Device discrimination on the internet

The protocol used to enable secure shopping and banking on the internet can also be used to restrict your freedom to choose the hardware and software you use to connect. In fact, it’s already happening.

TLS allows a client (i.e. a web browser) to identify a server and to protect data in transit between the two ends of the connection. Most people are familiar with this in the form of HTTPS web sites; if the server isn’t what it purports to be—or even if it’s just poorly configured—you’ll see an error message.

What fewer people know is that TLS also works the other way round: it can identify the client to the server by means of a certificate installed on the client. This is mainly used by large organisations to reduce the risk of unauthorised computers connecting to their back-end systems.

And that’s all fine. Everyone is safe and secure, right? Unfortunately, there’s a dark side to TLS as well, but it’s one that I hadn’t realised until now.

I won’t go into great details about how public key certificates work. All you need to know is that it’s possible to identify the issuer of a certificate, and it’s effectively impossible to fake a certificate.

So here’s the problem: if a manufacturer supplies a device with their own client certificate already installed, it’s possible for a server to practice selective discrimination based on the manufacturer of the device. It might, for example, decide only to serve devices manufactured by Sony or Apple.

Far fetched?

Alas not. This is, in fact, used by the BBC today to implement the version of the iPlayer used by the Sony PS3 and the Apple iPad. The BBC server at accepts only the following certificate authorities:

  • Oregan BBC CA
  • BBC Greenhouse Development Staff CA
  • BBC Greenhouse Production Servers and Services CA
  • Apple iPhone Device CA
  • ADB Root CA – DTT
  • BBC Greenhouse Production Operations CA
  • Sony LFX Project BIVL – Root CA

Don’t believe me? Try it in your browser. (You’ll need a protocol analyser to find the list above.)

This won’t necessarily bother you unless you’re trying to reverse-engineer the iPlayer. However, as a proof of concept of something much more sinister, it’s alarming. We’ve already seen the obsequious level of favouritism given to Apple by the BBC, and they’re not even a commercial organisation.

I imagined that it would be governments that would take away internet freedoms. Between IP geolocation restricted services (taking the world out of world-wide web) and device-locked services, however, I wonder if corporations will get there first.

I don’t know what we can do about it. It’s particularly galling that the BBC is working to destroy the notion of a device-agnostic, protocol-based internet, and using free software to do so.

Anyway, there’s a prize for the first person to extract a working client certificate from an iPad.


  1. chuckmo

    Wrote at 2010-06-08 03:13 UTC using Firefox 3.6.3 on Windows XP:

    We cannot download movies, even with rtmpdump, anymore.
  2. Alex

    Wrote at 2010-06-08 03:54 UTC using Chrome 5.0.375.55 on Mac OS X:

    If you look at the BBC news website it looks like they’re Apple evangelists. They’ve got the whole iPhone launch plastered over their website – I doubt they’d give other technology companies the same coverage.

    Isn’t it just a case of extracting the certificate from a hacked iPad? Presumably you can get root access. I don’t know anybody with a jail broken one though.
  3. Dave Cridland

    Wrote at 2010-06-08 09:30 UTC using Firefox 3.6.3 on Linux:

    A private key can be stored on a device like a smartcard, and if it is, you simply cannot extract it. It’s secure, by design. It’d surprise me deeply if Apple hadn’t done this.

    So what you can do is extract out the data post-TLS on the device, or else you could devise a PKCS#11 gateway to an Apple device – making this publically accessible might cause the certificate to be revoked, which’d be painful, though.

    Or, of course, you could accept that the BBC has a bunch of requirements laid onto it by its content providers, and tries to work within these frameworks as best as it can, with the hope of keeping the quality.
  4. Jason

    Wrote at 2010-06-08 10:26 UTC using Safari 531.22.7 on Mac OS X:

    It is not a question of acceptance. Which content provider could force the BBC to unashamedly favour Apple products over other devices?

    It is long overdue that the BBC become accountable, in a tangible way, to the people who are effectively forced to fund them.
  5. cannontrodder

    Wrote at 2010-06-08 12:35 UTC using Firefox 3.5.9 on Windows 7:

    Companies are desperate to get into bed with Apple. The sentence “Then we could do an iPhone app” has been said too much around here with scant regard to the actual market share of smartphones out there. Seems to be a recurring theme that once someone gets an iPhone, knowledge of all other devices is erased from their memory. I imagine the execs at the Beeb all worship their iPhones just a little too much!
  6. Julian Burgess

    Wrote at 2010-06-17 13:19 UTC using Chrome 5.0.375.70 on Mac OS X:

    Lawrence Lessig writes brilliantly about this problem in Code and Other Laws of Cyberspace, well worth a read.
  7. Mo

    Wrote at 2010-06-23 17:49 UTC using Chrome 5.0.375.55 on Mac OS X:

    I wonder what actually does. I mean, if it’s just an access check, then you can do some internal DNS magic to fool the client-side stuff.

    Or does it issue a token? And how are these related to the auth tokens passed to the CDN for other types of stream?

    Clearly, attacking SSL/TLS itself isn’t going to result in much mileage — having a real certificate will help, but that’s only going to be useful for a marginal number of users. So the alternative is to look for weak spots elsewhere, of which there will undoubtedly be many…
  8. Paul Battley

    Wrote at 2010-06-23 23:53 UTC using Chrome 6.0.433.0 on Linux:

    Mo, securegate is (or appears to be) used to serve a mediaselector XML document that points to the content, like this:

    Interestingly, the iPod Touch doesn’t have the requisite certificate, which suggests that the BBC won’t be able to lock down the iPhone version in the same way.
  9. Don

    Wrote at 2010-07-01 22:05 UTC using Chrome 5.0.375.86 on Windows XP:

    Thanks for closing that circle, I’d already reached the conclusion that iPhone, iPad Touch and iPad are simply a means to channel the vain and impressionable masses to Stevie J’s iWhateveruwant store. Your explanation of this use of certificates takes iToys beyond the level of neat, easy to use integration with the source of your media, to something way more sinister, and potentially monopolistic, in a way far greater than anything MSFT ever have managed.
    Back to the BBC and iPlayer, they should not be doing this, no restriction should constrain availability of BBC output for UK citizens. Can’t think of anything other than a license payer campaign, the premise of which would be very simple: remember when you could buy any TV (incl VCR) and watch the BBC – not anymore peeps unless you make yourself heard.
    The potential is that the BBC becomes another Sky.
    iplayer-dl and get_iplayer increased my viewing of BBC output, it was “free” as in unencumbered, since they’ve been rendered obsolete I simply can’t be bothered. If the BBC internet output was free and unencumbered then Sky would have a problem, that’s probably the crux of the issue.
    My interim solution, Ubuntu + DVB-S2 receiver card.