Slashdot Mirror

← Back to Stories (view on slashdot.org)

ISPs Violating Net Neutrality To Block Encryption

Posted by timothy on from the connecting-pipe-a-to-tab-q dept.

Dupple writes One of the most frequent refrains from the big broadband players and their friends who are fighting against net neutrality rules is that there's no evidence that ISPs have been abusing a lack of net neutrality rules in the past, so why would they start now? That does ignore multiple instances of violations in the past, but in combing through the comments submitted to the FCC concerning net neutrality, we came across one very interesting one that actually makes some rather stunning revelations about the ways in which ISPs are currently violating net neutrality/open internet principles in a way designed to block encryption and thus make everyone a lot less secure.

10 of 149 comments (clear)

  1. Competition urgently needed by mi · · Score: 5, Informative

    As long as the ISPs retain monopoly positions, they will be able to do as they please (or as the NSA pleases to make them do).

    And once there is healthy competition among them, there will be no need for the rest of us to legislate every minutiae of their behavior.

    --
    In Soviet Washington the swamp drains you.
    1. Re:Competition urgently needed by atfrase · · Score: 5, Insightful

      I think this hints at the fundamental disagreement between people's thoughts on "net neutrality."

      Some folks think business is business and should be able to do whatever it wants, probably because they have money or some other vested interest in the current telecommunications behemoths, so they want the maximum return on that investment no matter who gets screwed in the process.

      Other folks (like you) see a problem with the current arrangement, and believe that the solution is to create more competition so that the telecom industry "regulates itself." In principle I agree, but I think that's just not possible in this case.

      The rest of us believe that telecom is, was, and (for the foreseeable future) always will be a *natural* monopoly. You can't have meaningful competition for building roads and sewers and power grids, in part because those things cost so much money that it is effectively impossible for a new player to enter the market, and in part because our cities would be a mess if we had to deal with multiple parallel networks of these kinds of infrastructural utilities. Telecom has exactly the same issues; no matter how data transmission technology evolves (in the foreseeable future), be it telephone wires, coaxial cables, fiber optics, or whatever is next, it will always be vastly more efficient for a single entity to install and manage that physical data network, at least at the local level. There just can not be meaningful local competition in data transmission services (which includes telephone, television, internet, etc). So the solution for telecom is exactly the same as it is for water, sewer, roads, etc: allow one entity to run it, but regulate them heavily as a public utility.

      The problem we're facing now is "how to get there from here." We should have made this transition decades ago, but for a variety of reasons didn't, and so now those telecom monopolies have been allowed to remain private for too long and grow to enormous size. Wrangling them back into a public utility arrangement is the only sustainable path forward, but it will also be extremely politically difficult.

  2. The "It's not working" attack by TechyImmigrant · · Score: 5, Interesting

    This was discussed when we were writing the 802.11i security specs. If an attacker can selectively DoS the link/network/whatever when security is enabled, you can fool the user to conclude the security is the problem and turn it off, whereupon everything starts to work.

    There is a collision of two principles
    1) Silently drop bad packets.
    2) Let the user know something bad is happening.

    These are opposing goals. In the case of this attack, we want #2, because we know they have evil intent and plaintext is not ok and we need the user to not turn off TLS.
    In other cases, like front door attacks (as opposed to MITM), #1 is the way.

    This is why designing a good security protocol is hard and TLS still does the wrong thing at the wrong time.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. Re:No Carriers by TechyImmigrant · · Score: 5, Insightful

    Isn't the end result the same?
    If a transparent proxy changes the TLS messages, it's filtering encrypted traffic so it's a MITM attack.

    Still evil.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  4. Re:No Carriers by TheCarp · · Score: 5, Interesting

    > The whole article is written by folks who clearly have no idea about how the internet works.

    No. It is written by someone who thinks he knows how it is supposed to work and not how it actually is setup. I had the same thought about transparent proxy however... his final assessment is SPOT ON.

    The user, who is paying for internet access, is attempting to connect to a remote machine and, having that connection HIJACKED by a transparent proxy.

    If I send a TCP SYN to w.x.y.z, then, as a paying fucking customer, I want that SYN packet to be delivered to w.x.y.z and responded to by the same. There is absolutely no scenario where I want someone else intercepting the traffic and doing something else instead.

    In short, the author of the article shouldn't need to know those details because they are all the same to him. End result is, his connection is being tampered with, and he is not recieving the service he paid for.

    --
    "I opened my eyes, and everything went dark again"
  5. not surprising, Time Warner has similar chicanery by nimbius · · Score: 5, Interesting

    Time Warner is just as predatory and absurd. When you subscribe to their service, you'll receive almost weekly reminders to "bundle" your service together with cable TV and phone. Opting out from this advertising is almost impossible As a cable internet user, when you set up your open source router to block ICMP traffic and recurse your own DNS, you'll be instantly branded as abberant. IRC and VPN traffic ive found also trigger this reaction. Time Warner DNS servers will then redirect to a page accusing you of sending unwanted traffic. If you want to continue using Time Warner DNS you'll need to complete the electronic equivalent of an apology and sign up for an email address. You'll then be presented with their software and the DHCP assigned DNS servers will begin responding normally again. I returned to my own setup almost immediately after being forced into this.

    Eventually my DNS recursor and irc client stopped functioning entirely, so i was forced to tunnel this traffic over to my VPS and the phonecalls started about my "unwanted" traffic. Explaining why you're doing this is pointless, but the calls are harmless so long as you pay the bills on time. In the age of cutthroat capitalism you're supposed to subscribe, bundle, consume, and repeat. My experience with Verizon was just as draconian with the exception that they also block all SMTP traffic and, should you null-route their advertising CDN used to inject targeted content, they become very interactive. Customer service will call you within a day asking to set up a service appointment for a connectivity problem theyve "detected."

    --
    Good people go to bed earlier.
  6. Re:this could be solved by defining "internet acce by Dega704 · · Score: 5, Interesting

    This is why I think that the Netflix debacle amounts to a bait-and-switch on the part of the ISPs. If they advertise a connection to the 'Internet' at a given speed, then fail to deliver on that speed when the party on the other end has provided the necessary capacity, they are committing straight-up false advertising.

  7. Cisco ASA by backtick · · Score: 5, Informative

    Google "250-XXXXXXXA asa cisco starttls" and you'll find this is almost certainly an ASA preventing TLS as configured on the device. Since it doesn't want TLS traffic, the config is to just mangle the packets. Well known effect, been around for years (5+). The FW admin needs to correctly deploy fixup, allow TLS or simply not inspect esmtp. Simple fix, documented in Cisco doc 118550, among many other places.

    1. Re:Cisco ASA by segedunum · · Score: 5, Insightful

      I can't mod you up any further, but yer, you're spot on. This is actually the default behaviour of a lot of routers. It might look like malice but in this case it could very well be complete laziness and a lack of awareness. Typical ISP in other words.

  8. Re:No Carriers by DamnOregonian · · Score: 5, Informative

    Disclaimer: I am a senior network engineer at a large regional ISP.

    Transparent proxying, particularly on smtp is unfortunately commonly applied to residential connectivity, and there's little that can be done about it (short of blocking it entirely, which is what a lot of ISPs do).

    When Joe User's windows machine gets infected and starts launching spam at the universe, if we don't catch it quick enough, it results in blocks. Sometimes if the infection is big, the blocks can happen to entire /24 subnets. In egregious cases, entire netblock allocations.

    Usually, the transparent proxy is employed to limit the damage (number of IPs) that may be blocked in the event of a compromise. In this case, the proxy *should* support encryption, that part is inexcusable, however, we have to do something to protect our network from you guys.