Slashdot Mirror
Encrypted Torrents Growing Fast In the UK
angryphase writes "The British Phonographic Institute (the UK's RIAA) has noticed a significant increase in the amount of encrypted torrents — from 4% of torrent traffic a year ago to 40% today. Whether it follows a trend for hiding suspicious activities or an increased awareness of personal privacy is up for (weak) debate. Either way, this change of attitude is catching the eye of ISPs, music industry officials, and enforcement agencies. Matt Phillips, spokesman for the UK record industry trade association explains, 'Our internet investigations team, internet service providers and the police are well aware of encryption technology: it's been around for a long time and is commonplace in other areas of internet crime. It should come as no surprise that if people think they can hide illegal activity they will attempt to.'"
Maybe it's because all the more recent clients are supporting encryption by default?
Life, the Universe, and Everything... in my image.
They'll demand the right to see what's being encrypted.
Guy Fawkes masks all around
A feeling of having made the same mistake before: Deja Foobar
Maybe its because they aren't doing anything illegal yet they are being prosecuted?
Memo
To: All Revolution Participants
From: Agent 1011128
Encrypt all communications because Mr. Evil is listening.
Regards,
Kilgore Trout, ACTIVIST
why anyone thinks the encryption will be effective? Since the RIAA (for example) catches torrenters by downloading the file from them in order to prove that they were 'making copyrighted content available', it doesn't really seem to matter whether or not it's encrypted. You're sending the RIAA a file that won't be encrypted on their end....
I'm curious. Do we all have a right (by DMCA in US) or otherwise to the encryption we put on our data? Does it take a court order or other legal instrument to lawfully break encryption? IANAL, but I would think that decrypting the traffic would be unreasonable search and invasion of privacy myself.
... or is this yet another hit on the use of privacy-protecting encryption?
I use encryption all day long in a very legal, legitimate form. (ssl/ssh/mcrypt) It's a core part of my operating principles - I don't even allow unencrypted connections to my production systems - EVERYTHING IS SSL ENCRYPTED.
So it really annoys me when the case is made that (encryption == criminal). Yes it can be used for illegal purposes. So can cars, guns, and tennis rackets. It's not the tool that identifies the crime, it's the crime that identifies the crime.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
If Comcast is going to disrupt Bittorrent traffic, all users will see benefit from using encrypted Bittorrent, just to keep Comcast's systems from sending the RSTs to them. Even a UK user, talking to an American system. Legitimate traffic or otherwise.
Doing the Right Thing should not be preempted by making a buck.
Why why why why is it automatically assumed that encryption by non-government entities is in actual fact an attempt to cover up illegal activity?
I believe that in general, western societies have set up laws that generally respect the rights of an individual to whisper a secret in the ear of a friend and not be forced to reveal the message to anyone else. If I choose to encrypt email and torrent files, there is no reason that I should be thought guilty of some crime... fscking idiots.
It would entertain me greatly for them to find out that these illegal encrypted downloads were in fact, a Linux distribution.
Support NYCountryLawyer RIAA vs People
They are trying to avoid packet-shaping?
If the encryption really works, then I might distribute a lot of my own personal storage to torrent networks, and just cache locally only copies of what I need to access fast and often. Not only would I have a much larger storage capacity, but I could replace or upgrade (or enlarge) my local storage only whenever I liked the price point, or after something actually failed, without worrying about losing any data. And I could get all of my data from anywhere I connect to the torrent network.
Now what would really kick this system to the Moon would be a new Linux filesystem that did all that automatically. Hide the torrent logins and protocols, giving me just the same view of my personal index, caching stuff and managing storage/retrieval invisibly. Then I could take a 4GB thumbdrive with my Desktop and that torrent filesystem wherever I want, safely and securely.
--
make install -not war
you know how antibiotics have a huge downside, in that the infection can evolve and become resistant? There's a similar downside to the RIAA's tactics with regard to torrents- now that everything is heading towards being encrypted, it's going to create a (somewhat) safe haven for child pornography to skip through undetected. If the traffic can't be monitored at all, then people you really are trafficking something terrible are going to be able to do it more easily.
Live today, because you never know what tomorrow brings
From my research into the daily actions of differing people I meet and know, I would say that legal actions are hidden more closely than illegal ones. I grew up in a "mob town" of Rosemont, Illinois, and saw that most illegal activity was out in the open, relatively known by common citizens and the police department (both corrupt and straight). In the town I live in today, the drug dealers, prostitutes and other "criminals" are relatively out in the open also. Sure, there are a lot of criminals who attempt to obfuscate their identity or actions to try to get ahead of the law, but in reality, the best way to perform a crime profitablly is to just pay off the overseers of the law. Problem solved, and you can expand your market because you can be more open about it.
Yes it is the LEGAL activities that surprise me at how much people try to hide. Look at slashdot. My name, my real name, is right here. You can look me up and call me or visit my home. I hide nothing, why should I? Yet most of you are hiding your identities for whatever reason -- and how many of you are doing something illegal by posting here? Browse the blogs, too, and see how many people use their real names.
We hide more than that -- I brought up the question of sex (marital) with a friend, and he freaked when I asked him about his sex life. As if sex when you're married is immoral or illegal, but still people hide behind the idea that we need privacy about such matters.
Most of what the law officers do is hidden, with even FOIA acts not bringing much information to light. This is supposedly legal operations of people who serve me, and yet I have no ability to discern what they're doing, and if they're doing their jobs right. Again, hidden yet probably legal actions.
The more I look around my life, the more I am amazed at how private people are, because they're afraid that some of their actions may be construed as immoral, or immature -- yet most of the people in my life are doing the exact same thing as others, and just hiding it. We post on forums and blogs, but we feel we must keep our names private because others might see what we write, even if others are thinking the same thoughts, or if those same others pretend to believe in freedom of expression but may secretly use it against you.
In terms of encrypting torrents, I do. I run a video sharing site for church videos, and all our torrents are legal and public domain. Yet we encrypt it because unencrypted torrents seem to run slower (I'm sure there is a reason for this, but I never really inspected the protocol specs). Therefore, we encrypt not to obfuscate the legality of what we're sharing, but because the market's limitations on torrent sharing give us a need to encrypt so we can provide a higher bandwidth for the sharing of legal, public domain content.
Are most torrents legal? I have no idea, but I do use torrents to send large files to multiple people every day in a variety of markets I do business in. For me, the torrent is an awesome solution to a problem I've had for years dealing with large files.
doesn't azureus support a type of encryption to aid in getting around traffic shaping?
http://www.azureuswiki.com/index.php/Avoid_traffic_shaping
Perhaps if they quit nuking our connections we'd stop trying to stop them from nuking our connections.
Live according to the Categorical Imperative. If the Categorical Imperative tells you not to live by it... ignore it
This just sounds like encryption is something only the mob uses and needs to be banned. If they want to know what happens in encrypted stream they need to find a way how to do so, until then, encryption is here to stay. In this day, there is no reason to send unencrypted data from point to point, it does not matter if my streams contain legal or illegal content.
Load New Commander (Y/N)?
...and I'd like to find out a summary of implementation details that answers that question.
If the scheme does not use a crypto-based trust mechanism, then there may be ways to decrypt and find out who is downloading what. OTOH if its really clever, then a snoop might be able to see what's being downloaded without seeing who.
"Our internet investigations team, internet service providers and the police are well aware of encryption technology: it's been around for a long time and is commonplace in other areas of internet crime."
This statement infers that all encrypted traffic is somehow related to internet crime. If I encrypt my credit card number before sending it to Amazon.com or newegg.com or where ever, would the insinuation carry on to say that I am conducting internet crime by conducting a legitimate commercial transaction, or that the online store is engaged in criminal activity?
Passwords? Point-of-sale credit card and debit card readers? VPNs for those telecommuting to work, or just connecting multiple office buildings?
There's a LOT of encrypted traffic out there, and most of it because we don't trust the other people on the internet to responsibly use the information if they gained access to it.
Not just that... you realize this is a piece... of a much bigger puzzle.
:) And I accept no actual private email without it either...
They have to get the regular sheeple to clamor for back doors to be put into all encryption software.
It has little to do with "stolen moozak" or whatever crap they're claiming. That's just to make a legit story.
"We want to know what you ate for breakfast" is not going to sit so well with the common sheep as "moozak is being stolen, save us, those illegal encryptors are stealing our muzak!!"
And it will be the MASSES that vote themselves out of this freedom, also... it will not be the few, the intelligent, the strong, the resilient or the self sufficient, to whom these tools are useful.
PS - I agree on the encryption. My servers accept nothing without it
" What luck for rulers that men do not think" - Adolf Hitler
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
The worst thing that will happen as a result of this is encryption in general becomes the equivalent of criminal intent.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Comcast may be falsifying/ending recognizable bittorrent traffic... but my experience shows that they severely throttle any upstream traffic that's encrypted. Try a large-ish upload with scp sometime and you'll see what I mean... your throughput will be greatly reduced within 20-30 seconds.
I'd just like to point out that "if you've done nothing wrong, you have nothing to hide" does not hold up. Apart from the myriad of things which, while not wrong, any sane person would want to hide, we need to keep it clear in judges minds that hiding something does not mean one was performing illegal activities. The comment by Matt Phillips hints at a worrying application of just that principle, and I can quite easily imagine the BPI or RIAA suing someone who they think was sharing copyrighted material, and using an encrypted torrent (which could contain anything) as evidence of that activity.
Nobody has enough resources to monitor everyone, all the time. Cracking down on public P2P networks resulted in encrypted, invitation-only networks. If the pressure is still on, pretty soon we'll have office "potlucks" where everyone brings their music and movies to swap. Once people get completely pissed off about DRM, they will not mind analog copying with microphones and camcorders to get around it. If nothing else, it is possible to simply exchange movie discs or even portable players without even necessarily breaking the law. The end result is the same though - only one person in 10 will actually pay for the content they are viewing.
The solution? Unencumbered, reasonably priced, possibly watermarked legal product. Even Radiohead strategy yields 1/3 of the downloaders paying.
...for providing a perfect reason for encrypting that will even satisfy some small fraction of the "if you have nothing to hide..." crowd.
This reminds me of an old quote,
"The internet interprets censorship as damage and routes around it."
Recording Industry associations: You are now being routed around. Congratulations.
Paul Anderson
"I drank WHAT?!" -- Socrates
When people can communicate without government or big business listening, it must be illegal and it emboldens the terrorists!! It has to be stopped!!
"It should come as no surprise that if people think they can hide illegal activity they will attempt to."
And it should be remembered that the best way to live outside the law, is to live within it..."
"it's been around for a long time and is commonplace in other areas of internet crime".
Like DRM.
I have a link to the IFPIs website if anyone wants to take a look. http://www.ifpi.com/ i didn't see it in TFA. :)
http://greenobyl.com/ please.... think of the children!!
But those who do not encrypt, or hide their villaionus activities, and conduct them openly getting backed by dubious laws that are passed through bribery of elected representatives.
That, sir, are YOU.
Read radical news here
I had a talk about P2P networks recently with someone who is very non-tech (his son has a computer, and he won't go near it without a good reason and maybe some holy water to dispell the bane that resides within, despite being anything but a religious person). We had a talk about illegal filesharing and lawsuits, and it culmunated in his question "why don't they just outlaw that crap?"
I was kinda taken aback by that and had quite some trouble retaining my calmness at the question alone. But he was dead serious. Outlaw that crap and the problem is gone.
His train of reason was that he can't check what his kid does on the computer, whether he engages in the sharing of copyrighted files and thus it's easier for him if it was just outlawed. What doesn't exist can't be a problem.
That was quite an eye opener for me, especially why crap like our current legislations can happen without any kind of resistance. Actually, there are people supporting it. Mostly because they don't know jack about the situation at all. My question why he would like to incriminate his son automatically when he uses the program was answered with "If it is illegal to have it, he can't get it". It took quite a while to explain to him that the internet is international and that it's no problem to get it from abroad.
I received a horrified blank stare at this revelation. And the quite insecure question "He can get it from abroad? He doesn't have a credit card, he can't get stuff from there."
I'm not kidding you, this is not made up, this is real. Those people do exist. They don't realize that borders are meaningless on the internet, that national laws prohibiting the possession of software don't affect a thing, except to criminalize people who did nothing wrong. I had a very hard time convincing him that a law against P2P would only harm his son, not solve the problem.
I think this was the moment when I learned that I have to reconsider my strategy for getting support against such BS laws. First of all you have to explain to people that laws like this only criminalize the ones they want to protect, their kids, but laws like this don't protect their kids from breaking the law, intentionally or unintentionally. They want to protect their kids by eliminating the problem rather than trying to solve the problem. They do not want to deal with it.
And that's the underlying problem.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This caught my eye...
"It should come as no surprise that if people think they can hide illegal activity they will attempt to."
'People' also means groups of people, which can also include Microsoft, who has long since denied any wrongdoing of growing their collection of software and inventions since their inception. Yet... they insist that they are protecting their Intellectual Property by hiding the source code to Windows and other Microsoft softwares. How can we know for sure (in the public eye) that they themselves have not stolen software from others over the years. Law is about absolutes. It is enforced with absolute counter-measures, unless a payoff can lessen a punishment and the bribe can be hidden from others eyes that care about such matters.
So this goes for corporations as well as common citizens, no?
And another thought....
And I always thought the death of Gary Kindall, was a bit fishy.
http://www.ipopisp.com/marksofesteem18.asp
Perhaps he could have shut down the operations of a particular large monopolistic software company with some carefully placed testimony that closed source software could not conceal?
Maybe he got hit with a thrown chair at the bar and died?
I certainly hope this did not happen. But mafia-types tend to protect their profits in unlawful and immoral ways. (Did you ever see the Godfather movie series? If my comments are considered slander, I blame it on watching the Godfather as a kid and seeing "the Pirates of Silicon Valley." )
---
The power of an open internet... showing mankind itself for all it is...
Like a certain Canadian ISP is doing now.
Bob: Hey Alice, I have something to tell you about Eve:
-----BEGIN PGP MESSAGE-----
Charset: ISO-8859-1
hQIOA6e9pDxxT8ONEAf6AkNjTmxD1y2o6zh+pZFJLmDuPlGlpLmA9/HkdZdwLupr
plCtjp4TJtq48o7zeQzdO7mhQxLiq8GyeKgIYqAzx0C+R2MevcJGqErDzFqElcyk
lLnfBRg60MYKJ0yZlhWhf3spZmWvP2Im0Qg+e4n4bStO4nk0VsHD+amJk5ZZeprS
H3SE7U2GGGHmMUjbjlcQn9wDhK1vmgUXMzT+zE/EZLCD6v0eXxA=
=uc53
-----END PGP MESSAGE-----
Alice: OMFG Bob, at least I don't have to worry about green fur in my bar of bath soap anymore! How on earth did she do that with mashed potatoes?
I thought it said "The British Pornographic Institute" until I saw RIAA.
This is easily detectable and rejectable.. Unless they are going to have different certificates for each site they are intercepting, and are willing to forge (and the CA is willing to forge) the certificate info to mask what is really happening.
It's also probably illegal, and definitely unethical, to circumvent the network security this way.
You misunderstand how HTTPS works.
When I connect to a https site, during the handshake the remote site gives me a copy of its certificate. I (my browser) do two things with that certificate: I validate that the domain name embedded in the certificate matches the name of the website I was asking to connect to, and I verify the signature on the certificate using the public key of the signing authority.
Unless the ISP has private key of the signer, there is no way that they could possibly generate a false certificate on the fly - so I *know* I am talking to the server I wanted to connect to, not to an intermediate proxy server.
once that handshake is complete, I and the remote site have a private encryption key which we both use to encrypt/decrypt traffic between us. The ISP can't do anything with that traffic but pass it through (or block it).
The *only* way that an ISP could get in the middle would be for them to block ports 80 and 443 and insist that you configure your browser to use *their* proxy server. If you ever come across an ISP that does this, don't walk, run, to another ISP.
Other replies cover why, but I wanted to get a comment in with an obvious subject line.
Let's go, encryption + napster = encrapster!
stuff |
Encrypting the peer connections is fine, but it does nothing to hider Comcast-style traffic disruption. Almost all public trackers use plaintext for tracker communications, and it is trivial to intercept this. With this information, traffic analysis isn't even necessary, the tracker gives them everything they need to discover and block peer connections.
:)
.torrent files and downloads should also be done over SSL.
This is almost certainly what Comcast is doing. After setting up Azureus to use only DHT and Peer Exchange for peer sources, it is once again possible to seed torrents, in spite of Comcast's evil doings. It is still not at all great, but much improved. Not nearly as good as my new ISP though.
If you run a tracker, please consider using SSL in the future. Ideally, requests for
You understand how HTTPS works, but not how a proxy works for HTTPS.
When your browser connects to a proxy for an HTTPS method, it makes a CONNECT request. The proxy makes a TCP connection to the IP address and port requested and passes the traffic both ways unchanged and uncached. The browser then performs the usual certificate validation on the contents received from the remote web site.
An ISP could force the use of a proxy. An ISP could disable HTTPS through their proxy. An ISP could slow down HTTPS through their proxy. An ISP could monitor your traffic volume through their proxy (or their routers). An ISP could record every encrypted bit going both ways. An ISP could also corrupt the encrypted traffic bits. But an ISP cannot interpret the bits in your encrypted traffic, nor modify them, in any meaningful way, without cracking the encryption.
now we need to go OSS in diesel cars
> The real world security breaches have shown the need.
I don't know if it's "security breaches" per se. After all, encrypting the torrent does NOTHING to prevent anyone who knows that that torrent contains copyrighted material from finding your IP from the tracker and going after you legally.
The ONLY thing it does is bypass some ISP-level throttling aimed at BitTorrent traffic. In other words, the ONLY reason people use it is because it makes the torrents go faster, rather than being stuck at low speeds.
That said, more people are probably doing it because it's on by default. And the reason it's on by default in more clients is because it's faster.
So yeah, the spokesman here is an idiot. Encrypted torrents will NOT help you evade responsibility for sharing copyrighted materials. Not even a little bit. This guy is a dumbass.
In the end, it's the government's responsibility (for spying too much) if the people in general (and pedophiles) end up using more powerful encryption for their activities, but that's not the point.
By applying the Sony Betamax decision to encryption, can we say that encryption has substantial non-evil (evil as child molesters and such) uses to support it?
Privacy at home? Check.
Preventing competitors from playing dirty? Check.
Help fight for human rights in totalitarian countries? Check.
Let's compare encryption to the subway. With enough justifiable legitimate use (transportation), does it matter if criminals use it for evil stuff (i.e. molesting women at peak hours)? It's not the population that's helping the criminals, it's the criminals that use a relatively-neutral medium to commit outright evil acts.
It may be that most people use it for file sharing or even unnamed acts of cruelty against children, but if encrypting your information helps you to support human rights against Orwellian nightmares like the Bush administration, then you shouldn't worry about your conscience for "supporting evil". I know, it's sad, I wish there weren't any pedophiles on the internet, but what if this "encryption helps pedophiles" statement is just a lame excuse from the government to control their people? Encryption is a medium to achieve privacy, and privacy is a constitutional right (at least for now). It's wrong and manipulative to label people as "pedophile supporters" just because they promote privacy and encryption.
Think of encryption as the Guy Fawkes mask in V for Vendetta. Yes, some anarchists used it to rob convenience stores, but the rest of the citizens used it to protect themselves - AND their families - from government abuse, and to safely protest against human rights violations.
I think there's a typeo in the tagging on this article :)
Slashdotters do not understand encryption, that much has become clear.
Encryption won't give you anonymity. RIAA only has to connect to the encrypted torrent themselves to get the manifest with your IP address on it.
"Our internet investigations team, internet service providers and the police are well aware of encryption technology: it's been around for a long time and is commonplace in other areas of internet crime. It should come as no surprise that if people think they can hide illegal activity they will attempt to.'"
Note his subtly planted associations of the words encryption, investigations, police, crime, illegal activity. Amazing how this guy works. He's a pro.
Clearly because the RIAA can't crack encrypted streams, their only avenue now is to try and form a factually incorrect correlation in the minds of the uneducated masses to deduce something is a criminal activity merely because it is encrpyted.
Its amazing how he manages to get that message over so strongly without ever actually coming out and stating such a ridiculous premise that would undermine his credability and be so easily blasted apart by the informed.
no, they cant see the URL because that isnt exchanged until after the connection is encrypted. they can, however, see what server you're connecting to. so a google search would be meaningless, but going to www.howtomakeabomb.com could still be incriminating.
Illegal might stop them.
Unethical most certainly won't.
The only way the BPI could analyse the traffic from torrents without actually joining them would be to be to sniff traffic directly on the ISPs network - which is what encrypted bittorrent is designed to protect.
But my understanding was that they had developed custom torrent software which joins the swarm and logs a fair bit of detail about every IP address it downloads from. There's absolutely no reason why they couldn't implement encryption in that software and away they go - gather all the data they like on encrypted traffic because as far as bittorrent is concerned, they're connected just like any other user.
No, I do understand how https works...
Here is how the interception works... (I haven't tried this out, yet).
You use your ISP, and request https://just_a_site.com./ The ISP intercepts this, and returns a redirect response. This sends you to https://the_isp.com/proxy?just_a_site.com. This succeeds, and your browser does a key exchange with the ISP. The ISP key exchanges with the remote site, and proxies all traffic.
I think this can be ameliorated by exchanging cookies before https, and demanding the cookie when encrypted, with the client IP encoded into the cookies.
Just another "Cubible(sic) Joe" 2 17 3061
It will come as part of the Global War on Terrorism and File-Sharing (GWOTAFS). For all of you who think it could never happen, I suggest that a decade ago we would have said that the US would never do away with habeas corpus and that something like all these "national security letters" giving the government the power to look at your library records, financial and medical and telephone records, as well as such wide-spread electronic surveillance of American citizens would also never happen.
Ultimately, a combine of the "national security apparatus" and the "intellectual property rackets" (R1AA) will be the complete undoing of all of our civil rights and privacy. The unthinkable has arrived, and it's only the beginning unless we become very organized and very willing to fight back.
You are welcome on my lawn.
Nope, don't think this would work. The ISP can't return a redirect response because certificates have not been exchanged and validated, so the browser / client will flash a warning and not redirect. The browser insists the certificates are exchanged and validated via the correct domain - else a warning about the domain not matching is popped up. In other clients - such as a java web service proxy - the connection is simply droipped with an exception thrown.
And even if it did succeed (which it won't) the URL in the browser changes. An obvious effect even for mindless technophobic newbies.
This scenario is exactly the reason why SSL certificates are validated against the domain. To stop man-in-the-middle attacks.
We do not inherit the Earth from our parents. We borrow it from our children.
That is the correct answer.
The encryption in torrent is not a big privacy enhancer since anyone can join such a tracker. (well, most of the times) The option was invented against isp's who eant to meddle with traffic.
By the way, since eMule has also gained encryption (it is called obfuscation there) it is hard to tell if it is eMule(bigger in europe) or torrent (bigger in US) traffic
It took some looking. The article has a link to the extortion letter. The letter has the URL for the settlement support center. The URL in the PDF is not clickable.
The page with the link to the letter is here; http://consumerist.com/consumer/riaa/the-riaa-p2plawsuit-letter-sent-to-college-students-241054.php
The Settlement demand letter is here; http://consumerist.com/assets/resources/2007/03/riaaletter.pdf
https://www.p2plawsuits.com/ Settlement support center link is here.
The truth shall set you free!
All the ISP has to do is force a malicious update to the browser's list of trusted CAs. How many people would understand this or care? Even if you pay attention to updates, Microsoft updates this list in IE frequently, so you'd have to understand security to think this was odd.
Windows update is not https, which I've always felt was the biggest security hole in Windows (but maybe there's better security behind the scenes?).
Socialism: a lie told by totalitarians and believed by fools.
How about talking about clear vs opaque 'tubes'?
I am a leaf on the wind. Watch how I soar.
http://azureus.sourceforge.net/doc/AnonBT/i2p/I2P_howto.htm
Let's all switch now and incorporate this by default in any clients...
Well, let's run down the "Four Horsemen of the Internet Apocalypse" checklist:
Encryption benefits Terrorists: check.
Encryption benefits Pedophiles: check.
Encryption benefits Drug Dealers: check.
Encryption benefits Hackers (music thieves!): check.
Yup, we're doomed. Sadly, it seems that most voters will respond irrationally to having one of those four buttons pushed.
Socialism: a lie told by totalitarians and believed by fools.
By spying on the certificate exchange, I think they can see what the site you connected to claims to be (unless it does a D-H exchange first). They can make a 2nd connection to the same site and carry out their own TLS protocol to get a certificate exchange if spying on your connection doesn't do it. They certainly have the IP address and can look that up in various ways, such as reverse DNS, WHOIS, Google, and see what might be there. Combine that with a lot of access patterns and there is a lot that can be figured out about what you are doing.
If you are worried they can figure out this is a torrent connection ... they will pretty much figure out which IPs are most popular about the heaviest users that are not popular among the non-heavy users and could play shoot-the-packet on those, even if also encrypted with IPsec (bypassing the proxy). With HTTPS alone (no proxy) they can still do the RST thing. With IPsec they can't do RST, but they can still throw some away (harder that RST, but still possible). The fact that Comcast is doing RST suggests they are trying to keep the costs of their efforts low and not encumber the routers to make them drop select packets. More likely they might try deliberate route flapping next if IPsec gets popular.
now we need to go OSS in diesel cars
Err, not really.
You guys keep forgetting that a typical ISP also contols the caching DNS servers the sheeple connected are using. All they have to do is to respond with the IP address of their fancy proxy to all HTTPS URL lookup requests, following which the normal HTTPS exchange occurs, proxied by their man-in-the-middle proxy (i.e their proxy pretends to be www.foo.com, complete with spoofed IP address for that domain and initiates HTTPS setup sequence with the browser, while on the other side it pretends to be the user and initiates the setup sequence with www.foo.com). That is one weakness in the HTTPS scheme: it depends on non-hijackable DNS servers since it uses domain names instead of IP addresses for verification of your packets' destination.
That assumes that the ISP is not monkeying with the DNS lookups (most sheeple connected use the ISPs DNS servers) and does not return their proxy's address to all HTTPS lookups, following which your browser would simply initiate HTTPS setup sequence with their proxy instead of the www.foo.com you were aiming at. This scheme only depends on the ISP being able to sign their own certs for any fake site they choose to mimick a real one with and that can be easily accomplished by inserting their own CA cert into the browser via "must do ISP update" or the abovementioned stupid "install teh Intertubes" software.
We need more Freenet clients/easier to use Freenet clients. Then an ISP could run a Freenet node and not worry about the liability.
They ARE out to get you simply because They are in it for themselves and they don't care about you.
Well, I'm not too up on how this sort of thing works, however, couldn't the ISP conduct a "certificate in the middle" attack, analogous to man-in-the-middle? The ISP proxy makes the https connection for you, and receives the decrypted data. In turn, the data is re-encrypted for your HTTPS session. The certificates are handled in exactly the same way - the proxy just sends you *any* valid certificate (it's their own certificate), and interupts the request for a certificate from the signing authority.
Why wouldn't that work?
Like all pain, suffering is a signal that something isn't right
DNS lookup is independent of protocol. A DNS client asks for an IP address for domain without specifying the protocol. So
I think 2) would get noticed rather quickly and really would be worth the effort...
We do not inherit the Earth from our parents. We borrow it from our children.
I would also note that SSL is all but mandatory to conduct business transactions over the internet. I don't see it being abandoned in the face of massive identity theft and financial fraud.
Yes it would, based on a domain name. The purpose of this is supposedly to repalce ads, therefore the ISP would be targetting specific high-volume sites only, not the whole Internet. They can simply sniff HTTPS traffic and shape their proxy accordingly and then transparently spoof the IP addresses of the sites which look profitable.
No, only for the spoofed domains and which is trivial, you simply NAT all non-HTTPS packets and pass them otherwise unaltered to these select domains, which would normally not communicate with users via any other protocol anyway.
Only by a select group of users who for some reason have a need to connect to these sites via non-HTTPS means and only if they look at their packet's source addresses. Note that the ISP would not actually block these, merely NAT them.
So can you tell me what protocol I am using if I DNS foobar.dnsalias.org ?? No, wait how about www.foobar.org ?? Is that using http or https?
So let me get this straight. Sniff for HTTPS packets to determine which IP addresses people are using HTTPS on, then reverse lookup that IP address to find the domain, then change your DNS server to spoof the IP address of that domain and route all calls to that IP through your proxy? That it?
Like I said, you'd end up trying to spoof all www domains which would then lead to a lot of ftp, ssh, smtp and other traffic having to be handled (since many, many people use the public one IP address for all protocols and redirect internally to private boxes behind the load balancers / firewalls) and you'd end up proxying half the Internet.
We do not inherit the Earth from our parents. We borrow it from our children.
Yes, it was informative. What's clear is you didn't understand the post (or read it, which is by far more common on /.) He/she wasn't saying anything about anonymity, you are correct on that part; he was saying that the Comcast automated customer-reamer can use the tracker info that is flying into their network to directly identify peers for traffic disruption if that is unencrypted.
The current Sandvine device hasn't reached the level of sophistication to scope torrents on Piratebay, connect to them, collect the peer info, and use that to block traffic, which would work, and probably will happen at some point.
So then everyone just starts using google cache and avoid the original website?
Nah; probably not. Well, OK; you'll see it, but it'll fail. It would outlaw https:/// URLs, which would shut down all internet commerce and banking. The big companies funding the re-election campaigns wouldn't tolerate that. Even the dumbest corporate manager or politician understands why you don't want your credit-card data going through the internet's tubes in the clear.
The first piece of advice from every network security analyst from the start has been: The only security is end-to-end encryption of everything. Anything other than this is BS, and doomed to failure for the reasons others have explained here.
And even the people who think that their government is run by angels who should have full access to everyone's secrets still agree that it'd be stupid to let your credit-card and banking info go out unencrypted. They understand that there are people much more evil than government spooks on the Internet. There are corporate marketers. They want your credit-card and banking data. Some of them work for the telecom companies. If your credit-card and banking info is readable by your ISP, then it will be sold commercially to anyone with the right amount of money. Joe Sixpack understands that. Even a Congressman can understand that.
Sorry; the encryption genie is out of the bottle, and can't be stuffed back in.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
No, but as I explained, you can tell that www.foobar.org is being accessed via HTTPS by a lot of people from you network. Then if you go and check it out with your own browser then you will know that www.foobar.org has a lot of ads and these two facts combined tell you that www.foobar.com is something worth spoofing.
No, you pick high traffic sites with a lot of ads on them straring with traffic logs and combined with other factors such as ease of substitution of ads, manually. You keep missing the whole point of the excercise. It is quite likely that your proxy has to be taught how to handle each such site properly, so that the substitutions do not disrupt the user experience.
For some reason you assume that everyone but you is stupid and cannot discern good target sites from bad ones.
Before you become too vaginally flatulent, you should have comprehended that we were simply discusing domains which are known to have large amounts of https traffic heading to them, based simply on analysing the volume and destinations of https packets travelling via the ISPs network. The "https lookup" was a shorthand to "a forward DNS lookup for a host (or a domain) known to have a busy HTTPS site with a lot of juicy ads to substitute on it". Clearer now?
Note that once such domain is identified by packet sniffing and other means, all lookups of its name will return the adress of the ISP proxy, irrespective of protocol, since as you farted out correctly, DNS lookups are performed irrespective of protocols later used to make connections. Which of course was clear from the rest of my message.
So keep your vagina tight and do not fart when it makes you look like a ... well ... a twat.
Almost. The weakness in the HTTPS scheme is the chain of trust, not DNS. The SSL certificate contains a domain name, e.g. "secure.mybank.com". If the domain name contained in the certificate does not match the hostname requested by the browser (http://secure.mybank.com), then it will warn the user about the mismatch. This doesn't offer much protection in itself.
However, if the certificate offered by the web server is not authenticated by a certificate authority already trusted by the browser, then it will warn the user that it has no way of verifying the identity of the website. It is generally difficult to get a certificate for a domain which you don't actually control which is signed by a CA trusted by enough users to be useful.
If the ISP intercepts your traffic, they have to a) offer a certificate with the hostname your browser believes it is connecting to, which is b) signed by a trusted authority.
They can do a) with just an IP address, by connecting to the same IP and see what certificate the site offers, or by forcing you to use their proxy. b) is more difficult; the only way to do that is to get a trusted certificate installed in all of their customer's browsers, which they can use to sign the certificates they generate for the site they're spoofing. This could potentially be done as part of an ISP setup package, but they will probably lose a lot of customers when word gets out that they're spoofing secure sites. It may also be illegal to do this.
Cops use this one to dragnet for all sorts of crap they can nail you for. They aren't there to help you, even when they proclaim they are. They are there to beef up their "busts" quota.
:)
If you consent, any "illegal search" premise is lost, and anything they plant or actually find will then be usable. It is a dirty trick and cops in the USA have been using it for a long time. They have to get you to consent to a search, even if they trick you into it. Otherwise the court system is still relatively usable to put that cop out on the street, if you're clever.
Surprised? You shouldn't be. They govern by consent, here, there, everywhere, so stop consenting if you don't wish to get trampled along with your rights. You don't have to overthrow them, you merely have to avoid giving in to their tricks. If you consent you have NO excuse for bitching about being abused. You will have given them permission. If you refuse and they assault you, there are plenty of options available to you as you were not the initiator of the aggression and can therefore have a clean conscience, and if you are willing and intelligent enough you can put the individuals in question in the poor house with a well placed lawsuit. And then you can retire
" What luck for rulers that men do not think" - Adolf Hitler
And give the information to Google instead... Great, they never collect and keep data about you. Right?
I'm not a gamer, so I keep an old ThinkNIC around specifically for this purpose. On those rare couple of occasions when my ISP has insisted that someone must visit my house, the only computer they saw or touched was that ThinkNIC.
Aside: I know the reasons that crippled web terminals tend to fail in the marketplace. I'm obviously out of step with the norms of the computer-using public, though. I think the ThinkNIC was a great idea. I'd install one for my mom today if she had any desire to use a computer. I'm sure glad I got one before they went belly-up.
Well, we were simply having a theoretical discussion about the technical feasibility of the scheme. Its legal and marketing implications are another matter. I was suggesting precisely what you mentioned, that they insert their own CA cert into the browser via the "install teh Intertubes" package and then use it to sigh the certs of their proxied, spoofed sites. This would of course affect only the dumb users who actually use the silly disk, precisely the kind of crowd who will not notice that they are being shafted, and if they do, they probably would not do anything about it. As to illegality ... who knows. Uncharted territory.
You would have easilly know that from the other posts I made, all very near each other in this thread, should you actually bother to read anything instead of flatulating unduly and prematurely.
Not tight enough apparently, given all the misdirected gas.
OK.
Unencrypted packets are like.....er....ummm.....untinted windows!
Encryption is after-market window tinting!
Google is much less dangerous to your privacy than, say, your employer, the local sheriff or local mobsters that somehow bribed they way to access your ISP. (Or simply hacked into something)
Comparing all network-monitoring, head-cutting dicatorial evil in the world, I think Google is the least concern for the time being.
You are right that this scheme can be defeated via the client authentication process, but remember that we were discussing a particular cross-section of web traffic, namely hypothetical HTTPS sites open to the general public which contain ads, not sites like banking or P2P applictions. Unless you somehow manage to issue verifiable certificates to all your potential random web site passers by, or somehow demand that everyone has them and setup a whole infrastructure for it, free of charge (since average Joe will not pay for it), this defense is impractical. That is the main reason why most sites do not use it.
In other words, people who already understand how to defend themselves and who participate in closed, registration based sites can do so, but they were never the target audience for this since they are rather unlikely to install the ISP's funky software with their malicious CA cert in the first place.
You're probably right, jc42. Efforts to wipe out personal use of encryption will fail, but I'm confident that outside of consumer transactions, the use of encryption in personal communications and file transfers will be heavily regulated or even outlawed. You don't think that the authoritarian minds that have decided they need to listen in to our phone conversations, read our email and view our library records are going to go to all the effort of putting in a system of mass surveillance and then allow us to circumvent it with some uber-pgp, do you?
Most likely we'll have access to some corporate-approved encryption that has a big fat back door and key escrows for the government. After all, "as long as we're not doing anything wrong, we have nothing to hide", right?
You are welcome on my lawn.
Actually, an ISP could use an SSL proxy to act as a man in the middle and have access to all of your traffic unencrypted. It would require them to install a certificate on your machine that tells your browser to trust the ISP's CA. See the following episode of Security Now, I think Steve Gibson explains how this works fairly well. http://www.grc.com/sn/SN-112.htm I don't know how legal it is for ISPs to do this, but I know some schools and corporations do.