Conroy's filtering plan: security worries

Communications Minister Stephen Conroy has welcomed "improvements" in ISP filtering technologies, but will a broad-scale roll-out make ISPs a thief's favourite target?

The great success of the ISP filtering trial was that current technologies impose far less interference on an ISP's network than similar tests done five years ago.

Improvements like this give the impression that yes, the government has its collective head around the challenge of making the internet a safe place.

But after an interesting chat with Internode's core networks and infrastructure group team leader Mark Newton, I came to the conclusion that any concerns about network degradation are peanuts next to the security worries about what could happen if the technology is implemented, in particular to HTTPS, the protocol used to conduct secure Web sessions with your bank or the tax office.

Newton raised an interesting point: for an ISP to filter the content of HTTPS sessions it would have to mount a man-in-the-middle attack, in which the attacker sits between two parties and intercepts, reads and can alter the information passing between them.

One of the key attributes the government was looking for in the tested filtering technologies was the ability to analyse content for smut so that it can accurately filter information rather than just block a bad source. While the filters were unable to analyse content over peer-to-peer networks, all the products were able to analyse the Web protocols HTTP and HTTPS. (See table)

So what happens when granular filtering is applied to your transactions with a bank or the tax man?

Normally HTTPS means the data stream is encrypted end to end between your browser and the bank's servers, and the ISP relays nothing but ciphertext. Content-level filtering of HTTPS would instead have the ISP terminate the session itself: the data would be decrypted at the ISP, inspected, re-encrypted and then forwarded on to you and the bank. Two things are worth adding. First, a browser only accepts that silently if it trusts the certificate the filter presents in the bank's name, so the ISP would need either the bank's private key or an interception CA installed in customers' browsers; otherwise the user sees a certificate warning on every banking session. Second, the ISP does not need to decrypt anything to block HTTPS by address: the destination IP is always visible, and in TLS 1.2 and earlier the server's certificate, carrying the site's domain name, crosses the wire in the clear during the handshake.
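To make that precondition concrete, here is an added example in Go (not code from the article, from Internode or from any filter vendor). It mints a constructed "public" CA and a constructed "ISP filter" CA, issues a server certificate for a hypothetical bank.example under each, runs a real TLS handshake over loopback and classifies what a verifying client does in four trust configurations. The names bank.example and filter.isp.example and the CA labels are assumptions for illustration only. It also covers the certificate-name mismatch argued over in the talkback below: even with the interception CA trusted, a certificate in the wrong name still fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mint issues a certificate for name: a self-signed CA when parent is nil, otherwise a server
// certificate for host name signed by parent. Everything here is constructed for the example.
func mint(name string, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, err }
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	signerCert, signerKey := t, any(key) // self-signed unless a parent is given
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // the name a browser checks against the URL
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, t, signerCert, &key.PublicKey, signerKey)
	if err != nil { return tls.Certificate{}, err }
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// handshake runs one TLS handshake over loopback: a server presenting server to a client that
// expects host and trusts only the CAs in roots. It returns the client's verification verdict.
func handshake(server tls.Certificate, roots *x509.CertPool, host string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return err }
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		if raw, err := ln.Accept(); err == nil {
			s := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{server}})
			_ = s.Handshake() // the server's view of a failure is not what we report
			s.Close()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil { return err }
	c := tls.Client(raw, &tls.Config{ServerName: host, RootCAs: roots})
	err = c.Handshake()
	c.Close()
	<-done
	return err
}

// classify maps the client's verification outcome to what a browser would show the user.
func classify(err error) string {
	var unknown, mismatch = x509.UnknownAuthorityError{}, x509.HostnameError{}
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "unknown authority" // warning: issuer is not in the trust store
	case errors.As(err, &mismatch):
		return "hostname mismatch" // warning: name on the certificate is not the URL's
	}
	return "error: " + err.Error()
}

// RunScenarios returns the client verdict for four trust configurations.
func RunScenarios() (map[string]string, error) {
	const bank = "bank.example" // hypothetical site
	publicCA, err := mint("Public Root CA", nil)
	if err != nil { return nil, err }
	ispCA, err := mint("ISP Filter CA", nil)
	if err != nil { return nil, err }
	genuine, err := mint(bank, &publicCA)
	if err != nil { return nil, err }
	forged, err := mint(bank, &ispCA) // what a filter must present to read the session
	if err != nil { return nil, err }
	wrong, err := mint("filter.isp.example", &ispCA) // hypothetical name, not the bank's
	if err != nil { return nil, err }
	publicOnly, publicAndISP := x509.NewCertPool(), x509.NewCertPool()
	publicOnly.AddCert(publicCA.Leaf)
	publicAndISP.AddCert(publicCA.Leaf)
	publicAndISP.AddCert(ispCA.Leaf) // the trust store once the ISP's CA is pushed to customers
	return map[string]string{
		"genuine":           classify(handshake(genuine, publicOnly, bank)),
		"forged-untrusted":  classify(handshake(forged, publicOnly, bank)),
		"forged-trusted":    classify(handshake(forged, publicAndISP, bank)),
		"forged-wrong-name": classify(handshake(wrong, publicAndISP, bank)),
	}, nil
}

func main() { fmt.Println(RunScenarios()) }
```

The forged-untrusted row is what a browser with a normal trust store does by default: the filter's certificate in the bank's name is rejected as coming from an unknown authority. The forged-trusted row is the configuration in which the decrypt, inspect and re-encrypt described above works with no warning at all, and it is exactly the configuration in which a compromised filter box holds banking plaintext. The forged-wrong-name row shows that trusting the ISP's CA still does not let a certificate for some other name pass for the bank's URL.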

Now, I don't use Dodo, Exetel or TPG, but these ISPs don't seem to be able to afford call centre staff, so can we rely on these ISPs to implement whatever technology the government approves?

And if the filtering products run on Windows, what happens if and when those systems become infected with a trojan or virus that siphons information off to cybercrims? A filter that terminates HTTPS holds the plaintext of every customer's banking session, so a compromise of the filter box is a compromise of all of them at once.

Let's hope we find out a little more about the security and privacy implications in the "live" trials the government plans to run in the coming months.

Talkback

Scary

This entire ISP-level filtering is a very scary prospect. There seem to be a lot of "Black Hat" techniques used to prevent access. DNS poisoning, man-in-the-middle attacks: the potential for security compromises is just mind-boggling.

Imagine your small tier 3 ISP using filtering software that performs the required filtering. These kinds of ISPs can't afford teams of people to look after security; if the filter becomes compromised then all manner of attacks become possible, on an entire ISP's worth of users rather than just a single computer. How about redirecting all ANZ users to a copy of the page that collects your login information, or sending a copy of any information that you send to Westpac, whilst still showing you all the correct information you need, so as not to make you suspect anything? Scary.

Couple this with the fact that the filtering technology does not filter non-HTTP/S traffic and you really have to ask why on earth we are doing this.

Surely the money would be better spent on providing hardware level filtering for families, education in schools, and most importantly educating parents on how to monitor and talk to their children about internet usage.

Anonymous August 4th, 2008

Australia, Iran, China, Libya

Ignoring the idea that in a Democracy, the Government shouldn't be drawing up secret lists of allowed ideas or applying punitive measures against citizens *before* crimes have been committed...

Filtering would work so much better on the customer end anyway. Hell, if the Commonwealth are so intent on wasting my tax $$$ because they're "thinking of the children" then why don't they just team up with an ADSL modem vendor and get them to implement upgradable software filters into ADSL modems - and then let people decide if they want a device that snoops on them or not.

And what of the legal issues - is the Commonwealth planning on indemnifying ISPs against misuse of the filter? Or if the filter incorrectly tampers with client data causing a loss of income? Better still, if a criminal with a filtered connection gets caught with kiddie porn, or hacking a bank, or ... couldn't they argue that "they have a filtered connection, it couldn't have been me"? (Think about that one for a sec, imagine the arguments in Court from the Government side of things, hehehe)

Even worse, are the Government ministers going to start drinking even more of the kool-aid and think that the filter will actually work and cut manpower from operations that actively hunt down online nefarious activities?

There are just so many holes in the Government filtering agenda it'd be laughable if it wasn't so likely to be implemented.

Anonymous August 5th, 2008

Conroy - The new improved Sen. Alston

If parents couldn't be bothered taking more interest in their children's online safety and habits, then they don't deserve to own a computer.

What's next? Government-funded CCTV monitoring of my kids' bath-time because I couldn't be bothered to watch or install one myself?

The whole thing is a massive waste of taxpayer money. If you don't have the time or the brains to install filtering software yourself, then pay/ask someone who does to do it for you.

Anonymous August 4th, 2008

Conroy is No Alston

At least with the new Government under Rudd there are some promising signals that the bad old days of using Telstra as a "Political Football" are over under Conroy!!!

Coonan/Alston certainly did the Australian Public no favours and are partly to blame for the mess we now face!!!

Anonymous August 4th, 2008

speaking of content filtering...

...would it be possible to block the IP address range of Telstra PR and marketing? Wouldn't it be nice to read informed comments from intelligent ZD readers, rather than the over-exclaimed dogma of the people who manufacture the Telstra kool-aid?

popo August 4th, 2008

All of the Communication Ministers just have no idea.

All of the Communication Ministers just have no idea.

Alston: "The internet is only for porn and gambling"
Conroy: "Labor makes no apologies to those who argue that regulation of the Internet is like going down the Chinese road"

Believing that any of these politicians are "better" is fraught with danger!

Anonymous August 5th, 2008

It's about blame

People could be bothered, but if anything happened it's the government's fault. That's why the government wants to do something about it.

As for CCTV, you may never know, if the death toll is high enough...

Anonymous August 5th, 2008

Exetel

does have a Call Centre

Anonymous August 5th, 2008

https - Content filtered or address filtered?

A vital question in assessing the security risk of ISP-based filters is whether they really perform content filtering. All of the filters which were evaluated employ a combination of index-based filtering (looking for an IP address or URL in a list) and analysis-based filtering (keyword or content-type analysis). Only the latter method involves looking inside the packets. See ACMA's website for the papers. My guess is that none of the filters decrypts HTTPS packets; they filter HTTPS on the basis of address (either IP or URL). If my hunch is correct they do not pose the security risk that is suggested in the article. However, now that the matter has been raised it is incumbent on ACMA or Conroy's department to reassure the public.

Keith Heale August 5th, 2008

Huh?

What you described is simple IP/port blocking. It's not possible (without a man-in-the-middle attack) to decrypt HTTPS sessions or links within content. You make it sound as if URLs are exposed in plain text for HTTPS.

Anonymous August 5th, 2008

Re: Huh?

What I'm saying is that I don't believe that these filters could possibly be decrypting and scanning the content of HTTPS packets. Read the ACMA papers. The filters are all in software and they impose only a minimal performance degradation on the traffic. So I'd say they are doing something quite simple, and certainly not decrypting encrypted packets. But I'd really like ACMA or Stephen Conroy to come out and tell us whether we have something to worry about.

Keith Heale August 5th, 2008

the premise of this article is wrong

HTTPS is by design immune to man-in-the-middle attacks, unless you can break strong encryption. The only way around this is for every filtering ISP to hold the private encryption keys of every bank or other entity using HTTPS, which is plainly absurd as, if it were possible logistically (which it is not), it would spell the end of Internet commerce in Australia. The HTTPS filtering must therefore be limited to examining the source URL, etc.

The filtering schemes are, however, another stunning example of government naivety when it comes to IT and the Internet. The fact that they can easily be subverted by using HTTPS is just one example of how moronic these schemes are.

Anonymous August 6th, 2008

You're wrong actually

In order to filter HTTPS content, the initial HTTPS request is intercepted, and an HTTPS proxy acts as a relay (man-in-the-middle).

conf t August 6th, 2008

well no you're wrong actually

The certificate wouldn't verify because it wouldn't match the website's URL, and thus the browser would reject it. I say this as an ex-principal engineer from RSA Security. SSL (and hence HTTPS) was deliberately constructed to defeat man-in-the-middle attacks, otherwise anyone on an intervening node of the *public* Internet could do such things.

Anonymous August 6th, 2008

Re: the premise of this article is wrong

I agree; the suggestion that these filters are effectively mounting a man-in-the-middle attack on HTTPS sessions is an absolute nonsense. Mark Newton should have known better, and Liam Tung, you should check the facts before racing into "print". I'm afraid your article (and to some degree your credibility) is in tatters.

One point about the whole idea of filtering. Although filters can be circumvented in various ways, most sites publishing "objectionable" material are not going to change their methods just to reach a few more Aussies. We are too insignificant on a world scale to even worry about. To the extent that this is true, the filters could be effective.

Anonymous August 11th, 2008

Destination IP

The destination IP from the SSL cert will be blocked.

conf t August 6th, 2008

gobbledygook

Certificates don't contain an "IP". They do however contain the website domain name.

Anonymous August 6th, 2008

another gov feel good exercise

just like the claims "no child shall live in poverty"
and "make Australia a safer place"

just more moronic, draconian waste of taxpayers' $$$ so some ignorant pollie can waffle on about how they are gonna save the world.

What's the REAL agenda? Censorship, control and political grandstanding

Anonymous August 6th, 2008

Call Centres...

Call centres have nothing to do with whether or not an ISP is competent enough to integrate a filter into their network. That's a job for the engineers.

Anonymous September 15th, 2008
