Ironically, attempts by providers to block access to a class of sites can backfire. Richard Clayton showed how to use one ISP's blocker as an oracle to compile lists of banned sites. The paper is at here's the abstract:
Three main methods of content blocking are used on the Internet: blocking routes to particular IP addresses, blocking specific URLs in a proxy cache or firewall, and providing invalid data for DNS lookups.
The mechanisms have different accuracy/cost trade-offs. This paper examines a hybrid, two-stage system that redirects traffic that might need to be blocked to a proxy cache, which then takes the final decision.
This promises an accurate system at a relatively low cost. A British ISP has deployed such a system to prevent access to child pornography.
However, circumvention techniques can now be employed at both system stages to reduce effectiveness; there are risks from relying on DNS data supplied by the blocked sites; and unhappily, the system can be used as an oracle to determine what is being blocked.
Experimental results show that it is straightforward to use the system to compile a list of illegal websites.
Steven M. Bellovin
Wednesday, June 11, 2008