In compliance with a direction given by the Uttarakhand High Court, Indian ISPs have started blocking pornographic sites. In this article I dissect the implementation used to enforce the blockade, as well as techniques to circumvent it. Finally, we will discuss better implementations that address the current pitfalls.
A while back a friend recommended the TV series 24, but I couldn't find it on any of the streaming services. When I asked, she replied with a link to 123moviestime.com, which for some reason was blocked in India. I started digging into the implementation of the block.
When I tried to resolve the domain name with dig, it gave the following response:
$ dig 123moviestime.com +noall +answer

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> 123moviestime.com @220.127.116.11 +noall +answer
;; global options: +cmd
123moviestime.com.    10    IN    A    18.104.22.168
A quick whois on the IP revealed that it belonged to the ISP. The response did not change even when I forced dig to use Google's DNS resolver, confirming that the ISP was intercepting DNS traffic in transit (DPI on DNS) rather than merely serving bogus answers from its own resolver.
To circumvent this, I pointed local name resolution at the original IP with an entry in /etc/hosts and requested the website over both HTTP and HTTPS: the HTTP request failed while HTTPS worked. This shows that the ISP inspects HTTP request headers and proxies the request when the hostname matches a blocked site, and also that it is not inspecting the SNI field to block HTTPS traffic.
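The three checks above (DNS answers from several resolvers, plain HTTP to the real origin with the Host header, HTTPS to the real origin with the SNI) can be combined into a small classifier that names the layer at which a block is enforced. This is an added example, not code from the original post; the resolver labels, the ISP prefix and all addresses are constructed from documentation ranges, and collecting the observations over the network is left to the caller.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Observation:
    """One measurement of a hostname taken from inside the ISP network."""
    dns_answers: dict         # resolver label -> (answer IP, TTL in seconds)
    http_to_origin_ok: bool   # plain HTTP to the real origin IP with the Host header succeeded
    https_to_origin_ok: bool  # HTTPS to the real origin IP with the SNI succeeded

def dns_verdict(answers, isp_prefixes, expected_ip):
    """Classify the DNS layer.
    intercepted:   every resolver, on-net or off-net, returns an ISP-owned
                   address, so queries are being rewritten in transit
    resolver-only: only some resolvers return an ISP-owned address
    clean:         every resolver returns the expected origin address
    inconsistent:  anything else (no answers, CDN rotation, stale caches)"""
    if not answers:
        return "inconsistent"
    isp_nets = [ip_network(p) for p in isp_prefixes]
    owned = [any(ip_address(ip) in n for n in isp_nets) for ip, _ in answers.values()]
    if all(owned):
        return "intercepted"
    if any(owned):
        return "resolver-only"
    if all(ip == expected_ip for ip, _ in answers.values()):
        return "clean"
    return "inconsistent"

def blocking_layers(obs, isp_prefixes, expected_ip):
    """Return the layers at which the block is enforced, plus hints."""
    layers = []
    verdict = dns_verdict(obs.dns_answers, isp_prefixes, expected_ip)
    if verdict in ("intercepted", "resolver-only"):
        layers.append(f"dns:{verdict}")
    # A TTL as short as the 10 s seen in the post is unusual for a real A record,
    # so flag it as a hint that the answer was injected.
    if any(ttl <= 30 for _, ttl in obs.dns_answers.values()):
        layers.append("hint:low-ttl")
    if not obs.http_to_origin_ok:
        layers.append("http-host")   # plaintext Host header inspected and proxied
    if not obs.https_to_origin_ok:
        layers.append("tls-sni")     # SNI inspected
    return layers

# Constructed sample reproducing the post's findings (documentation-range addresses,
# not real ones): both resolvers return an ISP-owned IP with TTL 10, plain HTTP to
# the origin fails, HTTPS works.
SAMPLE = Observation({"isp-resolver": ("198.51.100.7", 10), "8.8.8.8": ("198.51.100.7", 10)}, False, True)
ISP_PREFIXES, ORIGIN_IP = ["198.51.100.0/24"], "203.0.113.10"
```

Running `blocking_layers(SAMPLE, ISP_PREFIXES, ORIGIN_IP)` yields `['dns:intercepted', 'hint:low-ttl', 'http-host']`, i.e. the same picture the post arrived at by hand.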
DNS has long been one of the weakest links on the internet, susceptible to man-in-the-middle attacks, and it looks like the ISPs are exploiting it to enforce the ban. It's a smart strategy: inspecting DNS traffic is far cheaper and more effective than analysing other protocols (DNS traffic will be at least 10x less than protocols like HTTP or HTTPS). But this is going to change soon: with the advent of DoH and DoT, all DNS traffic will be encrypted and the authenticity of the response verified. Mainstream browsers like Firefox and Chrome have started integrating this feature in their nightly builds. On the mobile front, Google added support for the same in Android Pie. Cloudflare released a DNS daemon that runs on the major platforms (Linux/Windows/macOS) and proxies DNS requests via DoH, in turn rendering the embargo ineffective.
These developments do not mean that ISPs will become incapable of enforcing the ban. Note that the above workaround helps only when the HTTP traffic is encrypted, i.e. when using HTTPS. ISPs could start DPI on HTTPS and look for blocked hostnames in the SNI to enforce the block effectively, for the time being. I say 'for the time being' because Cloudflare has announced support for Encrypted SNI, an extension to TLS 1.3, which will render SNI inspection fruitless.
As a philosophical footnote, I believe that a ban on certain content on the internet can only be implemented by exploiting existing vulnerabilities, while academia and industry work tirelessly to ensure they are mitigated. DoH, DoT and ESNI were created to alleviate attacks such as DoS. I also think that a ban on content is by definition ineffective on the distributed internet and in some cases backfires; I learned about the documentary India's Daughter only when the government tried to ban it. I will end this philosophical prose on a lighter note with a quote by the mega reverend of the church Our Lady of Perpetual Exemption, John Oliver: "Internet is like quicksand, the more aggressively you fight to remove from it, the deeper you sink down into it".