#openinternet - a bit of a technical description of the problem
2009-Dec-17, Thursday 17:49
TLDR version
Most Internet traffic is not encrypted at the moment. It is trivial in cost and setup to use some form of encryption on all Internet traffic, which means that any Internet filtering solution will be unable to inspect that traffic and block sites.
Aside from that, if people access illegal content using non-encrypted communications, that is a good thing. Why? Because that means your ISP can actually detect them and send the information to law enforcement agencies. That sort of thing is common practice within the ISP industry already.
All that implementing a net filter would do is force people actually doing illegal things to get clever and use encryption technologies like the above, rather than leaving at least some of them out in the open as they are now.
Layer Cake
The Internet works on a layered communication method, where "protocols" are run on top of each other. I'm going to simplify some and leave out some things that aren't necessary to mention, but that's okay.
At the base, there exists "hardware" - wires, radio waves, that kind of thing.
Each type of hardware has its own hardware-specific communication method that devices use to talk over it (DSL, DSL2, 56k modem, wireless 802.11b/g/n, etc.).
On top of that hardware-specific communication is layered a protocol called "IP" (Internet Protocol), in which every device on the Internet has a numerical IP address.
At each endpoint of those bits of hardware are things called "routers", which essentially take traffic from one part of the network and "route" it to another part.
On top of IP is layered a protocol called "DNS" (Domain Name Resolution), which lets you look up a domain name (like www.google.com) and have it translated to some IP address.
In order to make a connection between one computer (e.g., yours), and another (e.g., a web server), your computer uses DNS to find the IP address, then connects to it on a "port" (another number) which is related to a particular service.
HTTP is a protocol that runs on top of IP. When you put a URL like http://www.google.com.au/intl/en/options/ into your web browser, your computer asks via the "DNS" protocol for the IP address to contact. It then contacts that IP address on port 80, and makes a "request" for the content that lives at /intl/en/options. The server then sends the content back to your computer, which feeds it to your web browser, which then renders it.
Because all of that traffic is not encrypted, your ISP (which controls the routers between you and the rest of the Internet) can inspect that traffic, and if it sees a request for the "wrong" sort of content, it can block the rest of the traffic. That is what is proposed under the net filtering trials that have been conducted.
Sounds good. The problem is that there already exist technologies in common use today that defeat this approach completely.
There is a protocol called SSL (Secure Sockets Layer), which is another protocol layered on top of IP. It actually provides exactly the same function as IP, in that you make a connection from your computer to the other side, but what it supports (that IP doesn't) is encryption and authentication. When your computer makes an SSL connection to another server, it can tell if the other side has a "certificate" which, when "signed" by the appropriate well known authorities (Thawte and Verisign are the primary providers), proves that the server in question is really the server that is supposed to live at that hostname. In addition to that, all data passing back and forth over an SSL connection is encrypted, so nobody in between can read it.
The analogy is that "IP" traffic is like postcards - they're being passed around readable by anyone. "SSL" traffic is instead like sending a sealed and signed and stamped envelope - tampering is obvious to the other end, and you in fact can't even tamper with the envelope without destroying the contents.
HTTPS is defined as being exactly the same protocol as HTTP, except that instead of making a connection using "IP", it runs over SSL. This is the protocol used by all of your Internet banking services, and indeed by many webservers that require login of some kind, because they don't want your password and details flying around the Internet for anyone to inspect.
If your ISP wants to "filter" HTTPS traffic, it essentially can't do that effectively. It can block access to specific hostnames (e.g., groups.google.com.au), but it can't block, say, https://groups.google.com.au/groups/dir?sel=topic%3D46479.46478%2C without blocking all traffic to everything at groups.google.com.au.
So, anyone wanting to host RC content under the proposed filtering system simply has to provide it over HTTPS, and that will defeat any filtering attempt.
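An added example (not part of the original post) showing what an on-path filter can read in each case: the full host and path from a plaintext HTTP request, but at most a hostname from the opening of an HTTPS connection. It assumes the client sends the TLS Server Name Indication extension, which the post does not mention; the sample request and ClientHello bytes are constructed.

```python
import struct

def visible_in_http(payload: bytes) -> dict:
    """What an on-path filter can read from a plaintext HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    return {"host": headers.get("Host"), "path": path}

def visible_in_tls(record: bytes) -> dict:
    """What the same filter can read from a TLS ClientHello: at most the SNI hostname.
    Assumes the whole ClientHello arrives in one record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    pos = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                                 # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]    # cipher suites
    pos += 1 + record[pos]                                 # compression methods
    host = None
    if pos < len(record):                                  # extensions are optional
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:                              # server_name extension
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                host = record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    return {"host": host, "path": None}   # the path only travels inside the encrypted stream

def sample_client_hello(hostname: str) -> bytes:
    """Constructed minimal ClientHello carrying one SNI entry (sample data)."""
    name = hostname.encode("ascii")
    sni = struct.pack("!BH", 0, len(name)) + name          # name type 0 = host_name
    sni = struct.pack("!H", len(sni)) + sni                # server name list
    exts = struct.pack("!HH", 0, len(sni)) + sni           # extension type 0
    body = (b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", 2) + b"\x00\x2f"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed sample request for the URL used earlier in the post.
HTTP_REQ = b"GET /intl/en/options/ HTTP/1.1\r\nHost: www.google.com.au\r\n\r\n"

if __name__ == "__main__":
    print(visible_in_http(HTTP_REQ))
    print(visible_in_tls(sample_client_hello("groups.google.com.au")))
```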
There is another protocol called IPSec (Internet Protocol Security), which is IP tunnelled over IP. Sounds weird, I know. What use is it? It's the same deal as SSL - it's an encryption/authentication protocol. This is what your corporate road warriors use to connect to their corporate network via a VPN (Virtual Private Network). All the traffic leaving your computer is essentially encrypted and sent down the "VPN tunnel", to your VPN server, which then decrypts it and sends the "real" traffic out to the Internet at large. All the ISP sees is a bunch of encrypted IPSec traffic, which it cannot decipher.
Now, there are quite a large number of providers in the US and elsewhere who are happy to sell you a VPN service. What does that do? As far as the Internet is concerned, it makes your computer appear to be coming from the US. This is commonly available technology that costs about USD5 a month at the low end, and more than that for better services. Anyone using one of these VPN services is, essentially, totally immune to the filter, because their Internet connection effectively originates in the US (or elsewhere), instead of in Australia.
These are just the two most commonly used encryption and authentication protocols out there, and both are in common use by a lot of people. They are both designed to be entirely secure and not breakable in real time, not even by governments.
No filtering technology can possibly block these protocols, because to do so would cripple Australia as far as the ecommerce world is concerned. Imagine not being able to use https://paypal.com/ or https://amazon.com/ or https://ebay.com/ to do anything. Imagine the CEO of IBM visiting Australia and not being able to access corporate email. We're already considered an Internet backwater due to our slow bandwidth and terrible usage caps. Inability to use basic encryption would just be madness.
Aside from that, if people access illegal content using non-encrypted communications, that is a good thing. Why? Because that means your ISP can actually detect them and send the information to law enforcement agencies. That sort of thing is common practice within the ISP industry already.
All that implementing a net filter would do is force people actually doing illegal things to get clever and use encryption technologies like the above, rather than leaving at least some of them out in the open as they are now.
Relevant links
- A less technical and more useful-to-normal people explanation: SMH: Gadgets on the go blog: How to easily bypass Australia's internet filters for free
- Google Australia writes: Our views on Mandatory ISP Filtering
- Crikey weighs in on how to actually write to ministers: Bernard Keane’s guide to writing to Ministers
- Computerworld reports: Child groups slam Conroy’s ISP filtering plans
- Whirlpool has a full chronology: Cleanfeed chronology
(no subject)
Date: 2009-12-17 11:31 (UTC)
Also, good post, keeps things at a roughly comprehensible level, I think.
As far as SSL design goes, there's been one rather GLARINGLY bad design choice (causing a glaringly large security hole in all or at least almost all SSL implementations). I do not know to what extent this was used before, to wiretap SSL comms, but it is a protocol-supported man-in-the-middle attack.
Snow Leopard
Date: 2009-12-23 04:53 (UTC)
Upgrade to Snow Leopard, fire up the Console and inspect for stuff that might be broken and need removal.
Mostly things just work. The things I found that didn't were mostly stuff that was still hanging around from old PPC migrations.
(no subject)
Date: 2009-12-17 21:52 (UTC)
While you're talking about VPNs, it could be worth mentioning OpenVPN, which uses SSL instead of IPsec, so a tunnel can be set up by an ordinary user rather than needing sysadmin privileges. It also lacks the proprietary fragmentation->incompatibility that plagues IPsec implementations.
(no subject)
Date: 2009-12-18 00:33 (UTC)
Authenticated Encryption defeats the whole idea of filtering, as in, makes it genuinely impossible. Not merely "difficult/expensive/hard/costly". Genuinely impossible.
I intentionally try above to leave out as much as possible, whilst hopefully keeping enough information to actually make the problem explicitly obvious. It's hard, walking that line.