ISP anti-Pornography Fitlers: Easy to Break Them?

This is the second in a series of article looking at some of the common technical objections raised whenever people suggest the introduction of anti-pornography filters by all UK-based ISP’s which could then be switched off by the user if desired. The first article looked at the (lack of) impact on internet speeds by these proposed filters. Thanks are once again given to Leigh Porter, a Systems Architect who has worked at UK Broadband for several years who has kindly provided clarification and correction where it was needed.

ISP Level Filters can be Circumnavigated: The argument here is that any ISP level filter will be easily circumnavigated by various methods. These include (1) changing the port used by the computer, (2) using a proxy server, (3) use of SSH Tunnelling and VPN Tunnelling. While changing the port turns out to be irrelevant, the others are also weaknesses used to work around PC based filters as well. We will address these in turn.

1) Computer PortsChanging the port will not affect ISP level filters because the Deep Packet Inspection filters routinely used by ISPs analyze all web traffic regardless of the port being used.

In computer networking / web access, the Port is a bit of software that acts as a gate through which data is sent. For the internet they are used by various ‘Transport Layer’ protocols like TCIP (Transmission Control Protocol) and UDP (User Datagram Protocol) as outlined in this wkipedia article.

Ports are assigned a number, with some port numbers reserved by convention for particular services. Traditionally, Port 80 was reserved for use by the Hypertext Transfer Protocol (HTTP) used on the web. This is the meaning of ‘http’ seen at the beginning of all web page addresses or URLs.

The argument is that an ISP level filter can simply be bypassed by forcing the computer to use a different port to connect to the web, either by changing various settings on the computer or simply inserting the required port number after the website URL (e.g. sending the request to would force the use of port 4000 instead of port 80).

Port Changing no Longer Relevant: While that argument was true in the past, the universal use of DPI filters that analyze all traffic regardless of port means this argument is no longer relevant.

2) Proxy Server – The problems of proxy servers applies to the ISP-level anti-pornography filter as well as the PC based parental control. A proxy server acts as an intermediary, or middleman, for requests from, in this case, the home computer to their ISP. The argument is that it is easy to by-pass ISP-level filters by using a proxy.

Proxy servers are actually used by some PC based pornography filters. Here, the users traffic is passed first to the proxy server used by the PC filter company. This checks the request against a blacklist and then allows the data through if cleared. Incoming data is also cleared in a similar way, going through the company’s proxy. OpenDNS is a proxy server system with adjustable filtering built in. The user points traffic to the OpenDNS (proxy) servers that contain adjustable filtering systems.

Proxies are very useful for those in countries that try to restrict web access. An increasingly popular proxy is run by the non-profit Tor Project which passes the encrypted data through 3 different servers before sending it onto the final destination, providing greater anonymity. However, it is easy to see how, just as proxies play useful roles, they can also be used to by-pass filtering systems. Proxies are one way to work around firewalls, filters and parental controls. This is true of both PC base and proposed ISP-level anti-pornography filters.

Some people also use SSL proxy servers, though while encrypting data these tends to be significantly slower. Even then it would be possible to work out the IP addresses of filtered sites and then inspect the SSL encrypted traffic to those sites. Leigh Porter states the ISP would ‘act as a middleman for those sites when they are encrypted thereby decrypting the traffic’. He acknowledges that this would probably not be popular, would be more processor intensive and might slow things down a little, but it is possible to do and implement in a voluntary ISP-level filter system. This extra level of protection is not possible on PC based filters.

Combating the use of Proxies: For both PC based and ISP level filters there are two things that parents can do to reduce the risk of proxy server use. They can (a) set the administration settings to ensure that they are the only ones able to change the various settings required for a computer to use proxy settings (see this Blocking Proxy Servers tutorial) and (b) obtain a blacklist of proxy server URLs (also available from ShallaList) and ensure that access to these domains is blocked within the browsers.

Parents should note that it will also be necessary to prevent users from being able to install another browser which does not contain the list. It is possible to block domains globally for all browsers on Windows OS machines via the HOSTS file within Windows, also described here.

3) SSH Tunnelling and VPN Tunnelling: The more determined user may resort to SSH (Secure Shell) Tunnelling and VPN (Virtual Private Network) Tunnelling to circumvent filters. As explained in this Suite 101 article, this works by ‘one computer initiating an encrypted SSH connection to another. The remote computer has a proxy server installed. All web browser traffic is then configured to go through the encrypted SSH tunnel, thus bypassing all Internet filters.’

As the article suggests, the best way to prevent this is to ensure that all outbound traffic to the Internet other than HTTP (port 80) and HTTPS (port 443) on the computers through the admin settings within the Operating System. You then need to ensure that the other users are not able to change these settings. It is noted that blocking VPN and SSH may cause problems with legitimate services that use these connections. However, SSH servers are not common and most VPN services require credit card payments.

Conclusion: Changing the port will not affect ISP-level filters. Using proxy servers, SSH or VPN Tunnelling are issues that apply to both ISP-level and PC based filters. All require changes to the OS or Browser settings, which can be restricted through admin control levels.


Tags: , ,

2 Responses to “ISP anti-Pornography Fitlers: Easy to Break Them?”

  1. Peterthewomble Says:

    There is so much that’s frustrating about this that I don’t know where to start.
    You’ve outlined three methods of circumventing filtering which are far less trivial that the most obvious, which is to use SSL.
    Where you do mention SSL it’s in the context of one of the biggest understatements possible:

    “Even then it would be possible to work out the IP addresses of filtered sites and then inspect the SSL encrypted traffic to those sites. Leigh Porter states the ISP would ‘act as a middleman for those sites when they are encrypted thereby decrypting the traffic’. He acknowledges that this would probably not be popular,”

    What’s being suggested as ‘probably not popular’ is giving your ISP the ability to decrypt all of your encrypted traffic. So that means it will be able to see the content of all traffic between your computer and the bank.

    This is essentially what’s known as a ‘man in the middle’ attack, and can only work properly over SSL if the client browser (on your PC) is trusting the ‘man in the middle’ by having a root certificate installed.

    SSL certificates (when used properly) are both for encryption (hiding the content), and for authentication (proving beyond doubt who the server is).

    Asking people to install a root certificate for their ISP is obviously dangerous for two reasons:

    1) malicious people will start sending bogus emails with ‘you need to update your root certificates, here’s ours….’

    2) We suddenly need to start trusting the ISPs and their employees to never do anything bad.

    SSL is one of the most important tools in making the web secure. To just casually suggest that breaking it ‘might not be popular’ is astonishing.


  2. proxy sites Says:

    Fantastic web site. Plenty of helpful information here.
    I’m sending it to several buddies ans additionally sharing in delicious. And of course, thank you in your effort!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: