
What ISPs can see - schoen
https://www.teamupturn.com/reports/2016/what-isps-can-see
======
mirimir
This is a decent article. However, it's a bit vague on the vulnerabilities of
VPN services. The major risk is probably traffic leakage after uplink
interruptions, or changing WiFi APs. Once the VPN connection has failed,
default routing must be restored in order for reconnection to occur. There
must be firewall rules to prevent other traffic from using the physical NIC
during reconnection. That is, you want the VPN to fail closed.

Another risk, which the article may vaguely allude to, is using ISP-associated
DNS servers. Even if all traffic uses the VPN tunnel, DNS requests reveal
sites being visited, and it's trivial for ISPs to correlate them with traffic.

IPv6 is a huge looming risk. Many VPN services don't route or block IPv6
traffic. As full IPv6 service becomes widespread, there will be major pwnage.
However, this is easy to firewall, and good custom VPN clients do so.

Edit: For suggestions about leak-testing, see [https://www.ivpn.net/privacy-guides/how-to-perform-a-vpn-lea...](https://www.ivpn.net/privacy-guides/how-to-perform-a-vpn-leak-test)

Edit: Changed "URLs" to "sites".

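The fail-closed setup described above (tunnel-only egress, a hole for the VPN handshake so reconnection works, DNS pinned to the tunnel resolver, IPv6 dropped) as an added POSIX sh example that is not from the comment or the article; the interface names eth0/tun0, the server 203.0.113.10 udp/1194 and the resolver 10.8.0.1 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate a fail-closed firewall ruleset
# for a VPN client. Only the tunnel and the VPN server's endpoint are reachable
# over the physical NIC, DNS may only go to the VPN's resolver, and IPv6 is
# dropped entirely. Interface names, addresses and port are placeholders.
PHY_IF="${PHY_IF:-eth0}"                   # physical NIC (Ethernet or WiFi)
TUN_IF="${TUN_IF:-tun0}"                   # VPN tunnel interface
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # VPN server, documentation address
VPN_PORT="${VPN_PORT:-1194}"               # VPN server UDP port
VPN_DNS="${VPN_DNS:-10.8.0.1}"             # resolver reachable only in the tunnel

# Print the rules one command per line so they can be reviewed before use.
gen_rules() {
  cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
# DNS to anything but the tunnel resolver is refused, on every interface
iptables -A OUTPUT -p udp --dport 53 ! -d $VPN_DNS -j REJECT
iptables -A OUTPUT -p tcp --dport 53 ! -d $VPN_DNS -j REJECT
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
# only the VPN handshake may leave via the physical NIC, so reconnects work
iptables -A OUTPUT -o $PHY_IF -p udp -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
# DHCP must still work to obtain a lease after changing WiFi APs
iptables -A OUTPUT -o $PHY_IF -p udp --sport 68 --dport 67 -j ACCEPT
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $PHY_IF -p udp --sport 67 --dport 68 -j ACCEPT
# no IPv6 at all until the VPN is known to carry it (then allow -o $TUN_IF)
ip6tables -F OUTPUT
ip6tables -P OUTPUT DROP
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -F INPUT
ip6tables -P INPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
EOF
}
# Sanity check: how many rules let packets leave via the physical NIC?
# Only the VPN handshake and DHCP should, so the expected answer is 2.
count_phy_accepts() {
  gen_rules | grep -c -- "-o $PHY_IF .* -j ACCEPT"
}
# With --apply the rules are executed (needs root); otherwise just printed.
if [ "${1:-}" = "--apply" ]; then
  gen_rules | sh -e
else
  gen_rules
fi
```

The rules are ordered so the DNS rejects precede the tunnel accept; swapping them would let a resolver outside the VPN's network be reached through the tunnel.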
~~~
nickspacek
Not to nitpick but DNS requests only reveal hosts being visited, not URLs.
Non-HTTPS requests reveal the URL to the ISP.

~~~
mirimir
Right, thanks for the clarification.

------
pmoriarty
One significant point that this analysis misses is that even when traffic is
encrypted, it can be recorded and later decrypted by the ISP or those they
give/sell/leak the recordings to if the encryption is ever compromised (which
seems to happen on a pretty regular basis with SSL these days).

Never let yourself get lulled in to a false sense of security just because the
information you wish to keep private has been encrypted.

~~~
bendykstra
TLS connections that implement forward secrecy are not vulnerable to this type
of attack. According to SSL Labs, about half of all sites now support forward
secrecy.

[https://www.trustworthyinternet.org/ssl-pulse/](https://www.trustworthyinternet.org/ssl-pulse/)

~~~
traff
It's possible to decrypt the exact URL you're browsing for a large majority of
websites with very high probability, even with forward secrecy. There is an
undergraduate project that does this for wikipedia pages (it's easy because of
all the unique resources loaded for each page). Search for papers on https
traffic analysis, for example:

[http://arxiv.org/abs/1403.0297](http://arxiv.org/abs/1403.0297)

------
droopybuns
This is a weird article that lacks important context.

When are we going to get an article on "what google can see" from this team?

ISP snooping on network traffic really only happened after Google started
getting into the ISP business.

Monetizing your traffic (beyond transport) only became a thing after Google
Fiber fired a cannon ball across the broadside of carriers. Carriers responded
by offering ad networks around anonymized, aggregated data about customer
behavior. It drives the value of Google Adwards down. It doesn't make carriers
rich.

Maybe someday we'll need to worry about big-I innovation from carriers in this
domain, but I don't see it happening soon.

I'm all in on tearing it all down. But focusing only on the companies that
offer services that huge populations are willing to actually pay for is
extremely dishonest.

~~~
mirimir
> ISP snooping on network traffic really only happened after Google started
> getting into the ISP business.

ISPs have always snooped. Maybe just in limited circumstances, true. But the
key point is that _they can_, not how prevalent it is.

------
obfusc8
Always assume an ISP and any intermediate party can see traffic. I like the
way this post outlines in simple terms what traffic would look like to an
analyst. In terms of obfuscating oneself from an ISP, I would not recommend
any form of centralized traffic in the first place. As this post makes clear,
even if you're behind seven proxies there are ways to see a traffic's 'shape'
on the wire.

To combat this, you can use compartmented, disposable and anonymous 3G sim
cards for specific purposes. (One for dating sites, one for health records,
etc). Slap them in the microwave after a browsing session. (You can get these
for basically free in places like Thailand or India). Block all HTTP. Use
something like

    sudo ufw deny out to any port 80

Always assume your connection is tapped. Always assume there's somebody
MITM'ing your traffic. (To prove this, download executables several times over
time and diff the hashes. It's clear that MITM happens _all the time_).

Always use a hardware version of TOR. That way if a box is compromised, the
naked IP can't be disclosed. The same goes for VPNs, See WebRTC vulns.

Use public Wifi as much as possible (behind a VPN of course). Use your friends
phone for casual surfing. Minimize the reliance on one monolithic connection.
Use 4G, or even WiMax if they have it in your area.

Share your connection with your neighbor and split the bill if you are so
inclined...

~~~
crispyambulance
"always" [assuming the worst case scenario] is more than a little onerous for
the vast, vast majority of internet users. Isn't there a reasonable middle
ground?

Also, I don't follow how one "proves" a MITM attack by downloading the same
executable several times and getting different hashes?

~~~
obfusc8
> for the vast, vast majority of internet users.

Well, unless this is baked in, which it is not. It's the old privacy rich vs
privacy poor debate. If I buy black curtains, I cast less of a (nude)
silhouette than my neighbor for all to see, but the tradeoff is, I have to
research black curtains on the internet, where there is no privacy, and so I
have no choice but to build my own private Internet.

If the internet was private, no such measures need to be taken and I have
perfect autonomy. Autonomy being a luxury since the digital space has
effectively perfect memory.

This is why I'm against logs and data retention. It's very un-natural and it's
why the human brain habitually flushes memories. Nature needs to renew itself
and re-invent itself, and in some sense, forget itself (if you believe in a
Gaia mind).

------
pippy
Google could easily take the initiative on the DNS query front and implement
DNSCrypt by default in Chrome. It would boost client privacy and also block
ISPs from selling usage data. So it would be a win-win for Google.

~~~
eikenberry
How would this help if they are using the ISP's DNS servers as most people do
by default?

~~~
mirimir
Nobody paying attention uses their ISP's DNS servers. See
[https://www.wikileaks.org/wiki/Alternative_DNS](https://www.wikileaks.org/wiki/Alternative_DNS)

Also, good VPN services run their own DNS servers, which are reachable only
through the VPN tunnel.

See [https://dnsleaktest.com/](https://dnsleaktest.com/) to determine which
DNS server(s) you're using.

~~~
46Bit
> Nobody paying attention uses their ISP's DNS servers.

Very few people, as a proportion of the population, are paying attention.

~~~
mikeash
I must not be paying attention. Is there a quick summary of why I shouldn't
use my ISP's DNS servers?

~~~
mirimir
That's mostly an issue for those using VPN services. I should have made that
clear.

Otherwise, it's mostly about how mistyped URLs get handled. Some DNS servers
point mistyped URLs to neutral "did you mean?" pages. But others redirect to
sites that pay for the service. Even worse, there's the possibility of
outright MitM attacks.

And then there's censorship. Hit
[https://thepiratebay.se/](https://thepiratebay.se/) and see what you get. And
that's just a torrent search site. To reach some sites, it takes some work to
find a DNS server that will give you the IP address.

~~~
mikeash
Oh yes, I see how for VPNs it would be a bad idea to use your ISP's DNS.

I get a database error visiting thepiratebay.se. I can't tell if that means my
ISP is doing something naughty, or if it means they're not!

~~~
mirimir
It probably means that you're using Google DNS ;)

------
sysret
The fastest DNS lookups are ones that do not need to traverse the network.

A zone file of public DNS information can be served by a daemon bound to the
loopback on the user's device, obviating the need for many (but not all)
lookups sent over the network.

These local lookups are also more private than ones sent out over the private
LAN or public internet.

Same goes for any type of data. It's not limited to DNS information.

If a user downloads publicly available data dumps from Wikipedia, and then
serves them from a local database and httpd, the response time will be faster
and the requested URLs more private than accessing the same content over the
public internet. Not to mention the small benefits of reliability and reduced
dependence on the network.

I know a user who does this and has automated the process of setting it up.

To use the examples in the article, the idea is that a user can periodically
download bulk data, e.g., information on medical conditions, in an open
format, load it into her database of choice and query to her heart's content,
without any ISP or website knowing what she has queried.

Same with daily newspaper content, and even a catalog of toys. "Browsing"
through the data remains private.

The alternative is to have this data served from third party computers and
have the user send each and every request for each small item of information
over an untrustworthy, public network (the Internet).

Despite ample, inexpensive local storage space for users to store data of any
kind themselves, let us break up the data into little bits and make users
request each and every bit individually. (Not only that, let's make them
register for the ability to make numerous queries.) Then we can record all
user requests for every item of data.

Metadata. Sell. Profit.

------
Matt3o12_
It should also be mentioned that VPNs, even if correctly used (e.g. no
DNS/IPv6/WebRTC leaks), simply shift the trust to another provider. Now,
your ISP is not able to see your traffic, but your VPN provider is potentially
able to (even if you self-host it on AWS or Digital Ocean, because they still
have full access to the box), and so is their ISP. If you trust them more, use
them, but if you don't, I see little reason to utilize a VPN unless you want to
unblock geo-blocked services.

The only advantage is that your VPN provider (or their ISP) might have little
reason to spy on your traffic instead of your regular VPN.

~~~
mirimir
> The only advantage is that your VPN provider (or their ISP) might have
> little reason to spy on your traffic ...

Yes, that's the point. You want to pick VPN providers that can't readily be
forced to spy. See
[https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAe...](https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAeQjuQPU4BVzbOigT0xebxTOw)

------
q1t
So how do you protect from such things? I mean, is there a way to analyze all
your outgoing traffic (from a specific machine, for example) and route every
connection (like DNS and similar stuff) through a desired endpoint?

~~~
bluedino
You can use a VPN or ssh tunnel and send DNS queries through that tunnel or
proxy - however, that just adds another layer for anyone who wants the
information to go through.

~~~
dreamfactory2
Do VPN providers know any less than an ISP?

~~~
mindslight
No, but they're (statistically) less interested, know less about you, and
furthermore you're less beholden to them. Chaining VPNs multiplies the effect,
with the end result looking a lot like TOR.

Centralization is bad precisely because it concentrates the information, adds
context to it (what you're doing relative to others), and amortizes the cost
of building surveillance infrastructure and developing the business
relationships for exploiting it.

~~~
dreamfactory2
So I guess VPNs centralise the traffic of people who care about spoofing
geography and/or keeping their traffic private from their ISP.

~~~
mindslight
Yeah, VPNs are certainly not a panacea.

Although last mile wireline providers have surveillance in their genes, having
descended from state surveillance organs (eg Ma Bell). They already make good
money servicing warrant requests for IP address records, and preemptively
keeping a record of customers' communications partners would be extremely
cheap. And such "network intelligence" ties right in to fighting against the
commodification otherwise driving profit margins on transporting bits to zero.

I'd bet on the infrastructure-less provider that starts off only knowing my
rough geographical location and what type of gift card I paid with, and that I
can drop any time.

~~~
mirimir
US gift cards no longer work for non-US purchases. Bitcoins are currently the
best option. At least for anything past the first VPN in a chain.

------
newman314
I guess this is a good time as any to ask what people on HN use for a VPN
provider.

I'll create a Ask HN post if there is interest...

~~~
tomclancy
Someone on Reddit created a thorough breakdown of VPN providers:
[https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAe...](https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAeQjuQPU4BVzbOigT0xebxTOw/edit?usp=sharing)

~~~
darpa_escapee
See the thread, this list isn't thoroughly accurate at all.

------
snug
SNI header being sent from the client can probably show even better patterns
from the user.

~~~
userbinator
I've always wondered why that's sent in the clear --- the usual justification
is that the hostname needs to be known before the right certificate can be
used, but that can be gotten around by using a certificate named with the IP
address of the server, establishing encryption, and then sending the hostname
to get that certificate.

