Tonnerre Lombard


Archive for the ‘Net Neutrality’ Category

German anti-censorship petition hits 100’000 signers

Thursday, June 4th, 2009

The petition against censorship, which was filed with the German parliament on April 24th, 2009, has finally passed 100’000 signers. As of June 4th, 12 days before the end of the petition, 110’298 people have signed it.

The powers that be, however, have so far decided to ignore the petition. Apart from a lapsus by the German minister of economy, von Gutenberg, who declared that everybody who was against censorship is a pedophile, none of the politicians of the Social Democrats (SPD) or the Christian Union (CDU), the governing parties in Germany, has mentioned the petition in any way. Family minister Ursula von der Leyen, who is currently campaigning for her reelection, even removed the time for questions from her campaign events.

Since the petition has passed the necessary limit of 50’000 signers, the petition committee of the German parliament will at least have to consider it. The result of this will be very interesting.

German petition against Internet censorship attracts attention

Wednesday, May 6th, 2009

A petition against Internet censorship launched on the petition web site of the German parliament has recently gained a lot of attention, and consequently, a lot of signatures.

The subject of the petition is a proposal of the German federal police, which aims to introduce a mechanism by which the government can block arbitrary sites on the infrastructure of all ISPs in Germany. The basic idea is that if cases of child pornography or similar are brought to the attention of the federal police, the sites are added to a blacklist. This blacklist is then distributed to all ISPs in Germany, which consequently have to redirect the users to a server of the federal government using DNS spoofing. This server will then record the IP address of the person visiting the site as a suspected consumer of pornographic material involving minors.

Ineffective measures

The Chaos Computer Club, as well as a lot of other organizations and computer magazines such as c’t, have already protested against the proposal, calling it ineffective, which is indeed the case. Any potential consumer of child pornography can simply configure their own name server, or use one hosted by a friend or located outside Germany, thus escaping the measure. Also, all of the material remains on the Internet, for everybody not living in Germany to see. In order to stop the abuse of the children in question, the only effective measure would be to ask the content provider, which means the company providing hosting or housing to the web site owner, to take down the web site. Experience shows that in the vast majority of cases, this happens immediately.

Moreover, the proposal will simply not work, for a very simple reason. What the German government wants to impose here is plain DNS spoofing, just like the DNS spoofing attack presented by Dan Kaminsky. Since susceptibility to DNS spoofing is a serious security issue, countermeasures have been proposed and are now built into major DNS servers and clients. The principle, nowadays known as DNSSEC, is a simple public key infrastructure by means of which every DNS zone owner (i.e. every person hosting host name records for a domain) signs their zone digitally using a so-called zone key. The public part of this key is then published to a special, cryptographically secured service, which can subsequently be queried for such keys. If the presence of the DNS Security Extensions is detected on a domain, the client host will request the public key and verify the signature of the queried data.

Since there is no way the federal police could forge such a signature, the modified DNS data would be noticed immediately and cause an error to be displayed to the user. But not only will this ruin the use case of finding people visiting child pornography sites, it will also potentially affect other data in the same zone, thus having a serious effect on the end user experience.
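
The validation step described above, as an added example that is not part of the original post. It assumes a toy textbook-RSA zone key built from two Mersenne primes in place of real DNSSEC algorithms and wire formats; all names, addresses and function names are constructed for illustration.

```python
import hashlib

# Toy textbook-RSA zone key built from two Mersenne primes. It stands in for a
# real DNSSEC key only to keep the example dependency-free; it is NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known to the zone owner only

def rrset_digest(name, rtype, addresses):
    """Hash a simplified canonical form of an RRset (lower-case name, sorted data)."""
    canon = "|".join([name.lower().rstrip("."), rtype] + sorted(addresses))
    return int.from_bytes(hashlib.sha256(canon.encode()).digest(), "big")

def sign_rrset(name, rtype, addresses):
    """Zone owner: sign the RRset digest with the private zone key."""
    return pow(rrset_digest(name, rtype, addresses), D, N)

def validate(answer, trust_anchors):
    """Validating resolver: classify an answer as secure, insecure or bogus."""
    key = trust_anchors.get(answer["zone"])
    if key is None:
        return "insecure"            # zone is not signed: nothing to check
    sig = answer.get("rrsig")
    if sig is None:
        return "bogus"               # signed zone, but the signature is missing
    n, e = key
    digest = rrset_digest(answer["name"], "A", answer["addresses"])
    return "secure" if pow(sig, e, n) == digest else "bogus"

# Constructed sample data (documentation names and addresses).
ANCHORS = {"example.org": (N, E)}
GENUINE = {"zone": "example.org", "name": "www.example.org",
           "addresses": ["192.0.2.10"],
           "rrsig": sign_rrset("www.example.org", "A", ["192.0.2.10"])}
# A blocking resolver rewrites the address but can only replay the old signature.
REDIRECTED = dict(GENUINE, addresses=["198.51.100.1"])
# The same rewrite with the signature removed.
STRIPPED = dict(REDIRECTED, rrsig=None)
# A zone without DNSSEC: the rewritten answer cannot be told apart.
UNSIGNED = {"zone": "example.net", "name": "www.example.net",
            "addresses": ["198.51.100.1"]}

if __name__ == "__main__":
    for label, ans in [("genuine", GENUINE), ("redirected", REDIRECTED),
                       ("stripped", STRIPPED), ("unsigned zone", UNSIGNED)]:
        print(f"{label:14} -> {validate(ans, ANCHORS)}")
```

The last case shows the limit of the argument: the rewritten answer is only detected for zones that are actually signed and on clients or resolvers that validate.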

Creating terrorists

Another case which could be brought against these measures is that they enable an arbitrary attacker to generate terrorists. The procedure is very easy to implement, hard to notice and can be used by any random home page owner. The only thing one needs to do is to include a small iframe or image on one’s home page which leads to a server on the child pornography block list. This will get every visitor of the web site onto the list of suspected consumers of child pornographic material.

If this appears too offensive, it is possible to have a server side include or CGI script which only includes the iframe or image every once in a while. This will make the mechanism very hard to detect.

Another method would be to include a URL to the site in a banner exchange facility. This would mark a small fraction of the visitors of every web site which is a member of the banner exchange as a suspected consumer of child pornographic material.

In summary, the mechanisms are very easy to overcome and carry a massive inherent potential for abuse. (The government could for example block the web sites of political activists, automatically, and nobody would be able to tell.) The fact that the governmental agencies threatened to sue everybody who receives, owns or publishes a copy of the list does not really help to establish the trust that this list will not be abused for somebody’s agenda.

References

If you want to help fight this, here are some links:

Germany wants stronger age verifications and bans on foreign providers

Sunday, December 9th, 2007

The German Federal Court of Justice has decided in case Az. I ZR 102/05 that even stronger age verification mechanisms are required for providing access to adult content on the Internet. According to the Federal Court, the current practice of verifying ID card numbers and bank accounts is not sufficient, because any minor could gain access to this information easily.

The court proposes a verification process which involves the local postal delivery services. The deliverer is supposed to verify the age of the future web site user in person, face to face.

For the various providers of adult content which are not subject to German law, the Federal Court holds the Internet Service Providers responsible for blocking the web sites in question.

The Internet without Net Neutrality

Monday, October 1st, 2007

[Image: An illustration of the Internet without net neutrality]

Fredy Künzler has found a nice illustration of why Net Neutrality is such an important aspect. This drawing shows what network access would be like if the marketing departments had the final word.