BT, Sky, and Virgin Enforce UK Porn Blocks By Hijacking Browsers
An anonymous reader writes with this story at Ars Technica, excerpting: BT, Sky, and Virgin Media are hijacking people's web connections to force customers to make a decision about family-friendly web filters. The move comes as the December deadline imposed by prime minister David Cameron looms, with ISPs struggling to get customers to say yes or no to the controversial adult content blocks. The messages, which vary by ISP, appear during browser sessions when a user tries to access any website. BT, Sky, TalkTalk and Virgin Media are required to ask all their customers if they want web filters turned on or off, with the government saying it wants to create a "family friendly" Internet free from pornography, gambling, extreme violence and other content inappropriate for children. But the measures being taken by ISPs have been described as "completely unnecessary" and "heavy handed" by Internet rights groups. The hijacking works by intercepting requests for unencrypted websites and rerouting a user to a different page. ISPs are using the technique to communicate with all undecided customers. Attempting to visit WIRED.co.uk, for example, could result in a user being redirected to a page asking them about web filtering. ISPs cannot intercept requests for encrypted websites in the same way.
They enforce the law by breaking the law. Sounds like a good plan if you want to piss everyone off.
But only if they are the ones doing it. Who watches the watchers?
If this is legal I can only assume it is also legal to hijack these companies' routers and servers. Right? If it is done in good faith. To protect children.
"free from pornography, gambling, extreme violence and other content inappropriate for children"
And I want a user friendly internet, free from governments, corporations, extreme advertising and other content inappropriate for ANYONE.
Cameron, please, for sanity's sake: Stop talking. Or, better, stop breathing.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
A handful of people have reported that the "would you like to enable parental filters" message crops up. It's one of those setup screens that a lot of ISPs use for initial setup.
Seriously, what's in it for the ISP to push these things? It makes their service less useful and costs the ISP money. Filtering requires servers to run the filters.
Is it not possible, that perhaps the router was reset or something was changed at the exchange and that triggered the setup message to appear? Click "no" and carry on browsing.
Intentionally running a MITM attack against your customers aside, there is a huge problem with the legislation to begin with. There is a valid answer, and has been for quite a while, for people that want to keep their kids away from porn without the heavy handed Government regulation.
Cybersitter and NetNanny are not for me, but if I had young kids I may use that type of service if I was worried about their access. These companies get paid to manage content for you, and are _completely_ voluntary so don't impose restrictions on everyone. And if those services are not available in the UK, or not good enough in the UK, why not create the company and let the free market do the work? As bad as the US has become, I'm glad I'm not from the UK.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Is redirection really that hard to defeat? Can I do it with my own hosts file?
beetlejuice!
beetlejuice!
beetlejuice!
“He’s not deformed, he’s just drunk!”
I'm curious about the security implications of them hijacking your session. And, more importantly, whether I get reimbursed if they fuck up and some critical account of mine gets abused.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Almost all ISPs have this ability. Hijacking plain HTTP is no big deal. You are doing critical account stuff over HTTPS, right?
Good-bye
Brilliant idea.
Now instead of offering the parents an option to enable a porn filter, little Billy goes to a random kids website and gets asked "Do you want to watch porn?".
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
It makes their service less useful
Conservative parents might disagree. They see filtering as a "feature" that lets them use the web as a babysitter without running quite as much of a risk of exposing children to things that parents think their children shouldn't see without context, such as Goatse or Tubgirl.
with the government saying it wants to create a "family friendly" Internet free from pornography, gambling, extreme violence and other content inappropriate for children
Would this exclude, say, a site containing a drawing of kids playing a gambling game with a toy gun?
"Bing -- because everyone forgets you can search for naughty pictures with us."
Ah well, good thing you've elected people who know what's best for your intellectually inferior populace.
Britain has three parties with insignificant differences. So at least voters have slightly more choice than America, where there are two parties with insignificant differences.
Both Tories and Labour are censorious asshats. No-one knows whether the Lib Dems are the same, because they change policies as soon as they get any power.
Use HTTPS. The article mentions:
Uh, Linux geek since 1999.
Then have it your way, with DNS and HTTP to all IP addresses other than your ISP's customer support producing "Connection refused". Would that be a better way to do it?
My brief experience with this was really rather annoying. The filters activated a couple of weeks ago. A bunch of websites (inc my porn) just gave 500 errors. I was not taken to a page to explain what was happening. I only realised that my Cameronwall had been activated when my friends confirmed that they could still access the sites I could not. I logged into my BT account, found the part where I turn them back off again and did so only to be told that it would take up to 24 hours for the change to take effect. Additionally my partner's Macbook started to give a range of weird errors when connecting to a variety of webpages. I'm not overly techy but it seemed our router was remembering the redirect and still using it for a bunch of sites (even though the block had been removed by this point) and the macbook was refusing to display the sites it was being redirected to because it had detected a suspicious re-direct.
It's like you're not even trying. You're not a real European Parliamentary until you've got at least eleven parties with insignificant differences. Throw in some Christian Democrats, Democratic Christians, Republicans, Peoples' Workers Party, and Christian Democratic Republican Peoples' Workers Party, and you're starting to have real variety.
I'm curious about the security implications of them hijacking your session.
How is a one-time HTTP hijack worse than a captive portal showing a click-through TOS page when you open your laptop in a restaurant with open Wi-Fi?
Then they're injecting a Location: header into your connection.
The sodding "no thanks" button would just not work so you had to accept the request, then log back into the BT portal to disable it again. Then it finally went.
What also finally went was my patience with BT, ordered my MAC code and migrating to Andrews and Arnold.
BT, you lost a customer over this. Idiots.
this would not even happen if they were using a different DNS such as google, it only happens with their DNS server
have you seen my sig? there are many others like it but none that are the same
I must say I've never needed a filter to avoid porn on the internet. I'm not sure why the government feels it must block access to something I don't wish to see in the first place, unless it ultimately has ulterior motives, intending to derail the free flow of information necessary for a participative democracy in the name of public morality. It's ironic that a government which recently ruled that health practitioners must refer patients for abortion in spite of their individual moral objections is now suddenly concerned about access to porn. I find it more believable that the ultimate goal is to restrict access to information embarrassing to the ruling party, using the ostensible reason of porn filtering to silence dissent.
The society for a thought-free internet welcomes you.
A hosts file has many uses, but defeating a captive portal isn't one of them. A competent captive portal will produce "Connection refused" on all ports of all other IP addresses until you've completed the authentication and preference-setting process.
Exactly. And on the page you're redirected to, you answer the question, and don't get redirected again. I really don't understand why people are making such a huge deal of this. It's like a T&C page that you see when connecting to public wifi.
I don't have a filter on my bookcase.
I don't have a filter on my movie collection.
I don't have a filter on my video game collection.
Why do I need one on my Internet connection?
I work in schools. Nobody's ever really given me a satisfactory answer that doesn't include pushing parental responsibility to a third party.
I'm with Virgin. They haven't asked me yet. The only time I've ever been asked such things is when I signed up to a mobile network and they asked me if I wanted to turn off the filter on the connection. Given that I work IT, the answer was yes. I want as few third parties between me and my service providers as possible, thanks. But the number of times I'll be using 4G to go looking for anything is going to be slim.
By all means ask... but it would have been so much easier to not ask and let those who worry about it fix it for themselves.
DNS and HTTP to all IP addresses other than your ISP's customer support producing "Connection refused".
this would not even happen if they were using a different DNS such as google, it only happens with their DNS server
If all other IP addresses give "Connection refused" for customers who haven't yet expressed a censoring preference, then you can't even get to Google Public DNS (8.8.4.4 and 8.8.8.8).
Well, then why don't Conservative parents fuck off, do their own parenting
Because the cost of living has increased to the point where parents have to work instead of staying at home and parenting.
I see a small percentage of the population complain about something, and if they come off as being on the side of a society approved message ie; "porn is bad" then they can get their way, an inordinate amount of power for a small whiny percentage of the population.
While I understand that parents don't want their young children watching anal fisting porn, it's troubling parents choose to allow others to be responsible for that control.
I see this a lot, parents complaining about the need for more controls and laws to protect their kids, shifting the responsibility from personal to societal.
Or is that just the media using a "society approved" "we care about the children" propaganda message?
Did you know the CIA says it only takes %3 of a population to effect change, what does that say about the other %97?
Erica Chenoweth wrote an interesting paper on this, she found that for peaceful change, it took a larger percentage of the population to get involved, closer to %5 or higher, but for a violent change a smaller percentage is all that was needed, recall the CIA percentage I just mentioned?
She also found that peaceful change lasted longer and had better results than violent change, gives you an insight into how and what the CIA is about, hence so many "student revolutions" in foreign countries that end poorly and destabilized regions.
Personal responsibility is a sign of a mature person, and a mature society, increasing laws, regulations and societal pressures is the opposite.
"If any question why we died, Tell them because our fathers lied."
The UK have become so politically correct. I remember when ol' Blighty was an amazing place to live and work. Now? Not so much.
- The police in the UK cannot even kick down the doors of muslim suspects because they might interrupt their prayer and offend them.
- The UK porn filter is stupid and easily routed around
- The UK is so politically correct, that over the next couple of years, UKIP will make great gains -- beyond the by-elections already made
- UK citizens are sick and tired of the nanny state, sick and tired of muslim immigrants re-writing social mores, dictating special foods in schools, halal this, halal that...
The UK better wake up and fairly quickly. Political correctness is a disease of the highest order.
CAPTCHA: subsume
How are you going to actually your HTTPS-only web sites when every single site you visit gives "Certificate error" until the householder has confirmed his censoring preference? This happens on open hotspots in hotels and restaurants, for example. The answer to "Why is HTTPS Everywhere preventing me from joining this hotel/school/other wireless network?" in the HTTPS Everywhere FAQ recommends visiting an HTTP-only site first in order to be redirected to the login page.
..with the government saying it wants to create a "family friendly" Internet free from pornography, gambling, extreme violence and other content inappropriate for children
Point #1: You do not 'own' the entire Internet
Point #2: It's not up to you to 'clean up' the Internet
Point #3: It has been proven over and over and over again that 'net nanny' and other censorship does not work
Point #4: Governments will subvert any censorship technology for their own propaganda and agenda purposes, destroying the original (misguided) intent
Point #5: Regardless of whatever you're telling your citizens, you likely will end up discriminating against people who don't want your filtering
Point #6: Ultimately your efforts will fail, for reasons of Point #3, and because people will always find a way around it regardless.
..and finally, not a 'point', but just my personal opinion on the matter: I think any government that engages in censorship are a bunch of fucking assholes who don't deserve to be in power. Leave the Internet alone and let people decide for themselves what they do and do not want their families and themselves to encounter or do there. Police UK-hosted sites against outright illegal activity or content? Yes. Make moral decisions for everyone else? Hell, no.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Subscribe to Slashdot and you'll see the secure URL.
If I don't say "yes", the answer is NO. Period.
... because that's obviously the least convenient time and I'll be most annoyed and most likely to ignore it! Oh, no, wait, I bet their logic is "that's the time I'm definitely sitting there and watching". Either way, I press "exit" and go on. It's annoying to get ads on a service I'm paying for (as opposed to ads on broadcast TV, that's just the way it is).
It will not be long that the UK government will choose to put any site they do not like into the black list.
In a few years time, the internet will contain government-approved material only.
If you want to read an opinion that is different than the government's, you will not be able to without turning the filter off.
If you turn the filter off, then you might be flagged as a terrorist.
The sad part in all this is not what the governments are trying to do though...it is the people's reaction. There is a large percentage of people willing to accept tyranny. This thread is full of them...look at all the posts that downplay the significance of this filter equating it to wifi hotspot login...
where will it all end, though? this does not, as they say, 'scale well'.
suppose everyone who offers inet service wants to do the DPI redirect shit on you? "you cant get to this website unless you take our survey. what was the last car you bought? how much do you make? etc etc."
I understand the free access portals even though I think its still a bad idea to have people 'login' to a free service. but this is your HOME service that you are now being filtered at, unless you 'respond' to this or that question of the day.
that's unacceptable.
it breaks automation (curl, wget, scripts) and sets a really bad precedent, overall.
it reminds me of the traffic stops they have on holidays in the US. they stop every 'n' random car and give the driver a hassle, hoping to fish for something to arrest him on. this is really against the constitution (I realize the article is about UK but I'm not in the UK) and yet, we have let it pass 'for the good of the people' (deep sigh).
same with this: its intrusive and a common carrier should just transport ip packets and nothing else! no filtering, no redirecting, no private local dns maps, no SYN resets, no dpi and no bullshit. just carry my packets - that's ALL we want from you.
--
"It is now safe to switch off your computer."
Enough said. I nearly made the 'l' an 'r' but I must think of the children, as Dave Camoron the suppository salesman has said.
On y va, qui mal y pense!
Cover the UK with cameras and now forbid what you are allowed to watch in the privacy of your own home.
Fuck Cameron. Seriously. This is insulting.
- Zav - Imagine a Beowulf cluster of insensitive clods...
You can't trust the integrity of data you receive via http anyway.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Step 1: Pray that the foundational assumptions of state-of-the-art crypto remain true (no P=NP or quantum computer cracking nonsense, please).
Step 2: Rent/buy/lease/colo a VPS or dedicated server in a country that respects users' freedom and doesn't tamper with their network connection.
Step 3: Set up a VPN on said server.
Step 4: Use the latest crypto algs you can get your hands on; apply security patches aggressively; and watch out for notices of weaknesses.
Step 5: Use the VPN on absolutely every device you own: at work, on your phone, on your home router, etc.
Step 6: ???
Step 7: Eat My Bitstream! No more ISP interference.
IMO Step 1 is the shakiest, but it's all we've got for now.
Since the DNS *is* "poisoned" (redirected), hosts SHOULD work
That'd be true if DNS poisoning is the only layer that a provider uses to corral users into their captive portal. But based on my own experience with captive portals, that's rarely the case. Say you have 123.45.67.89 www.example.com in your hosts file. Any HTTPS connection to 123.45.67.89:443 will produce either "Connection refused" or a certificate error. Any HTTP connection to 123.45.67.89:80 will produce a Location: redirect to the page for expressing filtering preferences.
You're assuming that the connection that they redirect is a web browser. You might want to look at how many other apps poll things over HTTP periodically, and what they do if they don't understand the response (e.g. they expect a simple JSON response and they get a big blob of HTML). Even if it is a web page, what happens when the HTTP request that they hijack is a background AJAX request and not the main page fetch?
I am TheRaven on Soylent News
"As Prime Minister David Cameron announced, we are required to ask ALL of our customers by the end of 2014 whether they wish to opt in or out of filtering of materials deemed offensive by the government's approved third-party monitors. As we have not yet received a response from you to our previous inquiries about this, we are now required to take additional steps to ensure that you have seen and responded to this question."
Or at least that's how I'd phrase it.
fencepost
just a little off
Spliters.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
How do the ISP know that they are not intercepting a RESTful GET request, and interrupting up some application?
I also have the ability to look through people's wallets and purses when they're at my house, but it doesn't make it legal for me to start taking note or changing stuff in their belongings.
seems rather "odd" that WHEN I DON'T MAKE *ANY* DNS REQUESTS @ ALL, that they could stop me thus
That's because a proper captive portal will MITM not only every DNS request on port 53 but also every HTTP request on port 80, no matter to what IP address, and block connections to unapproved IP addresses on all other ports. So even if your machine produces no outgoing packets on TCP or UDP port 53, the captive portal still grabs you when your machine opens a connection on port 80.
The only thing children need protection from are people who think they know what children need protecting from.
Never say never. Ah!! I did it again!
We need magic bunker buster packets to blast through their firewalls. Well, at least I can think of one good use for viruses and worms now. Instead of DDOS we should create a DGOS (Dynamic Guarantee Of Service), something impossible to block. Gonna require wireless though, not much you can do when they decide to drop anchor.
“He’s not deformed, he’s just drunk!”
That's a good point, but you're missing the point that HTTP is not and never has been secure. It wasn't designed to be secure. If your software doesn't check what's received and validate it, then your software has a bad bug.
I think we've pushed this "anyone can grow up to be president" thing too far.
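What "check what's received and validate it" can look like for a client that polls a JSON endpoint over plain HTTP, as an added example that is not part of any commenter's post: an off-origin Location: redirect or an HTML body is treated as interception rather than data, and the last good reading is marked stale instead of being reused silently. The URLs, the `reading` field, the verdict names and the sample responses are constructed for illustration.

```python
import json
from urllib.parse import urljoin, urlsplit

# Hypothetical endpoint and schema, assumed for this example.
API_URL = "http://sensors.example/api/latest"
REQUIRED_KEY = "reading"


def classify_response(request_url, status, headers, body):
    """Decide whether an HTTP response is the API's answer or an interception.

    Returns (verdict, payload); payload is a dict only when verdict == "ok".
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = urlsplit(request_url)

    if 300 <= status < 400:
        location = hdrs.get("location")
        if not location:
            return "http-error", None
        # Resolve relative redirects before comparing scheme and host.
        target = urlsplit(urljoin(request_url, location))
        if (target.scheme, target.hostname) != (origin.scheme, origin.hostname):
            return "off-origin-redirect", None   # typical portal behaviour
        return "same-origin-redirect", None

    if status != 200:
        return "http-error", None

    # A portal page served with 200 usually arrives as text/html.
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return "unexpected-content-type", None

    try:
        data = json.loads(body)
    except ValueError:                            # includes bad UTF-8
        return "invalid-json", None
    if not isinstance(data, dict) or REQUIRED_KEY not in data:
        return "schema-mismatch", None
    return "ok", data


def update_state(state, verdict, payload, now, max_age=300):
    """Keep the last good reading, but flag it stale once it is too old."""
    if verdict == "ok":
        return {"reading": payload[REQUIRED_KEY], "at": now, "stale": False}
    if state is None:
        return {"reading": None, "at": None, "stale": True}
    return {"reading": state["reading"], "at": state["at"],
            "stale": (now - state["at"]) > max_age}


# Constructed sample responses: (status, headers, body).
SAMPLES = {
    "genuine": (200, {"Content-Type": "application/json; charset=utf-8"},
                b'{"reading": "dry"}'),
    "portal_redirect": (302, {"Location": "http://portal.isp.example/filter-choice"},
                        b""),
    "portal_html": (200, {"Content-Type": "text/html"},
                    b"<html>Please choose a filtering preference</html>"),
    "mislabelled": (200, {"Content-Type": "application/json"},
                    b"<html>Please choose a filtering preference</html>"),
}


def run_samples():
    """Classify every constructed sample and return {name: verdict}."""
    return {name: classify_response(API_URL, *resp)[0]
            for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} -> {verdict}")
```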
The dark night of Fascism is always descending on America, but it always falls on Europe.
Huh?
My thoughts exactly. OR, since it's required by law to submit your choice, they could always suspend your service till you call/log into account/ mail choice to the appropriate authorities. Yes, this whole thing is bogus but everyone getting their panties in a bunch because the page they visited redirected them to another getting the info straight away is redic.
I'm on BT and I got asked. Once, just once. I said "no filter", obviously.
Thing is, how did they know it was me, and not my 12-year-old daughter?
OK, so I don't HAVE a 12-year-old daughter, but the point remains. Anybody could have been at the PC when it asked the question; there was absolutely no check whatsoever done on the identity of the person clicking. Just a simple "Yes"/"No" choice. It could have been me, could have been my (non-existent) wife, could have been any of my (non-existent) kids, could have been the next-door neighbour come to check something while their internet is down, could have been my aged Mum, could have been anybody.
I guess the ISPs really aren't interested in anything beyond enforcing the letter of the government's request.
While enforcing porn blocks on the Internet is fine in my eyes, I don't care for anything like that anyway but is that why virgin keep adding 'additional features' onto my bill when I know there is no way I watched them and there's no one else in the house?? Take it off the Internet, put it on customers bills instead?
Do you know what the media and courts call people who damage computer systems by triggering bugs? Hackers.
I am TheRaven on Soylent News
If your road surface state sensor stations start submitting their measurements to a page asking them if they want to view porn or not, it's time to beef up the hardware so that it can use SSL... Oh, it's not BT's cost, not their problem. And if people crash on icy road because the info board displayed the last available measurement "Road:Dry" when it iced over, it's surely not the telcos that will go to prison.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
It will not be long that the UK government will choose to put any site they do not like into the black list.
That's how it is now. The "porn" sites are on the list, but the religious sites aren't, and their works are much more harmful to children, least because they include material which could be considered pornography under the government's own guidelines but primarily because of all the violence with specious justification.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
This will backfire like a well fed big dog that hasn't been out all day. If you railroad people to use your broken, half-baked, unreliable networks and render our highly reliable self-contained devices that we pay for inoperative, well what is to stop us from promoting our machines to be APs with your MAC, your AP name and a big path to nowhere while we drink Long Island Iced Tea in your bar and surf 4G on our Note 4? Go ahead, block my phone too. Maybe you want to call your bankruptcy attorney to discuss your business model first. I was in a Sheraton last week that could not come up with 2.5M down or get above 80Kbps up on $10 a day "10Mbps premium" service. I took the laptop out in the hall and wandered around too. The pipe was fried everywhere. If my MiFi AP had been blocked and my ability to work affected as a result the whole chain would have earned red-tag status on the extended stay far away plan. Some people just don't think things through.
in any event, use a site like that & you get what you get (I get it).
In a lot of areas, it's either the monopoly cable ISP or expensive satellite Internet with a far smaller monthly data quota.
This is LARGELY a combination of clientside script-driven work (like in "registered 'luser'" accounts here) [...] Let me know please when you can - this isn't one I am familiar with as to what's going on in it, both client AND server-side, mechanics-wise
The server knows which subscribers have expressed a filtering preference. It also knows which modems' MAC numbers are associated with each subscriber's account. So packets coming from a modem on a "don't know whether to filter" account don't go to the Internet at all. There's no "client-side scripting" about it; the closest thing is how the server intercepts requests on port 80 to all addresses, so that when you open your browser to the start page for the first time on this connection, you get an HTTP response whose Location: header points to the filtering preference page.
It seems to me that the solution is not to interfere with the service they're providing to me, which is the service I ASKED FOR, in the first place.
The only reason they throw up this page is because in their mind, you haven't finished ASKING FOR service. Until they know what specific kind of service you prefer, namely a filtered service or an unfiltered service, they don't provide any service.
So, this ISN'T some website, but rather a way of getting online period?
Correct. It's an ISP that offers an option for censorware as a service to its customers. When you first sign up, or when the ISP first rolls out censorware in your area, it captive-portals all packets until the householder completes the setup of the connection. In this case, completing the setup includes deciding to turn censorware on or off. Some parents will want it; other subscribers won't. Public Wi-Fi hotspots do something similar to ensure that each user has seen the acceptable use policy.
Again - see subject, & thanks for your fast replies
I'm a bit more "stateless" (in the computing sense) than some other Slashdot users. This means I'm not disposed toward ad hominem attacks; I instead take each post on Slashdot as I see it. And you've shown yourself to be reasonable, even if you're a little verbose, and even if at times you've appeared to claim that the hosts file is a panacea.
Yes. And do you know what people call those who send important information over insecure links? Fools.
I think we've pushed this "anyone can grow up to be president" thing too far.
even if at times you've appeared to claim that the hosts file is a panacea.
I never *ONCE* have!
You don't claim that. Others have accused you of claiming that, and that's where they pick up misconceptions. The hosts file is one layer, and in-browser policy add-ons are another layer to pick up anything bad that slips past hosts.
hosts even add anonymity (vs. dns request logs)
This use of hosts essentially treats it as a DNS cache. But you still have to make DNS requests after the cache period expires to see if the record has changed. Otherwise, after the site you're trying to access has moved to a different IP address, you'll likely end up hitting the server of the attacker who has snagged that same address.
The people in the UK asked for it, their political leaders passed it, and their ISPs were left trying to figure out how to implement it... To them (the people in the U.K.) this is acceptable - dice, you know, they asked for it - literally.
What if it is? Can't your application handle a failed HTTP request? They are capturing an unsecured HTTP request, that's all.
As annoying as that sounds I actually think that yes it would. I would really like it if more ISPs did the same thing that mine did - if you try to opt for filtered internet they tell you to leave and find another provider.