Vodafone (UK) Home Broadband

Affected resource: Blocking https urls blocks the domain
Contract excerpt: not mentioned


Many UK ISPs block access to illegal content, which most people see as a positive thing. With encrypted HTTPS connections it's technically impossible for ISPs to see what's being accessed. This has led to them implementing solutions that impersonate websites, which breaks modern security checks in browsers. The end user can no longer be sure that their communication actually goes to the intended site at all. In many cases this in effect blocks access to entire websites, which in most cases are completely innocent apart from that single piece of content someone has uploaded. The popular image hosting site Imgur for example has been blocked for months on end, and intermittently for several years already.

The UK government is actively looking for ways to work through any encryption, with a Technical Working Group for instance noting that they want to "address the interference of https encryption with Parental Controls and how this trend could be reversed". https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/555146/September2016Newsletter__1_.pdf

Security advisors everywhere are telling people to pay attention to the information on the browser's address bar, and not to use websites that show security warnings. Vodafone support are actively telling users to ignore these warnings, while other ISPs have chosen not to try implementing the impossible filtering of https connections.

Example 1: Browsing Reddit on the Reddit app doesn't show any images hosted on Imgur, because the app won't allow users to bypass the failed certificate check of i.imgur.com content unexpectedly being signed and served by contentcontrol.vodafone.co.uk. A technical diagram of what's happening is at https://i.imgpile.com/nusuYL.png

Example 2: Many news sites and blogs have implemented their Comments section with help from a service called Disqus. Disqus uses an HTTPS feature called HSTS, where their servers say that from here on, the browser should access their servers only securely. When a post on Disqus gets added to Vodafone's blocklist, and on accessing any post the certificate check fails as it did with imgur, the browser doesn't offer any way for the user to bypass the check. This breaks all comments sections on all websites using Disqus services. Fortunately it's not very common for the ISP to add Disqus to their blocklist, but it does happen from time to time.
Marc - 06/21/2017
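The client-side decision behind Examples 1 and 2, as an added sketch that is not part of the original report: it checks whether the names on a presented certificate cover the requested host, then whether a stored HSTS policy removes the bypass option. The certificate name lists, the HSTS store and its includeSubDomains flag are constructed sample data, and the function names are hypothetical.

```python
# Added illustration: models the browser decision described in Examples 1 and 2.
# Certificate names and the HSTS store below are constructed sample data.

def name_matches(pattern, host):
    """RFC 6125-style match: a wildcard covers exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(san_names, host):
    """True if any subjectAltName DNS entry on the certificate covers host."""
    return any(name_matches(n, host) for n in san_names)

def hsts_applies(hsts_store, host):
    """hsts_store maps domain -> includeSubDomains flag (hypothetical store)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        # Exact match always applies; a parent applies only with includeSubDomains.
        if domain in hsts_store and (i == 0 or hsts_store[domain]):
            return True
    return False

def browser_outcome(host, san_names, hsts_store):
    """'ok', 'warning' (user may click through) or 'hard-fail' (no bypass)."""
    if cert_covers(san_names, host):
        return "ok"
    return "hard-fail" if hsts_applies(hsts_store, host) else "warning"

# Constructed inputs: the filter's certificate name is taken from Example 1.
FILTER_CERT = ["contentcontrol.vodafone.co.uk"]
HSTS_STORE = {"disqus.com": True}  # assumed policy, includeSubDomains set

if __name__ == "__main__":
    cases = [("i.imgur.com", ["*.imgur.com", "imgur.com"]),
             ("i.imgur.com", FILTER_CERT),
             ("disqus.com", FILTER_CERT)]
    for host, names in cases:
        print(host, names, "->", browser_outcome(host, names, HSTS_STORE))
```

An app that pins or strictly validates certificates, like the Reddit app in Example 1, treats the "warning" case as a failure too, since it offers no click-through.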