Can ISP block HTTPS selectively i.e. certain websites cannot be accessed using HTTPS while others can be ?
4 Answers
Current browsers all do SNI (Server Name Indication) to make it possible to set up different hostnames on the same IP but with different certificates. To make this work the hostname of the target server is included in the clear in the initial handshake packet from the client (ClientHello).
By selectively blocking the ClientHello if it contains specific strings inside the SNI extension a firewall could block specific SSL sites, even without affecting other SSL sites behind the same IP. On less capable firewalls (without deeper inspection) you could simply have broader rules to block access to specific IPs.
Because this is SSL and the firewall has no access to the real certificate it cannot send the client a proper error page, so the client just gets a strange error message inside the browser because the connection was either reset or it timed out, depending on how the firewall handles the blocking.
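As an added example (not code from any of the answers above), here is a small Python script that constructs a minimal TLS ClientHello carrying an SNI extension and then parses the hostname back out of the raw bytes, which is exactly what a filtering device on the path can read before any encryption starts. The record layout follows RFC 5246 / RFC 6066; the sample bytes are constructed here, not taken from a capture.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000  # extension type server_name (RFC 6066)


def build_client_hello(hostname=None):
    """Return a TLS record holding a minimal ClientHello (constructed sample, not a capture)."""
    # With hostname=None the extensions block is omitted entirely, which TLS permits.
    body = b"\x03\x03" + b"\x00" * 32   # client_version TLS 1.2, 32-byte random (zeros here)
    body += b"\x00"                      # empty session_id
    body += b"\x00\x02\xc0\x2f"          # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                  # one compression method: null
    if hostname is not None:
        host = hostname.encode("ascii")
        server_name = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name(0)
        ext_data = struct.pack("!H", len(server_name)) + server_name  # ServerNameList
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def sni_hostname(record):
    """Return the SNI hostname from a ClientHello record, or None if there is none."""
    # Every length field is honoured, so truncated or non-TLS input yields None, not an exception.
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                                   # not a handshake record / not a ClientHello
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        pos = 2 + 32                                      # skip client_version and random
        pos += 1 + body[pos]                              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos >= len(body):
            return None                                   # no extensions at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == SNI_EXTENSION_TYPE:
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]  # past list_len(2), name_type(1)
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
```

Feeding the parser a real ClientHello captured with tcpdump on port 443 shows the same thing: the hostname is readable in plaintext, while everything after the handshake is not.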
Technically, an ISP can block any traffic since they are your path out to the rest of the Internet. They can block any ports, websites, etc.
If you are asking if they can downgrade a site you request with HTTPS to regular HTTP, it is possible they could serve you such a page. But it would not appear as HTTPS; you would see the URL as HTTP and would see no lock icon, etc. At the packet level, HTTPS and HTTP look different and provide different information.
- This means the ISP can block https for facebook only, and see my facebook traffic. Isn't it? – rintec Aug 28 '14 at 19:43
- Does this mean the ISP can block TLS encryption as well? You may be in a position to answer this https://security.stackexchange.com/questions/66342/tor-security-if-isp-blocks-tls-channel – rintec Aug 28 '14 at 19:47
- Not without you knowing it's blocked. If they "blocked" it and you went to **https**://facebook.com you would get a 404. If they redirected from **https**://facebook.com to **http**://facebook.com your browser would not tell you it's still HTTPS. – Eric G Aug 28 '14 at 19:47
- If you live in a country with high censorship, etc., they may well not block HTTPS; they would ensure that your computer has their certificate on it, and they would then do a MitM attack, but it would not be obvious you were connecting through them. Blocking does not equate to intercepting. – Eric G Aug 28 '14 at 19:49
- I think certain sites like facebook fall back to http if https is blocked. But I got your point, thanks. – rintec Aug 28 '14 at 19:51
- No, they cannot install a certificate without access to the computer, but I would imagine if a computer was legally imported into a country where the government wanted to intercept, they could modify the OS, firmware, etc. – Eric G Aug 28 '14 at 20:16
- "*If they redirected from https://facebook.com to http://facebook.com your browse...*" They can't do that. An https redirect has to come from the site you're trying to reach, which they can't impersonate (unless they have you install something that lets them do so). – David Schwartz Aug 28 '14 at 21:50
- @EricG you won't get a 404, as that requires an actual request being made, which won't happen if https is blocked; instead you get a "server won't respond" error. – ratchet freak Aug 28 '14 at 23:49
- @DavidSchwartz you are referring to a site at http redirecting to https, you mean? If you control the flow of packets, you can set up whatever proxy and responses you want. You are talking about site behavior; I am talking about the ISP setting up a device where they do packet inspection and then modify your request, create new requests, whatever they want. – Eric G Aug 29 '14 at 02:34
- @EricG I'm quoting you talking about a site at https redirecting to http. That is not possible. Even if you control the flow of packets, you cannot complete the SSL handshake successfully, so you cannot redirect. – David Schwartz Aug 29 '14 at 17:28
What an ISP could do
- As the network operator, the ISP could block all traffic to/from some IP addresses for port 443, which is the standard TCP port used for HTTPS. That could be a simple firewall rule. By "block", I mean preventing the TCP connection from being established at all. (Sending back a denial page over HTTPS is quite a bit more challenging — in theory, not possible.)
- If you request http://example.com/ and the server would normally send back an HTTP redirect telling your browser to go to https://example.com/ instead, the ISP could intercept that redirect response.
What an ISP cannot do
Let's assume that the ISP is unable to crack or otherwise work around the cryptography.
- The ISP cannot distinguish between a request to https://example.com/some/permissible/location and https://example.com/some/objectionable/location, and therefore cannot selectively block URLs within one website.
- The ISP cannot distinguish between https://virtualhost1.example.com/ and https://virtualhost2.example.com/, if both virtual hosts are hosted on the same IP address and they share a wildcard SSL certificate. However, DNS can be spoofed to make this happen — see below.
Caveats
- If the user obliviously dismisses all SSL certificate mismatch warnings, then that defeats all man-in-the-middle protection that SSL normally provides.
- If the user's browser recognizes a corrupt or compromised Certificate Authority as authoritative, then the ISP could also take advantage of that misplaced trust to decrypt all HTTPS traffic as if it were unencrypted.
- The ISP runs a DNS server, and chances are that you use their DNS server. Their DNS server could be configured to return spoofed responses, such that virtualhost2.example.com or encrypted.google.com maps to an IP address that they block.
- Good answer, but please consider SNI as per Steffen Ullrich's answer. In this case, the server name is sent in plaintext, which could let a third party differentiate between hosts on the same IP. – David Houde Aug 29 '14 at 01:30
Yes, they can. For example, https connections to Google are blocked in China while users can access other websites via https, such as Bing.