Internet Society — Perspectives on Internet Content Blocking: An Overview
15
internetsociety.org
DPI blocking is very commonly used in enterprises for data leakage protection systems, anti-spam and anti-malware (anti-virus) products, and traffic prioritization (such as boosting the priority of enterprise videoconferencing) network management. However, it can also be used for more policy-based blocking purposes. For example, use of VoIP services not provided by the national telecommunications carrier is often regulated or restricted, and DPI blocking is effective at enforcing those restrictions.
DPI blocking uses devices that can see and control all traffic between the end-user and the content, so the blocking party (such as the user’s ISP) must have complete control over an end-user’s connection to the Internet. When the traffic is encrypted, as it often is, DPI blocking systems may no longer be effective. These issues are discussed in greater detail in the sidebar “Encryption, Proxies, and Blocking Challenges.”
DPI blocking is generally an effective technique at blocking certain types of content that can be identified using signatures or other rules (such as “block all Voice over IP traffic”). DPI blocking has been much less successful with other types of content, such as particular multimedia files or documents with particular keywords in them. Because DPI blocking examines all traffic to end users, it is also quite invasive of end user privacy.
The overall efficacy of DPI blocking varies widely depending both on the goals and the specific DPI tools being used. Generally, DPI tools are most effective in network management and security enforcement, and are not well-suited for policy-based blocking.
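The following is an added illustration, not code from the Internet Society paper, of the signature-based DPI classification described above: a few constructed packet payloads are matched against illustrative signatures (a plaintext SIP request, an HTTP request, and a TLS ClientHello record header), and a policy of “block all Voice over IP traffic” is applied. The signatures, policy table and sample payloads are all assumptions made for this example; the encrypted sample shows why a DPI rule cannot see a VoIP session once it is carried inside TLS.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal stand-in for a captured TCP/UDP segment (constructed, not a real capture)."""
    dst_port: int
    payload: bytes


# Illustrative DPI signatures: (protocol name, regex over the start of the payload).
SIGNATURES = [
    ("sip", re.compile(rb"^(INVITE|REGISTER|OPTIONS|BYE) sip:\S+ SIP/2\.0")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) /\S* HTTP/1\.[01]\r\n")),
    # TLS record: content type 22 (handshake), version 0x03xx, 2-byte length,
    # then handshake type 1 (ClientHello). DOTALL so length bytes may be 0x0a.
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
]

# Assumed policy: enforce "block all Voice over IP traffic", allow everything else.
POLICY = {"sip": "block", "http": "allow", "tls": "allow", "unknown": "allow"}


def classify(pkt: Packet) -> str:
    """Return the first matching signature name, or 'unknown' if nothing matches."""
    for name, rx in SIGNATURES:
        if rx.match(pkt.payload):
            return name
    return "unknown"


def decide(pkt: Packet) -> tuple[str, str]:
    """Apply the policy table to the classification result."""
    name = classify(pkt)
    return name, POLICY[name]


# Constructed sample payloads for this example.
SAMPLE_PACKETS = [
    Packet(5060, b"INVITE sip:alice@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1\r\n"),
    Packet(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # A SIP-over-TLS session starts with a ClientHello; the INVITE inside is encrypted.
    Packet(5061, b"\x16\x03\x01\x00\x0a\x01\x00\x00\x06\x03\x03" + b"\x00" * 6),
    Packet(5061, bytes([0x8f, 0x12, 0x7a, 0xc3, 0x00, 0xd4, 0x41])),  # opaque ciphertext
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt.dst_port, *decide(pkt))
```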
URL-Based Blocking
URL-based blocking is a very popular blocking method, and may occur both on the individual computer, or in a network device between the computer and the rest of the Internet. URL blocking works with web-based applications, and is not used for blocking non-web applications (such as VoIP). With URL blocking, a filter intercepts the flow of web (HTTP) traffic and checks the URL, which appears in the HTTP request, against a local database or on-line service. Based on the response, the URL filter will allow or block the connection to the web server requested.
Generally, URLs are managed by category (such as “sports sites”) and an entire category is blocked, throttled, or allowed [5]. In the case of a national policy requiring URL blocking, the on-line service and blocking policy would likely be managed by the government. The URL filter can simply stop the traffic, or it can redirect the user to another web page, showing a policy statement or noting that the traffic was blocked. URL blocking in the network can be enforced by proxies, as well as firewalls and routers.
[5] URL filtering categories are established by security service providers and are often based on a combination of human analysis of web pages combined with some automated scanning of web page content. Most security service providers offer URL filtering databases for the purposes of managing corporate network traffic, but they can be used in other contexts, such as those discussed in this paper.
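As an added example (not part of the paper), the URL filter described above in Python: it extracts the URL from a raw HTTP request, looks the hostname up in a small constructed category database, applies a per-category allow/block/throttle policy, and produces a redirect to a notice page when blocking. The database, policy, notice-page address and sample requests are assumptions for this example; the CONNECT case shows that for HTTPS a network filter sees only the hostname, not the path.

```python
from urllib.parse import urlsplit

# Constructed category database: exact hostname or "*.suffix" wildcard -> category.
CATEGORY_DB = {
    "scores.example.net": "sports",
    "*.video.example.org": "streaming",
    "mail.example.com": "webmail",
}
# Assumed policy; categories not listed here are allowed.
CATEGORY_POLICY = {"sports": "block", "streaming": "throttle", "webmail": "allow"}
BLOCK_PAGE = "http://blocked.example.invalid/policy"  # hypothetical notice page


def lookup_category(host: str) -> str:
    """Exact match first, then progressively shorter wildcard suffixes."""
    host = host.lower().rstrip(".")
    if host in CATEGORY_DB:
        return CATEGORY_DB[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "*." + ".".join(labels[i:])
        if key in CATEGORY_DB:
            return CATEGORY_DB[key]
    return "uncategorized"


def request_url(raw: str) -> tuple[str, str]:
    """Return (method, url) from a raw HTTP/1.x request.
    For CONNECT (HTTPS through a proxy) only host:port is visible; the path
    and query travel inside TLS, so the filter can only decide per hostname."""
    line, _, rest = raw.partition("\r\n")
    method, target, _ = line.split(" ", 2)
    if method == "CONNECT":
        return method, "https://" + target.rsplit(":", 1)[0] + "/"
    if target.startswith(("http://", "https://")):  # absolute-form request target
        return method, target
    headers = {k.lower(): v for k, v in
               (h.split(": ", 1) for h in rest.split("\r\n") if ": " in h)}
    return method, "http://" + headers["host"] + target


def filter_request(raw: str) -> dict:
    """Decide allow/block/throttle for one request; a block yields a redirect."""
    method, url = request_url(raw)
    category = lookup_category(urlsplit(url).hostname)
    action = CATEGORY_POLICY.get(category, "allow")
    response = None
    if action == "block":
        response = f"HTTP/1.1 302 Found\r\nLocation: {BLOCK_PAGE}\r\n\r\n"
    return {"method": method, "url": url, "category": category,
            "action": action, "response": response}
```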
Sidebar: Encryption, Proxies, and Blocking Challenges
Several of the techniques discussed in this paper, including Deep Packet Inspection (DPI)-based blocking and URL-based blocking, have a very real limitation: they must be able to see the traffic being evaluated. Web servers that offer encryption or users who add encryption to their communications (typically through application-specific encryption technology, such as TLS/SSL) cannot be reliably blocked by in-the-network devices. Many of the other techniques are also easily evaded when users have access to VPN technology that encrypts communications and hides the true destination and type of traffic. Although researchers and vendors have developed some ways of identifying some types of traffic through inference and analysis, these techniques often are simply guessing at what type of traffic they are seeing.
In recent research, 49% of US web traffic (by volume) was encrypted in February, 2016. (See: http://www.iisp.gatech.edu/sites/default/files/images/online_privacy_and_isps.pdf) This traffic would be effectively invisible to URL-based blocking and DPI tools that look at content, because the only visible information would be the domain name of the server hosting the information. To compensate for this “going dark,” some network blocking uses active devices (called proxies) that intercept and decrypt the traffic between the user and the web server, breaking the end-to-end encryption model of TLS/SSL.
When proxies are used, these cause significant security and privacy concerns. By breaking the TLS/SSL model, the blocking party gains access to all encrypted data and can inadvertently enable third-parties to do the same. The proxy could also change the content. If the blocking party has control over the user’s system (for example, a corporate-managed device would be highly controlled), the proxy may be very transparent. Generally, however, the presence of a proxy would be obvious to the end user, at least for encrypted (TLS/SSL) traffic (e.g. the user may get an alert that the certificate is not from a trusted authority). In addition, new industry and IETF standards (such as HTTP Strict Transport Security [RFC 6797], HTTP Public Key Pinning [RFC 7469], and DANE [RFC 6698]) and new security features in modern Internet browsers make it more difficult to proxy (and decrypt) TLS/SSL traffic without the knowledge and cooperation of the end user.
Proxies installed for content blocking reasons may also introduce performance bottlenecks into the flow of network traffic, making services slow or unreliable.