35

Coordinated by Italy last month, a huge law enforcement operation reportedly 'dismantled' a pirate IPTV service with 22 million users. That's an extraordinary number and shows why countries like Italy have adopted mass site blocking measures. Logic suggests that the removal of such a huge player from the market might reduce the need for blocking measures, if only temporarily. The data shows that in the wake of the action, blocking demands significantly increased.

top 9 comments
sorted by: hot top controversial new old
[-] hendrik@palaver.p3x.de 13 points 9 hours ago

Btw, you can get around domain blocking by choosing a different DNS provider than your ISP's. But pay attention if that one is tracking or logging your requests, if privacy is important to you.

[-] doeknius_gloek@discuss.tchncs.de 6 points 6 hours ago

I'd recommend Quad9 or Mullvad as both have a good record on privacy. DNS is also often unencrypted by default, so make sure to use DoT or DoH while you're at it.

[-] hendrik@palaver.p3x.de 3 points 6 hours ago* (last edited 6 hours ago)

I think opennic.org is a nice project, too. In addition to offering privacy-respecting servers, they're also democratic and not for-profit.

[-] khorovodoved@lemm.ee 1 points 7 hours ago

Everyone gansta till DPI system is installed.

[-] hendrik@palaver.p3x.de 1 points 6 hours ago

We already have that. It's usually not used for this use-case though. And it'd be hard to do so, as nowadays most traffic is encrypted, we have certificate pinning etc. So it won't work.

The alternative would be IP based blocking. And the article mentions this, and it's contained in the graphs. That's much harder to circumvent. But also harder to do, since websites share IPs, they're in the cloud on AWS...

[-] khorovodoved@lemm.ee 1 points 6 hours ago* (last edited 6 hours ago)

It would not be hard at all. China, Iran and Russia already do that. Clienthello is not encrypted and that is all you need.

And ECH would not solve this as you can just block cloudflare-ech (or other, depending on CDN) domain itself and force clients to fallback to non-encrypted clienthello.

[-] hendrik@palaver.p3x.de 1 points 4 hours ago* (last edited 4 hours ago)

Sure, I forgot to think about that properly. This only works if you have a large amount of control about everything already, including the people. China is known to do it for a long time now. And back in the old days, deep packet inspection and reading the content was pretty easy. My browser has some certificates reay. I have HSTS and all the bells and whistles, have connected to the servers already and their policies and certificates cached. Many websites support this. And it warns me if I'm dropping to non encrypted connections. All of them complain on sending forms over HTTP only, logins and display something in the address bar. I suppose it's easy in China because they force users to use certain browsers. They have alternative domestic services for everything, replacing the messengers, video platforms and social media networks we use. And that's why it works so well in the current days. I'm not sure if that would translate to a western democracy. I think it'd be hard to implement it here. Well, technically, it's easy as you pointed out. But everyone would notice and it'd change how we interact with the internet to quite some degree.

I'm not sure about Iran. They seem to claim they can break encryption. I doubt that's possible. And the most effective thing is not allowing connections to 70% of the internet anyways. But that's not inspecting packets, just disallowing communication. I'm not sure about other measures.

And all of this isn't the whole story, you can for example "circumvent encryption" on the server side, as it's done. Force service providers to provide interfaces for lawful intercept.

I don't think the TCP hello contains anything useful like the domain name? Isn't that sent later on?

[-] khorovodoved@lemm.ee 2 points 3 hours ago* (last edited 3 hours ago)

TLS clienthello contains unencrypted string, called SNI, that contains the domain of a destination web site. It must be unencrypted to work, because web sites read this string to determine which certificate to use.

You do not break encryption. It is unencrypted by design.

With all due respect, but it seams to me that you do not quite understand how HTTPS works. For encryption it relies on TLS protocol. And TLS does not encrypt everything, it encrypts only payload, but it also has to share some additional data to even establish encrypted connection. The majority of that work is done by exchanging clienthello and serverhello. To do that client has to clarify what server he is even trying to reach as there can be multiple servers on IP, but they have separate certificates, support different cyphers etc. For that a string "SNI", that contains domain name is used. Only after client and server exchange all the necessary information encrypted conversation can start. So, by looking into clienthello and reading SNI any MITM can determine what web site are you trying to reach.

[-] hendrik@palaver.p3x.de 1 points 3 hours ago

Oh, thank. Now I know what ECH stands for. I'll look it up.

this post was submitted on 20 Dec 2024
35 points (100.0% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

55049 readers
392 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 2 years ago
MODERATORS