

Will One YouTube Video Turn Pakistan Into A Surveillance State?

Almost a year after the ban on accessing YouTube in Pakistan, amidst a long and ongoing legal battle in the Lahore High Court between the government and an internet rights organization, and following raging debates on social media, blogs and print media, reports are beginning to surface that the Government of Pakistan is contemplating lifting the ban. Additionally, these reports claim that access to YouTube will be enabled after ensuring that religiously offensive content like the ‘Innocence of Muslims’ video on the web site can be blocked through the use of internet filters.

For anyone who understands the internet architecture and its security protocols, this is worrisome news because of the profound realities buried under these headlines.

Unlike many web sites that use an unencrypted, clear-text protocol called HTTP for communication between a user and the web site, YouTube uses the HTTPS protocol (notice the additional S for secure) to receive instructions from a user’s computer and send videos and other content back to the user’s web browser. HTTPS is usually used by security sensitive web sites like banks, or during secure transactions (like supplying a username/password to login or entering payment information during checkout) on regular web sites. The protocol’s use (indicated by HTTPS before the web site address) ensures the following at the very least:

  1. The user is communicating with a legitimate web site endorsed as such by a trusted third party called a Certificate Authority (CA).
  2. All communication between the user and the web site will be private and encrypted so that no one in the middle can eavesdrop and steal, let’s say, a user’s email password.

In order for the Government or Internet Service Providers (ISPs) to reliably detect that a user has requested an offensive video on YouTube and subsequently block access to just that one video, methods that breach, or more aptly circumvent, the secure HTTPS protocol will have to be employed. Those are very different from the two techniques ISPs commonly use to block complete access to web sites (as is presently the case with YouTube): DNS poisoning and HTTP Response Injection through content-filtering proxies. Let’s first understand both of these techniques.

When a user enters the address of a web site in the address bar of his web browser, the computer contacts an ISP computer, called a DNS server, and requests it to translate the user friendly web site address like www.youtube.com into what’s called an Internet Protocol (IP) address. This IP address is what the user’s computer uses to establish a connection with the web site’s computer.

Using DNS poisoning, the ISPs intentionally translate the offending web site addresses incorrectly and therefore redirect the users to fake websites that typically display an error message like ‘This website is not accessible’.

[Figure: ‘Surf Safely’ YouTube ban message. Most users in Pakistan see this web page when they visit YouTube.]

Notice in the figure above that even though the user requested a web page from www.youtube.com, the returned web page containing the Surf Safely message is in fact not coming from YouTube.
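One way to spot the DNS poisoning described above from the user's side, as an added example that is not part of the original article: parse the answers an ISP resolver returned and compare them with answers for the same names from an independent resolver. The heuristic (answers disagree and several unrelated names share one address, as a block page would) is an assumption of this sketch, and the `.example` names, documentation-range addresses and hand-built response packets are constructed sample data.

```python
import socket, struct

def build_response(qname, ips):
    """Constructed DNS response: one question, A records using a name pointer."""
    q = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    pkt = struct.pack("!6H", 0x1234, 0x8180, 1, len(ips), 0, 0) + q + struct.pack("!HH", 1, 1)
    for ip in ips:
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return pkt

def skip_name(pkt, pos):
    """Advance past a DNS name made of labels and/or a compression pointer."""
    while pkt[pos] and pkt[pos] & 0xC0 != 0xC0:
        pos += 1 + pkt[pos]
    return pos + (2 if pkt[pos] & 0xC0 == 0xC0 else 1)

def a_records(pkt):
    """Return the set of IPv4 addresses in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!6H", pkt[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(pkt, pos) + 4          # name, then qtype and qclass
    found = set()
    for _ in range(an):
        pos = skip_name(pkt, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:          # A record
            found.add(socket.inet_ntoa(pkt[pos:pos + 4]))
        pos += rdlen
    return found

def suspect_domains(isp, reference):
    """Names whose ISP answer disagrees with the reference and reuses another name's address."""
    owners = {}
    for name, pkt in isp.items():
        for ip in a_records(pkt):
            owners.setdefault(ip, set()).add(name)
    return sorted(n for n, pkt in isp.items()
                  if not a_records(pkt) & a_records(reference[n])
                  and any(len(owners[ip]) > 1 for ip in a_records(pkt)))

# Constructed sample data (documentation address ranges, .example names).
ISP = {n: build_response(n, [ip]) for n, ip in [("video.example", "203.0.113.10"),
       ("news.example", "203.0.113.10"), ("cdn.example", "198.51.100.7")]}
REF = {n: build_response(n, [ip]) for n, ip in [("video.example", "192.0.2.1"),
       ("news.example", "192.0.2.2"), ("cdn.example", "198.51.100.8")]}
```

A plain mismatch is not flagged on its own (`cdn.example` here), because content delivery networks legitimately hand different addresses to different resolvers.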

The same effect can be accomplished through a technique called HTTP Response Injection by using specialized computers called Internet Proxies. These proxies, when placed in between a user’s computer and a web server, can read, log and potentially manipulate all internet traffic going through them. Regardless of whether the content was requested using HTTP or HTTPS, these proxies can detect which web site a user is requesting, e.g. YouTube, and decide to either let the request/response continue unaltered for ‘safe’ sites or prevent the message from going further for ‘unsafe’ web sites and return a fake response to the user’s computer containing an ‘Access Denied’ or ‘Surf Safely’ type message.

When web sites are accessed using the HTTP protocol, these proxies can even inspect which content/video was requested and even the contents of the response from the web site (since it’s not encrypted) and block access if it contains any offensive keywords. This is why sometimes these proxies are called content-filtering proxies.

These techniques have been used to block access to offensive websites in Pakistan for years. As a result, the privacy of a Pakistani internet user has potentially been at risk, since these proxies can be made to log what an internet user accesses and when, unless the communication took place using the HTTPS protocol. As if that wasn’t bad enough, the recent news about HTTPS based filtering capabilities will make matters worse!

Thus far, the Government could not block access to a specific piece of content on an HTTPS based web site, e.g. a specific video on YouTube, as the request and response are both encrypted. As a result, the Government has had to ban the entire YouTube web site, making a lot of useful content inaccessible alongside the offensive videos. The most common ways the Government or ISPs can block specific YouTube videos without blocking the entire HTTPS-based web site are the following:

  1. Willing cooperation of Google, YouTube’s parent company, to block access to the video for requests originating from Pakistan
  2. Willing or unwilling cooperation of Pakistani Internet users to deploy filtering and surveillance software on their computers and mobile devices
  3. Proxying YouTube traffic through a country where Google hasn’t rolled out HTTPS protocol yet and using the existing means of content filtering proxies to block access to specific videos
  4. A Machine/Man-In-The-Middle or MITM attack which will be discussed shortly

Since HTTPS based traffic is encrypted during its internet journey except at the two end-point computers, i.e. the user’s computer and the web site computer, the first two options rely on cooperation of the owners of those computers.

Google has ruled out cooperating in this regard until the company is offered Intermediary Liability Protection (ILP) through a legislative amendment. That basically requires that a law be passed that protects Google and other content hosting websites from any legal repercussions resulting from any user of that website uploading content to it that’s considered unlawful in Pakistan.

In order to resolve the YouTube access matter, this is arguably the most sensible route to take. Once ILP is offered to Google, it can create what’s called a country specific domain proxy and serve all content in Pakistan through a localized website address like www.youtube.com.pk. Subsequently, Google has offered to consider blocking access to videos that are proven to violate the law of Pakistan. This approach is used by several Islamic states to filter out illegal content on YouTube. One can only speculate as follows on why this option is not being pursued keenly.

  • There is no guarantee that Google will block a video blindly merely upon the Government’s request. Every time a video will need to be blocked, it will have to be clearly demonstrated that the video violates the law of the land, an onerous and time consuming undertaking.
  • This does not solve the problem of videos and content hosted on other non-Google HTTPS web sites. ILP may not be enough for them or they could have been created with malicious intent to propagate ‘immoral’ content.
  • The Government may want more control to ban not just illegal and religiously offensive content, but also other online material that is considered a threat to national security. Music videos by the Baghairat Brigade (link to Google cache since the original is blocked) and President Zardari’s ‘Shut-up’ clip come to mind as recent examples of such internet censorship in Pakistan to curb the voice of political dissidents from spreading.

The second option for HTTPS-based content filtering requires software to be installed at users’ computers and mobile devices which can intercept a request to an offensive video before it’s encrypted so it can be blocked within the web browser. Commonly available parental control software like K9 Web Protection, KidsWatch and Parental Control Bar use this approach.

While such software can be willingly installed by users before access to the internet is allowed, a mass-scale, forced and surreptitious deployment of such software, while possible through the use of spyware like Gamma International’s FinFisher system, is not economically feasible or practical. There have been reports, one specifically by the University of Toronto based Citizen Lab, that detected the presence of FinFisher in Pakistan, but it is likely (and hopefully) only used for targeted surveillance of individuals suspected to be involved in criminal activity or terrorism, not the public at large.

The third option is really a temporary measure and requires some fairly intricate network engineering. There are still countries where Google has not yet completed the roll out of site-wide HTTPS protocol. It is theoretically possible to proxy, or re-route, YouTube content from one of those countries and use the existing content filtering proxies to cast out offensive material. Since the traffic will not be encrypted, the content filters can detect when a user is requesting an offensive video and block it. The moment, however, Google rolls out site-wide HTTPS protocol in the country where ISPs are routing traffic from, this measure will be rendered useless.

That only leaves the last option with the authorities to filter specific videos on YouTube in Pakistan, and that entails launching a nationwide, Man-in-the-Middle (MITM) attack on all internet traffic across the country. Here is how that works.

[Figure: Facebook certificate]

When a user accesses an HTTPS based website like YouTube or Facebook, the identity of that web site is certified by a trusted third party called a Certificate Authority (CA). As shown in the attached picture, www.facebook.com is verified by a CA operated by a company called VeriSign. It further shows that the communication between the computer and Facebook is encrypted using 128-bit encryption.

An MITM attack is launched by placing a proxy computer (at an ISP or the Internet Gateways in Pakistan) between a user’s computer and a legitimate web site, e.g. Facebook. A user’s request to connect with Facebook is re-routed to the proxy, which pretends to be Facebook, and hence can be decrypted by the proxy and analyzed for further action. If it’s a request for a video that should be blocked, the proxy responds with an ‘Access Denied’ message to the user. Otherwise, the proxy, in turn, establishes a connection with the legitimate web site pretending to be the original user and keeps shuttling data back and forth between the two like a post office.

The only question that remains is why the user’s computer trusts the fake proxy to be a legitimate web site computer. That is accomplished through two common means:

  1. Creating a new Certificate Authority and requiring that the computers in Pakistan add that CA to the list of trusted CAs pre-stored in the computer or mobile device. This is commonly done by security sensitive corporations since they control all company owned computers. However, in the case of public computers, when a user visits https://www.youtube.com and encounters a new certificate, the browser will notify the user to either not trust the web site or add the new CA validating its identity to the list of trusted CAs in order to proceed. As it’s clear, this method is not very covert and might raise suspicions with savvy computer users. On the other hand, if this is the only way users are offered to access YouTube, they may choose to trust this new CA.
  2. The other method relies on willing or forced cooperation of one of the pre-configured, trusted CAs in a user’s computer to validate the proxy server’s fake identity. For example, a CA named Trustwave had publicly admitted to issuing certificates to allow a company to run MITM attacks. If the CAs are not willing, sometimes they are forced by using a court order to cooperate with governments, called a Compelled Certificate Creation attack in the research circles. It may be noted that Etisalat, the parent company of PTCL (the largest ISP in Pakistan), is one of the trusted CAs and guardians of HTTPS based internet security. Electronic Frontier Foundation had expressed concerns in this regard because the company, back in 2009, “issued a mislabeled firmware update to approximately 100,000 of its BlackBerry subscribers that contained malicious surveillance software.”

It can be reasonably inferred thus, that the only viable option to centrally block individual YouTube videos before opening up YouTube will require developing capabilities to employ a MITM strategy against the internet users of Pakistan and therefore, severely undermine their right to privacy and compromise the security of their internet transactions and data.

The trust offered by HTTPS, once severed for one web site, allows anyone in possession of the small digital certificate file to compromise the integrity of anyone’s internet communication. Once the new certificate authority is trusted by a user’s browser, faking any legitimate website won’t even raise a warning message in those browsers. Who will ensure the security of that Certificate Authority? In the wrong hands, a small certificate file that can be copied onto a USB drive in under a few milliseconds, can wreak havoc on Pakistani internet users. Banking pins, social media sites’ passwords, secure messaging, personal emails, could all be potentially monitored, logged and analyzed turning Pakistan into a surveillance state.

Even if the Government forms an oversight committee to regulate this surveillance infrastructure, the fact of the matter is, the weakest link is going to be the inadequately paid workers at one of the data centers hosting this digital infrastructure. Identity theft may become commonplace and our private lives and activities could be put on public display or used for blackmail!

The safest and most reliable options to resolve this long-pending matter involve either getting Google on board and convincing the company to set up a Pakistan-specific domain proxy as discussed earlier in this article, or allowing the internet users of Pakistan to be the custodians of their own morality and use freely available internet filtering software on their computers and mobile phones to keep their families safe. Another, less ideal and middle-of-the-road option has been discussed in one of my earlier articles; it involves an ISP based value-added service offered to consumers that filters out entire websites based on subscriber preferences.

A summarized version of this article along with additions from the editor was originally published in Dawn Newspaper on Oct 20th, 2013. I felt that the edited article missed some important points, so this version is being shared for full context, background and clarification of some assertions made in the article. 
