thomasbeagle: The filter has to be able to see what website and URL has been requested so it can decide whether to block it or not.
Isn't the filter based on a list of IP addresses, so it doesn't matter if the request is SSL, you will still be browsing to a URL, which will then resolve to an IP address, which could then be blocked?
We also would like to reiterate that we are not currently participating in any kind of Internet filtering, nor do we have any plans to in the immediate future.
Common sense is not as common as you think.
thomasbeagle: Yuxec - that is correct.
The filter has to be able to see what website and URL has been requested so it can decide whether to block it or not.
HTTPS encrypts everything between you and the webserver. The filter can't decrypt the request and therefore can't tell whether you're going to a "bad site" or a "good site" at that network address, so it just lets it through.
This is one of the big problems with filtering and surveillance on the internet - the only way to make sure you see everything going through is to ban encryption (or provide the government with back doors so that they can access it anyway).
Indeed, the filter can only intercept HTTP (i.e. normal unencrypted web traffic). It can't see email, chat, peer-to-peer file sharing, ftp, etc, etc.
But couldn't they manually type in the URL? Like on some internet filtering software you can download for your PC, you just type in a URL and it's blocked, so couldn't the government type in https://www.url.com and block it like that?
1. User types in https://www.url.com
2. User's computer uses DNS to resolve that to 10.1.1.1
3. User's computer requests a secure HTTPS session to 10.1.1.1
4. The ISP sees that 10.1.1.1 is on the filter list and diverts it to the filter
5. The govt filter sees the encrypted connection request to 10.1.1.1, but it can't see which URL was requested as that is also encrypted.
6. The govt filter can't decrypt it and therefore lets it through
The problem (from the govt's perspective) is that they never see the URL for HTTPS connections. Therefore they either have to block all HTTPS to that IP address... or none.
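The six steps above, modelled as an added example (not part of the original post and not any real filter's code). The filter lists, the function names and the hashed stand-in for ciphertext are assumptions made for illustration.

```python
import hashlib

# Constructed filter lists (hypothetical, for illustration only).
FILTERED_IPS = {"10.1.1.1"}                 # step 4: IPs the ISP diverts to the filter
BLOCKED_URLS = {"www.url.com/banned-page"}  # host + path entries the filter wants to stop

def http_request(host: str, path: str) -> bytes:
    """Constructed plaintext HTTP request, as sent on port 80."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")

def tls_record(plaintext: bytes) -> bytes:
    """Constructed TLS application-data record. A SHA-256 digest stands in
    for the ciphertext; this is not real encryption."""
    body = hashlib.sha256(plaintext).digest()
    return b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body

def visible_url(payload: bytes):
    """Return host+path if the payload is a readable HTTP request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = head[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    for line in head[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            return host + parts[1].decode("ascii", "replace")
    return None

def is_tls_application_data(payload: bytes) -> bool:
    """TLS record header: content type 0x17, protocol major version 0x03."""
    return len(payload) >= 5 and payload[0] == 0x17 and payload[1] == 0x03

def filter_decision(dst_ip: str, payload: bytes) -> str:
    if dst_ip not in FILTERED_IPS:
        return "not diverted"             # traffic never reaches the filter
    url = visible_url(payload)
    if url is not None:                   # plain HTTP: the URL can be checked
        return "block" if url in BLOCKED_URLS else "allow"
    if is_tls_application_data(payload):  # steps 5-6: request line is ciphertext
        return "allow (URL not visible)"
    return "allow (not HTTP)"

if __name__ == "__main__":
    banned = http_request("www.url.com", "/banned-page")
    for label, data in (("HTTP", banned), ("HTTPS", tls_record(banned))):
        print(label, "->", filter_decision("10.1.1.1", data))
```

The same request that is blocked over HTTP passes over HTTPS, which is the all-or-nothing choice per IP address described above.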
Urr dude, I think you're forgetting a pretty relevant fact in this statement. The entire HTTPS session is redirected through the proxy (filter), hence it's a man in the middle... think this through... as eventually every ISP WILL have a "government approved" filter appliance.
Google "man in the middle +ssl"... at best you're going to get a strange certificate error - which most people will accept anyway... but more than likely you're not going to know that your SSL session is totally transparent to "big brother".
BTW your DNS requests basically give you away anyways (and can be used in court without any other evidence). If you need privacy use a VPN or similar.
nate: Orcon have made clear their stance on this: We also would like to reiterate that we are not currently participating in any kind of Internet filtering, nor do we have any plans to in the immediate future.
I wonder if use of this filter will be made mandatory in the future, then ISPs would have no choice.