{"id":19048,"date":"2022-05-02T11:07:39","date_gmt":"2022-05-02T09:07:39","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=19048"},"modified":"2024-05-03T10:51:07","modified_gmt":"2024-05-03T08:51:07","slug":"considered-18","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2022\/05\/02\/considered-18\/","title":{"rendered":"Considered “18+”"},"content":{"rendered":"\n

Vodafone UK<\/strong> has taken it on themselves to make the world better by marking this website (daniel.haxx.se<\/code>) “adult content”. I suppose in order to protect the children.<\/p>\n\n\n\n

It was first reported to me on May 2, with this screenshot from a Vodafone customer<\/a>:<\/p>\n\n\n

\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n

And later followed up with some more details<\/a> from another user in this screenshot<\/p>\n\n\n

\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n

Customers can opt out of this “protection” and then apparently Vodafone will no longer block my site.<\/p>\n\n\n\n

How<\/h2>\n\n\n\n

I was graciously given more logs (my copy<\/a>) showing DNS resolves and curl command line invokes.<\/p>\n\n\n\n

It shows that this filter is for this specific host name only, not for the entire haxx.se<\/strong> domain.<\/p>\n\n\n\n

It also shows that the DNS resolves are unaffected as they returned the expected Fastly IP addresses just fine. I suspect they have equipment that inspects outgoing traffic that catches this TLS connection based on the SNI field.<\/p>\n\n\n\n

As the log shows, they then make their server do a TLS handshake in which they respond with a certificate that has daniel.haxx.se<\/code> in the CN field.<\/p>\n\n\n\n

The curl verbose output shows this:<\/p>\n\n\n\n

* SSL connection using TLSv1.2 \/ ECDHE-ECDSA-CHACHA20-POLY1305\n* ALPN, server did not agree to a protocol\n* Server certificate:\n*  subject: CN=daniel.haxx.se\n*  start date: Dec 16 13:07:49 2016 GMT\n*  expire date: Dec 16 13:07:49 2026 GMT\n*  issuer: C=ES; ST=Madrid; L=Madrid; O=Allot; OU=Allot; CN=allot.com\/emailAddress=info@allot.com\n*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.\n> HEAD \/ HTTP\/1.1\n> Host: daniel.haxx.se\n> User-Agent: curl\/7.79.1\n> Accept: *\/*\n> <\/code><\/pre>\n\n\n\n
The allot.com clue is the technology they use<\/a> for this filtering. To quote their website, you can “protect citizens” with it.<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
I am not unique, clearly this has also hit other website owners. I have no idea if there is any way to appeal against this classification or something, but if you are a Vodafone UK customer, I would be happy if you did and maybe linked me to a public issue about it.<\/p>\n\n\n\n
Update<\/h2>\n\n\n\n
I was pointed to the page<\/a> where you can request to unblock specific sites so I have done that now (at 12:00 May 2).<\/p>\n\n\n\n
Update on May 3<\/h2>\n\n\n\n
My unblock request for daniel.haxx.se<\/code> is apparently “on hold” according to the web site<\/a>.<\/p>\n\n\n\n
I got an email from an anonymous (self-proclaimed) insider who says he works at Allot, the company doing this filtering for Vodafone. In this email, he says<\/p>\n\n\n\n
Most likely, Vodafone is using their parental control a threat protection module which works based on a DNS resolving.<\/pre>\n\n\n\n
and then<\/p>\n\n\n\n
After the business logic decides to block the website, it tells the DNS server to reply with a custom IP to a server that always shows a block page, because how HTTPS works, there is no way to trick it, either with Self-signed certificate, or using a signed certificate for a different domain, hence the warning.<\/pre>\n\n\n\n
What is weird here is that this explanation does not quite match what I have seen the logs provided to me. They showed this filtering clearly not<\/em> being DNS based – since the DNS resolves got the exact same<\/em> IP address a non-filtered resolver does.<\/p>\n\n\n\n
Someone on Vodafone UK could of course easily test this by simply using a different DNS server, like 1.1.1.1 or 8.8.8.8.<\/p>\n\n\n\n
Discussed on hacker news<\/a>.<\/p>\n\n\n\n
Update May 3, 2024: unblocked<\/h2>\n\n\n\n
Two years later the situation was the same and I wrote about it on Mastodon:<\/p>\n\n\n
\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n<\/div>\n\n\n
Just hours later I was emailed by a person who explained they are employed by Vodafone and they forwarded my post internally. The blocking should thereby be gone<\/em>. The original block was wrongly applied and then my unblocking request from two years ago “never reached the responsible team”.<\/p>\n\n\n\n
Another win for complaining in the public.<\/p>\n","protected":false},"excerpt":{"rendered":"
Vodafone UK has taken it on themselves to make the world better by marking this website (daniel.haxx.se) “adult content”. I suppose in order to protect the children. It was first reported to me on May 2, with this screenshot from a Vodafone customer: And later followed up with some more details from another user in … Continue reading Considered “18+”<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":13350,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[251,13,45],"tags":[219,381],"class_list":["post-19048","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-haxx","category-net","category-web","tag-network","tag-tls"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/19048","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=19048"}],"version-history":[{"count":15,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/19048\/revisions"}],"predecessor-version":[{"id":24658,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/19048\/revisions\/24658"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/13350"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=19048"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=19048"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=19048"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}