Conroy's filtering plan: security worries
Communications Minister Stephen Conroy has welcomed "improvements" in ISP filtering technologies, but will a broad-scale roll-out make ISPs a thief's favourite target?
The great success of the ISP filtering trial was that current technologies impose far less interference on an ISP's network than similar tests done five years ago.
Improvements like this give the impression that yes, the government has its collective head around the challenge of making the internet a safe place.
But after an interesting chat with Internode's core networks and infrastructure group team leader Mark Newton, I came to the conclusion that any concerns about network degradation are peanuts compared to security worries around what could happen if the technology is implemented — in particular to the protocol used to conduct secure Web sessions with your bank or the tax office — HTTPS.
Newton raised an interesting idea: for an ISP to filter HTTPS sessions it would have to engage in a Man in the Middle attack, where the attacker intercepts and changes information being transmitted between two parties.
One of the key attributes the government was looking for in the tested filtering technologies was the ability to analyse content for smut so that it can accurately filter information rather than just block a bad source. While the filters were unable to analyse content over peer-to-peer networks, all the products were able to analyse Web protocols HTTP and HTTPS. (See table)
So what happens when granular filtering is applied to your transactions with a bank or the tax man?
Normally HTTPS means that data streams pass unfettered between your computer and the bank's servers, but ISP filtering would see that data unencrypted at the ISP, inspected, re-encrypted and then forwarded on to you and the bank.
Now, I don't use Dodo, Exetel or TPG, but these ISPs don't seem to be able to afford call centre staff, so can we rely on these ISPs to implement whatever technology the government approves?
And if the filtering products run on Windows operating systems, what happens if and when those systems become infected with a trojan or virus that siphon information to cybercrims?
Let's hope we find out a little more about the security and privacy implications in the "live" trials the government plans to run in the coming months.