by rmc 4704 days ago
They can't and don't do it with just a DNS, it'll have to be DNS + HTTP URL. Otherwise porn hosted on one large shared hosting would block everything. (e.g. imagine if the Amazon EC2 DNS got blocked).

The current UK ISP filter (the one that already filtered Wikipedia), used DNS & HTTP. IP addresses that needed filtering were redirected to their HTTP server by sending back their IP address, and then a HTTP proxy was used to filter specific URLs. This allowed them to block certain URLs. It was initially detected because lots of wikipedians noticed a lot of edits (basically lots of the UK) coming from a small number of IP addresses (the IP addresses of the proxies).

2 comments

They CANNOT use HTTP filtering as that would break on HTTPS.
Nope, the domain is always visible on HTTPS, due to SNI. They can just block it.
Older Win XP machines don't support SNI, so you could get around it with an older machine. Of course that's a problem that will go away over time.
To connect to an HTTPS site without SNI, the IP can only host a single domain, so they can just block the whole (IP:443) combination without affecting any other site.
What if the IP is dynamic? Say an Azure Cloud Service.
I think the problem is that you'd need a different X.509 certificate for TLS, for each and every single IP.
I think Cleanfeed didn't block HTTPS. When have you ever heard of a public, governmental programme that didn't have a stupid flaw? :P
Yeah, and the government would never make that mistake…

http://www.smh.com.au/technology/technology-news/how-asics-a...