On 02/18/2010 08:37 AM, Olivier MJ Crepin-Leblond wrote:
> French lawmakers voted Tuesday to approve a draft law to filter Internet traffic...
> I had lunch with a chap from CISCO France last week and we discussed this. Apparently, 1. the cost of installing the powerful equipment required to perform content filtering of all traffic is so prohibitive ...
Once upon a time, when sorting some data, I learned that in computers there is often an efficient way and an inefficient (in my case a very, very inefficient) way to do it, especially if some of the constraints (such as 100% complete filtering) can be slightly relaxed.

Some filter people think that they need to reassemble entire TCP streams and scan the data, all in the real-time packet forwarding path of a router or switch. That's an inefficient way, and it requires mongo amounts of horsepower.

One easier way is to use a lesser device that hangs off the span port on a switch, that mainly inspects and occasionally injects a TCP RESET. Another, better way is to merely look at the first packet after the TCP connection establishment three-way handshake. For HTTP (web) traffic that packet quite often tells you everything you really care about when you are deciding whether to block that TCP connection or not. And this looking at the data can occur slightly outside of the real-time packet forwarding path of the inspection device: because TCP connections typically last at least 100 milliseconds, there's plenty of time to inject a TCP RESET or to block the later data or ACK packets and thus usually vitiate the usefulness even of the data that was successfully transferred on the earlier part of the TCP connection.

(An amusing sidelight: because the TCP RESET approach is so easy, and was used by Comcast in the US, some smart users installed filters on their PCs to block TCP RESETs and thus nullified the effect of the provider content filters.)

These "better" ways still require some heavy duty gear, but we're talking more like a beefy PC dangling off the span port of a switch, rather than a Cisco carrier grade router. Sure, this "better" way will miss a few. But on today's web a typical web page requires several dozen, and often many more, subsidiary web fetches to tracking images, javascript loads, little graphics, etc. And blocking even one of those, even if the main page load has occurred, causes the page to render inaccurately (or not at all) and can have nearly the same negative impact as blocking the main page.
> 2. zip your file and encrypt it using a *free* zip/encryptor and the file cannot be detected/decrypted
That works great - until encrypted data is presumed by the censor to contain bad stuff and thus must be included among the things to be blocked. As they say in the song "paranoia strikes deep".
> In other words, it's another law promoted by clueless non-technical "advisors"
Ah, the clueless may be ineffective in achieving their intended purpose, but along the way they are often very effective in creating collateral damage.
> ... this is France, we've got quantities of laws like that which are never enforced... :-)
California has the same problem. For example, we've got a McCarthy era (early 1950s "red scare") law on the books under which entities such as ICANN are labeled as a "subversive" organization. Unfortunately such laws, even if not routinely enforced today, are like some lost unexploded WW-I shell buried in a farmer's field that could be dug up and cause damage in the future. --karl--
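The first-packet approach Karl describes, as an added example that is not part of the thread: a single-pass classifier that records the client SYN, reads only the first data segment of each flow for the HTTP Host header, and never looks at later segments. The Packet type, the BLOCKED_HOSTS list and the sample traffic are all constructed for this illustration; flows whose first segment is not plaintext HTTP come back as "opaque", which is the encrypted-traffic case Karl raises in reply to point 2.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:  # simplified client->server TCP segment, constructed for the example
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    payload: bytes = b""

BLOCKED_HOSTS = {"blocked.example"}  # constructed policy list, not from the thread

def http_host(payload: bytes):
    """Lower-cased Host header from an HTTP/1.x request head, or None if not HTTP."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    request = lines[0].split(b" ")
    if len(request) != 3 or not request[2].startswith(b"HTTP/1."):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None

def classify_flows(packets):
    """One pass: decide each flow on its first data segment after the SYN, then never look again."""
    seen_syn, verdicts = set(), {}
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.syn:
            seen_syn.add(key)
        elif key in seen_syn and key not in verdicts and p.payload:
            host = http_host(p.payload)
            if host is None:
                verdicts[key] = "opaque"  # TLS, or the encrypted zip of point 2: the policy must guess
            else:
                verdicts[key] = "block" if host in BLOCKED_HOSTS else "allow"
    return verdicts

SAMPLE = [  # constructed client-side traffic, not a real capture
    Packet("10.0.0.5", "203.0.113.10", 40001, 80, syn=True),
    Packet("10.0.0.5", "203.0.113.10", 40001, 80,
           payload=b"GET /index.html HTTP/1.1\r\nHost: blocked.example\r\n\r\n"),
    Packet("10.0.0.5", "203.0.113.10", 40001, 80, payload=b"later data, never read"),
    Packet("10.0.0.5", "198.51.100.7", 40002, 80, syn=True),
    Packet("10.0.0.5", "198.51.100.7", 40002, 80, payload=b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("10.0.0.5", "198.51.100.7", 40003, 443, syn=True),
    Packet("10.0.0.5", "198.51.100.7", 40003, 443, payload=b"\x16\x03\x01\x00\xc8\x01"),
]
```

A flow whose SYN was never observed is left undecided, one of the "miss a few" cases the reply accepts in exchange for the cheap single pass.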