undefined | Better HN

0 pointsRowanH1y ago0 comments

So this one time, I had a bug report at a client site. The business was largely a member of _______ religion. Our images wouldn't load in the app, but did on the website. How odd I thought, that doesn't make sense! Luckily I was able to be physically present, so I hopped down with laptop in tow, ssh'd into the server and started tailing logs....

Sure enough all the API requests for data were coming through, but whenever a request for image happened - nothing would hit the servers.

What the heck I thought to myself?

I said to the client 'that can't be, that's almost impossible....the only way that's possible is if the SSL traffic is decrypted, inspected, and images blocked from being requested, which, is a MITM attack".

He redirected me to his IT provider. I phoned them up, and explained the situation.

"Ahh so they're _____"

Me: "So what does that have to do with the price of fish?"

Them : "Content filtering..., you need to talk to ____"

Sure as the day is long, the content filter was a VPN all members of ____ had to have on their mobile devices (I don't know how widespread this is, whether it was just this business, or the entire ____ )

I applied to have our system approved, it was, and just like magic the next day photos started coming through.

I'm guessing basically it detected any .jpg/.mp4 etc URL's in https requests and flagged it up and blocked them from being requested. You can be sure on those devices the VPN would have been somehow locked in with device management, and there's no way on gods green earth they were getting at Facebook/insta etc.

So, it's not just meta. That really hammered home how seamless it can be to end users that they really can't trust what's actually happening on their devices.

0 comments

leononame1y ago

Not that I'm a fan of it, but in corps it's pretty standard praxis to have a custom root cert installed on all devices and enforce VPN connections on devices outside the network to be able to MITM all requests and do stuff like content filtering (e.g. NSFW, swearwords and obviously malware). It's the company's device and they give it to you for work specific purpose, you shouldn't use it for personal stuff. I don't think it compares to an app that shadily installs its own root cert on an end user's device to spy on them.

RowanHOP1y ago

It's not corporate level it was/is religious group level (of which this particular org I'm guessing largely employed staff from that religion). They are well known within our country to be quite insular.

It certainly seemed for all intents and purposes if you were a member of _____ group (wider than the company) you had the vpn on your device, and it was filtering content. I've found other reports in other countries of that happening with the same group.

So it's not corporate content filtering, it's personal content filtering and our app got caught up in it (and approved).

It certainly made my skin crawl for anyone in that religion. That means the central filtering service could be reading messages. Not sure if they're that sophisticated but certainly they didn't want people to see random images/videos.

leononame1y ago

Is it like required from their religious leadership to install this? That is incredible, and I only now understand your comment to its full extent. That is brutal.

ndriscoll1y ago

This is one reason I think ECH is probably on net a bad idea. Content filtering is a legitimate use-case for lots of users/networks, and if traffic is completely opaque to all networks, you end up needing things like root level processes or full MITM or laws requiring ID for websites instead of more privacy-preserving inspection of basic metadata (like SNI) at the network level.

You could imagine a standard for a network to signal to a client that it does not allow certain privacy features like ECH, and then clients can accept that or not. Instead I expect browsers will eventually mandate ECH, so people will have to MITM instead.

FergusArgyll1y ago

Yes, this exists. There's more than one company you can choose. It's not 'forced' but strongly recommended. Also, my love for hacking started with getting around it...

felsokning1y ago

From the inference of the commenter, I think they were referring to an app on a mobile device and not the device itself.

It also sounds like their issue was at the ISP provider level, as well, which takes the business out of the loop of being the data controller/owner (of the collected data) at that point.

Note: I'm not saying that your comment doesn't have merit, I just don't think that the points that you made apply - specifically - in this case?

leononame1y ago

After re-reasing the comment I think you're right. I had a hard time grokking it it seems. But since the issue was apparently a VPN app installed on the phone, I don't know whether this was the ISP or maybe their IT service provider that did content filtering on behalf of the company (like an outsourced IT department?)

1 more reply

Tijdreiziger1y ago

There are even ‘safe’ (filtered) ISPs aimed at religious communities.

bratwurst30001y ago

Holy shit they can brainwash their peers even better. Those are evil geniuses….

Sorry I meant the optimize the content for their peers and shield them from harmful content for the better of humanity // irony

j / k navigate · click thread line to collapse

0 pointsRowanH1y ago0 comments

Sure enough all the API requests for data were coming through, but whenever a request for image happened - nothing would hit the servers.

What the heck I thought to myself?

He redirected me to his IT provider. I phoned them up, and explained the situation.

"Ahh so they're _____"

Me: "So what does that have to do with the price of fish?"

Them : "Content filtering..., you need to talk to ____"

I applied to have our system approved, it was, and just like magic the next day photos started coming through.

So, it's not just meta. That really hammered home how seamless it can be to end users that they really can't trust what's actually happening on their devices.

0 comments

leononame1y ago

RowanHOP1y ago

So it's not corporate content filtering, it's personal content filtering and our app got caught up in it (and approved).

leononame1y ago

Is it like required from their religious leadership to install this? That is incredible, and I only now understand your comment to its full extent. That is brutal.

ndriscoll1y ago

FergusArgyll1y ago

Yes, this exists. There's more than one company you can choose. It's not 'forced' but strongly recommended. Also, my love for hacking started with getting around it...

felsokning1y ago

From the inference of the commenter, I think they were referring to an app on a mobile device and not the device itself.

It also sounds like their issue was at the ISP provider level, as well, which takes the business out of the loop of being the data controller/owner (of the collected data) at that point.

Note: I'm not saying that your comment doesn't have merit, I just don't think that the points that you made apply - specifically - in this case?

leononame1y ago

1 more reply

Tijdreiziger1y ago

There are even ‘safe’ (filtered) ISPs aimed at religious communities.

bratwurst30001y ago

Holy shit they can brainwash their peers even better. Those are evil geniuses….

Sorry I meant the optimize the content for their peers and shield them from harmful content for the better of humanity // irony

j / k navigate · click thread line to collapse