How is the Dutch government censoring rt.com?

1 points by orangepurple ↗ HN
This was not a problem when connecting from the United States a month ago. I cleared HSTS settings for the rt.com domain but when connecting to the HTTP (not the HTTPS) site, I am redirected to an HTTPS version of the page which immediately leads to an HTTPS certificate error.

Interesting, https://sputniknews.com/ is redirected to an ISP hosted web page which reads: Deze website is geblokkeerd Europese sancties De Raad van Europa heeft besloten dat de websites van RT (voorheen Russia Today) en Sputnik News niet meer mogen worden doorgegeven. De website die je probeert te bezoeken, valt onder deze Europese sanctie.

VodafoneZiggo is verplicht de sanctie uit te voeren en heeft de website geblokkeerd.

rt.com is a different story. I truly don't comprehend what is happening here.

Is the Dutch government redirecting HTTP requests to rt.com with a MITM proxy to a virtual site with an invalid HTTPS configuration? The certificate is downright bizzare:

Your connection is not private Attackers might be trying to steal your information from rt.com (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID Subject: advice.upc.biz

Issuer: advice.upc.biz

Expires on: Jan 5, 2037

Current date: May 29, 2022

PEM encoded chain: -----BEGIN CERTIFICATE----- MIIDaTCCAlGgAwIBAgIJAPq3QyiRNEsWMA0GCSqGSIb3DQEBCwUAMEsxCzAJBgNV BAYTAk5MMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxDDAKBgNVBAoMA0xHSTEXMBUG A1UEAwwOYWR2aWNlLnVwYy5iaXowHhcNMTcwMTEwMTQxOTUzWhcNMzcwMTA1MTQx OTUzWjBLMQswCQYDVQQGEwJOTDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MQwwCgYD VQQKDANMR0kxFzAVBgNVBAMMDmFkdmljZS51cGMuYml6MIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEAxLufIHhWFmTX8QS3eD5tZ94TidmOvH9JMvTlBWBN UJI6ZmPfo8k8KvgifFyNMtLfIpi3COorcEAhwfp5tVuOsrp5TaLPTZv7ESBgOHbw pfTc4TVeyfRjIC3xeyzGRSONaDbXkckqPwd7dhJPMyX9kGyFv/Vj+corPt2uNwjE pzoZCRqAF9bcxgZ97Ap91pJGZSotWszZliQuxGiaNzdg6nEVC4MuZRYN0SKdT0je oRB5KuJp8qZKa3cSTkdC31Kl9gKAnP9iaSv8AOFzguBiFVZhmBLrQrSnELS6sDJv N+m5UMyURcrrHpK3lr6OMxcOAMOdB3kEWwXqARJ5s0Qu8QIDAQABo1AwTjAdBgNV HQ4EFgQUvKk/V7OvXs4Hn7/s7Uyn0XD6SZgwHwYDVR0jBBgwFoAUvKk/V7OvXs4H n7/s7Uyn0XD6SZgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAb8BM RyVBHI8Z9T3qUtYbP/rR9SB4bg2vVqV2+dZbVmCNfehaC/6ad0XaOs/48Vy1TWvJ rNF9j2R1HkwKawmvy2bk7lit+0Cg1zIg/40KsoqyEg7v7WIWgm0UUz1JQmOUTn1V HQTmZVq2gLE5mYcQ2BYkGDt479Z/VQqRYOPF8svY3h/uoPQ1vk1Kwk5LQ+HianaB uMiwVmSHDaaUNakwi6Erk/1nV/aSJz8+fXkfslFCHGtKdQUbmBN3zY0BWFSFPCLQ kSEK3Yzg2ZhmSjXLXJW2XNicKL0fpGfa+j1hHzvDjHWYmACl9POIMcocVFAmsBAr 8lyccHaN2KRx2L1JUg== -----END CERTIFICATE-----

9 comments

[ 2.5 ms ] story [ 26.9 ms ] thread
Make sure that you don’t use the default DNS servers of your ISP, but those of Google, OpenDNS or Cloudflare. Most of these redirects are done at the DNS level. This could also explain the certificate error, if the cerificate is for another domain than rt.com.
That makes sense. How are the redirects working so that the final certificate presented to me is from advice.upc.biz? I'm very confused!
If the DNS server of your local ISP maps rt.com into an IP address that it controls but for which the server has a certificate for a different domain, i.e. upc.biz, there is a conflict: your browser still has rt.com in the address bar (it is not a http redirect) but it sees a certificate for upc.biz, so it reports a certificate error.
You didn't tell if, when trying to visit rt.com, you arrive at a page with a message about the blocking, or simply a blank page, or you see the rt.com site. In the latter case, it would indeed be a MITM attack by way of DNS hijacking and a proxy. In the former cases, it's not MITM because you never see the content you wanted to see.
I see the chrome invalid cert page (inline in my original post)

sputnik news does an HTTP redirect to an ISP page about censorship

You should use Tor Browser, it is designed to circumvent censorship for situations exactly like this.
Thank you. I understand that is a workaround. I'm not even interested in the content of the website. I am trying to grasp what is really happening here on a technical (networking) level.
It is most likely DNS. Try comparing the result of:

dig a rt.com

dig a rt.com @8.8.8.8

Yep, you're right!

    $ dig a rt.com                                                                                                                       
    ; <<>> DiG 9.18.3 <<>> a rt.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44201
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;rt.com.                                IN      A

    ;; ANSWER SECTION:
    rt.com.                 300     IN      A       213.46.185.10

    ;; Query time: 16 msec
    ;; SERVER: 84.116.46.23#53(84.116.46.23) (UDP)
    ;; WHEN: Sun May 29 12:48:59 EDT 2022
    ;; MSG SIZE  rcvd: 51

    $ dig a rt.com @8.8.8.8

    ; <<>> DiG 9.18.3 <<>> a rt.com @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59564
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;rt.com.                                IN      A

    ;; ANSWER SECTION:
    rt.com.                 73      IN      A       91.215.41.4

    ;; Query time: 23 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
    ;; WHEN: Sun May 29 12:49:06 EDT 2022
    ;; MSG SIZE  rcvd: 51