* [Bloat] Bufferbloat: GoGo blocking YouTube
@ 2015-01-06 20:45 Hal Murray
2015-01-06 21:49 ` Jonathan Morton
0 siblings, 1 reply; 3+ messages in thread
From: Hal Murray @ 2015-01-06 20:45 UTC (permalink / raw)
To: bloat; +Cc: Hal Murray
David P. Reed:
GoGo does not need to run "Man in the Middle Attacks" on YouTube
http://www.reed.com/blog-dpr/?p=174
Quick summary:
GoGo provides internet access on airplanes. They want to block YouTube
(and similar) to avoid overloading their thin pipes. They are doing that by
intercepting https connections and presenting bogus certificates.
Details here:
Gogo issues fake HTTPS certificate to users visiting YouTube
Inflight service promises no data is collected, but practice sets a bad
precedent
http://arstechnica.com/security/2015/01/gogo-issues-fake-https-certificate-to-users-visiting-youtube/
--
These are my opinions. I hate spam.
* Re: [Bloat] Bufferbloat: GoGo blocking YouTube
2015-01-06 20:45 [Bloat] Bufferbloat: GoGo blocking YouTube Hal Murray
@ 2015-01-06 21:49 ` Jonathan Morton
2015-01-06 23:53 ` Wes Felter
0 siblings, 1 reply; 3+ messages in thread
From: Jonathan Morton @ 2015-01-06 21:49 UTC (permalink / raw)
To: Hal Murray; +Cc: bloat
> On 6 Jan, 2015, at 22:45, Hal Murray <hmurray@megapathdsl.net> wrote:
>
> GoGo provides internet access on airplanes. They want to block YouTube
> (and similar) to avoid overloading their thin pipes. They are doing that by
> intercepting https connections and presenting bogus certificates.
…WTF?
Look - if you *want* to block YouTube, then you block YouTube. People might get a little annoyed about that, but it’ll probably be limited to minor grumbling. You *don’t* fiddle with traffic to it. There is something *seriously* wrong if that’s the first or best solution that came to mind.
I agree with the conclusion of the article, though. There’s a straightforward, network-neutral, technological solution which actually solves the original problem. Shame almost nobody’s heard of it.
Incidentally, I finally got my test setup running properly. It now has cake running on each of two Fast Ethernet interfaces in the Pentium-MMX, which are bridged. It is able to comfortably pass 50Mbps through that before it runs out of CPU grunt - but that’s 50Mbps total. It doesn’t matter whether it’s all one way, all the other way, or half each. I then set it up to simulate a 24/3 Mbps ADSL, and it did that with about 50% CPU time in soft-interrupt mode.
I haven’t tried cake2 yet.
The limiting factor may well be context switching, or at least interrupt handling overhead. That’s quite expensive on x86 and on a full OS like Linux; far more so than on, say, an ARM running in a dedicated embedded configuration. (ARM has banks of registers which are switched in, replacing the originals, for interrupt handlers, so it doesn’t have to hurriedly save all those registers before it can do anything useful.) Bridging, and running *both* the traffic endpoints on other machines, rather than keeping one endpoint on the Pentium-MMX, improves the throughput markedly.
- Jonathan Morton
* Re: [Bloat] Bufferbloat: GoGo blocking YouTube
2015-01-06 21:49 ` Jonathan Morton
@ 2015-01-06 23:53 ` Wes Felter
0 siblings, 0 replies; 3+ messages in thread
From: Wes Felter @ 2015-01-06 23:53 UTC (permalink / raw)
To: bloat
Unfortunately that's the new "user friendly" Web. Want to authenticate
to a Wi-Fi network? MITM captive portal. Site intentionally blocked by
policy? MITM. Didn't pay your ISP bill on time? They'll notify you via
MITM. When the transparent proxy at work gets a timeout, it MITMs to
give a friendly error message (which ironically creates a very
unfriendly cert mismatch error).
--
Wes Felter