Last week, users of Facebook and Twitter in Pakistan began reporting a strange security problem. When they visited those sites, they found they were logged in–but with the accounts and privileges of complete strangers. Private Facebook information and Twitter direct messages belonging to other users were viewable, and the surprised Pakistani users had complete control over these accounts. Soon after the problem was noticed, Facebook and Twitter themselves blocked anyone attempting to log in from Pakistan. Eventually the problem went away.
What could have caused such strange and privacy-violating behavior? From the reported symptoms, it sounds like Pakistan’s main Internet Service Provider (ISP), PTCL, was experimenting with a transparent proxy server for certain Web sites. Proxy servers are machines that sit between a user and the Web site they visit, and rewrite or replace the content of the original destination. Proxy servers often have positive uses; volunteer-run proxies, for example, are famous for offering a way around censorship in Iran and China.
PTCL’s experimentation occurred shortly after Pakistan had enforced (and then lifted) a block on Facebook. (A campaign on Facebook had been soliciting caricatures of the Prophet Muhammad, which many Pakistanis found blasphemous.) Such timing suggests that PTCL might be using proxies to construct a better local censorship system, not evade it. One configuration that an ISP-wide proxy such as PTCL seems to be using is a relatively sophisticated form of Internet blocking called CleanFeed. It’s used by British Telecom in the United Kingdom to block Web pages reported as child pornography.
The difference between CleanFeed and the current filtering used in Pakistan is that CleanFeed-style systems permit individual Web pages to be blocked, rather than whole sites. That means that in the future, if the Pakistani authorities demand that a single page on Facebook has violated local laws, ISPs there could block that single page, rather than the whole of Facebook.
One side effect of the CleanFeed system is that traffic to sites that host those Web pages (but no other traffic) is redirected through a set of proxy machines at the ISP. If those proxy machines were misconfigured, you’d see exactly this kind of broken behavior that Pakistani users saw this week. Individual PTCL users would receive each others’ logins on censored sites, but not on others.
The evidence of PTCL experimenting with CleanFeed isn’t conclusive. There are other explanations that fit the known facts. It may be that PTCL was trying to save international bandwidth by using proxies to keep local copies of all Web pages (a more common use of proxies, and one which tripped up AT&T earlier this year when implemented for their mobile users). Some Pakistani users have described problems with sites that Pakistan has made no effort to censor, such as Google’s main site and Hotmail.
If this was an attempt to introduce a CleanFeed solution, however, it won’t have been the first time that PTCL’s attempts to comply with censorship demands have backfired.
In February 2008, PTCL tried to introduce a country-wide block of YouTube by announcing a new route to the Internet addresses used by YouTube’s own machines. That’s a very unusual act by a major ISP; usually a net provider will only announce routes to addresses it owns. In this case, however, PTCL was effectively claiming that it knew the best route to YouTube–but instead of directing Internet machines to the real servers, it sent everyone to the Internet equivalent of a ditch on the side of the road. PTCL intended the announcement to propagate only in Pakistan, but an international provider, PCCW, applied it to the rest of the global Internet. For a few hours, PTCL went from being YouTube’s censor in Pakistan, to its censor across the world.
It’s not just Pakistan’s censorship systems that have collateral damage outside of their borders. This week, one of China’s filtering strategies leaked onto the wider Internet. China’s Great Firewall not only blocks direct connections to sites like Facebook and Twitter, it is designed to return false information to anyone in China asking the whereabouts of those sites.
When you instruct your Web browser to go to a Facebook page, your PC will first ask the domain name service (DNS) for the location of www.facebook.com servers. Make that request across the Great Firewall, and the Firewall’s servers will answer faster than any other domain name server (including Facebook’s). Like PTCL, the fake addresses you will be given will redirect your browser into the ditch.
China’s fraudulent DNS results are intended to affect only the Chinese, but like Pakistan’s block, sometimes its censorship system leaks. As Earl Zmijewski at Renesys noted, many countries that are “near” China in the geography of Internet connectivity have ended up using servers within the PRC, making them vulnerable to China’s fake results. Ironically, one of those nearby countries is Pakistan, meaning that while Pakistani authorities have lifted their ban on Facebook, some users will still suffer from nearby China’s perpetual block on the Web site.
It’s not surprising that these censorship systems have unintended consequences and destabilize the smooth operation of the Internet. In the slang of technologists, they’re “hacks,” clumsy patches onto existing systems that attempt to use them in ways that they were never designed to support. Middle men, like ISPs, aren’t supposed to mess with your data based on the Web address you type; route announcements are supposed to point Internet traffic to the right servers; and if you ask a particular domain name server for an address, you should get the address it sends, not a forged reply from the Chinese government.
The good news is that there are technical solutions to all of these problems that can improve the resiliency of the Internet from censorship hacks. Web sites can use SSL (the encryption protection you get when you use an “https” address) to protect communications between browser and Web server, which would prevent CleanFeed-like systems from intercepting these requests. This week, a group of U.S. civil liberties groups petitioned Facebook to turn on such protection by default.
Defending the Internet’s routing and domain name systems requires a more coordinated effort. Changing the protocols behind route announcements and DNS to be more secure involves an arduous and convoluted task for network operators, but it is possible. Just this week, the custodians of the Internet’s primary domain name servers, ICANN, officially “signed the root”, the first step in a long road of cryptographic protections that will eventually defend DNS from forged responses, such as those seen emanating from China.
The old saying that the “Internet perceives censorship as damage and routes around it” may no longer be true in the short term. But as long as local censorship causes damage to the global Internet, we can hope to see technologists work to route around the real problems it causes to us all.