Posts filed under 'Internet censorship

May 18, '07

At their conference in Oxford, the OpenNet Initiative have released the results from their first global Internet filtering survey. This announcement has been widely covered in the media.

Out of the 41 countries surveyed, 25 were found to impose filtering, though the topics blocked and extent of blocking varies dramatically.

Results can be seen on the filtering map and an URL checker. The full report, including detailed country and region summaries, will be published in the book “Access Denied: The Practice and Policy of Global Internet Filtering“.

Posted in Internet censorship, News coverage | (2)

Dec 12, '06

23C3 logoThe 23rd Chaos Communication Congress will be held later this month in Berlin, Germany on 27–30 December. I will be attending to give a talk on Hot or Not: Revealing Hidden Services by their Clock Skew. Another contributor to this blog, George Danezis, will be talking on An Introduction to Traffic Analysis.

This will be my third time speaking at the CCC (I previously talked on Hidden Data in Internet Published Documents and The Convergence of Anti-Counterfeiting and Computer Security in 2004 then Covert channels in TCP/IP: attack and defence in 2005) and I’ve always had a great time but this year looks to be the best yet. Here are a few highlights from the draft programme, although I am sure there are many great talks I have missed.

It’s looking like a great line-up, so I hope many of you can make it. See you there!

Posted in Banking security, Cryptology, Hardware & signals, Internet censorship, Privacy technology | (0)

Aug 25, '06

My book on Security Engineering is now available online for free download here.

I have two main reasons. First, I want to reach the widest possible audience, especially among poor students. Second, I am a pragmatic libertarian on free culture and free software issues; I believe many publishers (especially of music and software) are too defensive of copyright. I don’t expect to lose money by making this book available for free: more people will read it, and those of you who find it useful will hopefully buy a copy. After all, a proper book is half the size and weight of 300-odd sheets of laser-printed paper in a ring binder.

I’d been discussing this with my publishers for a while. They have been persuaded by the experience of authors like David MacKay, who found that putting his excellent book on coding theory online actually helped its sales. So book publishers are now learning that freedom and profit are not really in conflict; how long will it take the music industry?

Posted in Banking security, Cryptology, Hardware & signals, Internet censorship, Legal issues, Meta, News coverage, Security economics, Security engineering | (45)

Aug 11, '06

At the recent HOPE conference, the “secure instant messaging (IM) client”, ScatterChat, was released in a blaze of publicity. It was designed by J. Salvatore Testa II to allow human rights and democracy activists to securely communicate while under surveillance. It uses cryptography to protect confidentiality and authenticity, and integrates Tor to provide anonymity and is bundled with an easy to use user interface. Sadly not everything is as good as it sounds.

When I first started supervising undergraduates at Cambridge, Richard Clayton explained that the real purpose of the security course was to teach students not to invent the following (in increasing order of importance): protocols, hash functions, block ciphers and modes of operation. Academic literature is scattered with the bones of flawed proposals for all of these, despite being designed by very capable and experienced cryptographers. Instead, wherever possible, implementors should use peer-reviewed building blocks, as normally there is already a solution which can do the job, but has withstood more analysis and so is more likely to be secure.

Unfortunately, ScatterChat uses both a custom protocol and mode of operation, neither which are as secure as hoped. While looking at the developer documentation I found a few problems and reported them to the author. As always, there is the question of whether such vulnerabilities should be disclosed. It is likely that these problems would be discovered eventually, so it is better for them to be caught early and users allowed to take precautions, rather than attackers who independently find the weaknesses being able to exploit them with impunity. Also, I hope this will serve as a cautionary tale, reminding software designers that cryptography and protocol design is fraught with difficulties so is better managed through open peer-review.

The most serious of the three vulnerabilities was published today in an advisory (technical version), assigned CVE-2006-4021, from the ScatterChat author, but I also found two lesser ones. The three vulnerabilities are as follows (in increasing order of severity): (more…)

Posted in Cryptology, Internet censorship, Privacy technology | (3)

Jun 27, '06

The Great Firewall of China is an important tool for the Chinese Government in their efforts to censor the Internet. It works, in part, by inspecting web traffic to determine whether or not particular words are present. If the Chinese Government does not approve of one of the words in a web page (or a web request), perhaps it says “f” “a” “l” “u” “n”, then the connection is closed and the web page will be unavailable — it has been censored.

This user-level effect has been known for some time… but up until now, no-one seems to have looked more closely into what is actually happening (or when they have, they have misunderstood the packet level events).

It turns out [caveat: in the specific cases we've closely examined, YMMV] that the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsiduary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs.

However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall’s reset packets, then the connection will proceed unhindered! We’ve done some real experiments on this — and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall — just shut your eyes and walk onto Platform 9¾.

Ignoring resets is trivial to achieve by applying simple firewall rules… and has no significant effect on ordinary working. If you want to be a little more clever you can examine the hop count (TTL) in the reset packets and determine whether the values are consistent with them arriving from the far end, or if the value indicates they have come from the intervening censorship device. We would argue that there is much to commend examining TTL values when considering defences against denial-of-service attacks using reset packets. Having operating system vendors provide this new functionality as standard would also be of practical use because Chinese citizens would not need to run special firewall-busting code (which the authorities might attempt to outlaw) but just off-the-shelf software (which they would necessarily tolerate).

There’s a little more to this story (but not much) and all is revealed in our academic paper (Clayton, Murdoch, Watson) which will be presented at the 6th Workshop on Privacy Enhancing Technologies being held here in Cambridge this week.

NB: There’s also rather more to censorship in China than just the “Great Firewall” keyword detecting system — some sites are blocked unconditionally, and it is necessary to use other techniques, such as proxies, to deal with that. However, these static blocks are far more expensive for the Chinese Government to maintain, and are inherently more fragile and less adaptive to change as content moves around. So there remains real value in exposing the inadequacy of the generic system.

The bottom line though, is that a great deal of the effectiveness of the Great Chinese Firewall depends on systems agreeing that it should work … wasn’t there once a story about the Emperor’s New Clothes ?

Posted in Internet censorship, News coverage | (73)

Jun 20, '06

I’ve written a rebuttal in today’s Guardian to an article that appeared last week by Martin Rees, the President of the Royal Society. Martin argued that science should be subjected to more surveillance and control in case terrorists do bad things with it.

Those of us who work with cryptography and computer security have been subjected to a lot of attempts by governments to restrict what we do and publish. It’s a long-running debate: the first book written on cryptology in English, by Bishop John Wilkins in 1641, remarked that ‘If all those useful Inventions that are liable to abuse, should therefore be concealed, there is not any Art or Science which might be lawfully profest’. (John, like Martin, was Master of Trinity in his day.)

In 2001–2, the government put an export control act through Parliament which, in its original form, would have required scientists working on subjects with possible military applications (that is, most subjects) to get export licenses before talking to foreigners about our work. FIPR colleagues and I opposed this; we organised Universities UK, the AUT, the Royal Society, the Conservatives and the Liberals to bring in an amendment in the Lords creating a research exemption for scientists. We mustn’t lose that. If scientists end up labouring under the same bureaucratic controls as companies that sell guns, then both science and nonproliferation will be seriously weakened.

Some people love to worry: Martin wrote a whole book wondering about how the human race will end. But maybe we should rather worry about something a bit closer to hand — how our civilisation will end. If a society turns inwards and builds walls to keep the barbarians out, then competition abates, momentum gets lost, confidence seeps away, and eventually the barbarians win. Imperial Rome, Ming Dynasty China, … ?

Posted in Internet censorship, Legal issues, News coverage | (1)

May 8, '06

On Thursday, the OpenNet Initiative released their report, to which I contributed, studying Internet Censorship in Belarus during the 2006 Presidential Election there. It even has managed a brief mention in the New York Times.

In summary, we did find suspicious behaviour, particularly in the domain name system (DNS), the area I mainly explored, but no proof of outright filtering. It is rarely advisable to attribute to malice what can just as easily be explained by incompetence, so it is difficult to draw conclusions about what actually happened solely from the technical evidence. However, regardless of whether this was the first instance the ONI has seen of a concerted effort to hide state censorship, or simply an unfortunate coincidence of network problems, it is clear that existing tools for Internet monitoring are not adequate for distinguishing between these cases.

Simply observing that a site is inaccessible from within the country being studied is not enough evidence to demonstrate censorship, because it is also possible that the server or its network connection is down. For this reason, the ONI simultaneously checks from an unrestricted Internet connection. If the site is inaccessible from both connections, it is treated as being down. Censorship is only attributed if the site can be reliably accessed from the unrestricted connection, but not by the in-country testers. This approach has been very successful at analysing previously studied censorship regimes but could not positively identify censorship in Belarus. Here sites were inaccessible (often intermittently) from all Internet connections tried.

Ordinarily this result would be assumed to simply be from network or configuration errors; however the operators of these sites claimed the faults were caused by denial of service (DoS) attacks, hacking attempts or other government orchestrated efforts. Because many of the sites or their domain names were hosted in Belarus, and given the state strangle-hold on communication infrastructure, these claims were plausible, but generating evidence is difficult. On the client side, the coarse results available from the current ONI testing software are insufficient to combat the subtlety of the alleged attacks.

What is needed is more intelligent software, which tries to establish, at the packet level, exactly why a particular connection fails. Network debugging tools exist, but are typically designed for experts, whereas in the anti-censorship scenario the volunteers in the country being studied should not need to care about these details. Instead the software should perform basic analysis before securely sending the low-level diagnostic information back to a central location for further study.

There is also a place for improved software at the server side. In response to reports of DoS and hacking attacks we requested logs from the administrators of the sites in question to substantiate the allegations, but none were forthcoming. A likely and understandable reason is that the operators did not want to risk the privacy of their visitors by releasing such sensitive information. Network diagnostic applications on the server could be adapted to generate evidence of attacks, while protecting the identity of users. Ideally the software would also resist fabrication of evidence, but this might be infeasible to do robustly.

As the relevance of the Internet to politics grows, election monitoring will need to adapt accordingly. This brings new challenges so both the procedures and tools used must change. Whether Belarus was the first example of indirect state censorship seen by the ONI is unclear, but in either case I suspect it will not be the last.

Posted in Internet censorship, News coverage, Privacy technology | (1)

Mar 9, '06

Since my blog post last week, discussion continues on what has actually happened with the new Chinese TLDs and what the consequences will be. Rebecca MacKinnon’s posting on CircleID triggered an interesting discussion. It has also been mentioned on a few blogs including My Heart’s in Accra, Joho the Blog, China Digital Times, Shanghaiist, Virtual China, the LINX public affairs news and even in a Czech blog which I can’t understand. The ICANN Generic Names Supporting Organization (GNSO) mailing list has a thread discussing the move, as does the DomainState forum.

Michael Geist wrote an article for the BBC, which was also featured in Toronto Star. It includes the quote:

The Chinese development is also noteworthy because it works. Researchers at Cambridge University report that Chinese ISPs recognize the new domains.

I presume this is based on my blog posting, since I am not aware of anyone else in Cambridge having looked into this.

Also in the news is a statement from CNNIC, and reported in People’s Daily Online. CNNIC say that reports of new TLDs are inaccurate, but does not explain what the actual situation is. CNNIC’s DNS servers resolve the new TLDs and claim to be authoritative, but perhaps CNNIC means that they are still only experimental, or simply that the press release did not announce any change. CNNIC are accepting registrations under the new TLDs, which does suggest they consider them official.

As for the discussion about whether what China has done is technically “splitting the root”, in the GNSO thread, Karl Auerbach gives a very succinct description:

It’s a somewhat pointless game of semantics about whether this circumstance is a “split” root or not. However, it has most of the characteristics that ICP3 [link mine] wails about - most particularly names not being globally visible.

I’d say that this situation quacks like a duck and walks like a duck: it’s a non-ICANN approved addition to the top level names of the DNS which is visible to some internet users and not to others.

(And this appearance of a new TLD is true without benefit of plugins or internet exploders.)

It may be an experiment, but if so it’s a rather large one.

Posted in Internet censorship, News coverage | (1)

Mar 1, '06

On 28 February, People’s Daily Online published an article entitled “China adds top-level domain names”. This suggested that China was going to take over .com and .net and split off from the conventional domains managed by ICANN and operated by Verisign. This appears to be not the case, rather the result of a mis-translation. As pointed out by Rebecca MacKinnon, the new top level domains (TLDs) are .中国 (meaning “China”) .公司 (meaning “company”), and .网络 (meaning “net”), which do not conflict with any ICANN managed TLDs.

The normal way to create new TLDs without ICANN’s permission is known as “splitting the root” since it involves creating a new root name server and replacing the root zone file distributed by IANA with your own. For some background on the role of the root zone file there is a short introduction and a slightly longer version by Daniel Karrenberg. Alternative roots are not new, but what makes the current situation different is that the new TLDs have a (powerful) government’s backing, and with around 100m Internet users (second only to the US) has the potential to have a far larger user base than any that have come before it.

There is still some uncertainty on how the new TLDs have been implemented. i-DNS produces a plugin for Microsoft Internet Explorer which allows it to access internationalised domain names as until version 7, IE cannot do this natively. In March 2005 they announced a partnership with the Chinese Ministry of Information Industry to develop the new TLDs and add support to their plugin. Some commenters have assumed that this is the only mechanism used to implement the new TLDs, but as mentioned in the press release, it seems that ISPs have also modified their servers, allowing access to these TLDs from within China without the user having to install any additional software. I do not know when this change was made and how complete the implementation is, but James Seng describes the TLDs as being in operation for 3 years.

It appears that technically China has not “split the root” since there seems to be no new root server. Instead, each ISP might have manually added the three new TLDs to their DNS server configuration. When a domain name under the ICANN TLDs (.com, .net, .uk, etc…) is resolved, the server would go to an ICANN root server to find out which organisation is responsible for allocating second level domains. However, when a domain name under one of the new TLDs is requested, the DNS server already knows the nameserver it needs to ask next and can skip the root server lookup. The advantage of this approach for China is that it avoids the cost and difficulty of setting up a new root server, but the disadvantage is that to add another TLD in the future they would have to ask all the ISPs again, rather than adding it to their root.

Despite this technicality, what China appears to have done is externally almost indistinguishable from splitting the root and carries the same consequences. The primary problem is that a link using one of the new TLDs will work in China but not outside (without a user installing the plugin, or their ISP making a configuration change). This breaks the universality of the Internet and while I will not go into further detail here, the Internet Architecture Board discusses the effects of a split root in RFC 2826, which is in addition to problems of the landrush resulting from any new domain.

I am not familiar with the ISP landscape in China, but I have tried to do some tests to better understand how these changes have been implemented. For testing I am using a DNS server (ns4.bta.net.cn) which I understand to be one used by the customers of a Chinese ISP, but which also allows access from outside. As an example, I used “北京大学.中国” which I think means Peking University in the new “.China” TLD. As Unicode cannot be used directly with DNS, it needs to be translated into Punycode. This gives xn--1lq90ic7fzpc.xn--fiqs8s.

When I ask the Chinese DNS server to resolve this domain name, I get this answer:

$ dig xn--1lq90ic7fzpc.xn--fiqs8s @ns4.bta.net.cn A

;; ANSWER SECTION:
xn--1lq90ic7fzpc.xn--fiqs8s. 3600 IN CNAME www.pku.edu.cn.
www.pku.edu.cn. 47863 IN CNAME tulip.pku.edu.cn.
tulip.pku.edu.cn. 85892 IN A 162.105.129.12

This means that according to ns4.bta.net.cn, the domain 北京大学.中国 is another name for www.pku.edu.cn and its IP address 162.105.129.12.

If this nameserver was configured only with the IANA distributed root zone file, this request would have failed (as it does on my UK DNS server). Instead, it looks like this ISP has somehow added these three new TLDs. To find out more I asked the server for its root zone, i.e. where it will send requests for TLDs it has not encountered before:

$ dig . @ns4.bta.net.cn NS

;; ANSWER SECTION:
. 36996 IN NS A.ROOT-SERVERS.NET.

. 36996 IN NS M.ROOT-SERVERS.NET.

It returned only the 13 IANA root servers ([A-M].root-servers.net). These do not list the new Chinese TLDs but the server still knows about them.

Here I ask the server which nameserver it thinks is authoritative for .中国 (.China and in Punycode — xn--fiqs8s):

$ dig xn--fiqs8s @ns4.bta.net.cn SOA

;; ANSWER SECTION:
xn--fiqs8s. 3600 IN SOA hawk2.cnnic.net.cn. root.cnnic.cn. 2006030104 3600 900 604800 3600

This means that when this server wants to resolve a domain under .中国 is will ask hawk2.cnnic.net.cn. I get the same result with .公司 (”company”), and .网络 (”net”). hawk2.cnnic.net.cn will also resolve domains under these TLDs and considers itself to be authoritive.

Several questions still remain. It is possible that the name server I used is not representative of Chinese ISPs. Also, despite it not listing any alternate roots, it is still conceivable that the server is using one. It may also be acting differently because I am outside of its customer network. However, I think it does demonstrate that there is something happening in addition to the i-DNS plugin.

I did briefly try this plugin and examine some aspects of how it works. Internet Explorer 6 and below do not support internationalised domain names (IDNA) at all. Even though Firefox does, as my DNS server in the UK only uses the IANA root servers, only the ICANN defined TLDs will work. So http://北京大学.cn/ (Peking University) will work in Firefox in the UK and China, as the TLD is .cn, but http://北京大学.中国/ will only work in China, as the TLD is one of the new non-ICANN domains.

Installing the i-DNS plugin adds IDNA support to Internet Explorer but also adds support for the new TLDs. I am not aware of all the details, but when I visit domain-name.中国 it redirects the user to domain-name.cn, domain-name.公司 redirects to domain-name.xn--55qx5d.aced.net and domain-name.网络 to domain-name.xn--io0a7i.aced.net. The nameserver for aced.net is controlled by i-DNS and, as with the DNS server in China, uses hawk2.cnnic.net.cn for further lookups.

It seems that these new TLDs are more complicated than it might first have looked, and this post by no means explains everything. I hope that others will be able to find out more. It remains to be seen what the consequences of this move will be. In their advertisement, i-DNS states that 50m users already have access to these TLDs and if the 4 ISPs which provide access to 95% of China’s Internet users add the TLDs then the remaining 5% will inevitably follow.

Also non-Chinese ISPs with a significant number of Chinese-speaking users will be under pressure to add these TLDs, and have very little incentive to not do so. While previous alternate roots have languished in the obscurity of a narrow user-base, the potential of 100m (and growing) users will make this TLD hard to ignore. Perhaps in an attempt to avoid a split Internet, ICANN will adopt the TLDs and so roll them out to the standard root servers. Whatever they choose, I hope the disruption to the Internet from the resulting politics will not be too severe.

Posted in Internet censorship, News coverage | (17)

Feb 23, '06

The OpenNet Initiative has released a bulletin on China’s website registration policy. This mandates that all non-commercial websites hosted in China be registered with the Ministry of Information Industry (MII), whereas previously this applied only to commercial sites.

Failure to register a site by July 2005 was punishable by a ¥10 000 fine (about €1 000 and 2/3 of an average urban Chinese annual income) as well as removal the website. Sites are required to put their registration number at the center-bottom of the homepage. Failure to comply makes the owner liable for a ¥5 00010 000 fine.

Enforcement is not only by the MII, but also by the hosting ISPs. This is encouraged by a ¥10 000 fine for hosting unregistered content. ISPs are also responsible for cutting off sites in violation of these rules, however IP/port blocks have also been reported, along with the consequent over-blocking of virtual hosts. The MII also operates the “Night Crawler” which searches for sites not displaying a registration number.

Rebecca MacKinnon suggests that this move might shift Chinese bloggers on to commercial sites such as MSN Spaces, Blogbus, Bokee or Sina, which implement their own keyword filtering to prevent themselves being blocked (as Typepad and Blogsome have been). This shifts the cost and accountability of censorship away from the government and to the edges, as has been done for registration enforcement. The remaining bloggers who maintain their own site will be required to register and so are more likely to self-censor.

The registration process is entirely online, and consists of the owner entering personal information (name, address, etc…) as well as the site description, an email address and mobile phone number. The registration request must then be reviewed by the MII and after a few days the owner is notified of the result and given the registration number if successful.

Interestingly, only the mobile phone number and email address are verified by sending a code to them, which ties in well to the compulsory mobile phone registration in December. Criminals in the UK have been known to steal mobile phones to give untraceable communication in the course of committing offences. Perhaps stolen phones will be used in China to produce fraudulent website registrations for people who would like to keep their anonymity?

Posted in Internet censorship, Legal issues, Privacy technology | (2)

Newer Entries »

Calendar

July 2009
M T W T F S S
« Jun    
 12345
6789101112
13141516171819
20212223242526
2728293031  

Posts by Month

Posts by Category