Kazakh Government Takes Down 93k Websites To Site-Block A Single Massage Parlour
from the got-'em-though dept
Site blocking. When it comes to law enforcement and IP enforcement efforts, site blocking is the simple man’s solution to a very complicated problem. The claim that floats out there in the ether is something like: hey, if we discover sites are breaking the law in some way, we can just order ISPs to block access to the site and the problem’s solved. Despite that simplistic send-up, the practice of blocking sites in this way inevitably leads to massive collateral damage and flat-out abuse. And yet, those who advocate for site blocking shrug their shoulders at this. After all, if you want to make an IP omelette, you have to break some percentage of the internet, right?
But the award for fucking this all up at scale must certainly go to the government of Kazakhstan, which wanted to take a massage parlor’s website off of the internet for engaging in some very massage-parlor-y behavior, and managed to pull down 93,000 other websites along with it.
State censors trying to erase the web presence of an erotic massage emporium called Rainbow Spa back in late July did so by ordering the blocking of the site’s IP address instead of its domain name. The ban-happy block was targeted at two IP addresses, reported by local outlet Hola News as 220.127.116.11 and 18.104.22.168. The first of these hosts around 9,500 domains, while the second keeps just over 84,000 websites online.
Unfortunately for the bungling censors, these two IPs resolve to shared infrastructure in Russia – including a large number of websites hosted on the Tilda Publishing platform, a sort of WordPress-style CMS-plus-prebuilt-skins intended for rapid deployment by the unskilled.
First, blocking a website by its IP address in 2019 is hilariously inept. Sites these days routinely share cloud infrastructure through providers, so a single IP address can sit in front of thousands of unrelated domains. This isn’t strictly some cost-cutting measure by web providers, but is necessary to secure sites at scale against attack by filtering out malicious traffic. This is how hosts protect against DDoS attacks. Handing the keys to blocking websites to people who very clearly haven’t the slightest clue what they’re doing is the kind of thing only national governments can do.
Tilda Publishing itself pointed this out.
Blocking a resource by IP address is an outdated and barbaric practice that has long been inconsistent with modern cloud-based IT technologies and access restriction mechanics.
And it’s not just the sheer amount of collateral damage that makes all of this so damning for the Kazakh government. The massage parlor, as I type this, still has one of its websites up and live.
It’s hard to imagine a better example of why we shouldn’t allow government the power to block websites than this.