Security Flaws In Aussie Net Filter Exposed
Faldo writes "There's a three-part interview with a computer security expert on BanThisURL that goes into the flaws in the Aussie net filtering scheme. In addition to SSH tunnels and proxies, more worrying problems like trojaning the boxes to set up man-in-the-middle attacks (which the interviewee has done in his lab), cross-site scripting and the Australian blacklist leaking are all discussed. Worrying and relevant, especially since Thailand's blacklist has just been leaked."
Not really news? (Score:5, Interesting)
Re:But What About The Children/Terrorists/Etc. (Score:5, Interesting)
ipv6 (Score:5, Interesting)
I bet the filter isn't ipv6 capable... I just can't see the lawmakers being that tech savvy.
That could be just the boost the protocol needs, in Australia at least.
Could be a router (Score:3, Interesting)
Let's not forget that, if a big important router was compromised (such as the one in charge of the carrier pigeon link between Downunderland and the rest of the world), the same things could be done.
These aren't new problems introduced purely by a porno filter. These are problems introduced by lack of encryption and made easier by insecure porno filters.
If they try to MITM a TLS connection, certificate warnings will pop up. As is supposed to be guaranteed. All the bullshit lately should go a long way to convince people that YES, we need widespread encryption NOW.
I stand by previous statements that Firefox's multi-click certificate override is the Right Thing. But more and more, I'm beginning to think we need an 'httpe' as some people suggested which operates on SSH's "ohhh shits teh key changed!!" model. Push it out in the new Firefox and WebKit. Have a nice, plain-language warning on first visit and a big scary multi-click override when the key changes. And here's something new...
Define a means by which a link, such as from a secure Google search results page, can include the expected key. No need for a warning - you now have a key for that domain if expected agrees with what you get. The reason is simple - big brother can't see your conversation with Google or some other secure/pseudo-trusted authority, but they CAN try to MITM you with a key other than the expected one. Google can lie about the expected key, but you'd get a different one (either the real one or one from aussieland's gov). If either party could do BOTH you'd be screwed anyway, because Google's certs would at that point mean jack shit.
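The pinning model proposed in the comment above, sketched as an added example (not code from the comment or from any browser). 'httpe' is the commenter's hypothetical scheme; `PinStore`, the action names, the rule that an existing pin overrides a link hint, and the key bytes are assumptions constructed for illustration.

```python
import hashlib

def fingerprint(key_bytes: bytes) -> str:
    """SHA-256 fingerprint of the public key a server presented."""
    return hashlib.sha256(key_bytes).hexdigest()

class PinStore:
    """Per-host key pins, kept the way SSH keeps known_hosts."""

    def __init__(self):
        self.pins = {}  # host -> fingerprint

    def check(self, host, presented_key, link_fp=None):
        """Decide what the browser does for this connection.

        link_fp is the expected fingerprint carried by the link that led here
        (for example from a search results page fetched over TLS), if any.
        """
        seen = fingerprint(presented_key)
        pinned = self.pins.get(host)
        if pinned is not None:
            # Known host: an existing pin always wins over a link hint (assumption).
            return "ok" if pinned == seen else "block_key_changed"
        if link_fp is not None:
            if link_fp != seen:
                return "block_link_mismatch"  # the two sources disagree; pin nothing
            self.pins[host] = seen
            return "pinned_from_link"  # expected key matches; no warning needed
        # First visit with no hint: plain-language warning, then trust on first use.
        # Assumption: the user accepts the warning, so the key is pinned here.
        self.pins[host] = seen
        return "warn_first_visit"

def demo():
    # Constructed byte strings standing in for DER-encoded public keys.
    real, other, mitm = b"constructed-key-A", b"constructed-key-B", b"constructed-mitm-key"
    store = PinStore()
    return [
        store.check("news.example", real),   # first visit, no hint
        store.check("news.example", real),   # same key again
        store.check("news.example", mitm),   # key changed on a pinned host
        store.check("shop.example", other, link_fp=fingerprint(other)),
        store.check("mail.example", mitm, link_fp=fingerprint(real)),
    ], store

if __name__ == "__main__":
    for action in demo()[0]:
        print(action)
```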
Re:chinese firewall... (Score:3, Interesting)
Another reason it works is because of the general fear of surveillance. The PRC will regularly do strange things like mandate a specific operating system for Internet cafes. Maybe they're spying, maybe they're not, the key is the Orwellian notion that you never know whether you're being observed or not. That is ingrained in the Chinese people after sixty years of Communist rule.
The real question here is not whether a people, most of whom have lived their lives under a watchful tyranny, can be cowed by real and imagined Internet surveillance, but whether a free society made of people who were raised with the ideas of personal liberty can ultimately be pushed into the same state of paranoia. Will Australians in general be convinced that their government can meaningfully prevent them from viewing certain kinds of material, or will they see this for what it is, pandering to Australian religious extremists with little real technical way to prevent anyone with even a modicum of prowess from viewing nasty things?
In a way I'm fascinated by this. I wonder whether it will be tolerated as one of these easily avoidable public morality laws like drug and prostitution prohibitions, or will the people of Australia say "No, it's my right to watch one or more consenting adults doing peculiar sexual things to each other."