What the Investigatory Powers Bill will mean for your internet use

Through pressure from Google, Facebook, and other major providers such as Yahoo and Apple, the world wide web is slowly becoming more secure, with web services using HTTPS to encrypt web traffic by default. However, the arrival of the draft Investigatory Powers Bill raises questions about who can potentially get access to what …

  1. Wupspups
    Big Brother

    Surely the only way Google knows what you have searched for is if you log in to Google? (and why would you want to do that)

    1. Anonymous Coward
      Anonymous Coward

      Big tech create virtual profiles even for non-users. G+ and Facebook like bugs, Recaptcha, Google analytics. Since ADSL IPs tend to be pseudo-static these days this can be pretty accurate.

      Google is a bit of a bastard when it comes to cross-domain cookies. I'll log in to Chrome dev forums, but forget to logout, then visit youtube. Bam, still logged in. More data added to that profile.

      1. Roland6 Silver badge

        >"Since ADSL IPs tend to be pseudo-static these days this can be pretty accurate."

        Don't forget what the Google Streetview rumpus, back in circa 2010, was all about, namely the collection of wireless data such as router MAC address, SSIDs etc. Given all this information is also readily available to your browser, these could be used to further refine data and identify individual devices and their user(s).

    2. veti Silver badge

      Quite. I just clicked on the Google link, to "Visit my Web & App Activity Page", and it asked me to log in. So I'm thinking it doesn't know who I am.

      I'm under no illusions that Google could work that out, if they wanted to, and very likely they already do that in a number of systems. But there's still, as yet, no single joined-up system that actually links and tracks all that information.

    3. Permidion

      people search using google

      people use google DNS

      people are tracked by adv. cookies and most of these are handled by google

      that already covers most of anyone's internet usage

  2. Dan 55 Silver badge

    Google doesn't know what I've accessed

    No Google account, don't use Chrome, I use another search engine unless I have to, and a dynamic IP.

    Also the HTTPS question doesn't take account of client-based encryption and PFS.

    The mail answer doesn't take into account a MITM fiddling with strings to stop STARTTLS from working.

    The password answer talks about data in transit but doesn't say that data at rest can be stored without encryption (Talk Talk).

    Probably others. Someone else will comment.

    And the obligatory question - when is El Reg going to switch to HTTPS?

    1. druck Silver badge
      FAIL

      Re: Google doesn't know what I've accessed

      PlusNet doesn't support any encryption for POP3 or IMAP either.

      1. choleric

        Re: Google doesn't know what I've accessed

        >PlusNet doesn't support any encryption for POP3 or IMAP either.

        Good job it's only 1997 then. Oh, hang on...

    2. Roland6 Silver badge

      Re: Google doesn't know what I've accessed

      Do you clean your site visit history and cookie cache before accessing Google on whichever non-Chrome browser(s) you do use?

    3. Doctor_Wibble
      Headmaster

      Re: Google doesn't know what I've accessed

      But don't forget google-analytics, doubleclick, and any other google-pwned or related thing out there, unless you blocked them of course... So - true, google doesn't have everything but don't mistake that for meaning 'nothing' and there are plenty of others who get rather more than we might expect.

      e.g. the various 'share button bar' services which pull in data without needing a click, and watch out for that 'mouseover' thing that I'd swear people put in to places just to piss me off (though some have the manners to at least have a delay) but which activates all manner of evilness.

    4. phuzz Silver badge
      Big Brother

      Re: Google doesn't know what I've accessed

      "No Google account, don't use Chrome, I use another search engine unless I have to, and a dynamic IP."

      So when the IPB comes into force, GCHQ can find you just by looking for the only connection in the UK that isn't sending packets to google.

  3. Anonymous Coward
    Big Brother

    How long will it be before Parking Eye is allowed to access your web data for £2.50 ?

    No way Gov !

  4. CAPS LOCK

    If I was upto-no-good...

    ... I'd assume all computer activity could be observed and not use one. But I'm not - Hurrah!

    1. Anonymous Coward
      Anonymous Coward

      Re:If I was upto-no-good

      "If I was upto-no-good..." define "upto-no-good*"...

      why should I have to be upto-no-good before I care about my privacy

      once I was innocent until I did something wrong, now I'm guilty until someone (anyone) can check I'm not 'upto-no-good' when did this become acceptable?

      *e.g. I would define everything George Osborne does as 'upto-no-good' but I imagine he may disagree.

  5. damian fell

    you've forgotten about something

    In your paragraph about https you've stated that :

    "Only the IP address of the destination (and the port used, usually 443) can be determined"

    Actually the domain name is also visible to the ISP as it's needed to request the correct certificate as part of the initial handshake (to accommodate servers hosting multiple domain names), so even if everything you use is HTTPS and you use DNSCrypt or local DNS resolution, your ISP will still be able to see the domain name of the server you contacted.

    https://en.wikipedia.org/wiki/Server_Name_Indication

    1. Anonymous Coward
      Anonymous Coward

      Re: you've forgotten about something

      >Actually the domain name is also visible to the ISP as it's needed to request the correct certificate as part of the initial handshake (to accommodate servers hosting multiple domain names),

      When you're doing HTTPS you negotiate the certificate before you say what website you want to access. HTTPS servers that need to host multiple websites either need to use certs that cover multiple websites (which doesn't work with older browsers) or they need to use multiple IP addresses.

      1. damian fell

        Re: you've forgotten about something

        That's not my understanding of how the TLS handshake works in most modern browsers.

        The very first "client hello" packet will normally contain the server name, so that the "server hello" packet can respond using the correct certificate for the domain name.

        I'll admit that whenever I've used this for performance tuning, I've seen it on the same client device as the browser, but I'm pretty sure that it would also be visible on the wire, as wireshark is only viewing the transport layer.

      2. Ben Tasker

        Re: you've forgotten about something

        >When you're doing HTTPS you negotiate the certificate before you say what website you want to access. HTTPS servers that need to host multiple websites either need to use certs that cover multiple websites (which doesn't work with older browsers) or they need to use multiple IP addresses.

        Christ, when did you last touch a HTTPS server? RFC 3456 was back in 2003, what you've said above hasn't been true since shortly after then

    2. chelonautical

      Re: you've forgotten about something

      Yes, Server Name Indication is visible on the wire in plaintext as part of the initial TLS Client Hello. I've seen it myself in Wireshark traces of HTTPS connections. Use of SNI is common nowadays since many web servers host multiple sites and need that information to present the correct server certificate.

      Don't forget that the domain name of a web site could potentially reveal a great deal of personal information about the person accessing it, even if the individual pages and requests are hidden. Visiting a website for a divorce lawyer likely indicates a relationship in trouble, visiting certain adult sites may reveal sexual orientation or fetishes, visiting a payday loan company could reveal financial troubles etc etc. For this reason we should still be concerned about government plans to keep lists of visited domains. Also, whilst "use HTTPS" is good advice as far as it goes, there's a danger that the mantra becomes a substitute for deeper understanding of the risks involved.

      Having said that, thanks for doing an article about internet security in simple language. I've been looking for something I can show friends and family about the topic in words they can grasp. I'm not ready to show it to them in its current form: many commenters have pointed out various flaws in the text as written. With a bit of redrafting, it could become a really nice starter article for those who want to improve their awareness.

    3. Doctor_Wibble

      Re: you've forgotten about something

      On a similar note I've definitely seen SMTP server certificates on the wire when fixing email problems, these were definitely in the clear complete with the admin contact details etc.

  6. John Robson Silver badge

    And which machine is in use behind NAT can be inferred from UA headers etc. Which can easily be enough to ID a user...

    1. frank ly

      Isn't the UA header only seen by the web server you're accessing (after decryption at that end)?

      1. This post has been deleted by its author

      2. John Robson Silver badge

        Assuming HTTPS - then yes. But since they can just issue a warrant for those logs anyway (assuming a UK server)

        My only point was that NAT isn't a perfect anonymisation tool as implied in the article. There is a lot of information leakage...

    2. GrumpenKraut

      You beat me to it. At least after changing "which of us at home is accessing" to "which computer at home is accessing" then it seems the answer is more of a 'yes', at least with some extra effort by the interested party.

      Admittedly I am not sure about this, comments appreciated.

  7. Alister

    Will investigators have powers to examine web server logs?

    Yes, for those based in Britain.

    So, as someone who currently hosts a load of websites for friends, when am I going to be instructed as to how long I need to hold web log data from my servers?

    And, as a Sys Admin for a company that hosts thousands of web sites in the UK (but is not an ISP by current definition) when are we going to be formally informed as to our obligations regarding log data? At present there doesn't seem to be a clearly defined period for which we have to hold logs, nor is there much information about when we should destroy log data.

    1. Anonymous Coward
      Anonymous Coward

      Re: Will investigators have powers to examine web server logs?

      Well I'm not logging anything I don't feel like. Fuck the PO-LICE. When hosting contract ends I'm moving the last few servers out.

    2. Gordon 10
      Thumb Up

      Re: Will investigators have powers to examine web server logs?

      @Alister - you have a good amount of time yet. The bill is only just up for discussion. Nothing has been passed as yet.

    3. SImon Hobson Bronze badge

      Re: Will investigators have powers to examine web server logs?

      > ... when are we going to be formally informed as to our obligations ...

      Oh you naive fool !

      They don't inform you, you have to know - that's the basis that laws work under. They may well inform some larger operators simply because there'll be a certain amount of "negotiation" involved over technical specs to allow automated access, but in general it is your responsibility to know the law.

      In a completely unrelated business field I have a hat for, there are some laws recently come into effect, and others coming into effect soon. The government have made little (if any) attempt to inform anyone, and it's being left to trade groups and the like to get the message across. For those that aren't members of one of the trade bodies, they may be in for some uncomfortable shocks.

      But that's not uncommon.

      1. Anonymous Coward
        Anonymous Coward

        Re: Will investigators have powers to examine web server logs?

        That's the consequence of any law.

        'Ignorance is no excuse'

    4. Roland6 Silver badge

      Re: Will investigators have powers to examine web server logs?

      "So, as someone who currently hosts a load of websites for friends, when am I going to be instructed as to how long I need to hold web log data from my servers?"

      Well firstly, congratulations you've just qualified as a "Communication Service Provider", so this Bill will apply to you, unless in the actual bill they qualify a CSP to be a 'major' whatever. So take it that you've just been notified that you will need to be looking to store 13 months worth of log data.

      "At present there doesn't seem to be a clearly defined period for which we have to hold logs, nor is there much information about when we should destroy log data."

      Well currently you aren't a telco or ISP so there seems to be no official obligation for you to retain logs. As for the destruction of log data, that is up to you and given the example of Enron (taken to court for failing to destroy records in a timely manner), I would look up "Records Management" and write up a policy asap.

      Plus you may wish to check to see whether you should be on the ICO - Data Protection Register with respect to your friends hosting...

  8. Anonymous Coward
    Anonymous Coward

    So, who really knows what I access? Google

    This is incorrect, isn't it? Or, strictly speaking, for the user-accessible search history it is correct ONLY if you have a google account. Naturally, one can assume, that such web search is also stored for non-google-account users, but google offers no way for the minions to retrieve that. Perhaps it'd be useful if you clarified if google is allowed, legally, to hand over this data to our intelligence services. Or do they not bother, as they can get the same in other ways?

  9. Anonymous Coward
    Anonymous Coward

    tor browser

    is this correct, i.e. even the main page you open (e.g. I-love-spooks.org.uk) is hidden from the spooks while using tor browser?

    1. Yet Another Anonymous coward Silver badge

      Re: tor browser

      If you are using tor then everything that goes over Tor, dns requests, web pages, email is secure.

      Unless all the Tor nodes are being run by the spooks or you are sufficiently of interest that they are monitoring a majority of the network and can do timing attacks.

      But against general data gathering it's pretty secure.

  10. tabman
    Meh

    VPNs

    I presumed that if I used a VPN to access web sites the IP address provided by the VPN would be logged not mine. For example, VPN turns on as soon as I connect to the internet. It gives me an IP address from London or Manchester even though I am in the Highlands. If I then do a google search, with the VPN turned on, doesn't google record that search as coming from the VPN's IP address (and therefore location)?

    1. Steve Evans

      Re: VPNs

      The search engines and other sites aren't just building a profile of you based on IP. They leave ID cookies on your machine which are passed as part of the HTTP(S) request.

      It doesn't matter how the data gets to Google/facebook etc, if the ID cookie is there, it knows who you are, and anything you then do over that connection will be added to the profile.

      If you want to be completely unrecognisable you'd need to block or delete the cookie so the target website won't recognise you from the last time you visited, and use a VPN, and hope HM Gov haven't got a warrant for the VPN company's logs.

      If you only ever access the 'net via VPN, the only info the search engines etc will be missing will be your location... Although your search history, maps use and site visit history will probably give a good indication...

      Scared yet?

      1. Ben Tasker

        Re: VPNs

        You'll also need to make sure your VPN Fails closed.

        It's something a lot of people seem to miss, VPN drops for a few seconds and a bunch of their requests go out from their source IP

  11. Anonymous Coward
    FAIL

    if you see HTTP...

    Dear professor, please return to your lessons, and this time, please pay more attention. By default, Firefox and Chrome both hide 'http://' in the address bar, so I'm not going to bother reading the rest of your statements.

    1. GrumpenKraut
      Boffin

      Re: if you see HTTP...

      One can switch that (IMO annoying) behavior off. In about:config set browser.urlbar.trimURLs to false.

  12. Vince Lewis 1

    I was wondering when the Reg would start reporting on this

    I read about this on the BBC News. From what I read there, the IPB will require ISPs to log all DNS look-ups.

    Which to me seems like the absolute maximum an ISP could do without serious impact on cost or speed.

    It also will have zero effect on any criminal with 1/4 ounce of IT knowledge.

    I'm setting up my own DNS server anyway to increase our own security and web safety.

    1. alain williams Silver badge

      Re: I was wondering when the Reg would start reporting on this

      >It also will have zero effect on any criminal with 1/4 ounce of IT knowledge.

      Exactly: so it could help to catch small time crims/paedos/terrists - but not the clever, well organised ones - ie this is designed to not catch the people who it is supposedly aimed at.

      1. Vince Lewis 1

        Re: I was wondering when the Reg would start reporting on this

        But it could also bring a lot of false positives.

        If included as a general background check for unrelated offences (such as speeding, shoplifting) it could throw up DNS results from a disreputable Advert or malware.

        1. Ben Tasker

          Re: I was wondering when the Reg would start reporting on this

          > If included as a general background check for unrelated offences (such as speeding, shoplifting) it could throw up DNS results from a disreputable Advert or malware.

          Given that both Chrome and Firefox use pre-fetching, there's also no real guarantee that you actually visited a page/domain either - certainly not from the DNS logs or even just a list of FQDNs that TLS handshakes or port 80 GETs have been seen for

      2. Yet Another Anonymous coward Silver badge

        Re: I was wondering when the Reg would start reporting on this

        >ie this is designed to not catch the people who it is supposedly aimed at.

        It's designed to make ordinary people think twice before looking at "dodgy" sites, like Al Jazeera, CND, Greenpeace, Médecins Sans Frontières or the Labour party - if they think these are being logged and will be made available to an employer, local council or the policeman that stops you for speeding

    2. Your alien overlord - fear me

      Re: I was wondering when the Reg would start reporting on this

      Want to flood the DNS server logs? Download AOSP, 10-20 Gig depending on which version you download. The Git/Repo command downloads gazillions of small packets, each one requiring a DNS resolve.

      Google actually tells you to set static IP addresses for the download servers to stop DNS overload !!!

      1. alain williams Silver badge

        Re: I was wondering when the Reg would start reporting on this

        >The Git/Repo command downloads gazillions of small packets, each one requiring a DNS resolve.

        Any sensible system setup will have a local DNS cache, so only the first one would be logged.

  13. Anonymous Coward
    Anonymous Coward

    Ha-ha

    Quote

    No. Typically, home broadband connections share a single, traceable public internet IP address between many computers and smartphones using what’s called Network Address Translation (NAT). Your ISP will log only the single public IP address assigned to your home router, not which individual device in the home was using it at the time.

    Until IPv6 that is. Isn't NATting V6 supposed to be verboten?

    I think I'll be keeping a V4 lan for a while yet (double natted from the internet).

    1. Arthur the cat Silver badge
      Big Brother

      Re: Ha-ha

      "Until IPv6 that is."

      And coincidentally, BT have announced that IPv6 will be deployed across their entire network by December 2016, with 50% roll out by April.

      1. Yes Me Silver badge

        Re: Ha-ha

        This isn't a problem with IPv6 if your computer does what it's supposed to do: randomise your interface identifier ('Privacy Extensions for Stateless Address Autoconfiguration in IPv6', RFC3041 from 2001, updated by RFC 4941). Any reasonably modern IPv6 stack supports this as the default.

        1. Roland6 Silver badge

          Re: Ha-ha

          >This isn't a problem with IPv6 if your computer does what it's supposed to do: randomise your interface identifier

          The IP address of your router is defined and provided by your ISP... So all you are doing is to make it difficult (or impossible?) to backtrack your external communications through Internet Connection Records to a specific machine/device behind your router.

          In fact, it is probably less secure than using IPv4 and NAT!

          This is because with NAT the IP address of the end system never gets beyond your in-house router, ie. all systems within your network share the same IP address, namely the one provided by the ISP.

          With IPv6 SLAAC, the router address is simply the forwarding address to the given address. Hence the IPv6 SLAAC address gets beyond your router, which means that it can be collected, and there is probably sufficient data in the clear for different sessions to be narrowed down to say a Windows 10 workstation with a reasonable level of confidence. In a large organisation, your system will be hiding in a crowd, in many homes it is probably the only such system...

          1. Yes Me Silver badge

            Re: Ha-ha

            All of that applies to a NATted IPv4 session: the apps metadata is the same. Anybody who thinks that NAT protects them from pervasive surveillance is dreaming. With both NAT and IPv6 they'd have to come to your home to tie the traffic to a specific person using a specific computer.
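The IPv6 addressing question debated in this thread, shown as an added Python example (not part of any comment above): it tells a SLAAC address whose interface identifier was derived from the MAC address (modified EUI-64) apart from one with an opaque identifier such as a randomised privacy address, and groups observed addresses by /64 prefix. The addresses use the 2001:db8::/32 documentation range and are constructed, and the function names are assumptions of this example.

```python
import ipaddress


def classify_interface_id(addr):
    """Split an IPv6 address into its /64 prefix and interface identifier (IID)."""
    ip = ipaddress.IPv6Address(addr)
    prefix = ipaddress.IPv6Network(f"{ip}/64", strict=False)
    iid = ip.packed[8:]                          # low 64 bits
    result = {"prefix": str(prefix), "kind": "opaque", "mac": None}
    # Modified EUI-64 inserts ff:fe in the middle of the MAC and flips the
    # universal/local bit of the first byte. A random IID matches this
    # pattern by chance only about once in 65536 addresses.
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        result["kind"] = "eui64"
        result["mac"] = ":".join(f"{b:02x}" for b in mac)
    return result


def summarise(addresses):
    """Group observed source addresses by /64, i.e. by the prefix the ISP assigned."""
    households = {}
    for addr in addresses:
        info = classify_interface_id(addr)
        entry = households.setdefault(info["prefix"], {"macs": set(), "opaque": 0})
        if info["kind"] == "eui64":
            entry["macs"].add(info["mac"])       # stable per-device identifier
        else:
            entry["opaque"] += 1                 # e.g. RFC 4941 temporary address
    return households


# Constructed sample observations.
SAMPLE = [
    "2001:db8:1234:5678:21a:2bff:fe3c:4d5e",    # EUI-64 from MAC 00:1a:2b:3c:4d:5e
    "2001:db8:1234:5678:3c91:7e0a:55d2:9b41",   # randomised IID, same prefix
    "2001:db8:1234:5678:a04f:11c8:6e02:d7b3",   # another randomised IID, same prefix
    "2001:db8:aaaa:1::1",                       # different prefix
]

if __name__ == "__main__":
    for prefix, seen in summarise(SAMPLE).items():
        print(prefix, sorted(seen["macs"]), "opaque:", seen["opaque"])
```

With randomised identifiers the device is no longer named by its MAC address, but every address still falls inside the same /64, so the connection itself remains as linkable as a single NATted IPv4 address.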

  14. Anonymous Coward
    Anonymous Coward

    It seems to me...

    That the lying bastards (aka HMG), will only be able to access the browsing history of the innocent and the stupid criminals/terrorists.

    Anyone else (i.e those of "interest") will be using VPNs, Proxy Servers, TOR etc. Not to mention, that there's no way to identify an individual from an IP address - especially if it's publicly accessible.

    More public funds being wasted on a pointless exercise. The real criminals and the real danger to the public comes from muppets like Theresa May and Iain Duncan Smith.

    It's definitely about time we brought out the pitchforks and burning brands...

  15. Dazed and Confused

    Can my ISP determine which of us at home is accessing a certain site?

    You say NO,

    But this could be "perhaps"

    I've got Internet connections from A&A and from BT. The A&A connection uses a mix of static and NAT based addresses, the static ones are obviously easily traceable whois will do it for you, but the NAT based ones on this link would be hidden from the ISP since the DHCP and the NAT is being done by my local Linux boxes.

    For the BT, the BT supplied router knows which devices have been allocated which internal IP addresses and could be logging the translations, so I don't know whether they could map the sites visited back to the individual gadgets used within the house. I have also seen my phone connected to the generic BT WiFi at home rather than the local WiFi, so they could be logging things that way.

    For my Linux managed NAT I can, if I have to, map the NAT'd connections back to the local device, so there is no reason to believe that BT Internet can't do that too, if the guys in the black helicopters ask nicely.

    1. Velv

      Re: Can my ISP determine which of us at home is accessing a certain site?

      Far simpler than that. A simple profiling of the websites visited is likely to indicate which users are online from a single IP, as most of us multitask in a repetitive fashion. Who visited Peppa Pig website and who visited the Bullingdon Club website are likely to be two different members of the family...

      1. Anonymous Coward
        Anonymous Coward

        Re: Can my ISP determine which of us at home is accessing a certain site?

        'Who visited Peppa Pig website and who visited the Bullingdon Club website are likely to be two different members of the family...'

        Lord Ashcroft's book suggests they could be the same person.

        1. Lyndon Hills 1
          Pint

          Re: Can my ISP determine which of us at home is accessing a certain site?

          Comment of the day.

    2. Roland6 Silver badge

      Re: Can my ISP determine which of us at home is accessing a certain site?

      >"But this could be "perhaps""

      Agree particularly if, like most residential broadband, the use of the ISP supplied router is mandated.

      From a tech call with EE, I know they have full access to the admin console on my Brightbox 2. So they have full visibility of all my attached devices.

  16. Anonymous Coward
    Anonymous Coward

    Indeed, Google does not know what I am up to because I very rarely use it. Duckduckgo or similar is a good alternative.

    I also have a linux VM that has a VPN to the Netherlands. I made a gmail account on that and I use that when I really want to see something on youtube.

    However, sometimes when I think I have done enough I end up getting scuppered by someone close to me. So I have a facebook account, but it has a sound-alike name not my actual name and my family and non work friends all know it's me. However some plonker in work looked over my shoulder (I was trying hard to keep a distance between work and home life) and he saw the name and invited me to be his friend and now EVERY FUCKER AT WORK is trying to do it. What a shithead.

    1. 2460 Something
      Joke

      Easy fix for you. Set up a new Facebook account and whenever you need to access it at work just get a big box that covers your head and the monitor, that way nobody can see your screen.

      1. phil dude
        Coat

        that was worthy...

        of "Top Tips" in Viz.

        P.

    2. Tim99 Silver badge
      Black Helicopters

      If you use DuckDuckGo you can precede your search with !g to return an encrypted Google search. If you want to do a Wikipedia search use !w - Other "bang" searches are !a for Amazon and !yt for YouTube.

      1. DropBear
        Trollface

        "If you want to do a Wikipedia search use !w"

        Wait, wait, I'm confused. If I want a Yahoo! result, do I use !y, y! or !y! ?

        1. VinceH
          Coat

          None - for Yahoo! it's clearly got to be !y!

  17. Chris Miller

    Can anyone* see my web requests if I use HTTPS?

    They can if you don't have complete control over which certificates are (pre-)installed on your system. So work machines (and maybe Lenovo computers) may be vulnerable to MITM.

    * Slightly ambiguous - I'm taking it to imply "no-one can see my web requests if I use HTTPS", but it might mean "not just anyone".

    1. Anonymous Coward
      Anonymous Coward

      Re: Can anyone* see my web requests if I use HTTPS?

      Absolutely true. Where I work this is specifically mentioned in our employment contracts (or at least in a policy doc that is deemed part of our contract). Effectively they MITM every HTTPS because they can set whatever root certificates they like on our workstations. They have legitimate reasons to do this but as a consequence get to sweep up all such data. I'm also presuming that any legislation will at least attempt to be sufficiently broad that they can get such logs from employers too.

      If you don't like this then you should only browse personal stuff at home. I nearly added "or on your smartphone" then I laughed at myself.

      1. DropBear

        Re: Can anyone* see my web requests if I use HTTPS?

        " I nearly added "or on your smartphone" then I laughed at myself."

        Why? After all, there is an off switch for WiFi on most of them... and if they can legally get your 3G browsing history, they can also get your home one...

    2. Fitz_

      Re: Can anyone* see my web requests if I use HTTPS?

      "They can if you don't have complete control over which certificates are (pre-)installed on your system"

      Hands up anyone who doesn't think that the UK and US security services don't have copies of major root CA private keys.

      1. koolholio

        Re: Can anyone* see my web requests if I use HTTPS?

        "copies of major root CA private keys"

        Why bother with that? Just go for implementation flaws and protocol vulnerabilities... SSL 2 is obsolete, SSL 3 is vulnerable ... and SSL in itself is potentially flawed... TLS isn't so perfect either...

  18. Cynical Shopper
    Facepalm

    Any properly designed website login system uses HTTPS

    Nice to hear the Reg publicly accept that its site is not properly designed.

  19. Thomas Steven 1

    I'm already subject to a MiTM attack at work

    My workplace already has a MiTM attack vs HTTPS installed. Blue Coat https://bto.bluecoat.com/webguides/proxysg/65/acceleration/Content/01Concepts/ssl_proxy_co.htm.

    'One of the functions of the SSL proxy is to emulate server certificates; that is, present a certificate that appears to come from the origin content server (OCS). '. Oh dear.

    Ironically these clowns call themselves a security company and my employer appears to have lapped it up. I guess whatever passes through this can be 'requested' by the security services and they don't have to do any work at all.

  20. Anonymous Coward
    Anonymous Coward

    Apparently this is also in the bill.

    http://news.slashdot.org/story/15/11/10/0154242/uk-govt-can-demand-backdoors-give-prison-sentences-for-disclosing-them

  21. Panicnow

    Politician signing their own death warrant

    It is only politicians that are worth snooping on. Look at how Gordon Brown got pilloried for buying Champagne a few years ago, when his credit card account was hacked.

    Apple, Google, Facebook can make dangerous associations between politicians (e.g. two mobiles in the same hotel room overnight) and then have power over them! I'm sure the current management of these august companies wouldn't stoop so low, but an unscrupulous policeman using these powers?

    Us hoi polloi have little to worry about, apart from this type of abuse of our politicians!

  22. VinceH

    "So, who really knows what I access?

    Google. You can even download your complete history of every search you’ve ever made."

    ORLY?

    "Archive for [me]

    Nov 10, 2015 5:25:17 AM PST

    Google Takeout

    1 Google product

    0.0 bytes total

    Learn more about Google archives.

    Searches

    Searches

    No data found

    Searches

    No data found"

    All it takes is a little care when you use the intertubes.

  23. Anonymous Coward
    Anonymous Coward

    So, I have BT Internet at home but I force all the devices to use OpenDNS server via DHCP.

    In theory then, BT DNS has no record of any of our devices doing DNS lookups.

    Is OpenDNS subject to the proposed ISP laws in this bill, i.e. is it an ISP in the defined sense?

    1. damian fell

      That really depends how they capture and log this stuff...

      Remember that unless you're using DNSCrypt, all your queries to OpenDNS are in plain text, traversing your ISP's network, so even if you don't use their servers they can still see it.

      The actual legislation proposed wisely doesn't seem to dictate any specific technical mechanism, so they've got two options:

      1. Log your DNS queries to their servers, along with any other DNS traffic traversing them (easy, cheap, but not very comprehensive, as many devices and browsers will use a local DNS cache).

      2. Inspect the packets exiting your network and process them to capture more accurate destination information (more processor intensive and complex, resulting in a larger data storage volume).

      My guess is the smaller or less competent ISPs (hello TalkTalk!) will go for option one, but that the larger ones will be leaned on to go for option 2 (and let's face it, BT has some history of using deep packet inspection technology).

      1. koolholio

        webcaching --- there's the simple answer, oh wait they implemented that on most ISPs about 5 years ago...

        if any request frame passes through port 80 or port 443 then cache... log data of what IP, time and URL requested (in the frame)

        Similar to how a proxy works... it's just mandated at the router...

  24. koolholio
    Headmaster

    DNSSEC / EDNS0

    You forgot to mention the TCP port 53 fallback and DNSSEC / EDNS0...

    You also forgot the technical detail that a DNS request can be "edns-udp-size 4096 ;" yes 4096 bytes of data...
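Added example, not part of any comment in this thread: the point made in comment 23 that queries sent to a third-party resolver still cross the ISP's network in plain text, together with the EDNS0 field named in comment 24, shown by parsing a constructed query the way an on-path logger could. The hostname, transaction ID and function names are assumptions made for the illustration.

```python
import struct

def build_query(name, qtype=1, edns_udp_size=None, txid=0x1234):
    """Constructed sample: the UDP payload a stub resolver sends to port 53."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    msg = header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if edns_udp_size:
        # EDNS0 OPT pseudo-record (RFC 6891): root name, TYPE 41, and the
        # CLASS field reused to advertise the sender's UDP payload size.
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg

def observe(payload):
    """Fields recoverable from the payload alone; no keys or resolver access."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _, flags, qdcount, _, _, arcount = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad or truncated label")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, _ = struct.unpack("!HH", payload[pos:pos + 4])
    pos += 4
    udp_size = None
    if arcount and len(payload) >= pos + 5 and payload[pos:pos + 3] == b"\x00\x00\x29":
        udp_size = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
    return {"qname": ".".join(labels), "qtype": qtype, "edns_udp_size": udp_size}

if __name__ == "__main__":
    print(observe(build_query("www.example.org", edns_udp_size=4096)))
```

The resolver's address never enters the parse: the queried name is readable whichever DNS server the client is configured to use, unless the transport itself is encrypted (DNSCrypt, as comment 23 notes).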

  25. dntopping

    Carrier Grade CGNAT / LSN

    Has any thought been given to how the SnoopersCharter will work when Carrier Grade NAT (CGN/LSN) is used (RFC7021 s3.4, RFC6269 s13.1 )?

  26. femanon666
    Trollface

    I'll just leave a couple of things here...

    1. Tor hotspot using a raspberry pi

    https://learn.adafruit.com/onion-pi/overview

    2. Coming to the register via an exit node... password compromised for lack of https, throwaway account.

    3. Use Tor for all browsing (I have "nothing to hide" but fuck off with your spying)

    4. Python script running on said pi to generate a shit load of random web browsing meta data (enjoy storing it ISPs!)

    5. (cheap) VPS in foreign lands tunnel shit load of data over ssl

    I'm not a criminal, nor are any of these measures difficult to implement. I'm sure if I really wanted to I could create an even more obscure and secure route to the sewage pipes that is the internet.

    Actually now considering becoming a private contractor for people interested in not having their cat videos snooped on.

  27. a53

    I use DuckDuckGo. Who apparently don't keep records.

  28. Panopticon

    What it means...

    Can anyone see all my web requests?

    Yes - Should be No not if you use opportunistic TCP encryption such as TCP/Crypt.

    Can anyone see my web requests if I use HTTPS?

    No - Should be Yes if they've inserted their own Root CA.

    If I use HTTPS, will anyone be able to access my details from the remote web server logs?

    Yes - Should be No - Not if you've fudged their Geo-location and forged your Headers.

    Can my DNS requests be logged?

    Yes - Should be No, not if you're using DNSMasq and an OpenDNS uses unencrypted UDP on port 53 so obviously you should encrypt your UDP as well as your TCP.

    Can my ISP determine which of us at home is accessing a certain site?

    No - Should read yes, if they're using immortal cookie technique!

    If I connect to a website using a VPN, will my requests be logged?

    Perhaps should read as Depends on who owns the VPN.

    If I use a Tor browser, will my ISP be able to log my web requests?

    No - Should again read Yes because of all of the above.

    How can ISPs trace me?

    A session cookie is used for each user’s web browsing session which can not always be harvested if you disable JavaScript and use a browser that refuses 'Cookies'

    Will investigators have powers to examine web server logs?

    Yes - Should read No, not every country is going to kiss your ass!

    Could there be a “man in the middle”?

    Perhaps - Should read Yes there can be which is why you need to take steps.

    Will an investigator see my passwords?

    No - Yes, they'll see them being typed in if you use Android or X11

    So, who really knows what I access?

    Good question!

  29. Anonymous Coward
    Anonymous Coward

    Well, as a result of this, I wrote a script in mIRC that'll connect to a random website via sockets from a list every five minutes. (Unless it only logs if connecting to a website via a web browser.)

    Some I do legitimately use, some I don't. So, if worst ever comes to worst, the authorities can have fun trying to figure out which are real, and which aren't.

    What I didn't know about was that all my DNS request would be logged.

    Guess I'll have to write another script to cycle through and DNS every IP.

    1. Panopticon

      What I didn't know about was that all my DNS request would be logged!

      Of course that's because Google wants to own all your DNS requests as well as your CA on your phone and thieve Java so they can spy on your Droid hence why privacy advocates use "X-Privacy" which completely screws up the Geo-Location features and disables all their advertising, the back-door is widely published as being the "Talkback" service programmed into the device.

      In point of fact there are plenty of solutions to these carefully crafted problems that Google has deliberately created to dominate its marketing position on the web as a search giant. You only have to look at how they fly off the handle at rogue "CA certificates" to see there's something clearly very wrong with the security of all Certificate Authorities, such as TurkTrust ie: we spied on Turkey!

      "Guess I'll have to write another script to cycle through and DNS every IP"

      That's not a bad idea, nor is the idea of using "Peer Guardian" to banish all IP addresses belonging to advertising firms like theirs along with all IP addresses belonging to the US Government.

      ie: IP addresses in the ranges of: 6 - 7 - 11 - 21 - 22 - 24 - 25 - 26 - 29 - 30 - 49 - 50 - 55 - 62 - 64 - 128 - 129 - 130 - 131 - 132 - 134 - 136 - 137 - 138 - 139 - 140 - 143 - 144 - 146 - 147 - 150 - 152 - 153 - 155 - 156 - 157 - 158 - 159 - 160 - 161 - 162 - 163 - 164 - 167 - 168 - 169 - 194 - 195 - 199 - 203 - 204 - 205 - 207 - 208 - 209 - 212 - 213 - 216.

      Erm, nearly half of the internet would appear to be their military IP Ranges and they claim, they're not "out of control" and don't "have a problem?!"

      TCP/Crypt - SSHNet - OpenBSD - Bitrig - Oberon - Bell-Labs Plan9 & LibreSwan with your own CA's pre-programmed inside Key Manager and exported from Firefox for the Win. Time to banish all those rogue CA certificates that you didn't write or place into your Open Source OS in the first place, hence why their secret secure OS doesn't use CA's except the ones you've written yourself!

      They have indeed annexed the internet - Thank "Ken" & Bell-Labs - Who have a long history of always giving the US Military what they want, whilst at the same time they've developed quite a "cult" following hence "hackin9"

      1. Panopticon

        Re: What I didn't know about was that all my DNS request would be logged!

        When I say a "Cult" I mean a "Cult" they're known as the Masters and they follow the 9 Keys of Enoch - Council of Nine

        Amongst its collective and most prominent members are - where:

        Gene Roddenberry was part of that inner circle in 1974 and 1975 (Deep Space 9) (7of9) - Andrija Puharich, James Hurtak and Richard Hoagland have all lectured at the United Nations in New York. And individuals all connected with "Nine" are also known to have had influence over Vice-President Al Gore - President Bush Sr - President Bush Jr - President Clinton - President Obama - President Ronald Reagan etc, etc..

        Known simply as 'The Nine', its disciples include cutting edge scientists, multi-millionaire industrialists and leading politicians.

        "I am the beginning. I am the end. I am the emissary. But the original time I was on the Planet Earth was 34,000 of your years ago. I am the balance. And when I say "I" - I mean because I am an emissary for The Nine. It is not I , but it is the group - We are nine principles of the Universe, yet together we are one."

        Perhaps the most disturbing aspect of the history of the Nine is its relationship to the career of Andrija Puharich. Recent research has revealed Puharich to have a distinctly sinister side. As an Army doctor in the 1950s, he was deeply involved with the CIA's notorious MKULTRA mind control project. He together with the infamous Dr Sidney Gottlieb experimented with a variety of techniques to change or induce actual thought processes even to creating the impression of voices in the head.

        As president Putin has already said a CIA Mind Control experiment & Zionism (they're all Jewish!) pure and simple!

    2. Panopticon

      SSL

      It has everything to do with what Robert Morris a Cryptographer who worked at the NSA & Bell-Labs actually did to the SSL layer, you see you believe that SSL is Secure Sockets Layer that is in point of fact incorrect it's Secure Sockets Record!

      Why reveal the 9 - Because I would think of myself as "Horus", being of two worlds "stealing the all seeing eye!"

  30. boatsman

    all of this assumes you can trust verisign, thawte etc. DO YOU ? REALLY ??

    if you don't understand it, then start educating yourself :-)
