Slashdot Mirror


Thanks To Encryption, UK Efforts To Block Torrent Sites Are Pointless (betanews.com)

Mark Wilson writes: In the UK, ISPs are required to block access to a number of big-name torrent sites — the thinking being that sites such as The Pirate Bay are used primarily for (gasp!) downloading pirated material. Despite the government's desire to control what people can access online, good old HTTPS means that people are able to very easily bypass any blocks that may be put in place. There are all manner of proxy services and mirror sites that provide access to otherwise-blocked content, but these are really not needed. With the likes of The Pirate Bay and Kickass Torrents offering secure, encrypted connections, accessing the goodies they contain could involve little more than sticking an extra 's' in the URL.

13 of 79 comments

  1. Um by penguinoid · · Score: 4, Informative

    Adding an 's' won't change the name nor IP address of the website you're visiting.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re: Um by Esteanil · · Score: 2

      Works here. Blocked on http, no problem with https (ISP: Get.no, Norway)

      --
      I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
    2. Re:Um by Anonymous Coward · · Score: 2, Informative

      From TFA:

      "In theory ISPs could also block the site’s IP-addresses, but since many use shared IPs from CloudFlare this would also take down other unrelated websites."

    3. Re: Um by Kardos · · Score: 3, Insightful

      That doesn't seem right....the SNI is not encrypted. They can block based on SNI, see https://en.wikipedia.org/wiki/...

    4. Re: Um by Lennie · · Score: 2

      They are probably using deep packet inspection and some configuration recipe provided by the manufacturer. It will probably take them a couple of years to figure out they can block on the SNI.

      --
      New things are always on the horizon
  2. won't work for long by pedantic+bore · · Score: 2

    The TLS handshake passes the name of the host being connected to (for the purpose of fetching its certificate) in plaintext. So if a site isn't being blocked, it's just a matter of time before the ISPs close this trivial loophole.

    The next step is to ask for a different certificate that is being used on the same IP, by hacking the TLS handshake to specify a different hostname in the handshake than it uses in the HTTP request it sends later. This will probably just annoy whoever ends up paying for the bandwidth, and the loophole will get closed eventually.

    --
    Am I part of the core demographic for Swedish Fish?
    1. Re:won't work for long by cdrudge · · Score: 2

      "So if a site isn't being blocked, it's just a matter of time before the ISPs close this trivial loophole."

      You're presuming your ISP cares. Unless they are also a media company, they likely don't beyond the extent of the nuisance it creates in maintaining it and the small additional cost for hardware.

      If blocking packets based on simple HTTP host headers is the cheapest option that satisfies the requirements of the legal order while also creating the least collateral damage, then they really don't care if it's an ineffective measure easily circumvented (proxy, https, vpn, etc.).

  3. Been playing that game for ten years... by Pollux · · Score: 2

    ...I mean, after all, as a school technology director, I've been playing that cat-and-mouse game with Facebook, etc. for 10 years. Block facebook.com, students figure out the "https" workaround...block all Facebook IPs, students use proxies...block all proxies, facebook.com now accessible w/ new IP address...neverending game of whack-a-mole.

    And you just keep playing the game. As long as you make the efforts, you can say you're doing what you can, and that covers your back.

    1. Re:Been playing that game for ten years... by DarkOx · · Score: 2, Informative

      Well then you are doing it wrong. An ISP does not have the option but an organization like a school certainly can MITM SSL.

      There is no reason you should allow any SSL out you are not in the middle of.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Been playing that game for ten years... by Anonymous Coward · · Score: 4, Funny

      "Local teachers' union hacked by school administration"

      "Hundreds of teachers' bank accounts compromised by security breach"

      "School IT admin fired after uncovering principal's BDSM activity"

    3. Re:Been playing that game for ten years... by Thiez · · Score: 2

      Seems pointless, don't they all have phones with mobile internet these days?

    4. Re:Been playing that game for ten years... by Thiez · · Score: 2

      Since you can't actually block the students from accessing facebook, isn't attempting to do so a waste of taxpayer money?

  4. Sick of torrent sites by Andy+Smith · · Score: 2

    I'm so sick of most torrent sites nowadays. There's one I still use, an ExtraTorrent proxy, that is just about tolerable, but every other site I've tried over the past year is full of popups, popunders, redirects, etc. I've got popups blocked, adverts blocked, everything blocked that I know how to block, and still the sites are practically unusable.

    When I read this story, just out of interest I went to the https version of the pirate bay to see if it worked. Clicked on the search box and immediately I had a full-screen popup, two smaller popups, and a text-to-speech reader (ffs!!) reading out a warning message about my system having been compromised and giving me a phone number to call.