
US-centric use case: evil ISP, high bandwidth, low expectations

Open nopdotcom opened this issue 8 years ago • 1 comment

Warning: contains out-of-scope material

I am writing this down because I don’t want to forget it. The solutions look beyond streisand’s scope, although they may affect how some things are done. This is back-burner.

2017: Everyone won’t outrun the bear

There’s an old joke that if two people are being chased by a bear, the winner doesn’t have to outrun the bear to survive; she just has to outrun the other person.

I’ve had a number of people ask me about things like the EFF’s advice on protecting yourself from your ISP. I think there’s an intermediate use case for people who can’t/won’t run all their traffic through a VPN.

Outrun something

Mitigations in rough priority order:

  1. Stop using your ISP’s DNS resolvers. They are just too easy to log.
  2. HTTPS Everywhere.
  3. Privacy Badger/uBlock Origin

From here, we get into counters for blackhat DPI/M crap:

  1. Encrypt your DNS requests to your private resolver. No sense in making life easy for sniffers.
  2. Force port 80 traffic over the VPN. We know it’s cleartext.
  3. ...to clean up after that, you may need a whitelist for 80. Many services (hi, Netflix!) will pick an edge server close to where “you” are. This especially sucked when my IPv6 address lived elsewhere, and I got a strange geographical mix of edge servers.
  4. ...and after the port 80 whitelist, you want a list of sites never to visit over a non-VPN connection?

What’s not being mitigated:

  1. SSL destination IP/port. Well, you said you didn’t want to run everything over a VPN; this is the price.
  2. Tracking on HTTPS pages via page content. Not as much of a worry with regards to your ISP, and uBlock Origin is the best I can think of.
  3. BitTorrent. Somebody who knows BT hygiene can write that.
  4. Traffic analysis. Your ISP knows when you are sleeping, they know when you’re awake.
  5. Things I can’t come up with in the morning.

Approaches

I speak LEDE, so everything looks like a $20 nail.

Somebody brought up Raspberry Pis--they have bad network performance, but they’re available everywhere, and their entire state is stored on a microSD card. The boot partition is FAT32. Most people could edit a text file on the microSD card on their main computer for initial IP configuration. Something like the RPi0 or related embedded computers may become very popular given the recent news about Apple’s App Store. (Please don’t ask here what I mean.)

nopdotcom, Jul 31 '17 16:07
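The two mitigation lists above (stop using the ISP's resolvers, force cleartext port 80 through the VPN, then exempt a whitelist of destinations) as an added router-side example; this is not code from the Streisand project or from the post's author. It assumes an OpenWrt/LEDE box using iptables, a VPN interface named wg0, a spare routing table 100, fwmark 0x50 and the LAN bridge br-lan; every one of those names is an assumption, and the default DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the Streisand project or from the issue author.
# Sketch of the "outrun something" list on an OpenWrt/LEDE router:
#   (a) LAN clients can only reach the router's own resolver (which in turn
#       talks to the private/encrypted upstream), so nothing leaks to the ISP's,
#   (b) cleartext TCP/80 traffic from the LAN is policy-routed via the VPN,
#   (c) a whitelist of destinations (IP or CIDR, one per line) is exempted from (b).
# Assumed names: VPN interface wg0, routing table 100, fwmark 0x50, LAN bridge
# br-lan. DRY_RUN=1 (default) prints the commands instead of executing them.

VPN_IF="${VPN_IF:-wg0}"
VPN_TABLE="${VPN_TABLE:-100}"
MARK="${MARK:-0x50}"
LAN_IF="${LAN_IF:-br-lan}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# (a) Intercept DNS from the LAN: a client still configured with the ISP's
#     resolver gets its port 53 queries answered by the router's local resolver.
intercept_lan_dns() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p udp --dport 53 -j REDIRECT --to-ports 53
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 53 -j REDIRECT --to-ports 53
}

# (b)+(c) Mark LAN-originated TCP/80 flows unless the destination is exempt,
#     then send marked packets through the VPN routing table.
route_port80_via_vpn() {
    whitelist_file="$1"
    run iptables -t mangle -N PORT80_VPN
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j PORT80_VPN
    # Private ranges never go through the VPN.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run iptables -t mangle -A PORT80_VPN -d "$net" -j RETURN
    done
    # Whitelist file: one IP or CIDR per line, '#' comments allowed
    # (e.g. the geo-sensitive CDN edges the post complains about).
    while read -r entry _; do
        case "$entry" in ''|'#'*) continue ;; esac
        run iptables -t mangle -A PORT80_VPN -d "$entry" -j RETURN
    done < "$whitelist_file"
    run iptables -t mangle -A PORT80_VPN -j MARK --set-mark "$MARK"
    # NAT behind the VPN endpoint and the policy-routing rule for marked packets.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run ip rule add fwmark "$MARK" lookup "$VPN_TABLE"
    run ip route add default dev "$VPN_IF" table "$VPN_TABLE"
}

# Sanity check: how many RETURN exemptions (private ranges + whitelist) a
# given whitelist file produces, computed from a dry run.
count_exemptions() {
    ( DRY_RUN=1; route_port80_via_vpn "$1" ) | grep -c -- '-j RETURN'
}
```

Run it once with DRY_RUN=1 and read the output before setting DRY_RUN=0; on fw3-based OpenWrt the resulting commands would normally live in /etc/firewall.user so they survive a firewall reload. Note what this does not touch, matching the post's "not being mitigated" list: TCP/443 and every other port still leave directly, so the ISP still sees those destination IPs.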

1) In a practical sense, all U.S. ISPs are "evil" because they could be forced to install surveillance devices on their network. (Remember the case of Lavabit.)

2) Some ISPs (like Comcast) maintain that they have a legal right to sell your traffic to anyone they want.

3) Many regional telecom monopolies will cooperate with political surveillance and industrial espionage in exchange for immunity from regulation that protects the consumer from price gouging and other forms of abuse. In previous incarnations AT&T/Bell have been conducting illegal mass surveillance for 100 years. So everyone should use VPN or Tor and encrypted DNS. You won't always know when you are being chased by a bear. (see: Enemy of the State, Confessions of an Economic Hit Man, etc.)

4) WireGuard is arguably the best choice in terms of speed & security, especially for devices with battery power or weak CPU (e.g. consumer router).

http://utbblogs.com/apple-public-private-position-privacy/

https://arstechnica.com/information-technology/2018/04/how-to-keep-your-isps-nose-out-of-your-browser-history-with-encrypted-dns/

https://blog.cloudflare.com/dns-over-tls-for-openwrt/

https://www.gl-inet.com/products/gl-ar750s/

kekukui, Nov 06 '18 23:11