Conroy's filtering plan: security worries

Conroy's filtering plan: security worries

Summary: Communications Minister Stephen Conroy has welcomed "improvements" in ISP filtering technologies, but will a broad-scale roll-out make ISPs a thief's favourite target?

SHARE:

Communications Minister Stephen Conroy has welcomed "improvements" in ISP filtering technologies, but will a broad-scale roll-out make ISPs a thief's favourite target?

The great success of the ISP filtering trial was that current technologies impose far less interference on an ISP's network than similar tests done five years ago.

Improvements like this give the impression that yes, the government has its collective head around the challenge of making the internet a safe place.

But after an interesting chat with Internode's core networks and infrastructure group team leader Mark Newton, I came to the conclusion that any concerns about network degradation are peanuts compared to security worries around what could happen if the technology is implemented — in particular to the protocol used to conduct secure Web sessions with your bank or the tax office — HTTPS.

Newton raised an interesting idea: for an ISP to filter HTTPS sessions it would have to engage in a Man in the Middle attack, where the attacker intercepts and changes information being transmitted between two parties.

One of the key attributes the government was looking for in the tested filtering technologies was the ability to analyse content for smut so that it can accurately filter information rather than just block a bad source. While the filters were unable to analyse content over peer-to-peer networks, all the products were able to analyse Web protocols HTTP and HTTPS. (See table)

So what happens when granular filtering is applied to your transactions with a bank or the tax man?

Normally HTTPS means that data streams pass unfettered between your computer and the bank's servers, but ISP filtering would see that data unencrypted at the ISP, inspected, re-encrypted and then forwarded on to you and the bank.

Now, I don't use Dodo, Exetel or TPG, but these ISPs don't seem to be able to afford call centre staff, so can we rely on these ISPs to implement whatever technology the government approves?

And if the filtering products run on Windows operating systems, what happens if and when those systems become infected with a trojan or virus that siphon information to cybercrims?

Let's hope we find out a little more about the security and privacy implications in the "live" trials the government plans to run in the coming months.

Topics: Broadband, Censorship, Government AU, Security, Telcos, TPG, NBN

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

19 comments
Log in or register to join the discussion
  • Scary

    This entire ISP level filtering is a very scary prospect. There seems to be a lot of "Black Hat" techniques used to prevent access. DNS poisoning, Man-In-The-Middle attacks, the potential for security compromises are just mind boggling.

    Imagine your small tier 3 ISP using filtering software that performs the required filtering. These kind of ISP can't afford teams of people to look after security, if the filter becomes compromised then all manner of attacks become possible, on and entire ISP of users, rather then just a single computer. How about re-directing all ANZ users to a copy of the page that collects your login information, or send a copy of any information that you send to Westpac, whist til showing you all the correct information you need, so as not to suspect anything. Scary.

    Couple this with the fact that the filtering technology does not filter non HTTP/S traffic and you really ask why on earth we are doing this.

    Surely the money would be better spent on providing hardware level filtering for families, education in schools, and most importantly educating parents on how to monitor and talk to their children about internet usage.
    anonymous
  • Conroy - The new improved Sen. Alston

    If parents couldn't be bothered taking more interest in their childrens online safety and habits, then they don't deserve to own a computer.

    What's next? Government funded CCTV monitoring of my kids bath-time because i couldn't be bothered to watch or install one myself?

    The whole thing is a massive waste of taxpayer money. If you don't have the time or the brains to install filtering software yourself, then pay/ask someone who does to do it for you.
    anonymous
  • Conroy is No Alston

    Atleast with the new Government under Rudd there is some promising signals that the bad old days of using Telstra as a "Political Football" are over under Conroy!!!

    Coonan/Alston certainly done the Australian Public no favours and are partly to blame for the mess we now face!!!
    anonymous
  • speaking of content filtering...

    ...would it be possible to block the IP address range of Telstra PR and marketing? wouldn't it be nice to read informed comments from intelligent ZD readers, rather than the over-exclaimed dogma of the people who manufacture the Telstra kool-aid?
    anonymous
  • Exetel

    does have a Call Centre
    anonymous
  • Australia, Iran, China, Libya

    Ignoring the idea that in a Democracy, the Government shouldn't be drawing up secret lists of allowed ideas or applying punitive measures against citizens *before* crimes have been committed...

    Filtering would work so much better on the customer end anyway. Hell, if the Commonwealth are so intent on wasting my tax $$$ because they're "thinking of the children" then why don't they just team up with an ADSL modem vendor and get them to implement upgradable software filters into ADSL modems - and then let people decide if they want a device that snoops on them or not.

    And what of the legal issues - is the Commonwealth planning on indemnifying ISPs against misuse of the filter? Or if the filter incorrectly tampers with client data causing a loss of income? Better still, if a criminal with a filtered connection gets caught with kiddie porn, or hacking a bank, or ... couldn't they argue that "they have a filtered connection, it couldn't have been me"? (Think about that one for a sec, imagine the arguments in Court from the Government side of things, hehehe)

    Even worse, are the Government ministers going to start drinking even more of the kool-aid and think that the filter will actually work and cut manpower from operations that actively hunt down online nefarious activities?

    There are just so many holes in the Government filtering agenda it'd be laughable if it wasn't so likely to be implemented.
    anonymous
  • All of the Communication Ministers just have no idea.

    All of the Communication Ministers just have no idea.

    Alston: "The internet is only for porn and gambling"
    Conroy: "Labor makes no apologies to those who argue that regulation of the Internet is like going down the Chinese road"

    Believing that any of these politicians are "better" is fraught with danger!
    anonymous
  • It's about blame

    People could be borthered, but anything happened it's the government's fault. That's why the government want to do something about it.

    As CCTV, you may never know, if there are enough death tolls...
    anonymous
  • https - Content filtered or address filtered?

    A vital question in assessing the security risk of ISP-based filters is whether they really perform content filtering. All of the filters which were evaluated employ a combination of index-based filtering (looking for IP address or URL in a list), and analysis-based filtering (keyword or content type analysis). Only the latter method involves looking inside the packets. See ACMA's website for the papers. My guess is that none of the filters decrypts https packets - they filter https on the basis of address (either IP or URL). If my hunch is correct they do not pose the security risk that is suggested in the article. However, now that the matter has been raised it is incumbent on ACMA or Conroy's department to reassure the public.
    anonymous
  • Huh?

    What you described is simple IP/port blocking. It's not possible (without a man-in-the-middle-attack) to decrypt HTTPS sessions or links within content. You make it sound as if the URL are exposed in plain text for HTTPS.
    anonymous
  • Re: Huh?

    What I'm saying is that I don't believe that these filters could possibly be decrypting and scanning the content of https packets. Read the ACMA papers. The filters are all in software and they impose only a minimal performance degradation on the traffic. So I'd say they are doing something quite simple, and certainly not decrypting encrypted packets. But I'd really like ACMA or Stephen Conroy to come out and tell us whether we have something to worry about.
    anonymous
  • the premise of this article is wrong

    HTTPS is by design immune to man-in-the middle attacks, unless you can break strong encryption. The only way around this is for every filtering ISP to hold the private encryption keys of every bank or other entity using HTTPS, which is plainly absurd as, if it were possible logistically (which it is not), it would spell the end of Internet commerce in Australia. The HTTPS filtering must therefore be limited to examining the source URL, etc.

    The filtering schemes are, however, another stunning example of government naivety when it comes to IT and the Internet. The fact that they can easily be subverted by using HTTPS is just one example of how moronic these schemes are.
    anonymous
  • You're wrong actually

    In order to filter HTTPS content, the initial HTTPS request is intercepted, and a HTTPS proxy acts a relay (man-in-the-middle).
    anonymous
  • Destination IP

    The destination IP from the SSL cert will be blocked.
    anonymous
  • well no you're wrong actually

    The certificate wouldn't verify because it wouldn't match the website's URL, and thus the browser would reject it. I say this as an ex-principal engineer from RSA Security. SSL (and hence HTTPS) was deliberately constructed to defeat man-in-the-middle attacks, otherwise anyone on an intervening node of the *public* Internet could do such things.
    anonymous
  • gobbledygook

    Certificates don't contain an "IP". They do however contain the website domain name.
    anonymous
  • another gov feel good exercise

    just like claims "no child shall live in poverty"
    and "make Australia a safer place"

    just more moronic , draconian waste of taxpayers $$$ so some ignorant pollie can waffle on about how they are gonna save the world.

    whats the REAL agenda? Censorship,control and political grandstanding
    anonymous
  • Re: the premise of this article is wrong

    I agree; the suggestion that these filters are effectively mounting a man-in-the-middle attack on https sessions is an absolute nonsense. Mark Newton should have known better, and Liam Tung - you should check the facts before racing into "print". I'm afraid your article (and to some degree your credibility) is in tatters.

    One point about the whole idea of filtering. Although filters can be circumvented in various ways, most sites publishing "objectionable" material are not going to change their methods just to reach a few more Aussies. We are too insignificant on a world scale to even worry about. To the extent that this is true, the filters could be effective.
    anonymous
  • Call Centres...

    Call centres have nothing to do with whether or not an ISP is competent enough to integrate a filter into their network. That's a job for the engineers.
    anonymous