TalkTalk’s new blocking system

May 10th, 2011 at 07:19 UTC by Richard Clayton

Back in January I visited TalkTalk along with Jim Killock of the Open Rights Group (ORG) to have their new Internet blocking system explained to us. The system was announced yesterday, and I’m now publishing my technical description of how it works (note that it was called “BrightFeed” when we saw it, but is now named “HomeSafe”).

Buried in all the detail of how the system works are two key points. The first is the notion that a centralised checking system (especially one that announces its identity to the remote site) can determine whether sites are malicious or not. This is problematic, and I doubt that malware distributors will see it as much of a challenge — although, on the other hand, perhaps by setting your browser’s User Agent string to pretend to be the checking system you might become rather safer!

The second is that although the system is described as “opt in”, that only applies to whether or not the websites you visit might be blocked. What is not “opt in” is whether TalkTalk learns the details of the URLs that all of their customers visit, opted in or not. All of these sites will be visited by TalkTalk’s automated system — which may take some explaining if the remote site told you a URL in confidence and is checking its logs to see who visits.

On their site, ORG have published an opinion as to whether the system can be operated lawfully, along with TalkTalk’s own legal analysis. TalkTalk argue that the system’s purpose is to protect their network, which gives them a statutory exemption from wire-tapping legislation; whereas all the public relations material seems to think it has been developed to protect the users….

… in the end though, the system will be judged by its effectiveness, and in a world where less than 20% of new threats are detected — that may not be all that high.

Entry filed under: Legal issues, News coverage, Security engineering, Web security

8 comments

  • 1. Alan  |  May 10th, 2011 at 08:25 UTC

    So who’s liable if the system (for example) double buys something on a poorly implemented website?

  • 2. Gavin Jamie  |  May 10th, 2011 at 12:16 UTC

    I have had a look through my server logs. The ID appears to be “TalkTalk Virus Alerts Scanning Engine”

    It appears to strip the GET parameters before sending (i.e. it will access http://www.foo.com/bar.php?this=that simply as http://www.foo.com/bar.php )

    This seems likely to produce unpredictable results on some websites. Fairly easy to avoid detection if you so wished.

  • 3. Hanco  |  May 10th, 2011 at 18:54 UTC

    I think we can be pretty certain that this anti-malware feature (if indeed it could ever be described as that) is not the real purpose for implementation of this man in the middle snooping. Conjecture of course, but it’s not a big step from DPI for anti-malware to DPI for content categorisation and targeted behavioural advertising.

    Kent Ertugrul and the Phorm investors must be so sorry to have exited this arena by being so bold as to have a go from the moment the starting pistol fired. Still, at least Phorm is close to Huawei and as we know, Huawei is very much involved in this TalkTalk project…

    As always Dr Richard, thank you for your work.

  • 4. igb  |  May 10th, 2011 at 19:00 UTC

    I thought we agreed during the discussions of the RIPA codes of practice that “traffic data” meant the first component in a URL, between the double slash and the first single slash. Thereafter, the rest of the URL (which this TalkTalk system is using) doesn’t fall under traffic data. Now that debate was with regard to the traffic data / content distinction for which interceptions required a home office warrant, but if the language is the same, the distinctions are presumably the same elsewhere in the legislation unless there’s a clear reason otherwise.

  • 5. Pete  |  May 10th, 2011 at 20:26 UTC

    Hi Richard,

    Is it possible FIPR could publish an analysis of this scam…?

    Particularly with respect to RIPA 2000 (and bilateral consent for interception), the Computer Misuse Act (and the question of replay attacks), Fraud (and the reuse of confidential personal identifiers in URL paths), Copyright Designs and Patents (and the unlicensed processing of copyright protected materials without authorisation).

    You might also refer to the EC Data Retention Directive (No data revealing the content of the communication may be retained pursuant to this Directive) or consent for the processing of sensitive personal data (health/religion/sexuality/political opinion) under the Data Protection Act.

    My own thoughts are here:
    https://nodpi.org/2010/08/07/talktalk-becomes-stalkstalk/

    In the meantime, encryption. The UK’s telecommunications infrastructure is now so hopelessly compromised by illegal mass surveillance, and the extent of the corruption surrounding communications surveillance so shameless, I can’t see any other sensible alternative?

    Speaking of which… https://www.lightbluetouchpaper.org?

  • 6. Steve  |  June 3rd, 2011 at 21:31 UTC

    According to both the press, their website and the configuration settings within “My TalkTalk” account – Home Safe is disabled by default.

    However, this does not actually appear to be the case: looking at my webserver logs, it shows that the “TalkTalk Virus Alerts Scanning Engine” visited the page less than a minute after I had browsed the page myself. Given that I had just created this page, it was empty and was not linked to from any other source, it would indicate that TalkTalk is tracking my browsing.


    XX.XX.XXX.XXX - - [03/Jun/2011:12:49:54 -0700] "GET /email.indigo-solutions.eu/test.html HTTP/1.1" 200 26 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-gb) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
    62.24.181.135 - - [03/Jun/2011:12:50:26 -0700] "GET /email.indigo-solutions.eu/test.html HTTP/1.0" 200 6 "http://email.indigo-solutions.eu/test.html" "(TalkTalk Virus Alerts Scanning Engine)"

    I’ve reported this to TalkTalk and I’m awaiting a response. Not impressed to say the least.
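Comments 2 and 6 above both describe what the scanning engine looks like from the web server’s side: a second fetch of the same path shortly after a real visitor, with its own User-Agent string and with any query string stripped. The following script is an added example by the editor, not code from the post or from any commenter, showing how a site operator can audit their own logs for this. It parses Apache combined-format lines, lists the source addresses the scanner was seen from, and pairs each scanner fetch with the most recent preceding human request for the same path, flagging cases where the visitor’s query parameters were dropped. The log lines, IP addresses (documentation ranges), host name and timings are constructed for the example; the User-Agent string is the one quoted in the comments.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# User-Agent string reported by commenters 2 and 6.
SCANNER_AGENT = "TalkTalk Virus Alerts Scanning Engine"

# Constructed sample log in Apache "combined" format, modelled on the pair of
# lines quoted in comment 6. IP addresses (documentation ranges), host name,
# paths and times are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2011:12:49:54 -0700] "GET /test.html HTTP/1.1" 200 26 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-gb) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
198.51.100.7 - - [03/Jun/2011:12:50:26 -0700] "GET /test.html HTTP/1.0" 200 6 "http://example.test/test.html" "(TalkTalk Virus Alerts Scanning Engine)"
203.0.113.10 - - [03/Jun/2011:12:55:01 -0700] "GET /bar.php?this=that HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
198.51.100.7 - - [03/Jun/2011:12:55:40 -0700] "GET /bar.php HTTP/1.0" 200 510 "http://example.test/bar.php" "(TalkTalk Virus Alerts Scanning Engine)"
203.0.113.11 - - [03/Jun/2011:13:10:00 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24"
"""

# One combined-format line: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text: str):
    """Parse every non-blank line of a log; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            entry = parse_line(line)
            if entry:
                entries.append(entry)
    return entries


def is_scanner(entry) -> bool:
    return SCANNER_AGENT in entry["agent"]


def scanner_sources(entries) -> set:
    """Source addresses the scanner was seen from (handy for a log filter or firewall note)."""
    return {e["ip"] for e in entries if is_scanner(e)}


def path_only(target: str) -> str:
    """Path component of a request target, with any query string removed."""
    return urlsplit(target).path


def correlate(entries, window: timedelta = timedelta(minutes=2)):
    """Pair each scanner fetch with the most recent human fetch of the same path.

    One record is returned per scanner fetch. `delay_s` is None when no human
    request for that path precedes the scan within `window`. `query_dropped`
    is True when the human request carried a query string that the scanner's
    re-fetch did not (the behaviour noted in comment 2).
    """
    humans = [e for e in entries if not is_scanner(e)]
    records = []
    for scan in (e for e in entries if is_scanner(e)):
        path = path_only(scan["target"])
        candidates = [
            h for h in humans
            if path_only(h["target"]) == path
            and timedelta(0) <= scan["time"] - h["time"] <= window
        ]
        human = max(candidates, key=lambda h: h["time"]) if candidates else None
        records.append({
            "path": path,
            "scanner_ip": scan["ip"],
            "human_ip": human["ip"] if human else None,
            "delay_s": (scan["time"] - human["time"]).total_seconds() if human else None,
            "query_dropped": human is not None
                             and "?" in human["target"]
                             and "?" not in scan["target"],
        })
    return records


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("scanner seen from:", sorted(scanner_sources(log)))
    for r in correlate(log):
        note = " (query string dropped)" if r["query_dropped"] else ""
        print(f"{r['path']}: re-fetched {r['delay_s']}s after {r['human_ip']}{note}")
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents. A scanner record with `delay_s` of None means the engine fetched a path nobody had just visited (or the visit fell outside the window), while a `query_dropped` record shows a page that was assessed without the parameters the visitor actually sent, which is where the “unpredictable results” of comment 2 would arise.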

  • 7. Richard Clayton  |  June 4th, 2011 at 16:34 UTC

    @Steve

    I suggest you read #19 in my document again. TalkTalk monitor (and then assess) _all_ URLs visited by their customers, not just the URLs visited by opted-in customers.

  • 8. Kevin Chadwick  |  September 2nd, 2011 at 17:59 UTC

    I have a system which checks my website is up every five minutes. Now I find an Opal malware bot, pretending to be IE8 and not even saying it’s a scanning engine, connecting from 62.24.222.(132|131) every 5 minutes too.

    I have a passive monitor, and my mail server does no layer 7 parsing or virus scanning for the very reason that it can be exploited, and then I find my ISP compulsorily lowering my network’s security for me, and for what?

    You’re right, they’ve blinkered MPs yet again for ad revenue; otherwise they would have prevented IP spoofing at a much safer layer. As if a company with such long customer service waiting times and such a low broadband price would pay for this out of the goodness of their hearts.

    All they accomplish is advertising the dodgy sites. The day the judge announced newzbin2 blocked newzbin was back up and I didn’t even know about newzbin. Malware creators like new malware ideas too.

    Do I really have to use a VPN to a server on the net to get around their incompetence?
