by iLoveOncall 1211 days ago
That's not true, at least for VirginMedia. I use Cloudflare DNS servers and I can't access ThePirateBay without a proxy or a VPN, it's more than just a blockage at the DNS level.
5 comments

When I was on Virgin, I noticed that IP addresses used by some TPB or similar websites weren't routed to the internet, which is obviously quite bad. I'm not sure if it's still what they do. Better ISPs only do DNS blocking though. Some don't block anything actually.
Oof, this is serious, thanks for letting me know.
In that case it's your ISP (Virgin Media). My niche ISP gives me unfiltered internet. Also, I run my own recursive resolver.
Try an SSL DoH resolver, which can't be subject to simple transparent intercepts (at least not without you knowing about it).
I dunno about the UK's system, but with South Korea they just check the host in the request header and block by that.
How can they do that, the HTTP headers are encrypted by TLS?
Until encrypted SNI/encrypted client hello is a thing, the hostname is still sent in the clear.

Also, it can still be DNS blocked - just because you use Cloudflare's DNS doesn't mean they can't rewrite the responses as they still transit unencrypted. You'd have to use DNS-over-HTTPS or DNS-over-TLS to work around that.

If it's TLS 1.2, certificates containing CNs and/or SANs are sent in the clear too.
Luckily, ESNI is being supported by an increasing number of implementations.
I believe China's answer to ESNI is just to block all traffic that attempts to handshake with ESNI, so it still won't necessarily get you anywhere.
Once everything is using ESNI this isn't a problem anymore. It's the lack of implementation that is currently the problem.
Maybe it's actually SNI.
Not OP, no idea how they do it, but they COULD look at the SNI in the client hello.
They can block the IPs or watch for SNI requests.

It's far from as complex as the Great Firewall of China.

I don't think the main complaint about the Great Firewall of China is its complexity.
For now...