Slashdot Mirror


Thanks To Encryption, UK Efforts To Block Torrent Sites Are Pointless (betanews.com)

Mark Wilson writes: In the UK, ISPs are required to block access to a number of big-name torrent sites — the thinking being that sites such as The Pirate Bay are used primarily for (gasp!) downloading pirated material. Despite the government's desire to control what people can access online, good old HTTPS means that people are able to very easily bypass any blocks that may be put in place. There are all manner of proxy services and mirror sites that provide access to otherwise-blocked content, but these are really not needed. With the likes of The Pirate Bay and Kickass Torrents offering secure, encrypted connections, accessing the goodies they contain could involve little more than sticking an extra 's' in the URL.


  1. Um by penguinoid · · Score: 4, Informative

    Adding an 's' won't change the name nor IP address of the website you're visiting.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re: Um by Esteanil · · Score: 2

      Works here. Blocked on http, no problem with https (ISP: Get.no, Norway)

      --
      I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
    2. Re:Um by Anonymous Coward · · Score: 2, Informative

      From TFA:

      "In theory ISPs could also block the site’s IP-addresses, but since many use shared IPs from CloudFlare this would also take down other unrelated websites."

    3. Re:Um by ShaunC · · Score: 1

      Turns out many of the verboten sites are using cloud-based hosting and CDNs. You can't block those IPs without affecting (possibly many) legitimate sites. I'm assuming the "Host:" HTTP header must be part of the encrypted traffic, and therefore impossible to filter against.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    4. Re: Um by Kardos · · Score: 3, Insightful

      That doesn't seem right... the SNI is not encrypted. They can block based on SNI, see https://en.wikipedia.org/wiki/...

    5. Re: Um by Anonymous Coward · · Score: 1

      It is harder to access BBC iPlayer than torrent sites. So it's easier to download BBC material from Piratebay.
      Kinda poetic.

    6. Adding an 's' won't change the name nor IP address of the website you're visiting.

      Yes, TFA acknowledges that. They point out a lot of these sites actually rent cloud for their service, so blocking the address will block a lot more sites than just theirs.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    7. Re:Um by wonkey_monkey · · Score: 1

      No, no it won't.

      Still works though.

      --
      systemd is Roko's Basilisk.
    8. Re:Um by reanjr · · Score: 1

      You are correct that the host header (and all headers, including the URL) are encrypted. The only thing you see is the SNI host that might be the entrypoint to any number of other hosts.

    9. Re:Um by AmiMoJo · · Score: 1

      Actually, in this case it's not government mandated blocking. The BPI, our equivalent of the RIAA, took the ISPs to court and got an order requiring them to block. It only affects the larger ISPs because the smaller ones were not included in the order.

      Many people have known about this for years. Like Usenet, we just kept quiet about it. I'd love to know how Sky is blocking these sites... DNS perhaps, which is easily circumvented, or some pretty horrific DPI.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re: Um by Lennie · · Score: 2

      They are probably using deep packet inspection and some configuration recipe provided by the manufacturer. It will probably take them a couple of years to figure out they can block on the SNI.

      --
      New things are always on the horizon
    11. Re:Um by just_a_monkey · · Score: 1

      So there will be incitement for content providers to put pressure on their hosting solutions to make sure they do not host anything torrent related...

      --
      How inappropriate to call this planet Earth, when clearly it is Ocean.
    12. Re:Um by phorm · · Score: 1

      Actually, the name portion of the request is sent within the encrypted packet, so HTTPS does help there. Still, if you're using your ISP's DNS servers it probably wouldn't be hard for them to figure it out.

    13. Re:Um by infolation · · Score: 1

      Proportional Representation has unfortunately yet to make an appearance in the UK's voting system.

    14. Re:Um by countach · · Score: 1

      The name is encrypted and the IP address can't be blocked without blocking other non-infringing sites hosted at the same place.

    15. Re:Um by countach · · Score: 1

      Only if they start blocking at the IP address level, and I'm not seeing that happening because every time ISPs have tried it there was such a backlash they had to back off.

  2. won't work for long by pedantic+bore · · Score: 2

    The TLS handshake passes the name of the host being connected to (for the purpose of fetching its certificate) in plaintext. So if a site isn't being blocked, it's just a matter of time before the ISPs close this trivial loophole.

    The next step is to ask for a different certificate that is being used on the same IP, by hacking the TLS handshake to specify a different hostname in the handshake than it uses in the HTTP request it sends later. This will probably just annoy whoever ends up paying for the bandwidth, and the loophole will get closed eventually.

    --
    Am I part of the core demographic for Swedish Fish?
    1. Re:won't work for long by cdrudge · · Score: 2

      So if a site isn't being blocked, it's just a matter of time before the ISPs close this trivial loophole.

      You're presuming your ISP cares. Unless they are also a media company, they likely don't beyond the extent of the nuisance it creates in maintaining it and the small additional cost for hardware.

      If blocking packets based on simple HTTP host headers is the cheapest option that satisfies the requirements of the legal order while also creating the least collateral damage, then they really don't care if it's an ineffective measure easily circumvented (proxy, https, vpn, etc)

    2. Re:won't work for long by countach · · Score: 1

      Mmm, I'm pretty sure sending the hostname is optional, and if a web browser didn't implement it, you'd just get a certificate warning. The user doesn't give a rip about real security, only that the ISP can't snoop and block. Of course if all standard browsers implement it, the average user might find it inconvenient to bypass.

  3. What part of Proxy don't you get? by s.petry · · Score: 1

    Good grief, we know this is Slashdot so reading TFA is generally scoffed at, but at least read past the first sentence of a summary. The Subject of my post says it all. It is trivial to set up a proxy so that customer => Cloud service which can't be blocked => TOR. If an ISP blocks a cheap Amazon node's IP they move the service to a different node/vendor. They can't block all of Amazon, all of Azure, etc..

    It would take tons of manpower for ISPs to block and unblock addresses at the level needed to have any impact, and even then it's just whack-a-mole.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:What part of Proxy don't you get? by pedantic+bore · · Score: 1

      Good grief, we know this is Slashdot so reading TFA is generally scoffed at, but at least read past the first sentence of a summary. The Subject of my post says it all. It is trivial to set up a proxy so that customer => Cloud service which can't be blocked => TOR.

      You wrote that proxies "aren't really necessary". I was responding to that. Good grief, indeed.

      If you'd like to move the goalposts by claiming that the summary isn't what you wrote, that's fine. I'll respond to your claim that proxies are easy to set up. Yes, they are. And they're really easy to block too, if someone is motivated to do so. If they weren't difficult to block, there would be laws in place that would make them harder to set up.

      --
      Am I part of the core demographic for Swedish Fish?
  4. Been playing that game for ten years... by Pollux · · Score: 2

    ...I mean, after all, as a school technology director, I've been playing that cat-and-mouse game with Facebook, etc. for 10 years. Block facebook.com, students figure out the "https" workaround...block all Facebook IPs, students use proxies...block all proxies, facebook.com now accessible w/ new IP address...neverending game of whack-a-mole.

    And you just keep playing the game. As long as you make the efforts, you can say you're doing what you can, and that covers your back.

    1. Re:Been playing that game for ten years... by DarkOx · · Score: 2, Informative

      Well then you are doing it wrong. An ISP does not have the option, but an organization like a school certainly can MITM SSL.

      There is no reason you should allow any SSL out you are not in the middle of.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Been playing that game for ten years... by Anonymous Coward · · Score: 4, Funny

      "Local teacher's union hacked by school administration"

      "Hundreds of teacher's bank accounts compromised by security breach"

      "School IT admin fired after uncovering principal's BDSM activity"

    3. Re:Been playing that game for ten years... by WorBlux · · Score: 1

      How do you make a block-chain authoritative on data that originates outside of it, like ICANN-compliant domain names? Alternatives like the PGP web of trust or the GNU name system will explicitly show you the chain of trust, but these webs aren't authoritative.

    4. Re:Been playing that game for ten years... by Anonymous Coward · · Score: 1

      ...I mean, after all, as a school technology director, I've been playing that cat-and-mouse game with Facebook, etc. for 10 years. Block facebook.com, students figure out the "https" workaround...block all Facebook IPs, students use proxies...block all proxies, facebook.com now accessible w/ new IP address...neverending game of whack-a-mole.

      And you just keep playing the game. As long as you make the efforts, you can say you're doing what you can, and that covers your back.

      So... poison the facebook DNS over to a page that logs a report and warns the student, and don't allow any 3rd-party DNS queries through your edge firewall.
      Sure, some kids will eventually figure out they can use a VPN provider to get access to a working 3rd party DNS, at least on equipment they own and control, but you'll at least get rid of the bulk of the problem on the school equipment.

    5. Re:Been playing that game for ten years... by Thiez · · Score: 2

      Seems pointless, don't they all have phones with mobile internet these days?

    6. Re:Been playing that game for ten years... by StikyPad · · Score: 1

      It's not about keeping Facebook out of the school; it's about limiting the use of school resources (i.e. taxpayer dollars) to approved activities.

    7. Re:Been playing that game for ten years... by Thiez · · Score: 2

      Since you can't actually block the students from accessing facebook, isn't attempting to do so a waste of taxpayer money?

    8. Re:Been playing that game for ten years... by avandesande · · Score: 1

      Even better, have a script that once they are authenticated uploads goatse to their timeline.

      --
      love is just extroverted narcissism
  5. Err... by RDW · · Score: 1

    Surely all the naughty pirates with any sense have already signed up to a VPN for their actual torrenting, making ISP-level tracker site blocks completely irrelevant?

  6. Not a blanket ban by clickclickdrone · · Score: 1

    Strictly speaking, in the UK, something like the top ten ISPs are required to block these sites. All the others will happily let you access them.

    --
    I want a list of atrocities done in your name - Recoil
  7. Sick of torrent sites by Andy+Smith · · Score: 2

    I'm so sick of most torrent sites nowadays. There's one I still use, an ExtraTorrent proxy, that is just about tolerable, but every other site I've tried over the past year is full of popups, popunders, redirects, etc. I've got popups blocked, adverts blocked, everything blocked that I know how to block, and still the sites are practically unusable.

    When I read this story, just out of interest I went to the https version of the pirate bay to see if it worked. Clicked on the search box and immediately I had a full-screen popup, two smaller popups, and a text-to-speech reader (ffs!!) reading out a warning message about my system having been compromised and giving me a phone number to call.

    1. Re:Sick of torrent sites by AntronArgaiv · · Score: 1

      I'm so sick of most torrent sites nowadays. There's one I still use, an ExtraTorrent proxy, that is just about tolerable, but every other site I've tried over the past year is full of popups, popunders, redirects, etc. I've got popups blocked, adverts blocked, everything blocked that I know how to block, and still the sites are practically unusable.

      When I read this story, just out of interest I went to the https version of the pirate bay to see if it worked. Clicked on the search box and immediately I had a full-screen popup, two smaller popups, and a text-to-speech reader (ffs!!) reading out a warning message about my system having been compromised and giving me a phone number to call.

      I use Linux with Firefox (plus Adblock and NoScript). A lot of the advertising tricks don't work with that combo. HMA VPN and Transmission.

    2. Re:Sick of torrent sites by AmiMoJo · · Score: 1

      Disable JavaScript for those sites. YesScript is great for that.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Sick of torrent sites by thegarbz · · Score: 1

      Sounds like you really should be sick of your crappy adblocker.

      Seriously I didn't know TPB had pop-ups until you mentioned it just now, and I certainly didn't configure anything or put any effort into blocking things.
      Likewise with Kickass Torrents. I have noticed one of the aggregators, torrentz.eu, did have a popup, but that amounted to nothing more than an annoying flash on the screen as the popup blocker did its work.

      Just like buying the wrong-sized condom can lead to breaking at an unfortunate time, it sounds like your attempts at safely browsing the internet haven't really hit the mark.

  8. Blocking 'unauthorized' encryption is trivial by fustakrakich · · Score: 1

    And https? Please!

    --
    “He’s not deformed, he’s just drunk!”
  9. Media companies + security ... by gstoddart · · Score: 1

    Basically the media companies are going to say encryption is evil because people could use it for piracy, and the security assholes are going to claim encryption is bad because they can't spy on everybody.

    Between the two of them they're probably going to convince idiot politicians to undermine all security to give them what they need.

    Welcome to a world in which your rights and security are undermined by corporate rights, and people who are lying through their fucking teeth claiming to protect your rights and security. Sorry, but bypassing our rights and security isn't defending them, it's undermining them.

    --
    Lost at C:>. Found at C.
  10. DNS by phorm · · Score: 1

    Do you control the DNS server? Assuming you don't let your desktop zone connect to external DNS (or at the very least users don't have local admin and can't change DNS/hosts files), just have your DNS resolver override all facebook.com domains and point them at another IP. For shits and giggles you could even have an internal facebook-look-alike page that has some obscure maintenance message making it look like the issue is on FB's end, or just redirect them to hellokitty.com etc etc

    1. Re:DNS by phorm · · Score: 1

      To add to that:
      While torrent sites might not care about such things, Facebook still requires a login. Assuredly they're not going to process cross-site POST requests from non-facebook domains (and their cookie policy should similarly reject such) so even if they find some alternate URL for facebook it's not going to let them actually log in and post anything.

      That said, why even bother with Facebook whack-a-mole? I remember in one case parents got upset because some kid posted mean stuff about another kid on FB while at school, but it was done with his phone, so short of banning all mobile devices you're not really getting very far with an Intranet-based block. I suppose you could at least disclaim some liability but that should be part of whatever permission forms etc students submit for access anyhow.

  11. Re:Bob Dole by TheCarp · · Score: 1

    Interesting, so basically, he plays whatever part is most convenient at the time. Sounds like someone the politicians must love.

    --
    "I opened my eyes, and everything went dark again"
  12. Re:Bob Dole by Bloke+down+the+pub · · Score: 1

    Ouija board, or knock twice for yes?

    (goes to Google)

    Shit, really?

    --
    It's true I tell you, feller at work's next door neighbour read it in the paper.