZ... why do you think we have that :P  Sure it's to catch the kiddie pr0n dealers... or protect us from Terrorists...LOL...

BTW your DNS requests basically give you away anyways (and can be used in court without any other evidence).  If you need privacy use a VPN or similar.


268 posts

Ultimate Geek


  # 308131 17-Mar-2010 08:18

JDNZ:

Urr dude, I think you're forgetting a pretty relevant fact in this statement. The entire HTTPS session is redirected through the proxy (filter) hence it's a man in the middle... think this through... as eventually every ISP WILL have a "government approved" filter appliance.

Google "man in the middle +ssl"... at best you're going to get a strange certificate error - which most people will accept anyway... but more than likely you're not going to know that your SSL session is totally transparent to "big brother".


If the user doesn't understand certificate errors, that's their problem.  I would find it unlikely that they could successfully pull off a man in the middle attack on an informed user.



BTW your DNS requests basically give you away anyways (and can be used in court without any other evidence).  If you need privacy use a VPN or similar.


This is not how the filter is stated to work.  Unless your ISP is logging your DNS lookups then this is a non-issue.


Go Hawks!
918 posts

Ultimate Geek
+1 received by user: 61

Trusted
Subscriber

  # 308145 17-Mar-2010 08:59

nate: Orcon have made clear their stance on this:

We also would like to reiterate that we are not currently participating in any kind of Internet filtering, nor do we have any plans to in the immediate future.


I wonder if use of this filter will be made mandatory in the future, then ISPs would have no choice.


Isn't Orcon now owned by Kordia?  Kordia being an SOE ... 
