Re: [saag] Ubiquitous Encryption: content filtering

Joseph Lorenzo Hall <joe@cdt.org> Fri, 19 June 2015 13:10 UTC

In-Reply-To: <99DC814A-2B7D-4802-A1C7-399E77F37BD7@gsma.com>
References: <99DC814A-2B7D-4802-A1C7-399E77F37BD7@gsma.com>
From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Fri, 19 Jun 2015 09:10:05 -0400
Message-ID: <CABtrr-U9kLfq4GQbWSgPN=wCD=Cdi0uQ+bQqXj35j+PFtuE8Pg@mail.gmail.com>
To: Natasha Rooney <nrooney@gsma.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/rml5M8HJYGOQRZG6xsN-I6TEJd0>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Ubiquitous Encryption: content filtering

I would at least like this to acknowledge that it's possible to do
filtering at the endpoint. As you can imagine, I would argue another
term for content filtering is censorship.

Best, Joe

On Thu, Jun 18, 2015 at 3:58 AM, Natasha Rooney <nrooney@gsma.com> wrote:
> Hi all,
>
> I have a new submission for the Ubiquitous Encryption draft. I must admit,
> this one is a little controversial, and certainly is not something I believe
> in. However, I had a good think about it, and figured that this is an
> "effect" of ubiquitous encryption, and maybe would be beneficial for the
> draft. I am not expecting anything comes out of adding it past education for
> members of the IETF community that this is an issue for some organisations,
> governments and maybe users. Please feel free to tweet me if you want to
> discuss personal views! Anyway, here we go:
>
>
> 2.3.X Content Filtering
> Law agencies may request Service Providers to block access to particular
> sites such as online betting and gambling, sites promoting anorexia, or
> access to dating sites. Content filtering in the mobile network usually
> occurs in the core network. A proxy is installed which analyses the
> transport metadata of the content users are viewing and either filters
> content based on a blacklist of sites or based on the user’s pre-defined
> profile (e.g. for age-sensitive content). Although filtering can be done by
> many methods, one common method occurs when a DNS lookup reveals a URL which
> appears on a government or recognised block-list. The subsequent requests to
> that domain will be re-routed to a proxy which checks whether the full URL
> matches a blocked URL on the list, and will return a 404 if a match is
> found. All other requests should complete.
>
> Even in encrypted connections, transport and lower-layer metadata can still
> be viewed, so for many systems content filtering should be able to continue.
> Cases where it may not work are when TLS proxies are being used, which
> obscure metadata with the proxy's metadata, and future versions of HTTP and
> TCP may encrypt metadata, again stopping content filtering software from
> working (this is currently not the case and has not been standardised).
>
> Some sites involve a mixture of universal and age-sensitive content, and
> filtering software in these cases may use more granular (application-layer)
> metadata to analyse and block; this will not work on encrypted content.
>
>
> I do have a few questions about what I have written, maybe someone can
> answer:
> [1] Does HTTP/2 multiplexing do anything to content filtering software, i.e.
> when sending multiple requests for one webpage (loading images in
> particular)? I don't think it does; it's just that my brain isn't working
> this afternoon...
> [2] Is it fair to mention future versions of HTTP and TCP when nothing has
> been standardised yet? I don't think so, in which case maybe this should be
> removed.
>
> Hope this didn't ruin everyone's morning! Thanks!
>
> Natasha
>
>
> Natasha Rooney | Web Technologist | GSMA | nrooney@gsma.com | +44 (0) 7730
> 219 765 | @thisNatasha | Skype: nrooney@gsm.org
> Tokyo, Japan
>
>
> This email and its attachments are intended for the above named only and may
> be confidential. If they have come to you in error you must take no action
> based on them, nor must you copy or show them to anyone; please reply to
> this email or call +44 207 356 0600 and highlight the error.
>
>



-- 
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
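The two-stage filter that the quoted draft text describes (a domain-level match that routes traffic to a proxy, then a full-URL match that returns a 404) is modelled below, together with what the same proxy can and cannot decide once the connection is TLS. This is an added example written for this page; it is not code from the saag thread, the Ubiquitous Encryption draft, or any operator's filter. The blocklist entries, hostnames, HTTP requests and the ClientHello bytes are all constructed for the example. The SNI parser reads the cleartext server_name extension of a TLS 1.2-style ClientHello, which is what a core-network proxy could observe in 2015; it assumes the hostname is present unencrypted.

```python
"""Added example: domain-level vs. URL-level content filtering, HTTP vs. TLS.

Not from the saag thread or the Ubiquitous Encryption draft. Blocklist,
hostnames, requests and ClientHello bytes are constructed for illustration.
"""
import struct

# Constructed blocklist: hostname -> path prefix that is blocked.
# "/" means the whole site; anything longer is a URL-granular rule.
BLOCKLIST = {
    "betting.example": "/",        # whole site listed
    "mixed.example": "/adult/",    # only one section of a mixed site
}


def needs_proxy(host):
    """Stage 1 (DNS-time): is this domain on the list at all?"""
    return host in BLOCKLIST


def parse_http_request(raw):
    """Return (host, request-target) from a plaintext HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    return host, target


def decide_http(raw):
    """Stage 2 on plaintext HTTP: the full URL is visible, so a path rule works."""
    host, target = parse_http_request(raw)
    prefix = BLOCKLIST.get(host)
    # Real filters normalise case, percent-encoding and dot segments first.
    if prefix is not None and target.startswith(prefix):
        return "404"
    return "allow"


def parse_sni(record):
    """Extract the server_name from a TLS ClientHello record, or None."""
    if not record or record[0] != 0x16:          # not a handshake record
        return None
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if body[0] != 0x01:                           # not a ClientHello
        return None
    p = 4                                         # skip handshake type+length
    p += 2 + 32                                   # client_version, random
    p += 1 + body[p]                              # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher_suites
    p += 1 + body[p]                              # compression_methods
    if p >= len(body):
        return None                               # no extensions at all
    ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0x0000:                       # server_name extension
            q = 2                                 # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:                    # host_name
                    return name.decode("ascii").lower()
    return None


def decide_tls(record):
    """Stage 2 on TLS: only the hostname (SNI) is visible, never the path."""
    host = parse_sni(record)
    if host is None:
        return "allow-undecidable"                # no SNI: nothing to match on
    prefix = BLOCKLIST.get(host)
    if prefix is None:
        return "allow"
    if prefix == "/":
        return "block"                            # whole-site rule: SNI suffices
    # URL-granular rule on a mixed site: the proxy cannot see the path, so it
    # must either let everything through (as here) or over-block the domain.
    return "allow-undecidable"


def build_client_hello(server_name):
    """Constructed TLS 1.2 ClientHello carrying a single SNI entry."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    hello = (b"\x03\x03" + bytes(32)              # version, random (zeros here)
             + b"\x00"                            # empty session_id
             + b"\x00\x02\xc0\x2f"                # one cipher suite
             + b"\x01\x00"                        # null compression
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Run `decide_http` on a plaintext request for `mixed.example/adult/...` and it returns the 404 the draft text describes; feed `decide_tls` a ClientHello for the same host and the path rule becomes undecidable, while the whole-site entry for `betting.example` still matches on SNI alone. Two caveats the draft text does not spell out: on a TLS connection the proxy cannot actually return a 404 page without terminating TLS (it can only drop or reset the connection), and this example assumes a cleartext SNI, which was the only option when the message was written.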