Open Rights Group International Says Virgin, Sky Blocking Innocent Sites
New submitter stewartrob70 writes with an explanation of the inadvertent (or at least unwarranted) blocking of innocuous sites that UK ISPs Virgin and Sky are engaged in, as reported by PC Pro. The ISPs' filtering systems "appear to be blocking innocent third-party sites with apparently little or no human oversight." stewartrob70 excerpts from a blog posting with an explanation of why:
"In order to understand why this specific issue happened, you need to be familiar with a quirk in how DNS is commonly used in third-party load-balanced site deployments. Many third-party load-balanced systems, for example those using Amazon's AWS infrastructure, are enabled by pointing CNAME records at names controlled by those third-party systems. For example www.example.com may be pointed at loadbalancer.example.net. However, 'example.com' usually cannot be directly given a CNAME record (CNAME records cannot be mixed with the other record types needed such as those pointing to nameservers and mailservers). A common approach is to point 'example.com' to a server that merely redirects all requests to 'www.example.com.' From forum posts we can see that it's this redirection system, in this specific case an A record used for 'http-redirection-a.dnsmadeeasy.com,' that has been blocked by the ISPs — probably a court-order-blocked site is also using the service — making numerous sites unavailable for any request made without the 'www' prefix."
And this is why (Score:5, Insightful)
Re:BGP instead of DNS filtering makes more sense? (Score:5, Insightful)
No, any IP based filtering is bad if you want to only block websites. As just explained in TFA, the http protocol is used to put more than one website on a single IP address. You will block other websites if you are blocking entire IP addresses.
The big catch here is that to do this "properly" ISPs will have to put up transparent HTTP proxies and MitM https as well, just to be able to block these websites. This will effectively make the entire internet insecure for any serious stuff like banking or purchasing goods, since anyone will be able to spoof https. Not only that, but ISPs will suddenly have complete records of your complete web browsing history. There is no way to deny it: those logs will end up in the hands of the government sooner or later. Having ISPs block web sites is like having road workers make systems that block foreign people that commit traffic violations; it's just not a feasible concept.
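The collateral blocking described in the summary and in the comment above can be modelled in a few lines. This is an added example, not part of the original thread or the quoted blog post. All IP addresses are constructed from documentation ranges, and `example.org` and `court-ordered.example` are hypothetical names; the page does not give the redirector's real address.

```python
# Constructed sample records; IPs are from RFC 5737 documentation ranges.
RECORDS = {
    "http-redirection-a.dnsmadeeasy.com": ("A", "192.0.2.10"),
    "loadbalancer.example.net": ("A", "198.51.100.20"),
    # The apex cannot hold a CNAME, so it carries an A record for the
    # shared redirect service, which answers with a redirect to www.
    "example.com": ("A", "192.0.2.10"),
    "www.example.com": ("CNAME", "loadbalancer.example.net"),
    "example.org": ("A", "192.0.2.10"),
    "www.example.org": ("CNAME", "loadbalancer.example.net"),
    # Hypothetical site the block was actually meant for.
    "court-ordered.example": ("A", "192.0.2.10"),
}


def resolve(name, records=RECORDS, max_hops=8):
    """Follow CNAMEs to an A record; return the IP, or None if unresolved."""
    for _ in range(max_hops):
        rec = records.get(name.lower().rstrip("."))
        if rec is None:
            return None
        rtype, value = rec
        if rtype == "A":
            return value
        name = value  # CNAME: continue with the target name
    return None  # CNAME loop or chain longer than max_hops


def collateral(blocked_ips, intended, records=RECORDS):
    """Names made unreachable by an IP block that were not its targets."""
    return sorted(
        name for name in records
        if name not in intended and resolve(name, records) in blocked_ips
    )


def audit(apex, blocked_ips, records=RECORDS):
    """Show whether the apex and its www name share fate under the block."""
    return {h: resolve(h, records) in blocked_ips
            for h in (apex, "www." + apex)}


if __name__ == "__main__":
    blocked = {"192.0.2.10"}
    print(collateral(blocked, {"court-ordered.example"}))
    print(audit("example.com", blocked))
```

A site operator can run the same comparison against their own zone to see whether the apex depends on an address shared with unrelated customers while `www` does not.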