Vodafone blocks websites with user-generated content:: Vodafone:: think Broadband

This week I noticed that most of the pictures on Reddit (the #5 UK website according to Alexa!) and comment sections on several websites stopped loading, but only on Vodafone broadband. On the Vodafone forum people have been reporting this sporadically for several years! I wish I knew before switching to them.

It seems that the reason why sites aren’t loading is Vodafone’s poor implementation of the Internet Watch Foundation web filter. ISPs in the UK are usually required to block or monitor access to specific URLs that someone has reported to the IWF. Any changes that users make to Vodafone’s CCI have no effect on this.

When you access https://disqus.com or https://imgur.com for example, the operating system finds the IP address of the site from the modem and Vodafone’s DNS servers. In this case, Vodafone servers are no longer returning the actual disqus.com IP address, but their IP 90.255.255.1. The browser then connects to that IP, asks for the requested URL, and at the same time, Vodafone has hijacked your connection and fulfilled the duty of the IWF. The only problem is that Vodafone customers who open HTTPS links get an ugly error message instead and can’t open anything on the site at all.

Your connection is not private

Attackers might be trying to steal your information from disqus.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is disqus.com; its security certificate is from contentcontrol.vodafone.co.uk. This may be caused by a misconfiguration or an attacker intercepting your connection.

Thanks to web certificates, the browser stops this interception attempt. Vodafone support suggests ignoring the message and reducing browser security, but this is not possible in all browsers. My daily browsing of Reddit’s nonsense through their mobile app forces the imgur.com content to https, so all the images from there are blank. There goes a portion of the entertainment from home broadband.

Furthermore, if the error is ignored, the site appears to be working, but the response headers contain the following:

Via: 1.0 iwfilter.broadband.vodafone.co.uk (squid)

As the Internet moves more and more to HTTPS, and in many cases redirects any HTTP access to HTTPS, this will become a major problem in the future. What can we do?

After a week:
Sites with a comments section loaded from Disqus.com work again.
Imgur.com’s HTML now loads over HTTPS, but the images do not. They are hosted on i.imgur.com, which is still on the list of domains to hack.

I’m happy to see things getting better, and I hope it’s because someone actively addressed this issue. I just wish the support would acknowledge that the problem is on Vodafone’s end, and not force people to do regular broadband troubleshooting.

Have you tried changing DNS servers at the PC level? I’m on Demon (now owned by Vodafone) and if you’re using Demon DNS servers, you’ll get random errors from the IWF filter about trying to use this website as a proxy. Changing PC DNS servers to Google or OpenDNS made them disappear.

Anthony

Try either using Google’s DNS servers or, if you know i.imgur.com is blocked, adding an entry to your local hosts file:

c:\windows\system32\drivers\etc\hosts

In the form of:

151.101.16.193 i.imgur.com

It’s obviously not a perfect solution, but it’s at least a temporary one.

Yes! Both of these solutions work. Maybe I could change the IP address of the DNS server on the modem instead, but I don’t want to mess with it too much because people everywhere are saying Vodafone’s HHG2500 is unreliable. It’s a bit of a pain to set IPs everywhere, especially on Android, as it seems to want the device to have a static IP address before letting me change the DNS addresses.

Alarmingly, Vodafone has allowed people to complain about intermittent domain bans since 2015, and only admitted in February 2017 that their content controls were at fault. Support still hasn’t received news of course… It’s as if Wikipedia was banned almost 10 years ago, and there has been no progress.

Like a satnav refusing to take you to Blackpool, Vodafone’s DNS is once again blocking imgur.com, www and i. Why is it constantly changing? Responses are always 5 minutes long so it shouldn’t be about unexpected caching. It doesn’t really bother my personal broadband experience since I no longer use the provided satnav, but the risk of things suddenly breaking with no one batting an eye is a huge concern.

The usual problem is that the proxy that handles the blocking is overwhelmed with an amount of checking work to make sure that no specific URL is in the block list, i.e. it’s not usually a block per se, but a side effect of what happens when a popular site ends up with a URL scan.

The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.

This was mentioned in another thread so I thought I’d add more details.

Vodafone’s inadvertent blocking of Imgur and other sites is now in its fourth year, and it’s still with the same disabled setup. People unaware of the DNS resolution are still being redirected to a Vodafone proxy turned on and off, and still getting the same error messages, if not worse. I have added some output from the openssl tool below as concrete proof.

But don’t worry, Vodafone has made some progress as well. In the name of security, routers now have an option called “Only allow encrypted access to Vodafone Connect via https”. Enabling it does exactly that, and also returns the “Web UI.cer” certificate file, which the user is directed to install. Sounds really good to protect you from all the bad guys in the house, right? What they didn’t mention is that it’s a root certificate, and anyone with their private key can issue certificates to other sites, which browsers will trust with the router’s certificate installed. A backdoor to certificate spoofing without error messages, disguised as a security improvement, A*! But we all trust that our ISPs are qualified enough to choose reliable solutions, keep our traffic uncompromised, store private keys securely and not embed them in all customer devices, right?

Here are the certificate details:

openssl x509 -in "WEB UI.cer" -text -purpose
Certificate:
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = GB, O = Vodafone Broadband, CN = vodafone
Subject: C = GB, O = Vodafone Broadband, CN = vodafone
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:Vodafone, DNS:vodafone.connect, IP Address:192.168.1.1
X509v3 Basic Constraints:
CA:TRUE
Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
Netscape SSL server : Yes
Netscape SSL server CA : Yes
S/MIME signing : Yes
S/MIME signing CA : Yes
S/MIME encryption : Yes
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes

Moving on to the Imgur connection attempts, fortunately Vodafone hasn’t triggered spoofed certificates yet.

Google’s DNS for comparison:

nslookup imgur.com 8.8.8.8
Name: imgur.com
Address: 151.101.16.193

HTTPS request to the real Imgur IP address:

openssl s_client -connect 151.101.16.193:443 -servername imgur.com
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
depth=0 C = US, ST = California, L = San Francisco, O = "Imgur, Inc.", CN = *.imgur.com

GET / HTTP/1.1
Host: imgur.com

HTTP/1.1 200 OK
Content-Length: 4287
Server: Cat Factory 1.0
[…etc what you’d expect in a genuine response…]

DNS for Vodafone router:

nslookup imgur.com 192.168.1.1
Name: imgur.com
Address: 90.255.255.1

HTTPS request to Vodafone IP address:

openssl s_client -connect 90.255.255.1:443 -servername imgur.com
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
depth=0 C = GB, ST = Berkshire, L = Newbury, O = Vodafone Group Services Limited, CN = contentcontrol.vodafone.co.uk

GET / HTTP/1.1
Host: imgur.com

HTTP/1.0 301 Moved Permanently
Retry-After: 0
Location: https://imgur.com/
Content-Length: 0
Server: Cat Factory 1.0
X-Cache: MISS from iwffilter.broadband.vodafone.co.uk
X-Cache-Lookup: MISS from iwffilter.broadband.vodafone.co.uk:3128
Via: 1.0 iwffilter.broadband.vodafone.co.uk (squid)

Cue redirect loop where the browser requesting https://imgur.com/ is asked to go to https://imgur.com/ instead (like reported here and here). If the browser does not surrender first with ERR_TOO_MANY_REDIRECTS, then the proxy will after a few more loops:

HTTP/1.0 500 Internal Server Error
Server: squid
X-Squid-Error: ERR_ICAP_FAILURE 0
X-Cache: MISS from iwffilter.broadband.vodafone.co.uk
X-Cache-Lookup: NONE from iwffilter.broadband.vodafone.co.uk:3128
Via: 1.0 iwffilter.broadband.vodafone.co.uk (squid)

[…cruft removed…]

The following error was encountered while trying to retrieve the URL: http://imgur.com/

ICAP protocol error.

The system returned: [No Error]

This means that some aspect of the ICAP communication failed.

Some possible problems are:

  • The ICAP server is not reachable.

  • An Illegal response was received from the ICAP server.


Notice how the error message is for http despite https being requested (port 443). This explains the redirect loop, since Imgur usually responds to http requests with a redirect to https.

So not only does Vodafone recommend that customers ignore browser security warnings and play with fire, they also send customer data unencrypted. I haven’t seen any ISP go this far with misleading filter attempts yet, but it will be interesting to see if Vodafone’s model will be seen as positive or negative by less tech-savvy customers.
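
Added example (not part of the original post, and not Vodafone's or thinkbroadband's code): the checks done by hand above with nslookup and openssl, gathered into one Python function that reports which signs of the filter proxy appear in a single HTTPS fetch. The sample responses are constructed from the captures quoted in this thread, the genuine certificate's name list is an assumption, and the function names and finding labels are illustrative.

```python
from email.parser import Parser

def name_matches(pattern, host):
    """Certificate name match: '*' may stand in only for the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(
        a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, h)))

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, headers)."""
    head = raw.strip().split("\n\n", 1)[0]
    status_line, _, header_text = head.partition("\n")
    return int(status_line.split()[1]), Parser().parsestr(header_text, headersonly=True)

def interception_signs(host, answers, cert_names, requested_url, raw):
    """Return findings for one HTTPS fetch; an empty list means nothing was seen.

    answers:    {resolver: ip} collected with nslookup against each resolver
    cert_names: subject CN and SAN DNS names of the certificate the server sent
    """
    findings = []
    # CDNs can legitimately answer differently per resolver, so this is a hint only.
    if len(set(answers.values())) > 1:
        findings.append("dns-mismatch")
    # This is what the browser reports as ERR_CERT_COMMON_NAME_INVALID.
    if not any(name_matches(n, host) for n in cert_names):
        findings.append("cert-name-mismatch")
    status, headers = parse_response(raw)
    if "squid" in headers.get("Via", "").lower() or "X-Squid-Error" in headers:
        findings.append("squid-proxy-in-path")
    # A redirect to the URL that was just requested can never terminate.
    if status in (301, 302, 307, 308) and headers.get("Location") == requested_url:
        findings.append("self-redirect-loop")
    return findings

# Constructed samples, trimmed from the responses quoted in this thread.
FILTERED = """HTTP/1.0 301 Moved Permanently
Location: https://imgur.com/
Via: 1.0 iwffilter.broadband.vodafone.co.uk (squid)
"""
GENUINE = """HTTP/1.1 200 OK
Content-Length: 4287
Server: Cat Factory 1.0
"""

if __name__ == "__main__":
    print(interception_signs(
        "imgur.com", {"192.168.1.1": "90.255.255.1", "8.8.8.8": "151.101.16.193"},
        ["contentcontrol.vodafone.co.uk"], "https://imgur.com/", FILTERED))
```

A DNS mismatch on its own is weak evidence; the certificate name mismatch together with the squid `Via` header is what identifies the proxy.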

This is really interesting. Thank you for posting.

Just out of curiosity, does Vodafone Proxy support TLSv1.3 yet?

I’ve noticed that the standard www.vodafone.co.uk doesn’t redirect from HTTP to HTTPS – which is pretty bad these days.

If you understand this right, they are essentially performing MiTM on all traffic to certain sites, thus requiring users to install their certificate to facilitate this, which is 1) encouraging users to believe that it is normal and acceptable to use untrusted certificates in this way and 2) dismantling the trust relationship certificates are primarily intended to provide.

In an effort to filter traffic they eroded basic security, and what worries me the most is whenever I look into this issue (albeit for a year + now), Vodafone always discusses working with the ‘seller’ to fix this. So we have users that install this VF certificate, and they are likely to pass this data to a random VF vendor, where the data can be clearly displayed.

It’s almost in your face spying… If this data is compromised, there will be an overarching question “Why was the data transmission split to facilitate processing/transmission of clearly encrypted traffic in the first place?”
