
Ransom: Routing Around Nation-States - chmaynard
https://ransom.cs.princeton.edu/
======
bcaa7f3a8bbc
> _In some cases, countries are taking extreme steps, such as building new
> Internet Exchange Points (IXPs), which allow networks to interconnect
> directly, and encouraging local interconnection to keep local traffic local.
> We find that although many of these efforts are extensive, they are often
> futile, due to the inherent lack of hosting and route diversity for many
> popular sites._

Anyone with a background of datacenter, IDC or VPS knows a simple fact: most
of the time, the default routes are often sub-optimal. Even if you are using a
CDN, sometimes the traffic just doesn't terminated at the local/nearest/best-
connected datacenter of your CDN provider, but a remote datacenter, sometimes
in another country. Pretty frustrating.

Because the traffic travels through the cheapest and/or the most convenient
path, not the shortest path, and it also depends on your physical location,
your ISP, the network topology of your local ISP, the national/international
infrastructure, etc.

Finding the optimal path for a specific ISP is a pretty tricky task. My
networking-guru friends have the ability to learn the interconnections of
different datacenter through the BGP looking glass, and identify the fastest
VPS to rent based on their experience in the industry, the knowledge of the
national/international infrastructure (which core router the network is using?
which submarine cable does this ISP use? which national subnet of the ISP is
the server located?, etc).

It is very common that your traffic have to travel around the entire Earth,
and crossing USA in the middle, even if you are just connecting to a nearby
continent.

Sadly, there is almost nothing anyone can do to about it.

~~~
slededit
I wouldn't be surprised if the EU passed a law requiring domestic traffic to
stay domestic. You could even argue existing privacy laws require it already -
it just hasn't been enforced in that way.

It's not a hard problem to work around if ISPs were sufficiently motivated to
deal with it.

~~~
detaro
A few German ISPs/internet companies made noise about keeping traffic locally
during the Snowden leaks, some were slightly miffed when others pointed out
that it would already be the case if they played ball and freely peered with
everyone at the German IXPs. (Although with the biggest one of those being
monitored by German intelligence agencies with whatever filtering rules the
NSA gave them fairly pointless too)

------
dev_dull
Does this really "move the needle" in terms of security? TLS should be
sufficient to allow your traffic to enter and exit hostile territory.

~~~
smokeyj
If you could avoid certain pipes it could only help security. Even with the
security of TLS, that doesn't prevent state-level actors from observing meta
data with the advantage of internet-wide timing data, which could be useful
for say, analyzing TOR traffic.

Not a crypto expert but doesn't trusting TLS imply trusting root certs on your
PC? Regardless, the Snowden leaks showed that internet traffic can be modified
to contain harmful payloads for targeted individuals. Even if only susceptible
over non-TLS it still represents a non-zero percentage of internet traffic.

~~~
dev_dull
Who will you even "avoid"? It's in the interest of every major country to do
surveillance.

~~~
TaylorAlexander
It may seem equally compelling to all countries, but in practice some
countries put huge resources in to gathering everything, and some don’t.
Avoiding the ones that in practice collect everything in favor of ones that in
practice don’t would increase security. Separately, we should stay mindful of
who is doing this collection, and simultaneously take additional measures to
secure our communications.

~~~
semi-extrinsic
I'm trying to come up with a list of countries that don't collect basically
all data, and I'm coming up short. Do you have any suggestions?

------
gcommer
Looks very similar to [http://alibi.cs.umd.edu/](http://alibi.cs.umd.edu/) but
doesn't reference it and doesn't seem to have actually been published (?)

Also, maybe the title should mention this is from 2016.

~~~
chmaynard
See also:

[https://ransom.cs.princeton.edu/pdf/surveillance.pdf](https://ransom.cs.princeton.edu/pdf/surveillance.pdf)

[https://ransom.cs.princeton.edu/system.html](https://ransom.cs.princeton.edu/system.html)

~~~
mirimir
From the PDF:

> There has been research into circumvention systems, particularly for
> censorship circumvention, that is related this work, but not sufficient for
> surveillance circumvention. Tor is an anonymity system that uses three
> relays and layered encryption to allow users to communicate anonymously
> [19]. VPNGate is a public VPN relay system aimed at circumventing national
> firewalls [40]. Unfortunately, VPNGate does not allow a client to choose any
> available VPN, which makes surveillance avoidance harder.

That's _damn_ cursory.

------
jvehent
Maybe don't install random PAC files in your main browser profile, unless you
enjoy surrounding control over your web browsing to a third party.

Instead, install this in a separate profile.

~~~
voltagex_
Where's the PAC? People will often surrender control of their systems for less
(watching Netflix, accessing thepiratebay)

~~~
voltagex_
Found it -
[https://ransom.cs.princeton.edu/pacs/au_uk_pac.pac](https://ransom.cs.princeton.edu/pacs/au_uk_pac.pac),
substitute two letter country codes. Seems oddly specific. In that example,
only Yahoo, BBC and XHamster (nsfw) are re-routed.

------
voltagex_
[https://ransom.cs.princeton.edu/pacs/](https://ransom.cs.princeton.edu/pacs/)
\- seems a bit strange, there's only a few sets of options, each with only a
few sites.

------
devoply
NSA: et tu, Princeton?

~~~
schoen
I doubt NSA is _that_ mad at Princeton overall.

[https://en.wikipedia.org/wiki/Institute_for_Defense_Analyses...](https://en.wikipedia.org/wiki/Institute_for_Defense_Analyses#Center_for_Communications_and_Computing)

