Speaker
Description
Per 2020-01-01 in Switzerland it is mandatory to block CSAM on a DNS level as per instructions from the Swiss Federal Police (Fedpol) supported by the new Telecommunications Act [1][2][3].
This thus involves a list of domain names that should be blocked that can be retrieved from a Fedpol server given proper credentials.
Unfortunately this list is in clear text, and, thus any engineer/administrator that is able to interact with or administer the server thus would normally get access to the list in clear text. Having these domain names on your computer though could already be illegal, if one then accidentally tests the domain, one might be considered to be attempting to access the material...
To avoid any public persecution we thus decided to hash the list so that we can never actually see or have access to the list and our administrators can do maintenance and other routine server maintenance without having to be scared of accidentally getting access to the list.
To solve this we have created Hashed RPZ, a custom hashed variant of the ubiquitous and great RPZ [4] system by Paul Vixie and Vernon Schryver that is already in use around the world for blocking malware and other malicious content.
We will also introduce a new open source DNS recursor system that implements this new scheme along with other needed features to scale the system for a large Swiss ISP, along with the supporting infrastructure, opening the system up for other ISPs to use and protect their employees.
Hashed RPZ can also be used by RPZ list providers to limit exposure of the list as the contents of the list cannot easily be discovered.
[1] https://www.bakom.admin.ch/bakom/de/home/das-bakom/organisation/rechtliche-grundlagen/bundesgesetze/fmg-revision-2017/revision-fmg-verordnungen.html
[2] https://www.fedlex.admin.ch/eli/cc/2007/166/en
[3] https://www.fedlex.admin.ch/eli/cc/1997/2187_2187_2187/de
[4] https://dnsrpz.info
Summary
Securing administrators life by hashing lists that should not be seen.