Here we go again - ISP DPI, but is it interception?

Peter Fairbrother zenadsl6186 at zen.co.uk
Wed Jul 28 18:22:31 BST 2010


James Firth wrote:
>> It seems that they are monitoring their outbound servers to compile lists
>> of IP addresses to which stuff is being sent. That would be perfectly
>> legal if used, for example, to fine-tune their routeing tables.
>>
>> But they go further by examining the port number and only including
>> packets addressed to port 80 in their lists. That is trickier,
> 
> More research is needed on this.  I have server logs from sites I run that I
> can use to establish shadow visitors, and whether any - if found - go to the
> exact page (i.e. full URL) or just the top level website.

If they don't go to the full URL they won't be able to detect whether 
there is some bad stuff on the served page - and thus they won't be able 
to do the job they claim to be doing.


>> So basically, I think what they are doing is potentially a Good Thing, and
>> most likely lawful.
> 
> What if shadow visits to the site, hypothesising that the full URL is
> visited, caused undesired consequences such as repeat posting or triggered
> other state-changing behaviour in the destination website?

Extremely likely - for instance, another access to a session-cookied 
site will almost always change the server state.

It's evil, and should not be allowed.

> 
>> Once they have a list of addresses of sites, they are perfectly
>> entitled to visit those sites (as is anybody else) and to probe them for
>> malware. If the site declines their probes, or demands some password that
>> they don't know, then the site is perfectly entitled to do that.
> 
> And herein could lie a flaw in such technology.  Already I've seen posted
> online the alleged IP range for the servers used for the shadow visits.
> 
> Sites hosting malware could easily use this information to block or send
> clean pages to the monitoring sites.  And of course it would be far more
> questionable if the monitoring itself spoofed the IP address of the original
> visitor, leading to scenarios such as "you claim you accidentally visited a
> website hosting questionable content, but never returned, yet logs retrieved
> from the server in question show you made a second visit less than 2 minutes
> later."
> 
> (OK that's a tad tenuous but hopefully explains a point).

Yes - and double charging for doubled access, and ... so on.



It won't work, so it's not a good thing.

It will do damage, so it's a bad thing.

It's illegal anyway. So it should be stopped.


-- Peter Fairbrother
> 
> James Firth
> 
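
Added example, not part of the original message or of either poster's code: one way to run the server-log check discussed above, pairing each visitor request with a follow-up from a suspected shadow-visit range and recording whether the full URL or only the site root was fetched. The combined log format, the sample lines, the 203.0.113.0/24 "suspect" range and the function names are all assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
# 198.51.100.0/24 plays ordinary visitors; 203.0.113.0/24 stands in for a
# suspected shadow-visit range (documentation addresses, purely hypothetical).
SAMPLE_LOG = """\
198.51.100.7 - - [28/Jul/2010:18:00:05 +0100] "GET /forum/post?id=42&confirm=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Jul/2010:18:00:47 +0100] "GET /forum/post?id=42&confirm=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [28/Jul/2010:18:03:10 +0100] "GET /news/item/7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Jul/2010:18:03:40 +0100] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Jul/2010:18:10:00 +0100] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Jul/2010:18:20:00 +0100] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(log_text):
    """Yield (ip, time, method, url) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ipaddress.ip_address(m.group(1)), when, m.group(3), m.group(4)

def find_shadow_visits(log_text, suspect_net, window=timedelta(minutes=2)):
    """Pair each visitor request with a later request from suspect_net inside window."""
    net = ipaddress.ip_network(suspect_net)
    hits = sorted(parse(log_text), key=lambda h: h[1])
    findings = []
    for i, (ip, t, _, url) in enumerate(hits):
        if ip in net:
            continue  # only original visitors start a pair
        for ip2, t2, _, url2 in hits[i + 1:]:
            if t2 - t > window:
                break
            if ip2 not in net:
                continue
            if url2 == url:
                kind = "full_url"    # exact page replayed, query string included
            elif url2 == "/":
                kind = "top_level"   # only the site root was fetched
            else:
                continue
            findings.append((str(ip), url, str(ip2), kind, int((t2 - t).total_seconds())))
            break
    return findings
```

A "full_url" finding on a URL with a query string or session state is the case where a replayed request could repeat a state-changing action on the destination site.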



