Virgin and Sky blindly blocking innocent sites

As reported by PC Pro, the systems implemented by both Virgin and Sky to stop access to websites blocked by the courts appear to be blocking innocent third-party sites with apparently little or no human oversight.  For example the website http://radiotimes.com was reported to have been blocked.

In order to understand why this specific issue happened, you need to be familar with a quirk in how DNS is commonly used in third-party load-balanced site deployments.

Many third-party load balanced systems, for example those using Amazon’s AWS infrastructure, are enabled by pointing CNAME records at names controlled by those third-party systems. For example www.example.com may be pointed at loadbalancer.example.net.  However, “example.com” usually cannot be directly given a CNAME record (CNAME records cannot be mixed with the other record types needed such as those pointing to nameservers and mailservers). A common approach is to point “example.com” to a server that merely redirects all requests to “www.example.com”.

From forum posts we can see that it’s this redirection system, in this specific case an A record used for “http-redirection-a.dnsmadeeasy.com”, that has been blocked by the ISPs – probably a court-order-blocked site is also using the service – making numerous sites unavailable for any request made without the “www” prefix.

These incidents strongly suggest that the opaque approach to website blocking by ISPs, and the apparent lack of oversight, has the potential to be hugely damaging to the internet. Open Rights Group calls for greater transparency in this area, beginning with making the court orders available for public inspection.