
Ask HN: What are good ways to hide metadata from your ISP? - jacobwilliamroy
Even with HTTPS, my ISP can still:

A) see the domain names of sites to which I connect

B) the time at which a connection was made

C) the volume of data moving over a connection

So even if I use a VPN, my ISP can still see that I connected to https://vpn.com around the same time https://vpn.com connected to https://embarrasingNSFWsite.ru. They can also see that the data from https://embarassingNSFWsite.ru is pretty similar in size to the data I received from my vpn.

So, are there any tools or techniques that can eliminate these inferences, or at least reduce their accuracy?
======
matthewmacleod
_So even if I use a VPN, my ISP can still see that I connected
to [https://vpn.com](https://vpn.com) around the same time
[https://vpn.com](https://vpn.com) connected to
[https://embarrasingNSFWsite.ru](https://embarrasingNSFWsite.ru)._

Your ISP is very unlikely to have access to any traffic logging from your VPN
endpoint, unless you are using the same ISP for both.

My solution to this has been to spin up a VPN server on Digital Ocean and just
route all traffic through that. Bonus: native IPv6 over the VPN.

~~~
folli
What's the easiest way to set up a VPN on DO? Is there an image available?

~~~
tyoma
You can use Algo [1]. It packages everything you need to create a VPN on DO
droplets and many other cloud platforms.

[1] [https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
throwanem
OpenVPN is a "risky server"? I'd like to see a cite for that.

------
iDemonix
That isn't how VPNs work. Your ISP can see that you connected or browsed to
your VPN provider, but once you establish a connection, your ISP can not see
traffic that moves over the VPN. Of course they can monitor the size of your
bandwidth, but they can't see where you connect or similar - that is the point
of a VPN.

The logging you have to worry about is the VPN endpoint, hopefully your VPN
provider does not keep logs of your activity.

------
fosco
The EFF has a nice brief description [0] on what can be observed and by whom.
Keep in mind that I believe the meta data of the timestamp of a request and
when a server received it was used to put someone in jail -- I am having
difficulty finding the article at the moment.

The EFF also has an article on fingerprinting [1] which I believe makes using
a VPN moot. If you want anonymity I believe the use of tools like Qubes and
Whonix would be a good place to start.

[0] [https://www.eff.org/pages/tor-and-https](https://www.eff.org/pages/tor-and-https)

[1] [https://panopticlick.eff.org/](https://panopticlick.eff.org/)

------
falcolas
A VPN is the easiest, TOR the next easiest (though with both you have to be
careful of revealing yourself accidentally). The only method I haven't seen
discussed so far is to create a haystack in which to hide:

- Create a program to crawl and store every link provided by some link
aggregator (such as HN or Reddit, or both). wget's mirroring and link
rewriting is remarkably good at this.

- Create a secondary program to do Google searches on a set of arbitrary
phrases (I'm thinking "go through Wikipedia & pick random phrases") and locally
store those results as well. You could (carefully) include phrases you're
actually interested in.

- Browse the stored data with your internet disconnected.

Of course, this limits your browsing breadth significantly, creates a delay
between knowing what you want to view and being able to securely view it, and
will frequently eliminate Javascript App style websites; but it's the one way
I know which will make snooping on what you are actually viewing much harder.

------
evgen
You are mistaken about the risks of using a VPN. Your ISP is never going to
see that a connection was made from VPN endpoint X and embarassing_site.com. A
VPN, preferably one that does no logging, is the solution you are looking for.

~~~
filleokus
Well... I think OP is mistaken also. But if the ISP of your VPN provider (at
the endpoint) and your ISP (at home / where you connect to the VPN) are the
same, I guess that the ISP theoretically could match metadata as OP suggests?

~~~
jmnicolas
Usually you choose a VPN in another country than yours.

~~~
icebraining
That's no guarantee. Just from the top of my head: Vodafone exists in many
countries. Deutsche Telekom owns T-Mobile (which itself exists in multiple
countries) and a few others.

Also, they may be the ISP of the site, in which case they can see your
connection to the VPN and a connection _from_ the same VPN.

------
dreamcompiler
What you're describing is not a vpn. A real vpn establishes an encrypted
tunnel that obscures all IP metadata except the connection to the vpn provider
itself.

You may be describing a reverse proxy, which is not the same thing as a vpn
but if it's set up properly it still should mask the metadata of what _it_
connects to.

~~~
isseu
I think he is talking in case the VPN ISP is the same as yours

------
djhworld
I'm wondering what % of an ISP's traffic is going over VPNs.

If it's a very tiny percentage, wouldn't your average VPN user stick out like
a sore thumb? I mean if say, authorities were monitoring what was going on,
surely a VPN is a strong signal for "extra scrutiny"?

~~~
richem
As a % sure, it's going to be small, but I use VPNs all the time to connect to
corporate networks and I know I'm not the only one who does so when working
from home. So while it may be a % of total traffic, it doesn't mean there is
anything nefarious going on with it.

------
Ttlequals0
Shameless plug but it will allow you to create on demand OpenVPN Endpoints on
AWS. However you will be shifting trust to AWS.
[https://github.com/ttlequals0/autovpn](https://github.com/ttlequals0/autovpn)

------
jmnicolas
If you really need to be stealthy, connect to a public wifi network and do
your browsing from there.

If you're really paranoid, buy a dedicated laptop (with cash, preferably in
another town and leave your cellphone at home).

~~~
falcolas
Bonus points for using some form of "cantenna" to extend your laptop's wifi
range so you don't have to be physically close to the actual wifi access
point. Also, use a random algorithm for determining where to connect to wifi
from - people are bad at creating random patterns and can actually identify
their location by the "hole" in a ring of used locations (see: serial
killers).

It's worth remembering; 87% of people can be uniquely identified with a zip
code, gender, and their birthdate.

Operational security - remaining consistently anonymous - is _hard_.

~~~
brad0
Do you have a paper or article showing the unique identification stats?

~~~
falcolas
Here's when it hit HN:

[https://news.ycombinator.com/item?id=2942967](https://news.ycombinator.com/item?id=2942967)

There are a number of good hits on google on the search "uniquely identify
person zip code birthdate"

------
reacweb
Configure your box as an onion output node. Your own traffic will be masked by
the traffic of all others. This may not be very safe legally. Can we have
privacy and legal safety at the same time?

------
nlightcho
I would say Tor but rumor is the US gov has ways to break it.

~~~
doktrin
I don't think that's some big secret or rumor. Tor has vulnerabilities, namely
that it can effectively be de-anonymized by controlling n or n% exit nodes.

------
ksherlock
tor (and run a tor relay to increase the volume of data). Or pilfer your
neighbor's wifi.

~~~
jacquesm
In some places that's a crime.

[https://en.wikipedia.org/wiki/Legality_of_piggybacking](https://en.wikipedia.org/wiki/Legality_of_piggybacking)

~~~
mulletbum
Reading the USA section of that article is saddening. It just sounds like
Police trying to bully the citizens they are protecting. What kind of
community police goes around trying to find laws to charge people with when no
one is complaining.

------
jvarg
You also get a shared IP address on most VPN services.

------
unstatusthequo
Look into DNSCrypt

------
duxet
DNSSEC - your ISP will still have IP addresses, but won't know exact domain
names

~~~
dannypgh
That's not what DNSSEC is. DNSSEC is about signing the data in DNS, not
encrypting it in transit. The same metadata analysis is possible.

~~~
icebraining
Also, if they can see your DNS, chances are they can see the TLS handshake, so
SNI would leak the domain anyway. But a VPN should encrypt both.

