Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Author Topic: Web censorship / blocking / IWF  (Read 3930 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Web censorship / blocking / IWF
« on: October 10, 2020, 04:04:35 PM »

Does web blocking by ISPs (according to, say, the IWF block list) actually work ?
* If I use use https, then that prevents eavesdropping.
* If the ISP censors the results of DNS lookups then don’t I just use an alternative DNS server.
* If an ISP implements a block by censoring traffic going to the web server’s IP address, what happens if the IP address keeps changing because of load-balancing?
* In the block by-dest IP approach, doesn’t the user just use a VPN to access the web server ? Or have I missed something here. This sounds a bit like the Great Firewall of China subversion.
* What happens where a web content publisher behind some website publishes the content on multiple servers at various addresses using a CDN or a DDOS protection service such as Cloudflare ? It then becomes much harder to say what ‘the IP address of the server’ is. If an ISP censors DNS in such a case then the user just avoids the evil DNS server.

If a court makes an order about some ‘website’ blocking do they specify (1) what a ‘website’ is and (2) exactly how it is to be blocked and (3) by whom? There seems to be a certain level of difficulty at which this kind of censorship becomes impractical or even totally impossible. I wonder if courts have any clue what a website actually is apart from definition by ‘usage’ (‘that which does x’ : duck-typing, that which walks like a duck etc) rather than by ‘innards’ (‘that which has a duck’s innards’)
« Last Edit: October 10, 2020, 04:13:49 PM by Weaver »
Logged

j0hn

  • Kitizen
  • ****
  • Posts: 4093
Re: Web censorship / blocking / IWF
« Reply #1 on: October 10, 2020, 04:39:33 PM »

They block by IP.
Changing DNS servers doesn't make any difference.

The IP address changing because of load balancing? How would that be an issue.
The ISP blocks the IP of the site. If said site changes IP by the time DNS filters through the new IP is blocked.
On the fly IP changing, or redirecting to another IP, won't work. The original IP is blocked, i can't t connect to it to be redirected.

A VPN gets round these blocks.

Quote
What happens where a web content publisher behind some website publishes the content on multiple servers at various addresses using a CDN or a DDOS protection service such as Cloudflare ? It then becomes much harder to say what ‘the IP address of the server’ is. If an ISP censors DNS in such a case then the user just avoids the evil DNS server.

As above. The IP i resolve from DNS for a banned site is blocked, I can't connect to it, how can i connect to be redirected to another IP?
Logged
Talktalk FTTP 550/75 - Speedtest - BQM

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Web censorship / blocking / IWF
« Reply #2 on: October 10, 2020, 05:20:44 PM »

So how effective do you think these ‘blocks’ are ? Does it very often depend on which ISP some particular user uses?

What can a web content publisher do to frustrate censors and the nanny state?
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5261
    • Thinkbroadband Quality Monitors
Re: Web censorship / blocking / IWF
« Reply #3 on: October 10, 2020, 09:07:39 PM »

They block by IP.
Changing DNS servers doesn't make any difference.

The IP address changing because of load balancing? How would that be an issue.
The ISP blocks the IP of the site. If said site changes IP by the time DNS filters through the new IP is blocked.
On the fly IP changing, or redirecting to another IP, won't work. The original IP is blocked, i can't t connect to it to be redirected.

A VPN gets round these blocks.

As above. The IP i resolve from DNS for a banned site is blocked, I can't connect to it, how can i connect to be redirected to another IP?


Actually I believe its usually done by deep packet inspection, which is why only the big ISPs have to do it as that's extremely resource intensive requiring much beefier routers than you typically would need for that amount of traffic.

It allows them to block specific sites on the same IP presumably by inspecting the headers before TLS kicks in.  This is important as dodgy sites are just as likely to use large shared hosting as anyone else and you can't go around blocking every site at say an Amazon AWS cluster.  ::)

I remember they did accidentally block a whole IP once and it caused uproar as tons of unrelated sites became unavailable.

I remember a while back they DID IP block a whole server once, they rolled
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Web censorship / blocking / IWF
« Reply #4 on: October 10, 2020, 09:15:44 PM »

Ah, of course, I forgot about shared web servers. So if they have to do deep packet inspection, what does that mean in the case of https: ?
Logged

j0hn

  • Kitizen
  • ****
  • Posts: 4093
Re: Web censorship / blocking / IWF
« Reply #5 on: October 10, 2020, 11:29:17 PM »

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/78095/Ofcom_Site-Blocking-_report_with_redactions_vs2.pdf

DPI/URL blocking.

In the past they blocked ANY IP that the URL resolved to.

Thepiratebay spotted this and started pointing their blocked domain/I.P's at a bunch of legitimate sites, and it resulted in those sites being temporarily blacklisted.
I can't find the TorrentFreak article on that atm.

That might have been the straw that broke that camels back.
Logged
Talktalk FTTP 550/75 - Speedtest - BQM
 

anything