37
Dismantling a 22m User Pirate IPTV Service Led to Big Rise in ISP Blocking
(torrentfreak.com)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 20 Dec 2024
37 points (100.0% liked)
Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ
55049 readers
382 users here now
⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.
Rules • Full Version
1. Posts must be related to the discussion of digital piracy
2. Don't request invites, trade, sell, or self-promote
3. Don't request or link to specific pirated titles, including DMs
4. Don't submit low-quality posts, be entitled, or harass others
Loot, Pillage, & Plunder
📜 c/Piracy Wiki (Community Edition):
💰 Please help cover server costs.
 |
 |
|---|---|
| Ko-fi | Liberapay |
founded 2 years ago
MODERATORS
It would not be hard at all. China, Iran and Russia already do that. Clienthello is not encrypted and that is all you need.
And ECH would not solve this as you can just block cloudflare-ech (or other, depending on CDN) domain itself and force clients to fallback to non-encrypted clienthello.
Sure, I forgot to think about that properly. This only works if you have a large amount of control about everything already, including the people. China is known to do it for a long time now. And back in the old days, deep packet inspection and reading the content was pretty easy. My browser has some certificates reay. I have HSTS and all the bells and whistles, have connected to the servers already and their policies and certificates cached. Many websites support this. And it warns me if I'm dropping to non encrypted connections. All of them complain on sending forms over HTTP only, logins and display something in the address bar. I suppose it's easy in China because they force users to use certain browsers. They have alternative domestic services for everything, replacing the messengers, video platforms and social media networks we use. And that's why it works so well in the current days. I'm not sure if that would translate to a western democracy. I think it'd be hard to implement it here. Well, technically, it's easy as you pointed out. But everyone would notice and it'd change how we interact with the internet to quite some degree.
I'm not sure about Iran. They seem to claim they can break encryption. I doubt that's possible. And the most effective thing is not allowing connections to 70% of the internet anyways. But that's not inspecting packets, just disallowing communication. I'm not sure about other measures.
And all of this isn't the whole story, you can for example "circumvent encryption" on the server side, as it's done. Force service providers to provide interfaces for lawful intercept.
I don't think the TCP hello contains anything useful like the domain name? Isn't that sent later on?
TLS clienthello contains unencrypted string, called SNI, that contains the domain of a destination web site. It must be unencrypted to work, because web sites read this string to determine which certificate to use.
You do not break encryption. It is unencrypted by design.
With all due respect, but it seams to me that you do not quite understand how HTTPS works. For encryption it relies on TLS protocol. And TLS does not encrypt everything, it encrypts only payload, but it also has to share some additional data to even establish encrypted connection. The majority of that work is done by exchanging clienthello and serverhello. To do that client has to clarify what server he is even trying to reach as there can be multiple servers on IP, but they have separate certificates, support different cyphers etc. For that a string "SNI", that contains domain name is used. Only after client and server exchange all the necessary information encrypted conversation can start. So, by looking into clienthello and reading SNI any MITM can determine what web site are you trying to reach.
Oh, thank. Now I know what ECH stands for. I'll look it up.