Slashdot Mirror


Deep Packet Inspection and Net Neutrality

EncryptKeeper writes "Ars Technica has an in-depth feature on deep packet inspection, and it's a disturbing read. ISPs are starting to turn to DPI to monitor their networks, and, more troubling, to look at how they can use it to shape, block, monitor, and prioritize traffic. 'The "deep" in deep packet inspection refers to the fact that these boxes don't simply look at the header information as packets pass through them. Rather, they move beyond the IP and TCP header information to look at the payload of the packet. The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble emails as they are typed out by the user.'"

21 of 334 comments

  1. To Avoid Gmail Reassembly... by Buran · · Score: 4, Informative

    If you use Firefox and Gmail's web UI, use this extension to make sure your Gmail session is encrypted:

    CustomizeGoogle: Improve Your Google Experience -- Firefox Extension ... and check the box labeled "Secure (switch to https)" in the Gmail section.

    If you are using POP3 access to Gmail, you are already using SSL.

    If I understand packet sniffing correctly (I'm no programmer), that just shows the source and destination but the contents are encrypted. Please let me know if I'm incorrect.

    1. Re:To Avoid Gmail Reassembly... by interiot · · Score: 4, Informative

      It doesn't matter if ISPs record the entire conversation. The initial key exchange is done under asymmetric encryption, so it's not possible for an outside sniffer to get the symmetric key (without brute-forcing or otherwise taking a long long time to break the asymmetric keys).

    2. Re:To Avoid Gmail Reassembly... by interiot · · Score: 2, Informative

      TLS/SSL's main design goal was to avoid man in the middle attacks. While perfect security is impossible, TLS/SSL definitely makes MITM difficult enough that ISPs can't possibly think about routinely inspecting the contents of an SSL session. (unless end users decide to install a malicious root certificate... but only one largish organization that I know has tried that, and they stopped, and if an ISP tried to set something like that up, they'd probably be sued, as well as having their IP range blacklisted by financial organizations).

  2. I wouldn't do it by HomelessInLaJolla · · Score: 4, Informative

    It's a snowballing system. The new tech companies want to come up with new technology. The government wants to make use of new technology. The new tech companies want to come up with new technology to appease the government regulations which make use of the new (-1) technology. The government wants to make use of the new technology. The new tech companies want to come up with new technology to appease the government regulations which make use of the new (-1) and new (-2) technology. Repeat.

    I, as a private system admin, would simplify the entire problem and choose not to engage in packet inspection unless there were absolutely blatant abuses--like setting a threshold. There are ethical reasons why I wouldn't feel that it's proper to go delving through each and every packet. Once government becomes involved, though, then there's no way to turn it off. In order to receive the money for an ISP start-up, for example, one must demonstrate that they can play within the ever shrinking boundaries defined by the laws.

    The article (and summary) mentions reassembling e-mails as they're being typed. Is this accurate? I have, for some time, wondered if some text entry forms in web pages are "active" in that they exchange keystrokes with the remote end at real-time intervals. Again, from an ethical point of view, I would never make use of anything but passive entry boxes where none of the user's text is transferred across the network until they actually deliberately send it. What possible reason, as an admin, could I have in wanting to watch a user as they type text into an entry form?

    I guess the argument can be made for automatically modifying forms. Pfizer uses this for their online resume submission. For example, the available options in the various locations (country, state, county, city, zip, etc.) are pared down as soon as one makes a selection in the hierarchical predecessor. While I appreciate the "wow! neat!" factor I just don't see how it's really necessary and, although I don't see that Pfizer would be using it for some uber-nefarious conspiracy scheme, I can liken it to the desensitization similar to "Click OK if you wish to allow this action" and EULAs.

    --
    the NPG electrode was replaced with carbon blac
    1. Re:I wouldn't do it by Anonymous Coward · · Score: 1, Informative

      "The article (and summary) mentions reassembling e-mails as they're being typed. Is this accurate? I have, for some time, wondered if some text entry forms in web pages are "active" in that they exchange keystrokes with the remote end at real-time intervals. Again, from an ethical point of view, I would never make use of anything but passive entry boxes where none of the user's text is transferred across the network until they actually deliberately send it. What possible reason, as an admin, could I have in wanting to watch a user as they type text into an entry form?"

      Gmail saves your emails as you're typing them at regular intervals in order to keep drafts, just in case your browser crashes or something of that nature. So, while it's not real-time logging as you type, every 30 seconds or whatever the timing is, you send what you've typed, so far, over the network.

    2. Re:I wouldn't do it by Kadin2048 · · Score: 2, Informative

      The article (and summary) mentions reassembling e-mails as they're being typed. Is this accurate? I have, for some time, wondered if some text entry forms in web pages are "active" in that they exchange keystrokes with the remote end at real-time intervals. Again, from an ethical point of view, I would never make use of anything but passive entry boxes where none of the user's text is transferred across the network until they actually deliberately send it. The main reason it's done is so that the form auto-saves. Gmail and Google Docs both do this; as you type into the form, every few seconds it will send the data to the server, and save the document. This way, if your connection hiccups, or if your browser crashes, or if you spill that Big Gulp into your keyboard, the text you've entered doesn't disappear.

      Granted, Firefox these days is pretty good about remembering what you had typed into a form field if the browser crashes (how many of us have lost a long Slashdot post because something happened?), but many other browsers don't, and for an email or word processing program, it's a compelling feature.

      But especially considering that Gmail defaults to plain-text HTTP, it does seem screamingly insecure. But then again, email in general is screamingly insecure; they're just not giving you any false sense of security.
      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  3. Re:Encryption by nahdude812 · · Score: 4, Informative

    Only Gmail's login process is https, once you get to the mail page it's standard http. However you can change the URL to https and it seems to stick.

    If you use their pop/smtp access, that access is fully encrypted.

  4. Re:Then they should lose common carrier status by Control+Group · · Score: 4, Informative

    ISPs don't have common carrier status. They're "information services." They've historically fought getting common carrier status, because they believe it would subject them to a different set of rules; the ones pertaining to telecommunications common carriers (as distinct from seaway common carriers, railway common carriers, etc).

    This is a questionable belief, since there isn't necessarily any equality between "common carrier" and "telecom provider," but it's the reasoning, anyway.

    Basically, AT&T (the phone company) is a common carrier. AT&T (the ISP) is not.

    --

    Reality has a conservative bias: it conserves mass, energy, momentum...
  5. Re:common carrier == net neutral by brunascle · · Score: 3, Informative

    unfortunately, ISPs don't appear to fall under common carrier status. or at least, they try not to. (according to wiki)

  6. Re:Damned if you do, and damned if you don't by GrenDel+Fuego · · Score: 2, Informative

    Using a VPN doesn't exactly protect you from this type of thing. A VPN sets up a point to point encrypted tunnel to send your traffic over. Your network traffic is sent to the other end of the tunnel, and then transmitted plaintext from there.

    So if you use a VPN tunnel to visit gmail your network traffic is safe from snooping by your ISP, but may be intercepted anywhere between the other end of the tunnel and the gmail servers themselves.

    What you really need is to encrypt all traffic between your system and your destination system. This can be done with VPN technologies if all servers you want to talk to support those technologies, but more commonly this is done with SSL.

  7. Re:Who is doing this? by Control+Group · · Score: 2, Informative

    A) There probably isn't any way for you to see if your ISP is doing this.

    B) Even if you could, it doesn't matter. You may be able to switch your last-mile provider, but you probably can't switch their upstream provider. It's the upstream/backbone providers who will be racing to do this.

    Basically, if providers are doing this, you're hosed. It's going to be real, real difficult for you to somehow make sure your traffic doesn't route across Level3's (or Cogent's, or whomever's) network at any point.

    --

    Reality has a conservative bias: it conserves mass, energy, momentum...
  8. Re:Encryption by SatanicPuppy · · Score: 2, Informative

    It's part of the implementation of https to maintain connection status as long as you're not redirected to another site, so if you log in to gmail using a secure connection, it will maintain as long as you're on the site, unless your session expires or something...It'd be a pretty big security problem otherwise, because every time you used a relative link (e.g. metamod.pl, instead of http://slashdot.org/metamod.pl), it would redirect you to an unencrypted connection.

    The only times you'll ever get booted from a secure session on a website is when you're redirected to another site, another part of the site that uses a different certificate, or when the code on that site specifically redirects you to an unsecured connection.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  9. Re:Okay... by SatanicPuppy · · Score: 3, Informative

    It's more like gmail keeps track...If you go to http://gmail.com/ it will redirect you to https to log in, and then back to http for your mail. However, if you go to https://gmail.com/ then you will stay in https the whole time. This is exactly the way it's supposed to work, where your status is maintained, though it can be argued that they should default you to https for security.

    If you use the "Gmail notifier" plug in for Firefox, it defaults to https. There is also a "gmail customizer" app that will let you specify HTTPS as the default, but I've never used it.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  10. Re:Encryption by TubeSteak · · Score: 5, Informative

    E. There isn't a business case for it that I can find. FTFA: Imagine a device that allows one user access only to e-mail and the Web while allowing a higher-paying user to use VoIP and BitTorrent.

    They no longer have to differentiate their product offerings based only on speed.
    It's called market segmentation
    You see the business case yet?
    --
    [Fuck Beta]
    o0t!
  11. Re:Okay... by XanC · · Score: 2, Informative

    Right. But it doesn't have anything to do with relative URLs. Relative URLs are relative to everything that comes before, including the protocol (http vs https). It's not the https protocol remembering that everything you're doing should be secure.
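The point XanC makes here (and that SatanicPuppy's relative-link example above turns on) is that a relative link inherits the scheme of the page it sits on, so only an absolute `http://` link can drop you out of https. This added example, not part of the thread, shows the resolution rules with Python's standard `urllib.parse.urljoin` and then uses them to scan a constructed page for links that would downgrade an https session; the host `mail.example.com` and the sample HTML are made up for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collects every href/src/action value on a page (the attributes a click or load follows)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def resolve(base_url, link):
    """Resolve a link the way a browser does: relative paths, absolute paths and
    scheme-relative (//host/...) links all inherit the scheme of base_url;
    only a fully absolute link carries its own scheme."""
    return urljoin(base_url, link)


def find_downgrades(base_url, html):
    """Return (raw_link, resolved_url) pairs that would move an https page to plain http."""
    collector = LinkCollector()
    collector.feed(html)
    if urlsplit(base_url).scheme != "https":
        return []  # nothing to lose if the page is already plaintext
    downgrades = []
    for link in collector.links:
        target = resolve(base_url, link)
        if urlsplit(target).scheme == "http":
            downgrades.append((link, target))
    return downgrades


# Constructed sample page: four safe link forms and two that downgrade.
SAMPLE_BASE = "https://mail.example.com/mail/inbox"
SAMPLE_HTML = """
<a href="compose">Compose</a>
<a href="/mail/settings">Settings</a>
<a href="//mail.example.com/mail/help">Help</a>
<img src="../static/logo.png">
<a href="http://mail.example.com/mail/">Inbox via absolute http link</a>
<form action="http://www.example.com/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for raw, resolved in find_downgrades(SAMPLE_BASE, SAMPLE_HTML):
        print(f"downgrade: {raw!r} -> {resolved}")
```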

  12. Gmail by Kadin2048 · · Score: 4, Informative

    Best way to do it is just to create a bookmark to https://mail.google.com/mail/ and then ALWAYS use that link to get your mail (don't click on any of Google's Gmail links from your homepage, etc.).

    If you use POP access, you can enable SSL both for incoming and outgoing mail, I believe.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Gmail by hotdiggitydawg · · Score: 4, Informative

      There should be a firefox plug-in that will automatically redirect you to the https url whenever you try to go through the http url. There is - it's called Greasemonkey with the GMailSecure script.
  13. Re:Encryption by CajunArson · · Score: 5, Informative

    Gmail by default only uses https for your login, not actually reading/sending mail. To get a full session via https you need to login to this URL: https://mail.google.com/ Note: https://gmail.com/ will NOT encrypt the session further than the login screen (see for yourself, look for the https connection).

    Having said all of that: Email is not an encrypted protocol by default! The method above is a good method for preventing sniffing on the last hop between you and Gmail (which is why I use it when I'm on an unsecured wifi connection to prevent easy eavesdropping). However, once the mail server sends the message on the open network... it is 100% cleartext. If you want real encryption, get PGP, this advice was true long before Slashdot got its panties in a bind over ISPs' 'snooping' on your traffic.

    Oh and one more thing: I love the Slashdot doublethink: Having a large evil corporation (the ISP) possibly being able to sniff traffic to read some of my emails is a terrible invasion of my privacy!! Simultaneously: Having a large non-evil (because they said so) corporation (Google) actually store all my emails (much easier to get at them then trying to wire-sniff) and index them and use them to generate ads: SUPER!

    --
    AntiFA: An abbreviation for Anti First Amendment.
  14. Re:Maybe I have the bad networking kungfu by Mark+J+Tilford · · Score: 2, Informative

    See http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

    A passive attacker (Eve) can witness the entire key exchange and be unable to work out the key.

    --
    -----------
    100% pure freak
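Both this comment and interiot's earlier reply make the same claim: an observer who records the whole key exchange still cannot derive the session key. This added example, not part of the thread, runs a Diffie-Hellman exchange in Python and separates what the two endpoints compute from what a passive tap on the wire sees; the parameters are constructed toy values (a 127-bit Mersenne prime, and a 5-bit prime for the brute-force demonstration), far smaller than anything a real TLS handshake uses.

```python
import secrets

# Constructed toy group. Real deployments use 2048-bit or larger primes
# (or elliptic curves); this size is only to keep the demo fast.
P = 2**127 - 1   # a Mersenne prime
G = 5


def generate_keypair(p=P, g=G):
    """Pick a random private exponent and publish g^private mod p."""
    private = secrets.randbelow(p - 2) + 1      # private in [1, p-2]
    public = pow(g, private, p)
    return private, public


def shared_secret(own_private, peer_public, p=P):
    """Each side raises the peer's public value to its own private exponent."""
    return pow(peer_public, own_private, p)


def eavesdropper_view(pub_a, pub_b, p=P, g=G):
    """Everything a passive observer (Eve) can record: the group and both public values.
    Neither private exponent nor the shared secret is ever transmitted."""
    return {"p": p, "g": g, "A": pub_a, "B": pub_b}


def run_exchange(p=P, g=G):
    """Full exchange: returns Alice's key, Bob's key, and the wire capture."""
    a_priv, a_pub = generate_keypair(p, g)
    b_priv, b_pub = generate_keypair(p, g)
    k_alice = shared_secret(a_priv, b_pub, p)
    k_bob = shared_secret(b_priv, a_pub, p)
    return k_alice, k_bob, eavesdropper_view(a_pub, b_pub, p, g)


def discrete_log_by_trial(public, p, g, limit):
    """Eve's only route from the capture to a private exponent: solve g^x = public mod p
    by trying exponents in turn. Returns x if found within `limit` tries, else None.
    Feasible for a 5-bit prime; hopeless at real key sizes, which is the whole point."""
    value = 1
    for x in range(limit):
        if value == public:
            return x
        value = value * g % p
    return None


if __name__ == "__main__":
    k_a, k_b, capture = run_exchange()
    print("keys agree:", k_a == k_b)
    print("on the wire:", sorted(capture))
    # Tiny constructed group (p=23, g=5) where trial recovers a private exponent of 6.
    print("toy discrete log:", discrete_log_by_trial(pow(5, 6, 23), 23, 5, 23))
```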
  15. Re:Chinese (Invisible) Export by JcMorin · · Score: 3, Informative

    The best way to ensure that the US government does not govern your life is to seriously check out Ron Paul for next US President.

  16. It's much worse than the article made it sound by isdnip · · Score: 2, Informative

    Nate at Ars Technica is being either an ignoramus or an arse, let's be blunt. He doesn't know jack about DPI. I can tell, because I do know... What Nate did is talk to two vendors who sell sort-of-deep packet inspection. Basically, they sell traffic shaping. While that's a function that DPI can be used for, it's only the easy tip of the DPI iceberg. Traffic shaping can be done with much less "deep" inspection than many boxes can perform, and really is adequate with lower-level shaping. I don't mind selling different qualities of service, for an open fee; I object to reading the payload of packets and doing something with my private data, be it assigning bandwidth, blocking it, or saving it for their commercial or other use.

    Nate did not, for instance, watch Rod Randall's 2005 IEC presentation, which featured the tag line http://www.iec.org/online/iforums/iec_3/choose.asp . Randall's portfolio includes Bytemobile, which acquired Proquent's DPI box. It does a lot more than Nate talked about. It can go deep inside the payload of the layer 7 protocol and figure out what's going on. In 2002, when I got the Pitch from them (my NDA is up), it ran at 600 Mbps. The key market was mobile players -- they were already allowed to sell "walled garden" data services, and this was a very big wall.

    For instance, one application is to monitor for email traffic (POP and SMTP). It can then log and create charging records for every email message that passes on the wire. Not that uses the ISP's server, but that goes on the wire. The pitch -- Randall makes this in his show -- is that wireless providers sell SMS for about a dime a message, and email by kilobyte is tons cheaper, so they should charge a dime for each email. VoIP competes with their phone calls, so it should be blocked or at least billed by the call.

    But it gets worse. AT&T has made noise about charging for the value of ecommerce transactions. So if you make an online purchase, they'd get a fee for using their wire. Hell, Visa already does, for using their card, so AT&T wants to get their cut too, just for using their wire.

    And it gets worse. They can decide what web sites are okay and which ones aren't. Others have already mentioned the Great Firewall of China. DPI lets its user tilt performance, so, for instance, Fox News gets better results than CNN, or Hollywood Fred's web site gets better performance than Barack's, John's, or Hillary's. This is all legal today for ISPs to do.

    And it gets worse. Since DPI detects applications, it can block any new application -- leaving innovation in the hands of the phone companies who control the wire. After all, if it doesn't recognize the application, it must go to the lowest category, either blocked or relegated to what Randall calls "hobo class". Think modem speed, on a noisy line.

    I do suggest reading Data Foundry's comments; author Scott McCollough is one of the best communications lawyers out there. He notes that the Ts and Cs of many "broadband" services give the wire owner the ownership rights on packets passing over their wire. No privacy -- so if you're a lawyer, you technically have waived your lawyer-client privilege by using their network! DPI makes this practical -- they can monitor emails for certain keywords, addresses, etc., even if it's not using their servers.

    DPI is the tool for replacing Internet access with a "broadband" data service that is more like 1982's Compuserve, which charged by the hour and surcharged by the minute based on what application you ran (CB Simulator, email, etc.). It will happen if current (as of 2006) US rules, which kick independent ISPs off of ILEC DSL networks, are retained. It cannot happen if open competition for ISP services is restored, because the public wouldn't buy such a service if there were a choice. That's why the Bells got their buddies at the FCC to remove common carrier status from the telephone company networks.