Aug 08 4
Conroy's filtering plan: security worries
Posted by Liam Tung @ 11:49 18 comments
Communications Minister Stephen Conroy has welcomed "improvements" in ISP filtering technologies, but will a broad-scale roll-out make ISPs a thief's favourite target?
The great success of the ISP filtering trial was that current technologies impose far less interference on an ISP's network than similar tests done five years ago.
Improvements like this give the impression that yes, the government has its collective head around the challenge of making the internet a safe place.
But after an interesting chat with Internode's core networks and infrastructure group team leader Mark Newton, I came to the conclusion that any concerns about network degradation are peanuts compared to security worries around what could happen if the technology is implemented — in particular to the protocol used to conduct secure Web sessions with your bank or the tax office — HTTPS.
Newton raised an interesting idea: for an ISP to filter HTTPS sessions it would have to engage in a Man in the Middle attack, where the attacker intercepts and changes information being transmitted between two parties.
One of the key attributes the government was looking for in the tested filtering technologies was the ability to analyse content for smut so that it can accurately filter information rather than just block a bad source. While the filters were unable to analyse content over peer-to-peer networks, all the products were able to analyse Web protocols HTTP and HTTPS. (See table)
So what happens when granular filtering is applied to your transactions with a bank or the tax man?
Normally HTTPS means that data streams pass unfettered between your computer and the bank's servers, but ISP filtering would see that data decrypted at the ISP, inspected, re-encrypted and then forwarded on to you and the bank.
Now, I don't use Dodo, Exetel or TPG, but these ISPs don't seem to be able to afford call centre staff, so can we rely on these ISPs to implement whatever technology the government approves?
And if the filtering products run on Windows operating systems, what happens if and when those systems become infected with a trojan or virus that siphons information to cybercrims?
Let's hope we find out a little more about the security and privacy implications in the "live" trials the government plans to run in the coming months.
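The decrypt, inspect and re-encrypt step described above means the filter has to present its own certificate for the bank's name, and a client can check for that. The following is an added example, not from this article or any filtering product, using the openssl CLI with constructed names (Public CA, Filter CA, bank.example) to show what the client sees: the swapped certificate is rejected unless the filter's CA is trusted, and once it is trusted only a fingerprint recorded out of band reveals the swap.

```shell
#!/bin/sh
# Added example. Every name here (Public CA, Filter CA, bank.example) is constructed.

# Create a self-signed CA: mkca <file-prefix> <common-name>
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a certificate for bank.example: issue <ca-prefix> <out-prefix>
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=bank.example" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# Does the certificate in $2 chain to the CA in $1?
chains_to() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo rejected; fi
}

# SHA-256 fingerprint of a certificate file
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

demo_interception() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    mkca public "Public CA"      # CA the customer's browser already trusts
    mkca filter "Filter CA"      # CA held inside the filtering appliance
    issue public real            # certificate the bank really serves
    issue filter swapped         # certificate the filter presents instead
    pin=$(fp real.pem)           # fingerprint recorded out of band
    if [ "$(fp swapped.pem)" = "$pin" ]; then pinres=match; else pinres=mismatch; fi
    echo "real=$(chains_to public.pem real.pem)" \
         "swapped=$(chains_to public.pem swapped.pem)" \
         "swapped_if_filter_ca_trusted=$(chains_to filter.pem swapped.pem)" \
         "pin=$pinres"
  )
  rc=$?
  rm -rf "$d"
  return $rc
}

demo_interception
```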








This entire ISP level filtering is a very scary prospect. There seems to be a lot of "Black Hat" techniques used to prevent access. DNS poisoning, Man-In-The-Middle attacks: the potential for security compromises is just mind boggling.
Imagine your small tier 3 ISP using filtering software that performs the required filtering. This kind of ISP can't afford teams of people to look after security. If the filter becomes compromised then all manner of attacks become possible, on an entire ISP of users, rather than just a single computer. How about re-directing all ANZ users to a copy of the page that collects your login information, or send a copy of any information that you send to Westpac, whilst still showing you all the correct information you need, so as not to suspect anything. Scary.
Couple this with the fact that the filtering technology does not filter non HTTP/S traffic and you really ask why on earth we are doing this.
Surely the money would be better spent on providing hardware level filtering for families, education in schools, and most importantly educating parents on how to monitor and talk to their children about internet usage.