Thread on the Kashmir Whitelist.

Earlier this week @aldebaran14 and I analysed the 153 websites on the whitelist as per the 18th Jan Order and found that ~80 were not 'practically usable'. We wanted to understand how these websites will work/look under this whitelist regime(1/n)

So we setup Chrome with an extension to allow access only to the hostnames listed in the order. Now, there are limitations with this method. We did not test on a 2G network. We could not carry out actual transactions and the assessment of usability is a bit subjective (2/n)

We looked for whether the website was visually affected, if the images loaded, if the login section was accessible and the main function(s) of the website still worked along with some general navigation to see what was affected (3/n)

In perusing the list we found typos, duplicate entries, entries without actual hostnames and some that were indeterminate. After removing these, we were left with 134. Of these we found ~80 websites were not practically usable. Why? (4/n)

Well, the way most websites are designed, a lot of content comes from subdomains, CDNs. They also have 3rd party content like analytics services, ads, various libraries that manage the UI etc. None of this worked because there were not on the whitelist (5/n)

So most of the websites were broken. Here is an example of amazon.in. We also pulled a request map to highlight how much content comes from other domains. Different websites were affected to varying degrees depending on how they were designed (6/n)

In case of irctc.co.in, we found that though the page was still (sort of) readable, the search feature was unresponsive. The train status feature took us to another link, which of course, was not the on the whitelist. (7/n)

For the ones classified as banking websites, we found that only 2 of the 15 on the list had accessible login pages (eg. For SBI bank, the whitelisted domain was onlinesbi.com, but to login you need to go to retail.onlinesbi.com which was not on the list) 8/n

The inclusion of streaming services seems absurd because:
1) 2G
2) Most of them use CDNs for delivering video content (as I said earlier, these are not on list).
3) No actual hostnames were given - how does the ISP know what to allow? Are they expected to analyse the apps? (9/n)

We excluded these and 'Jio Chat', so in reality (esp. over 2G) the number of unusable websites maybe higher than what I said earlier in thread.
Of the ones that worked, 25 were minimally impacted (mainly had textual information). 30 were 'partially usable' (10/n)

We ended the exercise with more questions than answers. Some of them are:
1) On what basis are these (and future) domains selected?
2) Why are some some sites on the list while others in the same category are not?
3) How will ISPs actually implement this? (11/n)

I know the list was updated to approx 300.Haven’t read through it in detail,but a cursory glance was enough to spot duplicates and strange entries (trying hard not to judge).I would love to test the new ones, sadly, we’re caught up with other stuff over the next few days. (12/n)

We’ve also done a detailed write-up that we're hoping to publish soon. Both @aldebaran14 (credit to her for kicking this off) and I are also happy to release the spreadsheet that we recorded our analysis on, in case anyone wants to build off it. (13/n)

I’ve tried very hard not to offer any value judgement on this whitelisting approach on this thread. The intent was to (attempt to) understand and draw attention to what some one in Jammu and Kashmir might experience due to this exercise. (14/14)

Correction for #8. The whitelisted domain for SBI is www_onlinesbi_com (I’ve replaced the . with _ because twitter drops the www automatically)

Some updates from @aldebaran14

https://twitter.com/aldebaran14/status/1221343616620040192?s=21

https://twitter.com/aldebaran14/status/1221343616620040192

https://twitter.com/aldebaran14/status/1221344574913691649?s=21

https://twitter.com/aldebaran14/status/1221344574913691649