
I know that some ISPs send block pages (like "This site has been blocked because ...") over HTTP by sending a fake 301/302 redirect.

I also know that instead of sending a block page, some ISPs simply send an RST to terminate the connection, or do nasty things with DNS, when blocking an HTTPS site.

But can they send a block page over HTTPS? And if possible, I'd like to know some other methods of blocking sites (both HTTP and HTTPS).

cynoob2

1 Answer


ISPs cannot inject their own pages into HTTPS traffic. They can block the traffic and cause the page to fail to load, or they can attempt to hijack an HTTP->HTTPS redirect before the encrypted connection is made, but they cannot modify the contents of the page itself once the connection is established. The only way for them to do this would be if you had installed a root certificate made by them, effectively telling your browser to trust your ISP to act as a Certificate Authority for arbitrary websites (a bad idea).

Glorfindel
forest
  • Could you please explain what you mean by hijacking an HTTP->HTTPS redirect? – cynoob2 May 22 '19 at 19:45
  • @cynoob2 When you connect to an HTTP site, the site might redirect you to the HTTPS version of the site automatically. An ISP could hijack this redirection. – forest May 22 '19 at 19:45
  • Oh I see. Thank you very much, I got the gist of it. – cynoob2 May 22 '19 at 19:46
  • This won't work if the site uses HSTS, however. – gparyani May 22 '19 at 23:17
  • Don't quite a few ISPs require you to install their root certificates when you use their modems (which they also require you to rent from them)? – Magisch May 23 '19 at 06:23
  • @Magisch No, that would be virtually unheard of. At least no major ISPs I know of do it. – forest May 23 '19 at 06:25
  • @forest AFAIK Comcast is doing just that in order to display data cap overlay notices, copyright strike overlay notices, ads for service upgrades and past due bill notifications. I'd think Comcast qualifies as a "major ISP". There are also quite a few ISPs in India that require this to inject advertising into HTTPS websites their users visit. – Magisch May 23 '19 at 06:57
  • @Magisch I can't find anything about Comcast doing that with a quick search. – forest May 23 '19 at 06:58
  • @forest A quick search on my end turned up https://www.xfinity.com/support/articles/data-usage-will-i-be-alerted-data-usage . How, besides root certificate spoofing, could Comcast display a browser overlay in real time, assuming you don't install any browser plugins by them? – Magisch May 23 '19 at 07:01
  • @Magisch It seems like they're doing that to HTTP pages, which are unencrypted. – forest May 23 '19 at 07:12
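A check a defender can run on the cleartext hop that the answer and the HSTS comment describe, as an added example (not the answerer's code): it flags a redirect that leaves the requested host, which is the shape an injected block page takes, and reads whether a Strict-Transport-Security policy would have made the browser skip that plain-HTTP hop entirely. The function names are this example's own assumptions.

```python
"""Spot an ISP-injected redirect on the plain-HTTP hop and check the HSTS policy.

Assumed helper names (classify_redirect, parse_hsts, hsts_blocks_redirect_hijack)
are this example's own, not from the original answer.
"""
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

def classify_redirect(requested_host, status, headers):
    """Label the plain-HTTP response seen before any TLS upgrade.

    A site-driven upgrade redirects to https:// on the same host. A redirect to
    another host is what an injected block page looks like: the ISP can forge
    this cleartext hop but not the site's HTTPS response.
    """
    location = headers.get("location", "")
    if status in REDIRECT_CODES and location:
        target = urlparse(location)
        if target.scheme == "https" and target.hostname == requested_host:
            return "upgrade-to-https"
        if target.hostname not in (None, requested_host):
            return "suspicious-redirect"
        return "http-redirect"
    if status == 200:
        return "plain-http"  # no TLS at all: content is modifiable in transit
    return "other"

def parse_hsts(header_value):
    """Parse Strict-Transport-Security; None when the header is absent."""
    if not header_value:
        return None
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and value.strip().isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def hsts_blocks_redirect_hijack(header_value):
    """True if a browser that has cached this policy never sends the plain-HTTP request."""
    policy = parse_hsts(header_value)
    return bool(policy and policy["max_age"] > 0)
```

Feed classify_redirect the status and lower-cased headers of a request to http://host/ made without following redirects, and parse_hsts the header from the HTTPS response; a first-ever visit is still unprotected unless the host is preloaded.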