Sponsored

RT news inaccessible on Three UK

uknowiama

Pro Member
Keep wearing your blinkers mate Lol !
Not knowing people that well. So please excuse me - but some of these responses smack of looking for a conspiracies where none exist.

It works through a VPN, but not through 3 without VPN - may I ask where your VPN exits? Is it still in the UK or another nation?

I enjoy discussion and debate - trying to understand other people’s points of view - especially those that differ to my own and passing on what I know / understanding given the nature of my career.

However, I would say this forum is not the place to try to push your own views on others.
 

clivejo

Top Member
It works through a VPN, but not through 3 without VPN - may I ask where your VPN exits? Is it still in the UK or another nation?
I tested it yesterday again and it was accessible via both US(03) and NL(01) ProtonVPN servers.


The VPN is from my computer which is running Linux with Firefox browser via the Network Manager.

But as I said above, Three have swapped back to blocking it via HTML error code 403 from yesterday afternoon some time.
 

uknowiama

Pro Member
I tested it yesterday again and it was accessible via both US(03) and NL(01) ProtonVPN servers.


The VPN is from my computer which is running Linux with Firefox browser via the Network Manager.

But as I said above, Three have swapped back to blocking it via HTML error code 403 from yesterday afternoon some time.
Error 403 is a reply from the web server you are trying to connect to. Usually.
Seems you are not the only person and has been seen before.


Maybe related to sanctions directly - i.e EU blocking something or indirectly - for instance RT is having to change it hosting infrastructure to stay online.

The odd bit is the VPN seems to fix this for you. I'm still not convinced it's three that is blocking you.
Although it might be DNS now? If I try from plusnet (FIrefox and Edge) unable to connect. Nslookup it can't resolve the website address to a public IP address. So might be different DNS on VPN? 3 DNS not allowing lookups on RT.
Maybe different errors, because as soon RT works out another way to be online, that way gets found out and blocked again?
 

clivejo

Top Member
Error 403 is a reply from the web server you are trying to connect to. Usually.
Seems you are not the only person and has been seen before.


Maybe related to sanctions directly - i.e EU blocking something or indirectly - for instance RT is having to change it hosting infrastructure to stay online.

The odd bit is the VPN seems to fix this for you. I'm still not convinced it's three that is blocking you.
Although it might be DNS now? If I try from plusnet (FIrefox and Edge) unable to connect. Nslookup it can't resolve the website address to a public IP address. So might be different DNS on VPN? 3 DNS not allowing lookups on RT.
Maybe different errors, because as soon RT works out another way to be online, that way gets found out and blocked again?
Three are injecting that error into my traffic between my browser and rt web server. They are also doing it to the the 1.1.1.1 website as discussed in my other thread.

Do you understand what intercepting and interfering means?!? Three are actively monitoring my traffic for certain criteria, when it finds something it is then modifying the reply to me (pretending to be the server in question) in order to block my access to that particular site.

Code:
$ openssl s_client -connect www.rt.com:443 
CONNECTED(00000003)
140545071789888:error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied:ssl/record/rec_layer_s3.c:1543:SSL alert number 49
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 312 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Compared to the following via a VPN

Code:
$ openssl s_client -connect www.rt.com:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = rt.com
verify return:1
---
Certificate chain
 0 s:CN = rt.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFHDCCBASgAwIBAgISBHo8wDnlGb4naOPDAWz38xCUMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA1MTExMDM1MDRaFw0yMjA4MDkxMDM1MDNaMBExDzANBgNVBAMT
BnJ0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMvt2KGzgU+i
axICqp4LdFWiyTlEqNIqHMD1iY2A+icXJZr7YjX3xprGaMtEzwbb7JKjfTkujRwj
cIyOmItRvRZ7kzd599Lq/FLjVjVpmPnW7q2+vQO57YUfWsvPZLRc0YrknQG/hPpp
Be0+TvY1ExctVXhIZW0zUOdU1mSU2oDVZFWZ+oLdzUPquEvctUQbQrPBq1gkjY76
kyUPPZx6M/aDAlXbiVTfEbwbYps8tLJVpgfBM0F9xxndaWBVDPf06/qyF5lPlOs6
bNsYikI4H6HcCZDWjkui2+UypJ7K5l6Doq3hbrim1xP4z32vjrXsvjWpDTQN8IJW
O0yxxpZsm20CAwEAAaOCAkswggJHMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUFFNh
KalYXabQYrZuX2waQCnTwbcwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsU
wsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5j
ci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8wGwYDVR0R
BBQwEoIIKi5ydC5jb22CBnJ0LmNvbTBMBgNVHSAERTBDMAgGBmeBDAECATA3Bgsr
BgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0
Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2ACl5vvCeOTkh8FZzn2Old+W+
V32cYAr4+U1dJlwlXceEAAABgLLmsrQAAAQDAEcwRQIhAJcdQv6Jz1+RStnEo5Jo
EHbna+0Hk7SKz08q/nw+RCzpAiByLPP92Io/6VGxNA/OfrQujlGMQUZjkUOwe60k
CmJVQgB2AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABgLLmsw8A
AAQDAEcwRQIhAKIk0QUvY0OXYXdMp0YMqN3KquDuGvgcHOHJ3trDqfoLAiAbASdl
IvinFKJ96VRmYBc3KudU3mrcMb6J4FsFb3ptWzANBgkqhkiG9w0BAQsFAAOCAQEA
jv6DBGbdjSstAaUGqgItq7PUomFozma2is5I+J7ZeMrO+YAGxHDbDq2qm92ftK+5
B460ehPuz9fi3zrhlXy2Pwys+78O4dWT+XJE7W3/38w4XpMzE/fnI44AJ52/s5WA
UjnTW/Qr0OtNAhAuC4QbcXtK/I9UFXEbFhlPlTD3A4abd5rk1Kwcxnt5ZAdHmsRk
Fh7IFF0wLzZgSVQAhTDnVWCWz9qc2ZVhCyR5+GWTzDaf5KhFy2KDnariwIxN+7cu
snM7ty2vtT5lOk5mhErAITj0qzA14N3xRhVBWUB5Nev+1c6HbwnfVZ/P5bdmkF+b
IBLrifpISMY/yWxq+13rsg==
-----END CERTIFICATE-----
subject=CN = rt.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4568 bytes and written 392 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F36DD53EE40EE549F553169F0DA4A3A526CD5C8DDEB08D06A169A4CE1C3D36FE
    Session-ID-ctx: 
    Resumption PSK: 1A7FF3D2F28D2F0C485F80541CC52663D0232BAE9D3A06CFB08B673178BE1326CD0A0A4A168B701E08ED61CB01064A76
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 7f b4 29 df 64 3b b0 4e-04 b4 eb 7c c7 89 15 99   ..).d;.N...|....
    0010 - 86 29 62 29 fe a4 d0 2f-bd 00 05 84 84 b0 d6 f4   .)b).../........
    0020 - 2a 36 8c 92 3b 2c 95 8c-de 20 ee 30 da 27 b3 ae   *6..;,... .0.'..
    0030 - 67 8a 30 1c 13 b4 19 b0-5e e3 41 21 d3 0d dc 49   g.0.....^.A!...I
    0040 - 63 f5 db 04 0a 63 99 20-3f e6 3a 29 a5 2a f4 c3   c....c. ?.:).*..
    0050 - 64 1a 49 ff 2c 3d 5f 57-74 f4 1b 2d 39 49 cb 6b   d.I.,=_Wt..-9I.k
    0060 - 38 c5 93 7a 33 42 ca 92-a8 b6 65 66 bd cc 41 0d   8..z3B....ef..A.
    0070 - 8f c5 5e 7c e5 86 1f 4d-af e4 c4 a4 60 21 9d 72   ..^|...M....`!.r
    0080 - c4 f5 c4 11 59 03 15 73-a1 dd d9 2a 66 ea cf e3   ....Y..s...*f...
    0090 - b8 03 08 97 87 47 71 36-88 1d d9 dc 3b 78 36 0e   .....Gq6....;x6.
    00a0 - 7e 34 2e f0 7b 9a c4 8a-0e 17 c9 bc cc 45 59 f9   ~4..{........EY.
    00b0 - fb ac 80 59 5e f5 8f 93-04 e3 f7 2b a5 09 53 f8   ...Y^......+..S.
    00c0 - 0b 96 20 b1 21 bd 53 7d-1b 66 61 1e 76 da b9 cb   .. .!.S}.fa.v...
    00d0 - 55 f9 06 e1 74 df 46 9e-55 3e 4d 8e 6a b5 cf 82   U...t.F.U>M.j...

    Start Time: 1652810194
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 34A7F02E754673D2DDEC6F5779288E6ACB53E91E15913E4F90C0AE94D7B6F911
    Session-ID-ctx: 
    Resumption PSK: 9799C7676C7A164C4E7720BA3A6F41DA68F2E4D50F5831C7C8B21678DE11BC20F59B02B92F5BBFB658550E7B5C08ACD7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 7f b4 29 df 64 3b b0 4e-04 b4 eb 7c c7 89 15 99   ..).d;.N...|....
    0010 - e6 40 ca 72 40 d0 a1 d3-00 a1 5e 82 b8 50 8a cb   .@.r@.....^..P..
    0020 - af 00 90 26 b0 df 44 da-c3 bc f8 94 c9 00 97 6f   ...&..D........o
    0030 - d7 54 0e 30 9b 19 7a ba-66 38 76 7f 1a e4 ef 37   .T.0..z.f8v....7
    0040 - be 8c 05 32 1e 5f 53 bf-e1 c6 f1 f6 19 e4 f3 16   ...2._S.........
    0050 - f1 36 d3 f7 a2 9e a9 5f-91 f1 af 96 71 da 48 d7   .6....._....q.H.
    0060 - 86 a4 d2 1d 87 5f 97 7c-ba 4f 1c 3b 96 1c cd e0   ....._.|.O.;....
    0070 - 28 af 50 ae dc 2c ae ef-27 6d 48 e0 e7 c2 67 27   (.P..,..'mH...g'
    0080 - 1d aa 67 fe dd ba ef 5e-47 e1 bd 25 7f 1c a3 17   ..g....^G..%....
    0090 - f0 34 b7 71 cc 7c 0f e7-2e 9a 25 5f fa 34 e7 53   .4.q.|....%_.4.S
    00a0 - 03 57 bc fd e9 33 c6 ea-a6 a7 28 a8 d5 8b 78 04   .W...3....(...x.
    00b0 - eb 95 83 f3 ba 66 57 e7-d6 2d 3c 94 2f 2a 08 86   .....fW..-<./*..
    00c0 - 07 c3 43 d2 fd 59 0e 9a-74 3f 92 7f d1 84 e3 a6   ..C..Y..t?......
    00d0 - 6b 2c a8 82 df de 50 53-a8 74 dd 39 8b 7e d0 b0   k,....PS.t.9.~..

    Start Time: 1652810194
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

As you can see, the Let's Encrypt cert they are using is fine and valid until Tue, 09 Aug 2022 10:35:03 GMT the problem here is that Three are actively monitoring traffic between my browser and RT.com and changing / modifying it so it breaks the encryption or replies back with a 403 error code.
 

uknowiama

Pro Member
Do you understand what intercepting and interfering means?!? Three are actively monitoring my traffic for certain criteria, when it finds something it is then modifying the reply to me (pretending to be the server in question) in order to block my access to that particular site.
Yes. I deal with certs and websites day in day out. I am a network engineer, but wouldn't consider myself an expert in this field and always willing to learn more or conceed that I may not have understood something correctly.

So you run a tool to test the SSL connectivity and the output show the SSL works via the VPN, but not without it. I did a quick search of the error in the output which points to access denied and an issue on the client - your PC.

The problem I have with your claim that 3 is intercepting or interferring with your traffic is this. They might be blocking you accessing the required public IP. The DNS service might be stopping you performing lookups on the required domain. But decrypting your traffic - injecting it with an high order (layer 7 protocol message) then re-encrypting the traffic I find hard to believe. The https/SSL/TLS encryption is end to end. Between browser and website. To break that encryption you would need a Man In The Middle. So in your case. Your browser thinks it is talking to RT, but is infact talking to 3. Likewise the RT website thinks it's talking to your browser, but is talking to 3. To do that you would need to of accepted 3's certificate, if I understand these things correctly. Unless of course that is how 3s web filtering works. I have employed this for genuine reasons before on a perimeter firewall, but the company PCs all had to accept my cert to access the Internet.
I enjoy discussing a talking things through logically, so appreciate the replies and helping me understand things better.
 

clivejo

Top Member
So you run a tool to test the SSL connectivity and the output show the SSL works via the VPN, but not without it. I did a quick search of the error in the output which points to access denied and an issue on the client - your PC.
If it is my PC, how and why can I connect and use the site perfectly well when routing my traffic via VPN, that is the ONLY thing that changes?!? All the information says that the client (my side) interrupted the handshake and establishment of a secure connection, but how it that? It's the same browser, tab I am using, all I do is route the traffic over a VPN or not. Three handling my traffic is the ONLY difference in these tests.

I don't understand HOW they are doing it, but they ARE doing it! They are either tampering with the packets of data my computer is sending to RT or are tampering with the packets sent from the server to me. This is the case in how they are redirecting my page away from 1.1.1.1 and to https://www.three.co.uk/static/html/iwf/block.html I didn't request this site, the server didn't send me to this site, Three did it by tampering with the returned communications from the server.
 

clivejo

Top Member
This entire situation just stinks of the Phorm trails which were illegally intercepting user data disguised as protecting them from malware.
 

SinCity

Member
Use lantern free VPN on a mobile phone to access RT.
Use Hoxx VPN add-on to Firefox browser to access RT.
Or use the Tor browser...
 
Top
Promotion
Cheapest Superfast ISPs
  • Hyperoptic £17.99
    Speed 33Mbps, Unlimited
    Gift: Promo code: HYPERSALE
  • NOW £20.00
    Speed 36Mbps, Unlimited
    Gift: None
  • Shell Energy £21.99
    Speed 35Mbps, Unlimited
    Gift: None
  • Vodafone £22.00
    Speed 38Mbps, Unlimited
    Gift: None
  • Vispa £23.00
    Speed 36Mbps, Unlimited
    Gift: None
Large Availability | View All
Cheapest Ultrafast ISPs
  • Gigaclear £17.00
    Speed: 200Mbps, Unlimited
    Gift: None
  • Community Fibre £20.00
    Speed: 150Mbps, Unlimited
    Gift: None
  • Hyperoptic £20.00
    Speed: 158Mbps, Unlimited
    Gift: Promo code: HYPERSALE
  • Virgin Media £25.00
    Speed: 108Mbps, Unlimited
    Gift: None
  • Vodafone £25.00
    Speed: 100Mbps, Unlimited
    Gift: None
Large Availability | View All
Helpful ISP Guides and Tips
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
Promotion
The Top 20 Category Tags
  1. FTTP (4128)
  2. BT (3154)
  3. Politics (2123)
  4. Building Digital UK (2028)
  5. Openreach (1970)
  6. FTTC (1923)
  7. Business (1836)
  8. Mobile Broadband (1608)
  9. Statistics (1513)
  10. 4G (1380)
  11. FTTH (1371)
  12. Virgin Media (1277)
  13. Ofcom Regulation (1242)
  14. Fibre Optic (1235)
  15. Wireless Internet (1234)
  16. Vodafone (928)
  17. EE (907)
  18. 5G (900)
  19. TalkTalk (821)
  20. Sky Broadband (787)
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms  ,  Privacy and Cookie Policy  ,  Links  ,  Website Rules