21

I want certain web pages blocked (within my country) by my Govt on a website that uses HTTPS on all pages. My Govt agrees that the specific URLs need to be blocked but expresses helplessness as their ISPs claim they can't selectively block HTTPS URLs but must block the entire website/domain / sub-domain which will cause genuine users to be affected. The prominent website in question has refused to take down the impugned web pages despite notices from my government and law enforcement requests.

Soufiane Tahiri
  • 2,667
  • 12
  • 27
Desmond
  • 327
  • 2
  • 3
  • 3
    More generally: https://security.stackexchange.com/questions/4388/are-urls-viewed-during-https-transactions-to-one-or-more-websites-from-a-single – Gilles 'SO- stop being evil' Jan 18 '21 at 00:44
  • 12
    On grounds of ethics, I would still refuse to cooperate with the OP to provide help/guidance in achieving what is expected from the question. – usr-local-ΕΨΗΕΛΩΝ Jan 20 '21 at 12:06
  • @usr-local-ΕΨΗΕΛΩΝ There could be very valid reasons to block certain content, while not wanting to block the entire site. One wonders, though, what site would be important enough that they would not want to block it altogether, but would not accept legitimate requests for removal of specific content. To me, either the site is quite rogue, and it should not matter if it was completely blocked (it could lead them to revise their behaviour) or the reasons for removal are not legitimate enough to be universally recognised. – jcaron Jan 20 '21 at 13:44
  • Is this why Wikipedia has gone to mandatory modern encryption (which breaks older platforms)? – Harper - Reinstate Monica Jan 21 '21 at 04:07

3 Answers3

52

No, the ISP cannot block specific HTTPS protected pages because it cannot determine which page is being accessed.

HTTPS does not hide the server that is being accessed, because it needs the SNI (Server Name Indication) to be on the clear, so the server can know which certificate to use on the connection. Once the handshake is established, everything else is encrypted, including which page you are requesting.

So the ISP have two non-optimal ways to answer: don't block anything, or block the entire server.

Encrypted SNI is actually a thing (I think Cloudflare did add support back in 2018). Admittedly I have no idea how widespread it is. – s1lv3r

Encrypted SNI is a thing for the future. It is part of the TLS 1.3 specification, but isn't something that can be enabled by changing a configuration option on the webserver. It needs changes on the DNS records, and support from the webserver. It still don't have widespread support among webservers and web browsers, and is still not mature enough for high-traffic servers to adopt it.

ESNI would help hide the domain you are accessing from your ISP and government (depending heavily on your network configuration), but would not help the ISP selectively block pages on the domain.

Community
  • 1
ThoriumBR
  • 50,648
  • 13
  • 127
  • 142
  • 5
    [Encrypted SNI](https://tools.ietf.org/html/draft-ietf-tls-esni-09) is actually a thing (I think Cloudfare did add support back in 2018). Admittedly I have no idea how widespread it is. Otherwise your answer is correct of course (+1). – s1lv3r Jan 18 '21 at 11:49
  • 1
    Not sure if others have faced this issue but sometimes, I cannot access a website say www.example.com because it has been blocked and see an error message instead, but at the same time I can access any subpages like www.example.com/archives. What happens in that case? Thanks – ThankYouSRT Jan 18 '21 at 11:52
  • 3
    At a guess, the site is either not served over HTTPS or sometihng is doing the blocking before the encryption is applied. – Richard Ward Jan 18 '21 at 12:16
  • 20
    @ThankYouSRT Possibly you have a corporate style firewall between you and the internet which is decrypting the internet traffic, selectively blocking it, and re-encrypting it with a certificate that corporate IT has installed only your machine. Check the "lock" symbol beside the URL and see who provided the certificate for the page. – throx Jan 18 '21 at 12:30
  • Thanks for the answer. As a followup, if the TLD used by the offending website is a country specific domain ie the CCTLD used is under the control of my Govt including the domain Registrar, would it be possible to block specific web pages using HTTPS ? – Desmond Jan 18 '21 at 18:18
  • 2
    @Desmond No, the specific TLD has nothing to do with the mechanics of HTTPS. – user1937198 Jan 18 '21 at 20:12
  • @Desmond The CCTLD gives your government the right to seize the domain, not monitor or control access to specific HTTPS endpoints. – Ivan Jan 18 '21 at 20:12
  • 2
    @Desmond You Government may attempt to issue themselves with the same certificates as the website thereby allowing them to insert a transparent HTTPS proxy between you and the website and blocking specific pages but if they get caught browser manufacturers will simply ban all SSL/TLS certificates from your government forcing all websites to buy their certificates somewhere else. This has happened several times before, most recently for Khazakstan. Browser vendors do this because falsely issuing certificates is a flagrant violation of trust – slebetman Jan 19 '21 at 01:06
  • I removed the info about ESNI which is not relevant to the actual answer. Replies to comments should go in the comments. – FrederikVds Jan 20 '21 at 11:14
  • Never mind, someone removed the edit. Sigh... – FrederikVds Jan 20 '21 at 19:36
23

Just for completeness, there are actually ways to achieve this, but they are usually the work of totalitarian regimes who want to eavesdrop on everyone's conversations and/or block content not matching the "party line", and of course won't be done "just for you": force all users to install an alternate root certificate, and have all traffic to that site to go through a proxy which will present a TLS certificate signed by that alternative root before forwarding to the original server, except for the page in question of course.

jcaron
  • 3,365
  • 2
  • 15
  • 22
  • 10
    For the record, Kazakhstan attempted to do this back in July (or August?) 2019. – iBug Jan 18 '21 at 15:35
  • 10
    @iBug they've tried at least twice most recently in Dec 2020, but the browser makers just keep responding by refusing to trust the spyware cert. https://www.zdnet.com/article/apple-google-microsoft-and-mozilla-ban-kazakhstans-mitm-https-certificate/ – Dan Is Fiddling By Firelight Jan 18 '21 at 18:08
  • Declaring roots as unusable in the browser code is not a move taken lightly. (Yes, that's what they did.) – Joshua Jan 18 '21 at 18:42
  • 4
    In practice, governments with a better PR office already have root certificates [included](https://wiki.mozilla.org/CA:GovernmentCAs) in the browsers' standard lists, so in principle they could do this without you installing anything. – Federico Poloni Jan 19 '21 at 07:35
  • 3
    @FedericoPoloni In theory, if they attempted to use such a root cert in the manner described in the answer at any detectable scale, they would probably get their cert ejected from browsers pretty quickly. Of course, if they do it in a very targeted fashion to stay under the radar... – jcaron Jan 19 '21 at 10:46
  • 1
    @FedericoPoloni this is what certificate transparency tries to prevent – usr-local-ΕΨΗΕΛΩΝ Jan 20 '21 at 12:08
2

Like others said, for most cases inspecting TLS traffic would require installing certificates or even some software, which don't applies for most people. In the other hand, depending on how you consider blocking, there is a method which can make it possible:

There is a study that shows that in some cases HTTPS encrypted content can be identified: there is a paper (PDF) that shows that's possible to build a database of fingerprints which can be used to identify HTTPS-protected Netflix videos in real-time. There some limitations, such as taking some time to identify the video: "[...] the majority of the identifications occurring less than two and a half minutes into the video stream.".

It doesn't identify which exact URL was being accessed and cannot be used to block content completely, but if the URL just points to a video and the content that need to be blocked is after the detection margin, it can be used to detect when someone started to watch it then block connections to the server after that. In the context of totalitarian regimes, it could even be used to find those who watched videos against it. In the context of ISPs, it could be used to guess if some user-watched some popular video then sell this data to advertisers.

As this paper dates from 2017, before TLS 1.3, is possible that this method isn't working anymore. I hope.

Soufiane Tahiri
  • 2,667
  • 12
  • 27
Gustavo Rodrigues
  • 123
  • 6
  • 1
    Oooooh that's a funny one. It's quite specific to video streaming though. – jcaron Jan 20 '21 at 15:59
  • 1
    [Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning](https://arxiv.org/pdf/1801.02265.pdf) Sirinam etal. 2018 *Overall, our study reveals the need to improve WF defenses to be more robust against attacks using deep learning, as attacks only get better, and we have already identified several directions to improve the DF attack further.* – brynk Jan 21 '21 at 04:35
  • 1
    and a bit more recent: [Triplet Fingerprinting: More Practical and Portable Website Fingerprinting with N-shot Learning](https://dl.acm.org/doi/pdf/10.1145/3319535.3354217) Sirinam etal. 2019 *WF attacks pose a serious threat to users’ online privacy, including for users of Tor ... WF attacks like Deep Fingerprinting (DF) have reached up to 98% accuracy. DF requires large amounts of training data that needs to be updated regularly ... we examine how an attacker could leverage N-shot learning- a machine learning technique requiring just a few training samples to identify a given class...* – brynk Jan 21 '21 at 04:52