[saag] Ubiquitous Encryption: content filtering

Natasha Rooney <nrooney@gsma.com> Thu, 18 June 2015 07:58 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/5hjFQj47SJpk-rx-T4xQS1kXWMQ>

Hi all,

I have a new submission for the Ubiquitous Encryption draft. I must admit, this one is a little controversial, and certainly is not something I believe in. However, I had a good think about it, and figured that this is an "effect" of ubiquitous encryption, and maybe would be beneficial for the draft. I am not expecting anything comes out of adding it past education for members of the IETF community that this is an issue for some organisations, governments and maybe users. Please feel free to tweet me if you want to discuss personal views! Anyway, here we go:


2.3.X Content Filtering
Law agencies may request Service Providers to block access to particular sites such as online betting and gambling, sites promoting anorexia, or access to dating sites. Content filtering in the mobile network usually occurs in the core network. A proxy is installed which analyses the transport metadata of the content users are viewing and either filters content based on a blacklist of sites or based on the user's pre-defined profile (e.g. for age-sensitive content). Although filtering can be done by many methods, one common method occurs when a DNS lookup reveals a URL which appears on a government or recognised block-list. The subsequent requests to that domain will be re-routed to a proxy which checks whether the full URL matches a blocked URL on the list, and will return a 404 if a match is found. All other requests should complete.

Even in encrypted connections, transport and lower-layer metadata can still be viewed, so for many systems content filtering should be able to continue. Cases where it may not work are when TLS proxies are being used, which obscure metadata with the proxy's metadata, and future versions of HTTP and TCP may encrypt metadata, again stopping content filtering software from working (this is currently not the case and has not been standardised).

Some sites involve a mixture of universal and age-sensitive content, and filtering software in these cases may use more granular (application-layer) metadata to analyse and block; this will not work on encrypted content.


I do have a few questions about what I have written, maybe someone can answer:
[1] Does HTTP/2 multiplexing do anything to content filtering software, i.e. when sending multiple requests for one webpage (loading images in particular)? I don't think it does; it's just that my brain isn't working this afternoon...
[2] Is it fair to mention future versions of HTTP and TCP when nothing has been standardised yet? I don't think so, in which case maybe this should be removed.

Hope this didn't ruin everyone's morning! Thanks!

Natasha


Natasha Rooney | Web Technologist | GSMA | nrooney@gsma.com | +44 (0) 7730 219 765 | @thisNatasha | Skype: nrooney@gsm.org
Tokyo, Japan



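The two-stage filter the proposed draft text describes (DNS lookup flags a domain on the block-list, a proxy then matches the full URL and returns 404), and the point in the last draft paragraph that URL-granular rules cannot be evaluated on encrypted traffic, can be modelled in a few lines. The following is an added example written for this archive page; it is not code from the email, the draft, or any operator's filter. Every host name, path and block-list entry is constructed, and the `on_hidden_path` fallback policy is an assumption made here to show the over-blocking versus under-blocking choice an operator faces once the path is inside TLS.

```python
"""Constructed model of the two-stage content filter described in the
proposed draft text: a DNS stage that flags domains on a block-list, then a
proxy stage that compares the full URL against the block-list and returns
404 on a match. All names, paths and list entries are made up."""

from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed block-list of full URLs (host + path); the domain list that
# the DNS stage consults is derived from it.
BLOCKED_URLS = {
    "bets.example/odds",          # hypothetical gambling page
    "mixed.example/adults-only",  # one age-sensitive page on an otherwise general site
}
BLOCKED_DOMAINS = {urlsplit("//" + u).hostname for u in BLOCKED_URLS}


@dataclass
class Decision:
    stage: str    # "dns" or "proxy": which stage made the call
    action: str   # "pass" or "block-404"
    reason: str   # human-readable explanation, e.g. for an audit log


def dns_stage(hostname):
    """True if the looked-up name is on the domain block-list and traffic to
    it should be steered through the proxy; all other lookups resolve normally."""
    return hostname.lower() in BLOCKED_DOMAINS


def proxy_stage(hostname, path, encrypted, on_hidden_path="pass"):
    """Proxy-side check. For plaintext HTTP the proxy sees the request line and
    can match the full URL. For TLS it sees only transport metadata (the host
    name, via DNS or SNI), so a URL-granular rule cannot be evaluated and the
    operator needs a domain-wide fallback (assumed here): 'pass' under-blocks,
    'block' over-blocks the whole site."""
    if encrypted:
        if on_hidden_path == "block":
            return Decision("proxy", "block-404",
                            f"path hidden by TLS; blocking all of {hostname}")
        return Decision("proxy", "pass",
                        f"path hidden by TLS; cannot match URL rule for {hostname}")
    full_url = f"{hostname}{path}"
    if full_url in BLOCKED_URLS:
        return Decision("proxy", "block-404", f"{full_url} is on the URL block-list")
    return Decision("proxy", "pass", f"{full_url} is not on the URL block-list")


def filter_request(url, on_hidden_path="pass"):
    """Run one request URL through both stages and return the Decision."""
    parts = urlsplit(url)
    if parts.hostname is None:
        return Decision("dns", "pass", "no host name in request")
    if not dns_stage(parts.hostname):
        return Decision("dns", "pass", f"{parts.hostname} not on the domain block-list")
    return proxy_stage(parts.hostname, parts.path or "/",
                       encrypted=(parts.scheme == "https"),
                       on_hidden_path=on_hidden_path)


if __name__ == "__main__":
    # Constructed sample of requests a subscriber's browser might make.
    sample = [
        "http://news.example/story",          # never reaches the proxy
        "http://bets.example/odds",           # full-URL match -> 404
        "http://bets.example/about",          # same domain, other page -> completes
        "https://mixed.example/adults-only",  # path invisible to the proxy
        "https://mixed.example/",             # collateral damage if fallback is 'block'
    ]
    for policy in ("pass", "block"):
        print(f"--- on_hidden_path={policy}")
        for u in sample:
            d = filter_request(u, on_hidden_path=policy)
            print(f"{u:38} {d.stage:5} {d.action:9} {d.reason}")
```

Running the script prints both fallback policies side by side: with `pass`, the age-sensitive page on the mixed site goes through unfiltered; with `block`, the site's general front page is blocked along with it. That is the trade-off the draft paragraph about mixed universal and age-sensitive content is pointing at, and it is independent of whether the operator inspects DNS or SNI to learn the host name.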