The blocking mechanism used to censor Wikipedia in the UK has been described as "fragile" and "easy to evade" by Cambridge University security expert Richard Clayton.
Access to Wikipedia was restricted between 5 and 9 December after child-abuse watchdog the Internet Watch Foundation (IWF) recommended that ISPs block two Wikipedia pages. The pages contain an image of the 1978 Virgin Killer album cover by German rock band the Scorpions, which shows a naked girl.
According to Wikipedia, the UK ISPs which enforce the IWF list include Be, BT, Demon, Eclipse, Orange, PlusNet, Sky Broadband, T-Mobile, TalkTalk, Telefonica O2, Tesco.net, and UK online. However, Clayton said there was "some confusion" as to which operators had blocked access to the Wikipedia page. Virgin Media, Plusnet, and Be Broadband all made statements this week saying they had blocked the site.
However, much of the blocking was ineffectual, wrote Clayton in a blog post on Thursday, due to case sensitivity. Whereas the IWF had recommended that a URL ending in 'virgin_killer' be blocked, the two Wikipedia pages that the ISPs attempted to censor were listed as "Virgin_Killer" and "Virgin_killer".
At ISPs where the URL matching was case sensitive, the pages were not blocked. Users could also unintentionally circumvent the blocking mechanism if they used their own DNS server or a remote proxy mechanism, Clayton added. They could then report that they could see the page, further "muddying the waters", Clayton said.
Further confusion arose over whether ISPs showing 404 error pages were blocking the pages deliberately, or whether the error messages were being returned for another reason.
Clayton said ISPs don't block entire websites, but instead pass the traffic to suspect sites through a web proxy. The proxy checks the web request and blocks specific URLs that are on the IWF list.
However, as part of its policy to prevent vandalism on the site, Wikipedia blocks large numbers of requests coming from a limited set of IP addresses. The use of proxies meant that all Wikipedia visitors using major ISPs appeared to have "one of a handful" of IP addresses, and so were blocked from editing.
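The two-stage filtering and the case-sensitivity gap described above can be modelled in a few lines. This is an added example, not code from Clayton, the IWF or any ISP; the host names, IP addresses, URL prefix and function names are all constructed, and only the three page-name spellings come from the article.

```python
from urllib.parse import urlsplit

# All hosts, addresses and URLs below are constructed for illustration.
SUSPECT_HOSTS = {"wiki.example"}   # stage 1: hosts whose traffic is diverted to the proxy
BLOCKLIST = {"http://wiki.example/wiki/virgin_killer"}   # stage 2: listed URL
PROXY_IP = "192.0.2.10"            # source address the site sees for proxied users


def listed(url, case_sensitive):
    """Stage 2: compare the requested URL with the blocklist entries."""
    if case_sensitive:
        return url in BLOCKLIST
    # Case-folded comparison. Servers that treat paths as case sensitive may
    # serve different pages for different spellings, so this can also over-match.
    return url.lower() in {entry.lower() for entry in BLOCKLIST}


def handle(client_ip, url, case_sensitive):
    """Return (verdict, source IP the destination site would see)."""
    host = urlsplit(url).hostname or ""
    if host not in SUSPECT_HOSTS:
        return ("direct", client_ip)   # traffic never touches the proxy
    if listed(url, case_sensitive):
        return ("blocked", None)       # request is not forwarded
    return ("proxied", PROXY_IP)       # forwarded, but from the proxy's address


def run(case_sensitive):
    """Replay four constructed requests from four different subscribers."""
    requests = [
        ("198.51.100.7", "http://wiki.example/wiki/Virgin_Killer"),
        ("198.51.100.8", "http://wiki.example/wiki/Virgin_killer"),
        ("198.51.100.9", "http://wiki.example/wiki/Main_Page"),
        ("198.51.100.6", "http://other.example/"),
    ]
    return [handle(ip, url, case_sensitive) for ip, url in requests]


if __name__ == "__main__":
    for mode in (True, False):
        print("case_sensitive =", mode)
        for verdict, seen_ip in run(mode):
            print("   ", verdict, seen_ip)
```

With case-sensitive matching neither spelling of the page is blocked, and in both modes every request that reaches the suspect host arrives from the single proxy address, which is the side effect that triggered Wikipedia's editing blocks.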
Clayton said it is unknown why the IWF chose to block the web page URLs instead of the image URLs. However, future attempts at blocking images would probably be ineffectual, wrote Clayton.
"The bottom line is that these blocking systems are fragile [and] easy to evade (even unintentionally)," wrote Clayton.