Philippine ISPs caught hijacking connections avatar ᜌᜓᜃᜒ (Yuki ・ 雪亮) | 2021-07-25 11:37 PST | 2 minutes read | Update at 2021-10-09 17:53 PST

A friend of mine noticed that Philippine ISPs started to hijack connections to certain websites and they are also using a fake SSL certificate. If a user choose the option to continue despite the warning about an invalid SSL certificate, they will see a Philippine government warning and the related Republic Act explaining why they–our ISPs–are hijacking our connection.

Let’s take a look at an example.

MediaFire is a popular file sharing and cloud storage. A file sharing and/or cloud storage service by itself is not “evil” as most governments, politicians, and the corporate world is painting it to be. Unfortunately, as with all services and technologies, there are people who use it for “evil purposes”. This was the basis for the Philippine government [supposedly] ordering Philippine ISPs to hijack the connection to MediaFire, as shown in the screenshot below.

Hijacked connection

Hijacked connection」 by YourOnly.One is licensed under Creative Commons Attribution-ShareAlike 4.0 International.

Based on the message shown in the screengrab above, MediaFire is a suspected child sexual abuse or exploitation material (CSAEM). They then explained that they will initiate decryption of traffic for possible CSAEM content and block access as mandated by Republic Act No. 9775 or the Anti-Child Pornography Act of 2009. In other words, they admit that your connection to MediaFire was hijacked and their all-seeing eye is watching you closely.

This is a very bad reality. There is now no doubt that all it takes for Philippine ISPs to intercept our Internet connection is an order from the Philippine government suspecting services and websites of CSAEM and/or whatever other laws they can use to justify breaking the privacy and security of the people.

Google Drive, OneDrive, and Dropbox, probably does not have “illegal content” because they can police their users. But you have to ask the question, how? Could it be they can read all the files uploaded to their storage? We will never know but at least one of those mentioned admitted that they do (it’s even in their Terms).

It is understandable why they are doing this, no good person would tolerate child abuse and child pornography, that is a line no sane human being should ever cross. However, the way they are doing this policing is never acceptable, this is a clear violation of the user’s privacy and hijacking connections is a clear act of compromising the user’s security. No one can guarantee what these ISPs will do with the data they can see. They usually can not be held accountable if one of their “trusted” employee leaks confidential information he or she saw while searching for CSAEM materials. It is easy to say they will never do anything else other than to watch out for CSAEM but clearly, all it takes is a government order and we will never know what they are doing with all the other data.

We all know that we can never trust ISPs, government order or not, so let this be a lesson for everyone in the Philippines: encrypt your files before uploading; and use only services which offers end-to-end encryption; and always use Tor (The Onion Router) or better yet a highly reputable VPN. Our privacy and security matters.

Left: Hijacked connection SSL cert; Right: Encrypted connection and correct SSL certificate

Left: Hijacked connection SSL cert; Right: Encrypted connection and correct SSL certificate」 by YourOnly.One is licensed under Creative Commons Attribution-ShareAlike 4.0 International.

It looks like your ISP is using gear from Palo Alto networks to intercept your SSL traffic based on the common name in the SSL certificate.

Re: ISP can still hijack #1790」, dapphp

MediaFire was also informed and they are looking into addressing this.


Did you like it? Do share this post, leave a comment below, and send me a gift! (opens in a new tab/window)

comments powered by Disqus
avatar
The YOOki (柳紀 ・ 유 기) Chronicles

The YOOki (柳紀 ・ 유 기) Chronicles is ᜌᜓᜃᜒ (Yuki ・ 雪亮)’s return into casual and personal blogging. The name “YOOki” is a mash-up of the acronym of YourOnly.One and my nickname ᜌᜓᜃᜒ (Yuki ・ 雪亮).

Interestingly, according to Chinese legend, 「柳」 (YOO) is an ancient Chinese surname. The ancestors of the surname were closely linked with the ancient sage-king named Yu Shun. In Korea, the 「유」 (YOO) lineage traces to the Xia, Han, and Joseon dynasties. Holders of the surname Yu or Yoo had a reputation for charity and diligence.1

It is also the word for “willow” or the “willow tree” which means graceful or slender; and a tree growing near a body of water which provide continuous nourishment and resources for everyone. It can also mean to exist, an oil (anointment(?)), and simply as “U” (you).

The hanzi 「紀」 (ki) character means to record, be disciplined, provide order. While the hangul equivalent, 「기」 (ki; gi), means energy, spirit, a banner, and a period of time; and is also a suffix used to make a gerund or an infinitive.

Can you guess what I mean by 「柳紀」 and 「유 기」 as the Chinese and Korean for “YOOki”?


  1. 「유」 Yoo (Korean surname); CC-BY-SA 3.0 Unported License ↩︎

Now Playing
🎧
📀
🎤