Deep Packet Inspection and Net Neutrality

EncryptKeeper writes "Ars Technica has an in-depth feature on deep packet inspection, and it's a disturbing read. ISPs are starting to turn to DPI to monitor their networks, and, more troubling, to look at how they can use it to shape, block, monitor, and prioritize traffic. 'The "deep" in deep packet inspection refers to the fact that these boxes don't simply look at the header information as packets pass through them. Rather, they move beyond the IP and TCP header information to look at the payload of the packet. The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble emails as they are typed out by the user.'"

To Avoid Gmail Reassembly...

[Buran]

If you use Firefox and Gmail's web UI, use this extension to make sure your Gmail session is encrypted:

CustomizeGoogle: Improve Your Google Experience -- Firefox Extension ... and check the box labeled "Secure (switch to https)" in the Gmail section.

If you are using POP3 access to Gmail, you are already using SSL.

If I understand packet sniffing correctly (I'm no programmer), that just shows the source and destination but the contents are encrypted. Please let me know if I'm incorrect.

Re:To Avoid Gmail Reassembly...

[interiot]

It doesn't matter if ISPs record the entire conversation. The initial key exchange is done under asymmetric encryption, so it's not possible for an outside sniffer to get the symmetric key (without brute-forcing or otherwise taking a long long time to break the asymmetric keys).

I wouldn't do it

[HomelessInLaJolla]

It's a snowballing system. The new tech companies want to come up with new technology. The government wants to make use of new technology. The new tech companies want to come up with new technology to appease the government regulations which make use of the new (-1) technology. The government wants to make use of the new technology. The new tech companies want to come up with new technology to appease the government regulations which make use of the new (-1) and new (-2) technology. Repeat.

I, as a private system admin, would simplify the entire problem and choose not to engage in packet inspection unless there were absolutely blatant abuses--like setting a threshold. There are ethical reasons why I wouldn't feel that it's proper to go delving through each and every packet. Once government becomes involved, though, then there's no way to turn it off. In order to receive the money for an ISP start-up, for example, one must demonstrate that they can play within the ever shrinking boundaries defined by the laws.

The article (and summary) mentions reassembling e-mails as their being typed. Is this accurate? I have, for some time, wondered if some text entry forms in web pages are "active" in that they exchange keystrokes with the remote end at real-time intervals. Again, from an ethical point of view, I would never make use of anything but passive entry boxes where none of the user's text is transferred across the network until they actually deliberately send it. What possible reason, as an admin, could I have in wanting to watch a user as they type text into an entry form?

I guess the argument can be made for automatically modifying forms. Pfizer uses this for their online resume submission. For example, the available options in the various locations (country, state, county, city, zip, etc.) are pared down as soon as one makes a selection in the heirarchical predecessor. While I appreciate the "wow! neat!" factor I just don't see how it's really necessary and, although I don't see that Pfizer would be using it for some uber-nefarious conspiracy scheme, I can liken it to the desensitization similar to "Click OK if you wish to allow this action" and EULAs.

Re:Encryption

[nahdude812]

Only Gmail's login process is https, once you get to the mail page it's standard http. However you can change the URL to https and it seems to stick.

If you use their pop/smtp access, that access is fully encrypted.

Re:Then they should lose common carrier status

[Control+Group]

ISPs don't have common carrier status. They're "information services." They've historically fought getting common carrier status, because they believe it would subject them to a different set of rules; the ones pertaining to telecommunications common carriers (as distinct from seaway common carriers, railway common carriers, etc).

This is a questionable belief, since there isn't necessarily any equality between "common carrier" and "telecom provider," but it's the reasoning, anyway.

Basically, AT&T (the phone company) is a common carrier. AT&T (the ISP) is not.

Re:common carrier == net neutral

[brunascle]

unfortunately, ISPs dont appear to fall under common carrier status. or at least, they try not to. (according to wiki)

Re:Okay...

[SatanicPuppy]

It's more like gmail keeps track...If you go to http://gmail.com/ it will redirect you to https to log in, and then back to http for your mail. However, if you go to https://gmail.com/ then you will stay in https the whole time. This is exactly the way it's supposed to work, where your status is maintained, though it can be argued that they should default you to https for security.

If you use the "Gmail notifier" plug in for Firefox, it defaults to https. There is also a "gmail customizer" app that will let you specify HTTPS as the default, but I've never used it.

Re:Encryption

[TubeSteak]

E. There isn't a business case for it that I can find. FTFA: Imagine a device that allows one user access only to e-mail and the Web while allowing a higher-paying user to use VoIP and BitTorrent.

They no longer have to differentiate their product offerings based only on speed.
It's called market segmentation
You see the business case yet?

Gmail

[Kadin2048]

Best way to do it is just to create a bookmark to https://mail.google.com/mail/ and then ALWAYS use that link to get your mail (don't click on any of Google's Gmail links from your homepage, etc.).

If you use POP access, you can enable SSL both for incoming and outgoing mail, I believe.

Re:Gmail

[hotdiggitydawg]

There should be a firefox plug-in that will automatically redirect you to the https url whenever you try to go through the http url. There is - it's called Greasemonkey with the GMailSecure script.

Re:Encryption

[CajunArson]

Gmail by default only uses https for your login, not actually reading/sending mail. To get a full session via https you need to login to this URL: https://mail.google.com/ Note: https://gmail.com/ will NOT encrypt the session further than the login screen (see for yourself, look for the https connection).

    Having said all of that: Email is not an encrypted protocol by default! The method above is a good method for preventing sniffing on the last hop between you and Gmail (which is why I use it when I'm on an unsecured wifi connection to prevent easy eavesdropping). However, once the mail server sends the message on the open network... it is 100% cleartext. If you want real encryption, get PGP, this advice was true long before Slashdot got its panties in a bind over ISP's 'snooping' on your traffic.

    Oh and one more thing: I love the Slashdot doublethink: Having a large evil corporation (the ISP) possibly being able to sniff traffic to read some of my emails is a terrible invasion of my privacy!! Simultaneously: Having a large non-evil (because they said so) corporation (Google) actually store all my emails (much easier to get at them then trying to wire-sniff) and index them and use them to generate ads: SUPER!

Re:Chinese (Invisible) Export

[JcMorin]

The best way to ensure the that the US government do not govern your life is to seriously check at Ron Paul for next US President.