Conroy's filtering plan: security worries

Summary:Communications Minister Stephen Conroy has welcomed "improvements" in ISP filtering technologies, but will a broad-scale roll-out make ISPs a thief's favourite target?

Communications Minister Stephen Conroy has welcomed "improvements" in ISP filtering technologies, but will a broad-scale roll-out make ISPs a thief's favourite target?

The great success of the ISP filtering trial was that current technologies impose far less interference on an ISP's network than similar tests done five years ago.

Improvements like this give the impression that yes, the government has its collective head around the challenge of making the internet a safe place.

But after an interesting chat with Internode's core networks and infrastructure group team leader Mark Newton, I came to the conclusion that any concerns about network degradation are peanuts compared to security worries around what could happen if the technology is implemented — in particular to the protocol used to conduct secure Web sessions with your bank or the tax office — HTTPS.

Newton raised an interesting idea: for an ISP to filter HTTPS sessions it would have to engage in a Man in the Middle attack, where the attacker intercepts and changes information being transmitted between two parties.

One of the key attributes the government was looking for in the tested filtering technologies was the ability to analyse content for smut so that it can accurately filter information rather than just block a bad source. While the filters were unable to analyse content over peer-to-peer networks, all the products were able to analyse Web protocols HTTP and HTTPS. (See table)

So what happens when granular filtering is applied to your transactions with a bank or the tax man?

Normally HTTPS means that data streams pass unfettered between your computer and the bank's servers, but ISP filtering would see that data unencrypted at the ISP, inspected, re-encrypted and then forwarded on to you and the bank.

Now, I don't use Dodo, Exetel or TPG, but these ISPs don't seem to be able to afford call centre staff, so can we rely on these ISPs to implement whatever technology the government approves?

And if the filtering products run on Windows operating systems, what happens if and when those systems become infected with a trojan or virus that siphon information to cybercrims?

Let's hope we find out a little more about the security and privacy implications in the "live" trials the government plans to run in the coming months.

Topics: Networking, Government : AU, NBN, Security, Telcos


Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.