Coordinated by Italy last month, a huge law enforcement operation reportedly ‘dismantled’ a pirate IPTV service with 22 million users. That’s an extraordinary number and shows why countries like Italy have adopted mass site blocking measures. Logic suggests that the removal of such a huge player from the market might reduce the need for blocking measures, if only temporarily. The data shows that in the wake of the action, blocking demands significantly increased.
Everyone gansta till DPI system is installed.
We already have that. It’s usually not used for this use-case though. And it’d be hard to do so, as nowadays most traffic is encrypted, we have certificate pinning etc. So it won’t work.
The alternative would be IP based blocking. And the article mentions this, and it’s contained in the graphs. That’s much harder to circumvent. But also harder to do, since websites share IPs, they’re in the cloud on AWS…
It would not be hard at all. China, Iran and Russia already do that. Clienthello is not encrypted and that is all you need.
And ECH would not solve this as you can just block cloudflare-ech (or other, depending on CDN) domain itself and force clients to fallback to non-encrypted clienthello.
Sure, I forgot to think about that properly. This only works if you have a large amount of control about everything already, including the people. China is known to do it for a long time now. And back in the old days, deep packet inspection and reading the content was pretty easy. My browser has some certificates reay. I have HSTS and all the bells and whistles, have connected to the servers already and their policies and certificates cached. Many websites support this. And it warns me if I’m dropping to non encrypted connections. All of them complain on sending forms over HTTP only, logins and display something in the address bar. I suppose it’s easy in China because they force users to use certain browsers. They have alternative domestic services for everything, replacing the messengers, video platforms and social media networks we use. And that’s why it works so well in the current days. I’m not sure if that would translate to a western democracy. I think it’d be hard to implement it here. Well, technically, it’s easy as you pointed out. But everyone would notice and it’d change how we interact with the internet to quite some degree.
I’m not sure about Iran. They seem to claim they can break encryption. I doubt that’s possible. And the most effective thing is not allowing connections to 70% of the internet anyways. But that’s not inspecting packets, just disallowing communication. I’m not sure about other measures.
And all of this isn’t the whole story, you can for example “circumvent encryption” on the server side, as it’s done. Force service providers to provide interfaces for lawful intercept.
I don’t think the TCP hello contains anything useful like the domain name? Isn’t that sent later on?
TLS clienthello contains unencrypted string, called SNI, that contains the domain of a destination web site. It must be unencrypted to work, because web sites read this string to determine which certificate to use.
You do not break encryption. It is unencrypted by design.
With all due respect, but it seams to me that you do not quite understand how HTTPS works. For encryption it relies on TLS protocol. And TLS does not encrypt everything, it encrypts only payload, but it also has to share some additional data to even establish encrypted connection. The majority of that work is done by exchanging clienthello and serverhello. To do that client has to clarify what server he is even trying to reach as there can be multiple servers on IP, but they have separate certificates, support different cyphers etc. For that a string “SNI”, that contains domain name is used. Only after client and server exchange all the necessary information encrypted conversation can start. So, by looking into clienthello and reading SNI any MITM can determine what web site are you trying to reach.
Oh, thank. Now I know what ECH stands for. I’ll look it up.