by lapser 1211 days ago
> Try to access thepiratebay.org or other pirate sites, or other sites that the UK gov deems inappropriate (CP obviously), etc.

I don't know about the "other sites", but tpb isn't part of any "Great Firewall". It's just ISPs have been required to update their DNS servers to _not_ resolve the DNS record. Even then, there are still quite a few ISPs that have not implemented it. It's why changing your DNS servers to something like Google or Cloudflare means you can easily access tpb.

So blocked websites in the UK are nowhere near on the same level as the Great Firewall.

My guess is those other sites are a bit more sophisticated, or if not, ISPs are willing to comply easier.


How the block is implemented is not of any concern to the public at large. Whether it's a simple DNS block or stateful packet inspection, the vast majority of people won't be able to access.

Once any blocking requirement is in place, it's only a matter of moving the slider to more technical means of enforcement to plug the holes in the system.

So you're right, the UK is nowhere near China in terms of filtering, neither does it need to be to still become a digital island.

That's not true, at least for VirginMedia. I use Cloudflare DNS servers and I can't access ThePirateBay without a proxy or a VPN, it's more than just a blockage at the DNS level.
When I was on Virgin, I noticed that IP addresses used by some TPB or similar websites weren't routed to the internet, which is obviously quite bad. I'm not sure if it's still what they do. Better ISPs only do DNS blocking though. Some don't block anything actually.
oof, this is serious, thanks for letting me know
In that case it's your ISP (Virgin Media). My niche ISP gives me unfiltered internet. Also, I run my own recursive resolver.
Try an SSL DoH resolver, which can't be subject to simple transparent intercepts (at least not without you knowing about it).
I dunno about the UK's system, but with South Korea they just check the host in the request header and block by that.
How can they do that? The HTTP headers are encrypted by TLS.
Until encrypted SNI/encrypted client hello is a thing, the hostname is still sent in the clear.

Also, it can still be DNS blocked - just because you use Cloudflare's DNS doesn't mean they can't rewrite the responses as they still transit unencrypted. You'd have to use DNS-over-HTTPS or DNS-over-TLS to work around that.

If it's TLS1.2, certificates containing CNs and/or SANs are sent in the clear too.
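The point made above, that the hostname travels in the clear in the TLS ClientHello even though the HTTP headers are encrypted, is easiest to see by parsing one. The following is an added example, not code from the thread or from any ISP's filtering system: it assembles a minimal ClientHello carrying a server_name extension (a constructed sample, assumed for illustration), then pulls the SNI out of the raw bytes the way a middlebox doing DPI would and matches it against a hypothetical blocklist. Every byte it reads sits in the unencrypted part of the handshake, which is why ECH (which moves the real server_name into an encrypted inner ClientHello) is the fix the thread refers to.

```python
import struct

# Hypothetical blocklist used only for this example; thepiratebay.org is the
# domain discussed in the thread, not a real filtering rule from any ISP.
BLOCKLIST = {"thepiratebay.org"}


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal TLS record holding a ClientHello with SNI."""
    host = hostname.encode("ascii")
    # server_name extension (type 0): ServerNameList -> [name_type=0, len, host]
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # an unrelated extension first (supported_versions, type 43: TLS 1.3 only)
    # so the parser has to skip something before reaching server_name
    ext_versions = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    extensions = ext_versions + ext_sni
    body = (
        b"\x03\x03"                           # legacy_version: TLS 1.2
        + b"\x00" * 32                        # random (zeroed; sample only)
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
        + b"\x01\x00"                         # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None.

    Reads only the plaintext handshake record, i.e. exactly what an on-path
    box sees before any encryption is negotiated."""
    if len(record) < 5 or record[0] != 0x16:
        return None  # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None  # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                           # skip session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                           # skip compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))

    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue                               # not server_name, skip it
        i = 2                                      # skip ServerNameList length
        while i + 3 <= len(edata):
            ntype = edata[i]
            nlen = struct.unpack("!H", edata[i + 1:i + 3])[0]
            name = edata[i + 3:i + 3 + nlen]
            if ntype == 0:                         # name_type host_name
                return name.decode("ascii", "replace")
            i += 3 + nlen
    return None


def should_block(record: bytes) -> bool:
    """Block decision a simple SNI filter would make for one ClientHello."""
    sni = extract_sni(record)
    if sni is None:
        return False  # nothing to match on (e.g. ECH, or not a ClientHello)
    return sni in BLOCKLIST or any(sni.endswith("." + d) for d in BLOCKLIST)


if __name__ == "__main__":
    for host in ("thepiratebay.org", "www.thepiratebay.org", "example.com"):
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec), "blocked:", should_block(rec))
```

Note that the filter never needs a DNS answer or a decrypted byte: if the ISP already has a resolver-level block, SNI matching is the next notch on the "slider" mentioned earlier in the thread, and encrypted DNS alone does not defeat it.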
Luckily, ESNI is being supported by an increasing number of implementations.
I believe China's answer to ESNI is just to block all traffic that attempts to handshake with ESNI, so it still won't necessarily get you anywhere.
Maybe it's actually SNI.
Not OP, no idea how they do it, but they COULD look at the SNI in the client hello.
They can block the IPs or watch for SNI requests.

It's far from as complex as the Great Firewall of China.

I don't think the main complaint about the Great Firewall of China is its complexity.
For now...