Who sees what?

kwikbreaks
Posts: 9,187 Forumite
in Techie Stuff
I must admit I was amazed at the Snowden revelations in regard to the extent of government snooping on its citizens and what the costs of that might be. In personal terms I'm not overly worried as I doubt they'd be especially interested in me. That said, having just come across a free VPN service that seems to run at a reasonable speed, I'll probably continue to use it and wonder now how much of my online activities will remain easily visible without recourse to accessing server logs of non-UK companies.
So here's the setup...
Using non-ISP DNS
Using Spotflux Chrome plugin as VPN
So who of these sees what (encrypted and plain text for both HTTPS and HTTP sessions)?
DNS provider
VPN provider
ISP
GCHQ
I can make intelligent guesses but if somebody knows for sure I'd be interested.
Plus why don't MSE use HTTPS for their login?
Comments
-
DNS provider: will see all domain lookups you make (i.e. they will know what websites you visit, but not the individual pages you're looking at in the website).
VPN: will see all unencrypted traffic and the header portion of encrypted traffic. If the VPN is badly set up it can potentially leak your traffic to other users of the VPN and/or expose your local level resources on your computer if you don't have a machine firewall.
ISP: will see all unencrypted traffic and the header portion of encrypted traffic, note that you pretty much have no choice but to trust your ISP so assume they have near total
GCHQ: best assume they see everything but otherwise same as ISP.
I would say you're more likely to get spied on through the companies you use rather than a direct interception of your traffic, however.
-
Only thing I'd question there is what the ISP sees. If it were a proxy server I agree they'd see all unencrypted but surely if it's VPN traffic it is all encrypted?
-
VPN traffic is not always encrypted; it depends on the protocol. Either way, my assumption is the only outgoing traffic at that point is the VPN connection.
Additionally, if I was a malicious ISP, I'm in the position to redirect your initial connection and man in the middle your VPN connection. While this may not always work, I reckon it would have a good shot at consumer VPN providers where we won't apply a high level of hardening of our computers or take a high level of care.
Ultimately the VPN will need an ISP of some sort as well, which will exit unencrypted if the underlying is not secure. You HAVE to implicitly trust an ISP; you don't have any choice in the matter.
-
Paranoid addition: Unless you installed the VPN server and physically secured it somewhere yourself, I would assume all VPN providers are non-secure. Chances are you will not carry out enough due diligence into the people who run the VPN, the security of the datacentres they are running in, the provenance of the kit and software they are running.
I would not be surprised if a good few of the VPN providers are run by governments. Why bother scanning tons from millions of people when you can monitor natural funnel points which are more likely to be used by a much smaller set of people who are much more likely to have something to hide.
-
VPN traffic is not always encrypted; it depends on the protocol. Either way, my assumption is the only outgoing traffic at that point is the VPN connection.
Additionally, if I was a malicious ISP, I'm in the position to redirect your initial connection and man in the middle your VPN connection. While this may not always work, I reckon it would have a good shot at consumer VPN providers where we won't apply a high level of hardening of our computers or take a high level of care.
Ultimately the VPN will need an ISP of some sort as well, which will exit unencrypted if the underlying is not secure. You HAVE to implicitly trust an ISP; you don't have any choice in the matter.
This. I do some minor security testing at the place I work, and all it takes is the right CA certificate and the average user has no idea that a man in the middle has taken place.
-
If someone is determined enough, and has enough time, there isn't anything totally secure on the web. It's not always about tech; social engineering also comes into play in this. Take an ethical hacking course and it will change your view on anything you do on the t'internet!
-
Paranoid addition: Unless you installed the VPN server and physically secured it somewhere yourself, I would assume all VPN providers are non-secure. Chances are you will not carry out enough due diligence into the people who run the VPN, the security of the datacentres they are running in, the provenance of the kit and software they are running.
I would not be surprised if a good few of the VPN providers are run by governments. Why bother scanning tons from millions of people when you can monitor natural funnel points which are more likely to be used by a much smaller set of people who are much more likely to have something to hide.
Which is where the social engineering comes into this - you presume it must be safe, therefore it must be... :rotfl:
-
Is TOR onion router secure in terms of stopping ISPs, governments, etc seeing which web pages you visit? The blurb on it seems to think so.
-
This. I do some minor security testing at the place I work, and all it takes is the right CA certificate and the average user has no idea that a man in the middle has taken place.
Proud member of the wokerati, though I don't eat tofu. Home is where my books are. Solar PV 5.2kWp system, SE facing, >1% shading, installed March 2019. Mortgage free July 2023
-
If someone is determined enough, and has enough time, there isn't anything totally secure on the web.
Decrypting an intercepted stream of data without the private key in a timely fashion is pretty difficult, given a decent key length. Even if you have all the computing power in the world at your disposal.
This discussion has been closed.