Thanks To Encryption, UK Efforts To Block Torrent Sites Are Pointless (betanews.com) 79
Mark Wilson writes: In the UK, ISPs are required to block access to a number of big-name torrent sites — the thinking being that sites such as The Pirate Bay are used primarily for (gasp!) downloading pirated material. Despite the government's desire to control what people can access online, good old HTTPS means that people are able to very easily bypass any blocks that may be put in place. There are all manner of proxy services and mirror sites that provide access to otherwise-blocked content, but these are really not needed. With the likes of The Pirate Bay and Kickass Torrents offering secure, encrypted connection, accessing the goodies they contain could involve little more than sticking an extra 's' in the URL.
Re: (Score:1)
Which is hilarious when you remember that he was always a democrat and is a good friend of the Clintons.
It is almost like, the entire slate on both "sides" is just a bunch of actors playing parts.....almost right?
Re: (Score:2)
Interesting, so basically, he plays whatever part is most convenient at the time. Sounds like someone the politicians must love.
Re: (Score:2)
Ouija board, or knock twice for yes?
(goes to Google)
Shit, really?
Um (Score:5, Informative)
Adding an 's' won't change the name nor IP address of the website you're visiting.
Re: Um (Score:3)
Works here. Blocked on http, no problem with https (ISP: Get.no, Norway)
Re: Um (Score:4, Insightful)
That doesn't seem right....the SNI is not encrypted. They can block based on SNI, see https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:3)
They are probably using deep packet inspection and some configuration recipe provided by the manufacturer. It will probably take them a couple of years to figure out they can block on the SNI.
Re: (Score:2, Informative)
From TFA:
"In theory ISPs could also block the site’s IP-addresses, but since many use shared IPs from CloudFlare this would also take down other unrelated websites."
Re: (Score:2)
Actually, in this case it's not government mandated blocking. The BPI, our equivalent of the RIAA, took the ISPs to court and got an order requiring them to block. It only affects the larger ISPs because the smaller ones were not included in the order.
Many people have known about this for years. Like Usenet, we just kept quiet about it. I'd love to know how Sky is blocking these sites... DNS perhaps, which is easily circumvented, or some pretty horrific DPI.
Re: (Score:2)
Re: Um (Score:1)
It is harder to access BBC iplayer, than Torrent-sites. So it's easier to download BBC-material from Piratebay.
Kinda poetic.
Re: (Score:2)
Turns out many of the verboten sites are using cloud-based hosting and CDNs. You can't block those IPs without affecting (possibly many) legitimate sites. I'm assuming the "Host:" HTTP header must be part of the encrypted traffic, and therefore impossible to filter against.
Re: (Score:2)
You are correct that the host header (and all headers, including the URL) are encrypted. The only thing you see is the SNI host that might be the entrypoint to any number of other hosts.
Re: (Score:2)
So there will be incitement for content providers to put pressure on their hosting solutions to make sure they not host anything torrent related...
Re: (Score:2)
Only if they start blocking at the IP address level, and I'm not seeing that happening because every time ISPs have tried it there was such a backlash they had to back off.
Re: (Score:2)
Adding an 's' won't change the name nor IP address of the website you're visiting.
Yes, TFA acknowledges that. They point out a lot of these sites actually rent cloud for their service, so blocking the address will block a lot more sites than just theirs.
Re: (Score:2)
No, no it won't.
Still works though.
Re: (Score:1)
Actually, the name portion of the request is sent within the encrypted packet, so HTTPS does help there. Still, if you're using your ISP's DNS servers it probably wouldn't be hard for them to figure it out.
Re: (Score:2)
The name is encrypted and the IP address can't be blocked without blocking other non-infringing sites hosted at the same place.
won't work for long (Score:3)
The TLS handshake passes the name of the host being connected to (for the purpose of fetching its certificate) in plaintext. So if a site isn't being blocked, it's just a matter of time before the ISPs close this trivial loophole.
The next step is to ask for a different certificate that is being used on the same IP, by hacking the TLS handshake to specify a different hostname in the handshake than it uses in the HTTP request it sends later. This will probably just annoy whoever ends up paying for the bandwidth, and the loophole will get closed eventually.
What part of Proxy don't you get? (Score:2)
Good grief, we know this is Slashdot so reading TFA is generally scoffed at, but at least read past the first sentence of a summary. The Subject of my post says it all. It is trivial to set up a proxy so that customer => Cloud service which can't be blocked => TOR. If an ISP blocks a cheap Amazon node's IP they move the service to a different node/vendor. They can't block all of Amazon, all of Azure, etc..
It would take tons of manpower for ISPs to block and unblock addresses the the level needed t
Re: (Score:2)
Good grief, we know this is Slashdot so reading TFA is generally scoffed at, but at least read past the first sentence of a summary. The Subject of my post says it all. It is trivial to set up a proxy so that customer => Cloud service which can't be blocked => TOR.
You wrote that a proxies "aren't really necessary". I was responding to that. Good grief, indeed.
If you'd like to move the goalposts by claiming that the summary isn't want you wrote, that's fine. I'll respond to your claim that proxies are easy to set up. Yes, they are. And they're really easy to block too, if someone is motivated to do so. If they weren't difficult to block, there would be laws in place that would make them harder to set up.
Re: (Score:3)
You're presuming your ISP cares. Unless they are also a media company, they likely don't beyond the extent of the nuisance it creates in maintaining it and the small additional cost for hardware.
If blocking packets based on simple HTTP host headers is the cheapest option that satisfies the requirements of the legal order while also creating the least collateral damage, then they really don't care if it's
Re: (Score:2)
Mmm, I'm pretty sure sending the hostname is optional, and if a web browser didn't implement it, you'd just get a certificate warning. The user doesn't give a rip about real security, only that the ISP can't snoop and block. Of course if all standard browsers implement it, the average user might find it inconvenient to bypass.
Been playing that game for ten years... (Score:3)
...I mean, after all, as a school technology director, I've been playing that cat-and-mouse game with Facebook, etc. for 10 years. Block facebook.com, students figure out the "https" workaround...block all Facebook IPs, students use proxies...block all proxies, facebook.com now accessible w/ new IP address...neverending game of whack-a-mole.
And you just keep playing the game. As long as you make the efforts, you can say you're doing what you can, and that covers your back.
Re: (Score:3, Informative)
Well then you are doing it wrong. A ISP does not have the option but a organization like a school certainly can MTIM SSL.
There is no reason you should allow any SSL out you are not in the middle of.
Re:Been playing that game for ten years... (Score:4, Funny)
"Local teacher's union hacked by school administration"
"Hundreds of teacher's bank accounts compromised by security breach"
"School IT admin fired after uncovering principal's BDSM activity"
Re: (Score:2)
Re: (Score:1)
...I mean, after all, as a school technology director, I've been playing that cat-and-mouse game with Facebook, etc. for 10 years. Block facebook.com, students figure out the "https" workaround...block all Facebook IPs, students use proxies...block all proxies, facebook.com now accessible w/ new IP address...neverending game of whack-a-mole.
And you just keep playing the game. As long as you make the efforts, you can say you're doing what you can, and that covers your back.
So... poison the facebook DNS over to a page that logs a report and warns the student, and don't allow any 3rd-party DNS queries through your edge firewall.
Sure, some kids will eventually figure out they can use a VPN provider to get access to a working 3rd party DNS, at least on equipment they own and control, but you'll at least get rid of the bulk of the problem on the school equipment.
DNS (Score:1)
Do you control the DNS server? assuming you don't let your desktop zone connect to external DNS (or at the very least users don't have local admin and can't change DNS/hosts files), just have your DNS resolved override all facebook.com domains and point them at another IP. For shits and giggles you could even have an internal facebook-look-alike page that has some obscure maintenance message making it look like the issue is on FB's end, or just redirect them to hellokitty.com etc etc
Re: (Score:1)
To add to that:
While torrent sites might not care about such things, Facebook still requires a login. Assuredly they're not going to process cross-site POST requests from non-facebook domains (and their cookie policy should similarly reject such) so even if they find some alternate URL for facebook it's not going to let them actually log in and post anything.
That said, why even both with Facebook whack-a-mole? I remember in one case parents got upset because some kid posted mean stuff about another kid on F
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
It's not about keeping Facebook out of the school; it's about limiting the use of school resources (i.e. taxpayer dollars) to approved activities.
Re: (Score:3)
Err... (Score:2)
Surely all the naughty pirates with any sense have already signed up to a VPN for their actual torrenting, making ISP-level tracker site blocks completely irrelevant?
Not a blanket ban (Score:2)
Sick of torrent sites (Score:3)
I'm so sick of most torrent sites nowadays. There's one I still use, an ExtraTorrent proxy, that is just about tolerable, but every other site I've tried over the past year is full of popups, popunders, redirects, etc. I've got popups blocked, adverts blocked, everything blocked that I know how to block, and still the sites are practically unusable.
When I read this story, just out of interest I went to the https version of the pirate bay to see if it worked. Clicked on the search box and immediately I had a full-screen popup, two smaller popups, and a text-to-speech reader (ffs!!) reading out a warning message about my system having been compromised and giving me a phone number to call.
Re: (Score:2)
I'm so sick of most torrent sites nowadays. There's one I still use, an ExtraTorrent proxy, that is just about tolerable, but every other site I've tried over the past year is full of popups, popunders, redirects, etc. I've got popups blocked, adverts blocked, everything blocked that I know how to block, and still the sites are practically unusable.
When I read this story, just out of interest I went to the https version of the pirate bay to see if it worked. Clicked on the search box and immediately I had a full-screen popup, two smaller popups, and a text-to-speech reader (ffs!!) reading out a warning message about my system having been compromised and giving me a phone number to call.
I use Linux with Firefox (plus Adblock and NoScript). A lot of the advertising tricks don't work with that combo. HMA VPN and Transmission.
Re: (Score:2)
Disable JavaScript for those sites. YesScript is great for that.
Re: (Score:2)
Sounds like you really should be sick of your crappy adblocker.
Seriously I didn't know TPB had pop-ups until you mentioned it just now, and I certainly didn't configure anything or put any effort into blocking things.
Likewise with Kickass Torrents. I have noticed one of the aggregators torrentz.eu did have a popup, but that cumulated to nothing more than an annoying flash on the screen as the popup blocker did it's work.
Just like buying the wrong sized condom can lead to breaking at an unfortunate time it s
Blocking 'unauthorized' encryption is trivial (Score:1)
And https? Please [arstechnica.com]!
Media companies + security ... (Score:2)
Basically the media companies are going to say encryption is evil because people could use it for piracy, and the security assholes are going to claim encryption is bad because they can't spy on everybody.
Between the two of them they're probably going to convince idiot politicians to undermine all security to give them what they need.
Welcome to a work in which your rights and security are undermined by corporate rights, and people who are lying through their fucking teeth claiming to protect your rights and