by RowanH 813 days ago
So this one time, I had a bug report at a client site. The business was largely a member of _______ religion. Our images wouldn't load in the app, but did on the website. How odd I thought, that doesn't make sense! Luckily I was able to be physically present, so I hopped down with laptop in tow, ssh'd into the server and started tailing logs....

Sure enough all the API requests for data were coming through, but whenever a request for image happened - nothing would hit the servers.

What the heck I thought to myself?

I said to the client "that can't be, that's almost impossible....the only way that's possible is if the SSL traffic is decrypted, inspected, and images blocked from being requested, which is a MITM attack".

He redirected me to his IT provider. I phoned them up, and explained the situation.

"Ahh so they're _____"

Me: "So what does that have to do with the price of fish?"

Them: "Content filtering..., you need to talk to ____"

Sure as the day is long, the content filter was a VPN all members of ____ had to have on their mobile devices (I don't know how widespread this is, whether it was just this business, or the entire ____).

I applied to have our system approved, it was, and just like magic the next day photos started coming through.

I'm guessing basically it detected any .jpg/.mp4 etc URLs in https requests and flagged it up and blocked them from being requested. You can be sure on those devices the VPN would have been somehow locked in with device management, and there's no way on god's green earth they were getting at Facebook/insta etc.

So, it's not just Meta. That really hammered home how seamless it can be to end users that they really can't trust what's actually happening on their devices.


Not that I'm a fan of it, but in corps it's pretty standard practice to have a custom root cert installed on all devices and enforce VPN connections on devices outside the network to be able to MITM all requests and do stuff like content filtering (e.g. NSFW, swearwords and obviously malware). It's the company's device and they give it to you for a work-specific purpose; you shouldn't use it for personal stuff. I don't think it compares to an app that shadily installs its own root cert on an end user's device to spy on them.

It's not corporate level, it was/is religious group level (of which this particular org I'm guessing largely employed staff from that religion). They are well known within our country to be quite insular.

It certainly seemed for all intents and purposes if you were a member of _____ group (wider than the company) you had the vpn on your device, and it was filtering content. I've found other reports in other countries of that happening with the same group.

So it's not corporate content filtering, it's personal content filtering and our app got caught up in it (and approved).

It certainly made my skin crawl for anyone in that religion. That means the central filtering service could be reading messages. Not sure if they're that sophisticated but certainly they didn't want people to see random images/videos.

Is it like required from their religious leadership to install this? That is incredible, and I only now understand your comment to its full extent. That is brutal.
This is one reason I think ECH is probably on net a bad idea. Content filtering is a legitimate use-case for lots of users/networks, and if traffic is completely opaque to all networks, you end up needing things like root level processes or full MITM or laws requiring ID for websites instead of more privacy-preserving inspection of basic metadata (like SNI) at the network level.

You could imagine a standard for a network to signal to a client that it does not allow certain privacy features like ECH, and then clients can accept that or not. Instead I expect browsers will eventually mandate ECH, so people will have to MITM instead.
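The SNI-versus-ECH point in the comment above, as an added example that is not code from the original thread: a small parser for what a network-level filter actually sees in a TLS ClientHello without decrypting anything. The ClientHello bytes are constructed inline by a minimal builder (placeholder random value and a single cipher suite, not a real handshake); the encrypted_client_hello extension codepoint 0xfe0d is the draft value, and which draft a given client speaks is an assumption. The takeaway is that a metadata-only filter gets at most a hostname, never a URL path, so blocking "any .jpg" as described earlier in the thread requires decrypting the session; with ECH present, even the hostname is only the outer public name.

```python
"""
Added example for this thread: what a network-level filter can see in a TLS
ClientHello. Not code from the original post; all bytes below are constructed.
"""
import struct

SNI_EXT = 0x0000   # server_name, RFC 6066
ECH_EXT = 0xFE0D   # encrypted_client_hello, draft codepoint (assumption: draft-ietf-tls-esni-13+)


def build_client_hello(server_name: str, with_ech: bool = False) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with an SNI extension.

    Test fixture only: random and cipher suite are placeholders, and the ECH
    payload is opaque filler where a real client would put an HPKE ciphertext.
    """
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    if with_ech:
        payload = b"\x00" * 16
        exts += struct.pack("!HH", ECH_EXT, len(payload)) + payload
    body = (
        b"\x03\x03"                                  # legacy_version
        + b"\x11" * 32                               # random (placeholder)
        + b"\x00"                                    # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"         # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': hostname or None, 'ech': bool} from a TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                   # skip legacy_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = body[pos]
    pos += 1 + comp_len

    result = {"sni": None, "ech": False}
    if pos + 2 > len(body):
        return result                              # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun")

    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if len(data) != elen:
            raise ValueError("extension overrun")
        if etype == ECH_EXT:
            result["ech"] = True
        elif etype == SNI_EXT and len(data) >= 2:
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                name = data[q:q + nlen]
                q += nlen
                if ntype == 0 and result["sni"] is None:
                    result["sni"] = name.decode("ascii", "replace")
    return result


def filter_decision(record: bytes, blocked_hosts: set) -> str:
    """What a metadata-only filter can do: act on the SNI hostname.

    It never sees the URL path, so a rule like "block *.jpg" is impossible at
    this layer; with ECH the visible name is only the outer public name.
    """
    info = parse_client_hello(record)
    if info["ech"]:
        return "opaque"
    if info["sni"] in blocked_hosts:
        return "block"
    return "allow"


if __name__ == "__main__":
    for host, ech in (("cdn.example.com", False), ("public.example", True)):
        rec = build_client_hello(host, with_ech=ech)
        print(host, parse_client_hello(rec), filter_decision(rec, {"cdn.example.com"}))
```

Run it and the two lines show the difference: the plain ClientHello yields the hostname and a block/allow decision, the ECH one yields only the outer name and "opaque". A filter that needs to act on paths or content has no option left but to terminate TLS itself, which is exactly the root-cert-plus-VPN arrangement the rest of the thread describes.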

Yes, this exists. There's more than one company you can choose. It's not 'forced' but strongly recommended. Also, my love for hacking started with getting around it...

From the inference of the commenter, I think they were referring to an app on a mobile device and not the device itself.

It also sounds like their issue was at the ISP provider level, as well, which takes the business out of the loop of being the data controller/owner (of the collected data) at that point.

Note: I'm not saying that your comment doesn't have merit, I just don't think that the points that you made apply - specifically - in this case?

After re-reading the comment I think you're right. I had a hard time grokking it, it seems. But since the issue was apparently a VPN app installed on the phone, I don't know whether this was the ISP or maybe their IT service provider that did content filtering on behalf of the company (like an outsourced IT department?)

The VPN (much like Meta's) is doing some root cert trickery to filter content that is deemed inappropriate or potentially inappropriate. This appeared to be controlled by a Company A in another country that undoubtedly contracted to Y religion to be their central point of content filtering globally.

So, member of the church? you get this VPN on your phone, (not sure whether phone was supplied by the church, but certainly this VPN was on it) VPN is effectively content filtering and blocking content.

I had our app whitelisted by that central company (literally raised a ticket with them, next day magically fixed).

There are even 'safe' (filtered) ISPs aimed at religious communities.

Holy shit, they can brainwash their peers even better. Those are evil geniuses….

Sorry, I meant to optimize the content for their peers and shield them from harmful content for the better of humanity // irony