Indian ISPs: We already give govt full access to web traffic (entrackr.com)
302 points by instagraham 83 days ago | 107 comments

People really underestimate the full scale of this, especially today with so many sites using Cloudflare without a strict SSL reverse proxy connection. Cloudflare endpoints in India are INSIDE ISP networks [1], which means the ISP (and therefore by extension the government) sees EVERYTHING going out of Cloudflare servers over HTTP in plaintext. Worse, the ISP will also modify that content, so you get the "This site has been blocked in India under directions from [...]" over HTTPS, because that's what Cloudflare saw when it did its (insecure) HTTP request.

1. https://github.com/captn3m0/hello-cloudflare

If I'm understanding you correctly, you are saying that the origin servers only listen on HTTP and that is where the ISP intercepts. Is it not common practice for the origin servers to also be using HTTPS? Afaik there's no simple way for the end user to know this though.

People who run the origin servers often use a CDN to do TLS termination because they are too incompetent to do it themselves. Not having to enable TLS is a major value-add for certain types and you'll see this advertised prominently by every CDN

There is another value add - being able to use self-signed certs and therefore not have to worry about renewals. Last I checked (~12 months ago), there still isn't a good story for doing automated SSL renewals if your application is completely containerized.

Terminating TLS for an HTTP app running on localhost is trivial. Something like this:

printf 'example.com\nreverse_proxy localhost:8000\n' > Caddyfile; docker run --net host -v "$PWD/Caddyfile:/etc/caddy/Caddyfile" -v caddy_data:/data caddy

It's slightly more complicated if you need redundancy, but not by much.

It’s unethical of CloudFlare et al to offer such a feature.

Why are we even blaming Cloudflare? Aren't web developers the ones who haven't enabled strict SSL? Cloudflare should recommend the user use strict SSL, but calling it unethical is quite a bit of a stretch... Sometimes it is useful, like hosting a Node.js app or Docker container app without using a reverse proxy like Nginx.

Do you honestly believe the US government doesn't have the same access to cloudflare data within the states?

> the US government doesn't have the same access to cloudflare data within the states?

Yes. There is almost certainly access. But it’s partial and adversarial, not automatic as in India.

PRISM [1] didn't end when the media stopped reporting on it. If anything it's likely only become more emboldened given people's tepid response. This [2] is one of my favorite documents that was leaked. It's a user manual, "User's Guide For PRISM Skype Collection", for NSA agents spying on Skype "peer to peer" connections in real time.

It even includes a helpful FAQ like agents wondering why they might receive copies of the same message multiple times. What happens there is when somebody they're spying on logs in via another device, their resync process involves everything being sent right on over directly, automatically, and in real time to the NSA again. They can even spy on video/audio in real time, with some promises to agents frustrated about audio falling out of sync with video - that they were working on a technical solution.

The companies at the time participating in PRISM were Apple, Google, Microsoft, Facebook, and others. That's undoubtedly been long since expanded.

[1] - https://en.wikipedia.org/wiki/PRISM

[2] - https://www.aclu.org/sites/default/files/field_document/Guid...

PRISM is a good example of the difference between America and India. One, there's vocal and empowered opposition, opposition granted relief by the courts from time to time. Two, there was opposition–MUSCULAR involved hacking Google and Yahoo's clouds. Three, there is a warrant process. It's broken. It needs reform. But it exists.

What empowered opposition or successes? Many seem to have confused the highly publicized 'telephone metadata collection is unconstitutional' ruling with PRISM. That was related to other domestic spying bills - section 215 of the Patriot Act and its subsequent renewal under another spying act, the "USA Freedom Act." These cases/acts had nothing to do with PRISM.

Numerous cases have been filed against the NSA in regards to PRISM, with nothing even remotely close to success. They are invariably thrown out because the NSA acting illegally or unconstitutionally can only be challenged by somebody with standing. You only have standing if you can prove you have been surveilled and affected because of such. Nobody can prove standing, so it's impossible to legally challenge a likely illegal program. Great system we have.

A reminder that whatever else we might want to say about the comparative safeguards of the US and Indian "lawful intercept" systems, access to Indian servers for the US IC is fully automatic. You can't improve your resilience against the NSA by offshoring your data; offshore is where the NSA's authority is at its zenith.

Nowhere in the parent's comment did they mention the US. What's the point of your comment?

It's like if we were discussing a serial killer and you were like "don't you think other people have killed?"

The second reply to this post and someone is already redirecting the conversation to a country not mentioned in the story. Are you upset because you think India is being singled out? Nowhere in the article or the comment does it imply that.

On HN there are a massive amount of discussion about US government spying already, it's not something that people aren't aware of.

The parent comment is valid. The GP comment specifically highlighted the Indian networks as different, so that factoid being challenged (in efficacy rather than implementation) is a pretty valid stance.

Do you see a green lock with message saying "your access is restricted" in the US?

Do you see any TLS connection resets based on SNI? If not, most (all?) Indian ISPs already visibly do far more than the average American ISP.

Does cloudflare mention this anywhere?

pfft it's India. People with access to sensitive data get paid peanuts. So you too can see "everything" by giving the right person a bag of nice mangoes.

The real canary in the coalmine was actually a movie from 1999 called "Enemy of the State."

The plot for the movie was actually based on an account from an NSA employee who tipped one of the producers or director (I forget which) of the mass surveillance the agency was involved in.

To me this movie is iconic just because it predicted events so vividly almost a quarter of a century ago.

I remember watching Enemy of the State in theaters with my dad. I remember thinking it was a cool movie, but sort of unrealistic and over-the-top, like James Bond.

Now I think it's unrealistic because Will Smith and Gene Hackman survived the first 25 minutes of the film.


If you like "Enemy of the State," you absolutely must watch "The Conversation"[1] if you haven't already. You may decide, as many have before you, that it exists in the same universe as "Enemy of the State," and that Gene Hackman's character in "Enemy of the State" is an older, even more cynical Harry Caul from "The Conversation."

[1]: https://en.wikipedia.org/wiki/The_Conversation

Even before that, Sneakers "predicted" the NSA spying on its own citizens. I use quotes because it happens too often to be happenstance IMHO.

Predicted or inspired... Imagine a young, going-to-be-politician kind of person who watched it and thought "Hmm, this is not a bad idea at all!" and then climbed the political ladder lobbying for these kinds of measures.

Yes they do, mainly because it’s the law.

That it's a misguided law is open for debate, but I don't believe there is any state in the world that doesn't monitor and control telecommunications (internet is regulated as telecommunications WW).

The level of surprise does seem overblown. This bit stuck out to me:

> ... access to this data is so accessible remotely that physically visiting an internet provider’s premises is no longer required for government agencies.

They were expecting government agents to have to physically visit the ISP's offices? Were they perhaps going to get their data on a floppy disk?

The model where law enforcement officers have to visit ISP facilities reduces the duration and scope of surveillance. Throw in a process where you need to get court approval into the mix, and this provides some level of oversight into the surveillance machinery. (Though abuses are certainly possible with this model, see [1]).

[1] https://www.eff.org/deeplinks/2021/05/foriegn-intelligence-s...

Just because data can be made accessible remotely doesn’t mean it should be.

Airgapped systems are also still a thing.

On-site access would also make it harder to abuse the data at scale.

I’m not surprised that the data is accessed remotely. But I can also understand scenarios where it makes sense to require physical access, and not because of long gone floppy disk drives or other ancient hardware.

Data diodes are also a thing (physical one-way traffic), but that so many are unaware of it is mind-blowing.


On the other hand, if your purpose is automated analysis of data, you will probably create an automated update of the records - a direct connection.

They weren't asking for floppy disks, they were sending their people to connect directly to infrastructure.

One of examples: https://en.wikipedia.org/wiki/Room_641A

Ah ok that does make a bit more sense.

Yet there was a time, not long ago, when many countries had written in their constitutions, among the fundamental rights of their citizens, the rights of secrecy for both their written correspondence and their telephone conversations.

Such rights were included even in the constitutions of many communist countries, despite the fact that there it was a routine activity for the secret police to open all suspect private correspondence and listen to many telephone calls. Nonetheless, they had to be careful to not get caught, because the official version was that their activities were illegal and even anti-constitutional.

Unfortunately, now almost everywhere such rights have been weakened or completely eliminated, without any good justification and without the opposition that such changes deserved.

> Unfortunately, now almost everywhere such rights have been weakened or completely eliminated, without any good justification and without the opposition that such changes deserved.

What do you mean "without any good justification"? It is for your own good to protect you from terrorists (the bad ones specifically), hate speech (anything which is against the official narrative) and child porn. /s

Why would change deserve opposition when it is for your own good and the change is for the better [1]? /s

[1] See Monty Python's Life of Brian - Ex-leper scene.

I’ve wondered about this for a while now with all the social media banning. The FCC requires one to have a license to broadcast over the airwaves and from what I understand these regulations stem from a limited number of frequencies. But I wonder if the FCC would have been created if that physical constraint did not exist. Was the FCC more about the constrained physics or controlled information?

Constrained physics.

The FCC doesn't regulate content on cable TV. Technologically, there's no reason cable radio couldn't have existed.

But I was talking about airwaves, and they do regulate what's on those. It's not just physics.


I have no idea what you're trying to say. Yes it's not "just physics" that causes the FCC to regulate the content of broadcasts on radio and TV airwaves. I thought that was obvious.

Even if the FCC chose not to regulate broadcast programming, they or some other body, would still need to enforce rights to frequencies. That's their raison d'etre. Content policing is an added function, which the law has found valid in the past precisely because frequencies are limited. I can't see such public interest legal opinions being newly formed today.

It is the details of the law that count here.

"Rights of investigation" and "capillary monitoring" are poles.

An important point is whether legislation exists which allows such "monitoring".


I would also like to add, one of the latest news was about malicious access of administrative data in Australia - which surely has in general more funds to invest in security than others. I would be concerned about personal data being copied in more repositories (multiplying chances of malicious access).

Isn't that why countries passed non-specific laws? E.g. in the UK we have the Snoopers' Charter: https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016, I believe in the US the Patriot Act did something similar.

That's an important thing to note, so you can recognize it where you live i.e. under what obscure interpretation, of what strangely written law, passed under what conditions, enabled unlimited network surveillance in the countries that have it? Who in your country supports similar legislation?

>An important point is whether legislation exists which allows such "monitoring".

One thing that people from the "global north" need to remember is that in most of the world, laws are just loose guidelines.

It is the same in the "global north". See Assange Swedish cases.

Ok so how is it different from what the USA does?

Probably not at all. Still worth reporting and talking about. It's not okay if the US or India or any other country does it. I'm not happy that most comments here are so resigned, "well, yeah, everybody does it".

India is neither a 'Nation of creed' like the US nor a National-Security state like Russia or Pakistan. It is a nation of insurgencies though, so look elsewhere if privacy is too holy to you, because it ain't going to be India's forte.

Worth talking about because there are still people who argue that TLS and HTTPS are a hassle that is not needed.

You do realize that they are talking about "https" and "tls" traffic, do you? The only use I see for those protocols is to identify you.

It's probably not as bad as what the USA is doing today...

As many have mentioned, this is probably very common in every country.

But there is always the next target(s) to go after, to keep in check, in a pop culture sense. So one way is to see this (article and this HN post) as a hit piece.

Many, if not most, nations have similar provisions to this. I think it's wrong and just over the top. However, encrypting everything and using multi-hop routing wherever possible will at least add noise to this sort of dragnet surveillance. Personally, I've taken steps to obfuscate my traffic since similar legislation was introduced in the UK.

Snowden released his trove back in 2013. At that point it became obvious that anyone with power to surveil would use it.

I suppose the news here is that the response was so relaxed that governments started doing it publicly and explaining the tech.

It was obvious before Snowden.

This started in the 60s! I remember hearing about it in the mid 90s on random internet forums.

Could you possibly share the tools you use to obfuscate your traffic?

I did start with Yacy. First I would build something that searches a list on Google or so and then just follow links forever. Finally I just found Yacy, a P2P search. I did run it for a couple of years.


I would guess Tor, I2P, Freenet, GNUNet.

But also configuring or avoiding certain other software: https://spyware.neocities.org/articles/index.html

It is most often old people screaming at the cloud/internet. I hope the next generation is more aware of the severely negative foundations the current generation gifts to us in their cynicism shortly before their end of life.

But seriously, to me this is a sign that a state is never the friend of its people. There are no sensible security arguments without also looking at the dangers of dragnet surveillance. The US isn't different, the EU isn't different.

But how... I mean presumably they don't install a root cert on every client device?

They can intercept the unencrypted section of encrypted connections, such as TLS ServerName, and the source and destination of every IP datagram which already provides a lot of information to profile individual citizens.

QUIC moves to a model where everything except the Connection ID is encrypted[1], but it is also apparently being blocked in India[2]. The mandated transition to IPv6 in India[3] would also take away the need to track 5-tuples to identify individual customers, easing the scaling of monitoring.

[1] https://datatracker.ietf.org/doc/html/rfc8999

[2] https://github.com/kelmenhorst/quic-censorship/issues/2

[3] https://dot.gov.in/ipv6-transition
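An added example (not code from any commenter in this thread) of what the two comments above describe: the plaintext an on-path observer such as an ISP reads without any key material. For the Cloudflare-to-origin leg it is the whole HTTP request, Host header and path included; for a TLS connection it is the ClientHello, whose server_name (SNI) extension names the site and is the same field that SNI-based resets key on. Both the HTTP request and the ClientHello bytes are constructed here, not captured; the parser walks the real TLS record/handshake/extension layout and handles a ClientHello with no SNI at all.

```python
"""Added example, not code from any commenter in this thread: what an on-path
observer (ISP, DPI box) reads off two kinds of traffic discussed above without
any key material. The HTTP request and the TLS ClientHello below are constructed
samples; no real capture is used."""
import struct
from typing import Optional, Tuple


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS handshake record carrying a ClientHello.
    With hostname=None the server_name extension is omitted (as with an
    IP-literal connection), which is the edge case parse_sni() must handle."""
    sv_body = b"\x02\x03\x04"                       # supported_versions: TLS 1.3
    extensions = _u16(0x002B) + _u16(len(sv_body)) + sv_body
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + _u16(len(name)) + name    # name_type host_name
        sni_list = _u16(len(entry)) + entry
        extensions = _u16(0x0000) + _u16(len(sni_list)) + sni_list + extensions
    body = (
        b"\x03\x03"                # legacy_version
        + b"\x00" * 32             # random (zeros in this sample)
        + b"\x00"                  # session_id: empty
        + _u16(2) + b"\x13\x01"    # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"              # compression_methods: null only
        + _u16(len(extensions)) + extensions
    )
    handshake = b"\x01" + _u24(len(body)) + body               # client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # handshake record


def parse_sni(record: bytes) -> Optional[str]:
    """Return the server_name a ClientHello advertises in the clear, or None
    if the extension is absent. Raises ValueError for non-ClientHello input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                        # skip version and random
    off += 1 + p[off]                                   # session_id
    off += 2 + struct.unpack("!H", p[off:off + 2])[0]   # cipher_suites
    off += 1 + p[off]                                   # compression_methods
    if off + 2 > len(p):
        return None                                     # no extensions block
    end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", p[off:off + 4])
        data = p[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != 0x0000:
            continue
        q = 2                                           # skip ServerNameList length
        while q + 3 <= len(data):
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            if ntype == 0:
                return data[q + 3:q + 3 + nlen].decode("ascii")
            q += 3 + nlen
    return None


def http_request_head(request: bytes) -> Tuple[str, str, Optional[str]]:
    """Parse the head of a plaintext HTTP/1.x request into (method, path, host).
    On an unencrypted CDN-to-origin leg this, and the whole body, is visible."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii")
            break
    return method.decode("ascii"), path.decode("ascii"), host
```

Feeding parse_sni() a ClientHello for "example.com" returns that name; an ISP that wants to reset connections by site needs nothing more than this field, which is why encrypted ClientHello and QUIC's encrypted headers matter to the discussion above.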

The blocking being observed might be one off issues. I can use QUIC just fine on Reliance Jio's network.

This page [1] shows I am using HTTP/3 which unless I am mistaken requires QUIC to work.

[1] https://cloudflare-quic.com

How would ipv6 "take away the need to track 5-tuples" and what does that even mean? That sentence doesn't make sense

NATing IPv4 traffic requires maintaining a 5-tuple of connection state[1], which means the ISP must log these 5-tuples to be able to track citizens individually. Further, if there's another layer of NAT (such as a free WiFi service in an airport or a WiFi router in a citizen's home), cooperation is needed at that NAT layer too.

IPv6 obviates the need to maintain these 5-tuples since it has a larger IP address space. Each citizen can then be assigned an unique IP address which makes it easier to distinguish traffic without the cooperation of each NATing layer.

[1] https://support.huawei.com/enterprise/en/doc/EDOC1100055044/...
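An added example (not code from any commenter in this thread) of the attribution step the comment above describes. Behind CGNAT, the public address and port seen by a remote server are shared and reused, so mapping a connection back to a subscriber needs the NAT translation log and a timestamp; with a delegated IPv6 prefix per subscriber the source address alone suffices. The CGNAT log lines, the log format and the prefix table are constructed for illustration and do not follow any vendor's real format.

```python
"""Added example, not part of the thread: attributing an observed connection to
a subscriber behind CGNAT (IPv4) versus behind a per-subscriber IPv6 prefix.
The CGNAT translation log and the prefix table are constructed samples; the log
format is invented for illustration, not any vendor's real format."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed CGNAT translation log. NAT-ALLOC opens a mapping, NAT-FREE closes it.
# Note that public port 40001 is reused by a different subscriber one second later.
CGNAT_LOG = """\
2023-01-05T10:00:01Z NAT-ALLOC proto=tcp in=100.64.12.7:51234 out=203.0.113.9:40001
2023-01-05T10:00:03Z NAT-ALLOC proto=tcp in=100.64.30.2:51234 out=203.0.113.9:40002
2023-01-05T10:00:09Z NAT-FREE proto=tcp in=100.64.12.7:51234 out=203.0.113.9:40001
2023-01-05T10:00:10Z NAT-ALLOC proto=tcp in=100.64.44.1:49000 out=203.0.113.9:40001
"""

# Constructed table of IPv6 prefixes delegated to subscribers.
IPV6_DELEGATIONS = {
    "2001:db8:0:1200::/56": "subscriber-A",
    "2001:db8:0:1300::/56": "subscriber-B",
}


@dataclass
class Mapping:
    start: datetime
    end: Optional[datetime]    # None while the mapping is still open
    proto: str
    inside: str                # subscriber-side address:port
    outside: str               # public address:port seen by the remote server


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_cgnat_log(text: str) -> List[Mapping]:
    """Pair NAT-ALLOC / NAT-FREE lines into mappings with a validity window."""
    open_by_key: Dict[tuple, Mapping] = {}
    closed: List[Mapping] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *kv = line.split()
        f = dict(item.split("=", 1) for item in kv)
        key = (f["proto"], f["in"], f["out"])
        if event == "NAT-ALLOC":
            open_by_key[key] = Mapping(parse_ts(ts), None, f["proto"], f["in"], f["out"])
        elif event == "NAT-FREE" and key in open_by_key:
            m = open_by_key.pop(key)
            m.end = parse_ts(ts)
            closed.append(m)
    return closed + list(open_by_key.values())


def attribute_ipv4(mappings: List[Mapping], public_ip: str, public_port: int,
                   proto: str, when: datetime) -> List[str]:
    """Subscriber addresses that held public_ip:public_port for proto at `when`.
    Because ports are reused, the timestamp is essential; the same outside tuple
    maps to different subscribers at different times. More than one result
    means the NAT log alone cannot resolve the ambiguity."""
    outside = f"{public_ip}:{public_port}"
    hits = []
    for m in mappings:
        if m.proto != proto or m.outside != outside:
            continue
        if m.start <= when and (m.end is None or when < m.end):
            hits.append(m.inside.rsplit(":", 1)[0])
    return hits


def attribute_ipv6(addr: str) -> Optional[str]:
    """With a delegated prefix per subscriber, the source address alone identifies
    the subscriber by longest-prefix match; no flow log or timestamp is needed.
    Temporary privacy addresses change the host bits but not the prefix."""
    a = ip_address(addr)
    best = None
    for prefix, who in IPV6_DELEGATIONS.items():
        net = ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, who)
    return best[1] if best else None
```

Asking who held 203.0.113.9:40001 at 10:00:05 and at 10:00:12 gives two different subscribers, and asking at 10:00:09 gives none; the IPv6 lookup needs only the address. That is the scaling difference the comment above points at.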

Wouldn't people just continue using consumer-grade routers which operate their own nat anyway? Even with ipv6, the traffic generated by all hosts behind a single isp subscription would appear to originate from a single ipv6 host, no?

I highly doubt any consumer grade router is using NAT66. You shouldn't use NAT whatsoever with IPv6 and doing so is just asking for client's network functionality to break.

People who live in a developing country like India may use an internet connection with CGNAT even for residential connections.

> Each citizen can then be assigned an unique IP address

You don't understand how IPv6 works.

The feedback is fair enough given my phrasing. Of course, IPv6 can't give you a fixed IP address everywhere you go; because that's determined by network topology and IP assignment.

All I'm saying is that there's better segregation of the traffic from each IP resulting in easier analysis without the cooperation of NATing layers.

You would want to use NAT with ipv6 if you want to hide somewhat your traffic— say at university as one example.

Couldn’t reply to other comment

No you wouldn't. You would use temporary privacy addresses in your SLAAC prefix (this is the default for a few operating systems)

IPv6 prefix is enough for tracking

IPv6 prefix is assigned on a per router basis, you know, like how IPv4 and NAT already works.

Like the other commenter said, they have IP address information which they "can" correlate with, say, logs from Reddit and pinpoint which anonymous user posted something. Or where a particular email was sent from: they find the email, they can trace it back to the sender and, looking at logs, can find where and which device that was from.... IPv6 is very prevalent in India and you don't need WiFi AP level monitoring, as you can do it on a per-device basis.

The internet doesn't run on pre-shared keys. Asymmetric encryption is weak against wiretapping.

Otherwise there wouldn't be illegal dragnets (Room 641A, DITU, PRISM).

Curious how this works technically, does the Indian government have control over ca certs and every ISP uses them to MiTM it?

I'm confused, are they actually getting the plaintext content of HTTPS traffic, or are they just harvesting connection metadata? Not that bulk metadata collection isn't bad, but getting access to unencrypted data would be much worse.

This came as a surprise to me considering that when the Indian court orders a takedown of particular content on a particular site, ISPs still use DNS blocking instead of more granular blocking, which results in blanket site blockings of popular sites.

Most Indian ISPs employ Deep-packet Inspection to block websites

Not all of them have the capabilities of course

What is India turning into China lite?

Well if you look at the Snowden/Five Eyes/9 Eyes etc by that logic USA/Aus/France etc are already "turning" into China (except, of course that this has been going on forever and no one really paid too much attention to Snowden). Not blaming you as mainstream media also often paints Snowden negatively but something to be aware of.

Don't all ISPs do this? They can be stubborn and lose connection with the rest of the net.

Five days ago I wrote about the UK govt doing scans of all websites hosted in the UK for "security" reasons and I was downvoted for "Stop lying and not relevant, you clearly came here with an agenda"... I guess we really do have an agenda when the government has access to full internet web traffic and they can pick and choose their targets with impunity.


Looking at that, I'd suggest the downvotes are from being technically wrong (the “Scanning for vulnerabilities won't help you find critics. If you wanted to look for critics, you would scan for critics.” argument – there are better/easier ways to achieve what you are talking about a government trying to achieve so why would they go to that effort?). Maybe some considered the comment concerning India on a thread about the UK was pulling things off-topic, though as not all voters replied with clarifying comments we'll never know.

The lying/agenda thing seems to just be one comment. Try not to assume that one angry reply represents a larger chunk of HN's readership. The Internet is full of bus-stop boxers, it is best to not let them wind you up overly.

oh no, not that.

> Try not to assume that one angry reply represents a larger chunk of HN's readership.

You get to have a thick skin when you are on an anonymous public platform. I accept that....

I live in a place where I have to actually assume malice on the part of the government because the government "is" hostile against me. Again, this isn't some tin-foil conspiracy, but as you might've guessed from my handle, it's yeah...

So that comment earlier and the current article about ISPs tracking users, this is primarily to catch critics and dissenters.

> So that comment earlier [was that] this is primarily to catch critics and dissenters.

I was suggesting that the downvotes there, complained about above, were people disagreeing with this possibility, on the basis that it would not offer a practical amount of extra information (considering the effort involved) over what is already being gleaned with other methods they are already using. Not generally how downvotes should be used IMO, but it happens.

And in some countries we are starting to see "Adopt electronic payment: simple and safe" - which implies, "create tracks" -, as generic anonymous advertisement... Even on the electronic billboards of motorways!!!

And US and UK and Australian and basically all countries at this point.

Use VPNs. Most are quite expensive by Indian standards.

We need a decentralized list for holding key pair signatures.

It could be something like an adblocker list. No more central CA.

GNU Net [0] seems more relevant than ever:

"The Internet is broken."

"The conventional Internet is currently like a system of roads with deep potholes and highwaymen all over the place. Even if you still can use the roads (e.g. send emails, or browse websites) your vehicle might get hijacked, damaged, or long arms might reach into its back and steal your items (data) to use it against you and sell it to others - while you can't even notice the thievery nor accuse and hold the scroungers accountable. The Internet was not designed with security in mind: protecting against address forgery, routers learning metadata, or choosing trustworthy third parties is nontrivial and sometimes impossible."

[0] https://www.gnunet.org/en/

Thanks. Great bib!


This is just a bad analogy. The internet is not transporting anything like a road would. The whole system works by copying "your data" every step along the way.

They are not thieving your precious bits, they are copying them as they are transmitting them. This is also why you cannot even notice the "thievery".

Furthermore, this analogy is mangling together data legitimacy, security, and property rights all into one big ball of "be worried, the internet is stealing you because it wasn't designed with safety in mind".

> the internet is not transporting anything like a road would.

Comparing the internet to a highway system is a common and useful thing to do. Your objections are strange.

> they are not thieving your precious bits,

If I look over your shoulder at the ATM and learn your PIN, is it not clear what I mean when I say that "I've stolen your PIN?"

> mangling together data legitimacy, security, and property rights all into one big ball

Is entirely intentional, because these are things to be worried about on the internet.

Sending postcards could be a more apt analogy. Even if a bit outdated, still a widely familiar activity, and postcards can be copied. And they are just as open to people in between as HTTP packets are.

If you happen to come up with a better analogy, I'm sure the GNU Net development team will appreciate your input: gnunet-developers@gnu.org

GNU Project is community-driven, after all.

How does it differ from tor browser?

This happens because the Indian government does not yet have the infrastructure of NSA and or GCHQ :) They have to demand for the information instead :)

I think we must all agree that national governments have a duty of care towards their citizens.

From the Indian govt perspective, the dominance of the Internet by foreign owned businesses means that the country is vulnerable to malfeasance should those foreign governments mean India harm or come to decide - over the head of the government - what the Indian people want or need.

This is about national sovereignty and national security. We have seen how those values trump privacy concerns for individuals in any country, including the US, so must accord the same understanding for other nations also.

This government's police agencies have used Israeli spyware to plant incriminating evidence on journalists and activists. "National security" has come to mean "anything critical of the government".

Loose terms like "national security" are like good times that breed weak leaders. I think we must all agree that citizens have a right against persecution.

What track record does this government have that suggests they will do no wrong with their internet history logs?

"National security" has come to mean "anything critical of the government".

Yes this is true!

Hence government needs to invest in indoctrination in order to better convince the people of the justness of their actions. Singing the national anthem, waving the flag, inventing enemies without and within - it's pretty easy to build the 'cognitive infrastructure' required to carry the day

I agree that most western democratic nations are a very bad example when it comes to defending their own values. But government should simply not have the ability to monitor citizen communication. It was a problem in the past and it should not be a problem in the future.

> But government should simply not have the ability to monitor citizen communication.

What if the citizens were agents of the enemy?

How is violating someone's privacy caring for them? "Forfeit your rights so your rights can be protected"

the use case most commonly cited by government(s) is national security.

For example, the government might suspect a citizen to be an agent of the CCP. Would you defend that individual's right to privacy vs. the nation's right to security?

So rather than blanket surveillance, wouldn't it make more sense for the government to build a case against a suspect, and then issue a warrant to track their behaviour etc?

Unless the assumption is that all citizens of a country are potentially enemies of the state and we are all highly trained spies operating under deep cover for years...

The question would be 'building a case' - how would you do this if you didn't conduct some sort of profiling? The entire purpose of the national security apparatus is to identify enemies of the state before they are able to act. Do you think this is always unjustified? Genuine question, don't know the answer myself!
