Green Screen of Death?
(Standard Disclaimer: As always, the views, opinions, and actions expressed in this post are solely mine and in no way reflect those of my employer. Additionally, this is in no way meant to reflect negatively on Thailand, its people, or its government.)
Thailand's Internet Filtering Gone Awry
For instance, the following HTTP request:
GET http://www.revolutionhealth.com/stylesheets/65919/common.css HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:188.8.131.52) Gecko/20070725 Firefox/184.108.40.206 Paros/3.2.13
Cookie: (Cookies Removed!)
Returns the following 302 HTTP Redirect:
HTTP/1.0 302 Moved Temporarily
Date: Wed, 29 Aug 2007 10:27:00 GMT
Expires: Wed, 29 Aug 2007 10:27:00 GMT
X-Squid-Error: 403 Access Denied
X-Cache: MISS from proxy
X-Cache: MISS from 192.168.0.1
This of course redirects us to what is apparently known locally as "The Green Screen of Death". It seems that the local ISP used by my hotel, PROEN Internet (which, apparently by mistake, is ironically listed as one of Google's badware sites!), is passing all web traffic through a caching/filtering Squid proxy server.
So all requests which pass through this service appear as:
GET / HTTP/1.0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:220.127.116.11) Gecko/20070725 Firefox/18.104.22.168
Via: 1.1 192.168.0.1:8080 (squid/2.5.STABLE1), 1.0 proxy:8080 (squid/2.5.STABLE11)
X-Forwarded-For: 192.168.0.198, 22.214.171.124
In my case they arrive from 126.96.36.199, as seen in this PIX log entry:
Aug 30 04:03:22 10.54.54.254 Aug 30 2007 04:03:30: %PIX-5-304001: 188.8.131.52 Accessed URL (Removed):/
Squid is listening on port 8080 of this machine, but access is limited by source IP address.
However, when the proxy server sees something that it does not like, it redirects to http://w3.mict.go.th/ci/blocked.html, an IIS 6 web server hosted by Thailand's Ministry of Information and Communication Technology (MICT).
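The two artifacts above (a Squid 302 carrying X-Squid-Error, and the Via / X-Forwarded-For headers the proxy chain stamps onto forwarded requests) are enough to tell, from the client side, whether a response came from the origin server or from the filter. The following is an added example of my own and not code from the original post: it parses raw HTTP messages, flags a response as filtered when it carries a Squid 403 error header or a Location pointing at the MICT block page, and recovers the proxy hops and original client from a forwarded request. The sample messages are constructed for the example (the Location header and the 203.0.113.7 address are assumptions; the post does not show them), and the block page URL is the one named above.

```python
"""Classify HTTP messages that passed through a filtering Squid chain.

Added example, not code from the original post. Sample messages are
constructed here; only the header names/values mirror what the post shows.
"""
import re
from typing import Dict, List, Optional, Tuple

# Block page named in the post.
BLOCK_PAGE = "http://w3.mict.go.th/ci/blocked.html"


def parse_message(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split an HTTP message into its start line and a header map.

    Header names are lower-cased; repeated headers (e.g. two X-Cache
    lines from two Squid hops) keep every value, in order.
    """
    lines = raw.strip("\r\n").splitlines()
    start = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers


def parse_via(value: str) -> List[Dict[str, str]]:
    """Break a Via header into hops: protocol version, host[:port] and the
    software comment, e.g. '1.1 192.168.0.1:8080 (squid/2.5.STABLE1)'."""
    hops = []
    for hop in value.split(","):
        m = re.match(r"\s*(\S+)\s+(\S+)(?:\s+\((.*)\))?", hop)
        if m:
            hops.append({"version": m.group(1), "by": m.group(2),
                         "agent": m.group(3) or ""})
    return hops


def classify_response(raw: str) -> Dict[str, object]:
    """Decide whether a response is the origin server's or the filter's."""
    start, h = parse_message(raw)
    status = int(start.split()[1])
    location: Optional[str] = h.get("location", [None])[0]
    squid_err: Optional[str] = h.get("x-squid-error", [None])[0]
    proxied = "x-cache" in h or "via" in h
    # Squid's own access-denied page carries X-Squid-Error: 403 ...; the ISP's
    # redirector turns it into a 302 toward the block page, as in the post.
    filtered = squid_err is not None and squid_err.startswith("403")
    if location and location.startswith(BLOCK_PAGE):
        filtered = True
    return {"status": status, "proxied": proxied, "filtered": filtered,
            "squid_error": squid_err, "location": location,
            "caches": h.get("x-cache", [])}


def describe_request(raw: str) -> Dict[str, object]:
    """Recover the proxy chain and the original client from a forwarded request."""
    _, h = parse_message(raw)
    hops = parse_via(h["via"][0]) if "via" in h else []
    xff = [ip.strip() for ip in h.get("x-forwarded-for", [""])[0].split(",")
           if ip.strip()]
    return {"hops": hops, "client_chain": xff,
            "origin_client": xff[0] if xff else None}


# Constructed sample: the filter's reply, modelled on the 302 shown in the post
# (the Location header is an assumption; the post does not print it).
BLOCKED_RESPONSE = "\r\n".join([
    "HTTP/1.0 302 Moved Temporarily",
    "Date: Wed, 29 Aug 2007 10:27:00 GMT",
    "Expires: Wed, 29 Aug 2007 10:27:00 GMT",
    "Location: " + BLOCK_PAGE,
    "X-Squid-Error: 403 Access Denied",
    "X-Cache: MISS from proxy",
    "X-Cache: MISS from 192.168.0.1",
    "", ""])

# Constructed sample: a direct reply from an origin server, no proxy headers.
CLEAN_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK", "Content-Type: text/css", "", ""])

# Constructed sample: the request as the origin server sees it after two hops
# (203.0.113.7 is a documentation address standing in for the ISP's egress IP).
FORWARDED_REQUEST = "\r\n".join([
    "GET / HTTP/1.0",
    "Via: 1.1 192.168.0.1:8080 (squid/2.5.STABLE1), 1.0 proxy:8080 (squid/2.5.STABLE11)",
    "X-Forwarded-For: 192.168.0.198, 203.0.113.7",
    "", ""])

if __name__ == "__main__":
    print(classify_response(BLOCKED_RESPONSE))
    print(classify_response(CLEAN_RESPONSE))
    print(describe_request(FORWARDED_REQUEST))
```

Checking X-Squid-Error rather than only the 302 status matters: a legitimate 302 from the origin server has no Squid error header, and a transparent proxy that simply caches (X-Cache present, no error) is proxied but not filtered.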
So, the obvious questions become:
- How are the block lists generated and maintained?
- Is it controlled by a central authority, or is it supplied as part of a commercial product?
- What is the process to report and remove false positives?
- Is any dynamic and/or keyword filtering being utilized, or is it solely based on a list of URLs?
- Is participation mandatory for all ISPs or is it elective?
I know there are several ways to bypass this, including Tor (which is also blocked in Thailand), various anonymous proxies, tunneling web traffic over SSH to a remote machine, etc. This post is not about that, so please don't post circumvention methods. I am much more interested in sharing knowledge of the system's design and operations.