Standard User MarcuT
(newbie) Fri 26-May-17 13:16:52

Vodafone blocks sites with user submitted content

 
I noticed this week that most images on Reddit (UK's #5 website according to Alexa!), and comments sections on many websites stopped loading, but only on Vodafone broadband. On the Vodafone forum, people have been reporting this intermittently for several years! I wish I had known before switching to them.

The reason the sites are not loading appears to be Vodafone's poor implementation of the Internet Watch Foundation web filter. UK ISPs are normally required to block or monitor access to specific URLs someone has flagged up to IWF. Any changes users try in Vodafone's Content Control interface have no effect on this.

When you access https://disqus.com or https://imgur.com for example, the OS finds the site's IP address from the modem and Vodafone's DNS servers. In this case, Vodafone's servers don't return the actual IP of disqus.com anymore, but rather their own IP 90.255.255.1. The browser then connects to that IP, requests the URL asked for, and presto, Vodafone has hijacked your connection and fulfilled their IWF duty. The only trouble is that Vodafone customers opening HTTPS links get an ugly error message instead and can't open anything on the site at all.

Your connection is not private

Attackers might be trying to steal your information from disqus.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is disqus.com; its security certificate is from contentcontrol.vodafone.co.uk. This may be caused by a misconfiguration or an attacker intercepting your connection.


Thanks to web certificates, the browser stops this intercept attempt. Vodafone's support suggests ignoring the message and reducing the browser's security, but that's not possible in all browsers. My daily browsing of Reddit nonsense through their mobile app forces imgur.com content over https, so all the images from there are blank. There goes part of the entertainment of a home broadband.

Further, if the error is ignored, the site seems to work, but the response headers contain this:
Via: 1.0 iwffilter.broadband.vodafone.co.uk (squid)


With the internet moving more and more to HTTPS, in many cases redirecting any HTTP access to HTTPS, this is going to become a major issue in the future. What can we do?
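
The name check behind the NET::ERR_CERT_COMMON_NAME_INVALID error quoted above, as an added example that is not part of the original post and is not browser source code: a simplified RFC 6125 style match of the requested hostname against the DNS names in the presented certificate. The name lists are constructed from the names quoted in this thread; the extra `imgur.com` entry on the genuine certificate is an assumption.

```python
def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if one certificate DNS name (optionally '*.x.y') covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # only the whole left-most label may be a wildcard, never '*.tld'
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def verify_host(hostname, cert_dns_names):
    """Return (ok, reason), the decision a TLS client makes before sending data."""
    for pattern in cert_dns_names:
        if name_matches(pattern, hostname):
            return True, f"{hostname} is covered by {pattern}"
    return False, f"{hostname} is not among {cert_dns_names}"

# Constructed sample data (see lead-in for what is assumed).
GENUINE_IMGUR = ["*.imgur.com", "imgur.com"]
FILTER_PROXY = ["contentcontrol.vodafone.co.uk"]

def demo():
    """Check each blocked hostname against the filter proxy's certificate."""
    hosts = ("disqus.com", "imgur.com", "i.imgur.com")
    return {host: verify_host(host, FILTER_PROXY)[0] for host in hosts}

if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{host}: certificate from filter IP accepted = {ok}")
    print(verify_host("i.imgur.com", GENUINE_IMGUR))
```

Because the redirect happens at the DNS layer, the proxy can only present a certificate for its own name, so the check fails for every hostname it answers for.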
Standard User MarcuT
(newbie) Sat 03-Jun-17 01:04:41
Re: Vodafone blocks sites with user submitted content

[re: MarcuT]
 
A week later:
Sites with the comments section from Disqus.com are loading again.
Imgur.com site HTML over HTTPS loads now as well, but images do not load. They're hosted at i.imgur.com, which is still on the list of domains to hijack.

Glad to see things are improving, and I do hope it's because someone actively addressed the issue. I only wish support would acknowledge that the problem is on Vodafone's end, and not force people through the usual broadband troubleshooting act.
Standard User arendall667
(regular) Sat 03-Jun-17 06:28:50
Re: Vodafone blocks sites with user submitted content

[re: MarcuT]
 
Have you tried changing the DNS servers at PC level? I'm on Demon (now owned by Vodafone) and if you use Demon DNS servers you get random errors from the IWF filter about trying to use this website as a Proxy. Changing the PC DNS servers to Google or Open DNS made these go away.

Anthony



Standard User mbames
(member) Sat 03-Jun-17 15:10:03
Re: Vodafone blocks sites with user submitted content

[re: arendall667]
 
Either try using Google's DNS servers, or if you know that i.imgur.com is blocked, then add an entry to your local hosts file:

c:\windows\System32\drivers\etc\hosts

in the form of:

151.101.16.193 i.imgur.com


Obviously not an ideal solution, but a temporary workaround at least.

Sky Fibre (40/10), Draytek 130, DrayTek 2925, DrayTek AP-700
(Gone but not forgotten: 2820n x 2, 2800vg, 2800, HG612)

Speedtests:
ThinkBB - Mini | ThinkBB - Full | Speedtest.net
Standard User MarcuT
(newbie) Sat 03-Jun-17 21:37:49
Re: Vodafone blocks sites with user submitted content

[re: mbames]
 
Yes! Both of those workarounds work. I could probably change the DNS server IP on the modem instead, but I don't want to mess with it too much since people everywhere are saying that Vodafone's HHG2500 is an unreliable one. It's a bit of a pain to set IPs everywhere, especially on Android where it seems to want the device IP static before letting me change DNS addresses.

It's worrying that Vodafone have let people complain about the intermittent domain blocks since 2015, and only admitted in February 2017 that their Content Controls are at fault. Support still haven't got the news of course... It's like when Wikipedia got blocked almost 10 years ago, there's been no progress.
Standard User MarcuT
(newbie) Wed 07-Jun-17 18:47:37
Re: Vodafone blocks sites with user submitted content

[re: MarcuT]
 
Like a satnav that refuses to take you to Blackpool, Vodafone's DNS is once again blocking all of imgur.com, www, and i. Why does it keep changing? The Time to Live of the responses is always 5 minutes, so it shouldn't be about unexpected caching. It doesn't really bother my personal broadband experience since I don't use the provided satnav anymore, but the risk of things suddenly breaking with nobody batting an eye is a huge concern.
Administrator MrSaffron
(staff) Wed 07-Jun-17 18:59:03
Re: Vodafone blocks sites with user submitted content

[re: MarcuT]
 
Usual issue is the proxy that handles the blocking is overwhelmed by the amount of work checking to make sure a specific URL is not on the block list, i.e. so it's not a block per se of a site usually, but a side effect of what happens when a popular site ends up going through the URL inspection process.

The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User MarcuT
(newbie) Mon 07-Jan-19 21:40:44
Re: Vodafone blocks sites with user submitted content

[re: MarcuT]
 
This was mentioned in another thread so I thought I'd add a bit more detail.

Vodafone's inadvertent blocking of Imgur and other sites is on its fourth year, still with the same broken setup. People unaware of the DNS workaround are still being redirected to the Vodafone proxy on and off, and still getting the same error messages, if not worse. I've added some of the output from the openssl tool below just as concrete proof.

But not to worry, Vodafone have made some progress as well. In the name of Security, the routers now have an option called "Allow only encrypted access to your Vodafone Connect via https". Enabling it does just that, and also returns a "Web UI.cer" certificate file, which the user is instructed to install. Sounds really good to protect you from all the nasties at home right? What they don't mention is that it's a root certificate, and anyone with its private key can issue certificates for other websites, which will be trusted by browsers with the router's certificate installed. Backdoor to certificate spoofing without error messages, disguised as a security improvement, A*! But we all trust our ISPs to be competent enough to choose trusted solutions, keep our traffic untouched, and private keys safely stored and not embedded in all customer devices, right??

Here's the certificate details:

openssl x509 -in "WEB UI.cer" -text -purpose
Certificate:
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, O=Vodafone Broadband, CN=vodafone
Subject: C=GB, O=Vodafone Broadband, CN=vodafone
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:vodafone, DNS:vodafone.connect, IP Address:192.168.1.1
X509v3 Basic Constraints:
CA:TRUE

Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
Netscape SSL server : Yes
Netscape SSL server CA : Yes
S/MIME signing : Yes
S/MIME signing CA : Yes
S/MIME encryption : Yes
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes


On to the Imgur connection attempts then, which Vodafone luckily aren't stirring up with spoofed certificates yet.

Google's DNS for comparison:
nslookup imgur.com 8.8.8.8
Name: imgur.com
Address: 151.101.16.193


HTTPS request to that real Imgur IP:
openssl s_client -connect 151.101.16.193:443 -servername imgur.com
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
depth=0 C = US, ST = California, L = San Francisco, O = "Imgur, Inc.", CN = *.imgur.com
---
GET / HTTP/1.1
Host: imgur.com



HTTP/1.1 200 OK
Content-Length: 4287
Server: cat factory 1.0
[...etc what you'd expect in a genuine response...]


Vodafone router's DNS:
nslookup imgur.com 192.168.1.1
Name: imgur.com
Address: 90.255.255.1


HTTPS request to the Vodafone IP:
openssl s_client -connect 90.255.255.1:443 -servername imgur.com
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
depth=0 C = GB, ST = Berkshire, L = Newbury, O = Vodafone Group Services Limited, CN = contentcontrol.vodafone.co.uk
---
GET / HTTP/1.1
Host: imgur.com



HTTP/1.0 301 Moved Permanently
Retry-After: 0
Location: https://imgur.com/
Content-Length: 0
Server: cat factory 1.0
X-Cache: MISS from iwffilter.broadband.vodafone.co.uk
X-Cache-Lookup: MISS from iwffilter.broadband.vodafone.co.uk:3128
Via: 1.0 iwffilter.broadband.vodafone.co.uk (squid)


Cue redirect loop where the browser requesting https://imgur.com/ is told to go to https://imgur.com/ instead (like reported here and here). If the browser doesn't give up first with ERR_TOO_MANY_REDIRECTS, the proxy will after a few more loops:

HTTP/1.0 500 Internal Server Error
Server: squid
X-Squid-Error: ERR_ICAP_FAILURE 0
X-Cache: MISS from iwffilter.broadband.vodafone.co.uk
X-Cache-Lookup: NONE from iwffilter.broadband.vodafone.co.uk:3128
Via: 1.0 iwffilter.broadband.vodafone.co.uk (squid)

[...cruft removed...]
<p>The following error was encountered while trying to retrieve the URL: <a href="http://imgur.com/">http://imgur.com/</a></p>

<blockquote id="error">
<p><b>ICAP protocol error.</b></p>
</blockquote>

<p id="sysmsg">The system returned: <i>[No Error]</i></p>

<p>This means that some aspect of the ICAP communication failed.</p>

<p>Some possible problems are:</p>
<ul>
<li><p>The ICAP server is not reachable.</p></li>
<li><p>An Illegal response was received from the ICAP server.</p></li>
</ul>

<br>
</div>

<hr>
<div id="footer">
<p>Generated Mon, 07 Jan 2019 21:40:38 GMT by iwffilter.broadband.vodafone.co.uk (squid)</p>
<!-- ERR_ICAP_FAILURE -->
</div>


See how the error message is for http even though https (port 443) was requested. That explains the redirect loop, since Imgur normally responds to http requests with a redirect to https.

So, not only are Vodafone recommending customers to ignore browser security warnings and otherwise playing with fire, they're sending customer data out unencrypted. I haven't seen any ISP go this far with misguided filtering attempts yet, but it'll be interesting to see if Vodafone's example will be seen as positive or negative by the less techy customers.
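
A check a user or administrator could run on a certificate before adding it to a trust store, as an added example that is not part of the original post: it reads `openssl x509 -text` style output and reports the properties the post above points out in "Web UI.cer". `ROUTER_CERT` is constructed from the field values quoted in the post, `LEAF_CERT` is a constructed contrast case, and the function names are hypothetical.

```python
import re

# Constructed input: `openssl x509 -text` style output using the field values
# quoted in the post above (layout reconstructed for this added example).
ROUTER_CERT = """\
Issuer: C=GB, O=Vodafone Broadband, CN=vodafone
Subject: C=GB, O=Vodafone Broadband, CN=vodafone
X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:vodafone, DNS:vodafone.connect, IP Address:192.168.1.1
    X509v3 Basic Constraints:
        CA:TRUE
"""

# Constructed contrast case: an ordinary server (leaf) certificate.
LEAF_CERT = """\
Issuer: C=XX, O=Example CA, CN=Example Issuing CA
Subject: CN=router.example
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
"""

def _field(text, label):
    """Value of a single-line 'Label: value' field, or None if absent."""
    m = re.search(rf"^\s*{label}:\s*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def audit_cert_text(text):
    """List the reasons a certificate is risky to add to a trust store."""
    findings = []
    issuer, subject = _field(text, "Issuer"), _field(text, "Subject")
    if issuer is not None and issuer == subject:
        findings.append("self-issued")              # would be trusted as a root
    if re.search(r"Basic Constraints:.*\n\s*CA:TRUE", text):
        findings.append("ca-true")                  # may sign other certificates
        if "X509v3 Name Constraints" not in text:
            findings.append("no-name-constraints")  # not limited to router names
    return findings

if __name__ == "__main__":
    print("router:", audit_cert_text(ROUTER_CERT))
    print("leaf:  ", audit_cert_text(LEAF_CERT))
```

A certificate that only needs to secure the router's admin page can be a leaf with `CA:FALSE`, for which the audit returns no findings.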
Standard User caffn8me
(eat-sleep-adslguide) Tue 08-Jan-19 06:38:55
Re: Vodafone blocks sites with user submitted content

[re: MarcuT]
 
That's really interesting. Thank you for posting.

Just out of curiosity, does Vodafone's proxy support TLSv1.3 yet?

I notice that the standard www.vodafone.co.uk site doesn't redirect from HTTP to HTTPS - which is pretty poor these days.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User ukhardy07
(knowledge is power) Tue 08-Jan-19 10:44:36
Re: Vodafone blocks sites with user submitted content

[re: MarcuT]
 
If I understand this right they are basically performing MiTM on all traffic to certain sites, and hence they are requesting users install their certificate to facilitate this which is 1) Encouraging users to think it is normal and acceptable to utilise untrusted certificates in this way and 2) Breaking down the trust relationship intended by certificates in the first place.

In an attempt to filter traffic they have eroded basic security, and what concerns me the most is whenever I have researched this issue (albeit a year+ ago now), Vodafone always discuss working with their "vendor" to fix this. So we have users installing this VF certificate, potentially transmitting this data to a random VF vendor, where the data can be viewed in the clear.

It is almost in your face spying... If this data was ever compromised there would be an overarching question "why was the data transmission broken down to facilitate encrypted traffic being processed/transmitted in the clear in the first place?"
Standard User Oliver341
(eat-sleep-adslguide) Tue 08-Jan-19 12:07:26
Re: Vodafone blocks sites with user submitted content

[re: ukhardy07]
 
In reply to a post by ukhardy07:
In an attempt to filter traffic they have eroded basic security

Agreed, what Vodafone is doing here is concerning. Maybe Ofcom should be asked what they make of all this.

Oliver.