Computer Security: WWW censorship? Not at CERN
Whoops! We received a number of critical responses to our previous article on the upcoming DNS firewall (“DNS to the rescue!” - see here). While they were mostly constructive, the main question was “How dare we censor Internet access?” Let us clarify this.
Computer security at CERN must always find the right balance between CERN’s academic environment, its operations and security itself. Of course we can easily overdo it one way or another, but that would kill our academic freedom and bring the Organization to a halt. That certainly isn’t in our interest. On the other hand, CERN is permanently under attack and we have to do everything possible to ensure that those attacks are kept at bay. Otherwise they could impact CERN’s operations… So, have we found the right balance?
Concerning access to the Internet and in particular to the web, we have not and will not block random websites because of their content unless – and this is crucial – unless the website hosts malicious content that could impact the operation of CERN’s computers or accounts. Malware hosting sites are a good example, as browsing onto such a website might infect a large number of CERN Windows or Mac computers. This is why we blocked the website “20min.ch” a while ago (see our Bulletin article “Drive-bye” on this subject). Sites resembling the CERN Single Sign-On webpage and deliberately created for phishing attacks against CERN are also blocked as a protective measure. And we block Doppelgänger domains, i.e. domain names which resemble those of CERN (like “cem.ch”) or are just one typo away from CERN’s (like “cern.cg”, etc.), in order to protect you against typo-squatting.
But that’s it. We do not block webpages because of other, arguably undesirable content, whatever “undesirable” might mean. For example, we do not filter pornographic sites. Of course, the consultation of pornographic content violates the CERN Computing Rules and CERN’s Code of Conduct and I doubt there is anyone at CERN with a professional need to consult such material, but we do not block them (just monitor their illicit usage). Hence, in response to the question: “How dare we censor Internet access?” the answer is: “We don’t dare: we do not censor at all. We believe in and value academic freedom at CERN and aim to balance our computer security measures accordingly.”
For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.
Access the entire collection of Computer Security articles here.
by Stefan Lueders, Computer Security Team