Failures in a Hybrid Content Blocking System
Three main methods of content blocking are used on the Internet: blocking routes to particular IP addresses, blocking specific URLs in a proxy cache or firewall, and providing invalid data for DNS lookups. The mechanisms have different accuracy / cost trade-offs. This paper examines a hybrid, two-stage system that redirects traffic that might need to be blocked to a proxy cache, which then takes the final decision. This promises an accurate system at a relatively low cost. A British ISP has deployed such a system to prevent access to child pornography. However, circumvention techniques can now be employed at both system stages to reduce effectiveness; there are risks from relying on DNS data supplied by the blocked sites; and unhappily, the system can be used as an oracle to determine what is being blocked. Experimental results show that it is straightforward to use the system to compile a list of illegal websites.
Unable to display preview. Download preview PDF.
- 1.Bright, M.: BT puts block on child porn sites. Observer (June 6, 2004), http://observer.guardian.co.uk/uk_news/story/0,6903,1232422,00.html
- 2.Brightview Internet Services Ltd.: WebMinder, a configuration for restricting access to obscene sites identified by the Internet Watch Foundation, 21 p. (June 9, 2005)Google Scholar
- 3.Dornseif, M.: Government mandated blocking of foreign Web content. In: von Knop, J., Haverkamp, W., Jessen, E. (eds.): Security, E-Learning, E-Services: Proceedings of the 17. DFN-Arbeitstagung über Kommunikationsnetze, Düsseldorf 2003, Lecture Notes in Informatics, pp. 617–648 (2003) ISSN 1617-5468Google Scholar
- 4.Edelman, B.: Web Sites Sharing IP Addresses: Prevalence and Significance. Berkman Center for Internet and Society at Harvard Law School (February 2003), http://cyber.law.harvard.edu/people/edelman/ip-sharing/
- 5.Her Majesty’s Stationery Office: Protection of Children Act (1978)Google Scholar
- 6.Internet Watch Foundation: Annual Report 2003 (March 22, 2004), http://www.iwf.org.uk/documents/20050221_annual_report_2003.pdf
- 7.King Abdulaziz City for Science and Technology: Local Content Filtering Procedure. Internet Services Unit, KACST, Riyadh (2004), http://www.isu.net.sa/saudi-internet/contenet-filtring/filtring-mechanism.htm
- 9.McWilliams, B.: Cloaking Device Made for Spammers. Wired News (October 9, 2003), http://www.wired.com/news/business/0,1367,60747,00.html
- 10.OpenNet Initiative: Google Search & Cache Filtering Behind China’s Great Firewall. Bulletin 006, OpenNet Initiative (Augest 30, 2004), http://www.opennetinitiative.net/bulletins/006/
- 11.Norge, T.: Telenor and KRIPOS introduce Internet child pornography filter. Telenor Press Release (September 21, 2004)Google Scholar
- 12.US District Court for the Eastern District of Pennsylvania: CDT, ACLU, Plantagenet Inc v Pappert, Civil Action 03-5051 (September 10, 2004)Google Scholar
- 13.Zittrain, J., Edelman, B.: Documentation of Internet Filtering Worldwide. Harvard Law School (October 24, 2003), http://cyber.law.harvard.edu/filtering/