Teken Posted March 23, 2017

Let's see what happens in the US Senate with respect to web browsing history being allowed to be shared to ISPs: http://www.theverge.com/2017/3/23/15026666/senate-broadband-privacy-rules-congressional-review-act-fcc-vote

What happens in the USA will surely trickle down to other countries . . . As of this writing the UK is the most abused nation in the free world with regard to the lack of user privacy. One would think Canada is the hallmark of freedom and privacy - no longer.

It's a very dark day in Interwebs for the general populace of the free world. One only needs to ask anyone from Russia, China, North Korea, or any 3rd world controlled communist nation. And people wonder how it is the Dark Web has gained in popularity along with cloaking proxy servers.

Scottmichaelj Posted March 24, 2017

This is why there is a need for VPN and anonymous DNS with no logging from either. Clear cache, cookies, temp files each time closing your browser. I am even looking at how to get emails on my own private server that can't be read but that may be far-fetched. Using encrypted apps like iMessage for texts (and WhatsApp).

larryllix Posted March 24, 2017

Maybe we should all set automatic email and text message forwarding, to the US authorities, until they ask us to stop, and apologise for being too nosy? Perhaps Trump money saving programs could do some cut-backs on the thousands of listeners being paid, this must take.

KeviNH Posted March 24, 2017

It's not about privacy from the government, that is already long gone. Rather, the new rules are about letting your ISP blatantly violate your privacy, collect data on their paying customers and sell it to the highest bidder, so the buyer can do better targeted advertising and sell you more stuff.

In markets where consumers have a choice of ISP, offering to include explicit privacy protection and reduced logging as a contract feature may be a way for an alternate ISP or WISP to differentiate themselves. But in many parts of the country, you are lucky to have a choice between DSL and cable, if that.

I don't trust the free/cheap VPN offerings.

Teken Posted March 25, 2017

Welps, looks to be one more notch to the loss of user privacy and security as the rules have been changed in favor of big business.

elvisimprsntr Posted March 25, 2017

I already use an openDNS (Cisco) DNS free personal account for malware/content filtering. https://www.opendns.com/home-internet-security/

pfSense open source firewall software supports openDNS DDNS client to dynamically update your IP address, which means you don't need a separate openDNS client running on your LAN.

I may need to look into adding Cisco Umbrella VPN. https://umbrella.cisco.com. I think I read it's $20/year for a personal account.

KeviNH Posted March 25, 2017

> I already use an openDNS (Cisco) DNS free personal account for malware/content filtering. https://www.opendns.com/home-internet-security/ pfSense open source firewall software supports openDNS DDNS client to dynamically update your IP address, which means you don't need a separate openDNS client running on your LAN.

Pointing your DNS to a third-party server helps, as services like OpenDNS make it slightly more difficult for your ISP to hijack your traffic. Even with OpenDNS, if your ISP can see your DNS lookups (even if you don't point at their DNS server, they can see the query and answer), they can record what sites you are visiting, when, and even with SSL can tell whether you are only reading or actively contributing.

If you run everything inside an encrypted VPN tunnel, then the tunnel provider and their ISP can see your traffic, but not your local ISP. So if you trust the tunnel provider and they have a contract with good privacy clauses, that could be an improvement for privacy against corporate data collection.

> I may need to look into adding Cisco Umbrella VPN. https://umbrella.cisco.com. I think I read it's $20/year for a personal account.

Looks like Cisco Umbrella is designed to look even deeper into your traffic than what the average snooping ISP would do, but presumably the Cisco terms of service say that Cisco won't use the data they collect to sell to marketing firms.

elvisimprsntr Posted March 25, 2017

Precisely why I am thinking of setting up an encrypted VPN tunnel. I'm hoping to find a solution which will work on pfSense to avoid having to run a client on every device. The question is if the IPSec client on pfSense could be configured to connect to Cisco Umbrella VPN.

jtara92101 Posted March 25, 2017

IPSec is generally a pain to set up, and won't work in all environments. It makes little sense, for example, for a notebook, which you might find you have to use in an environment where IPSec is blocked.

http://nmav.gnutls.org/2016/02/why-do-we-need-ssl-vpns-today.html

> Reliability, i.e., operation over any network. In my opinion, the major reason of existence of SSL VPN applications and servers is that they can operate under any environment. You can be restricted by firewalls, broken networks which block ESP or UDP packets and still be able to connect to your network. That is, because the HTTPS protocol which they rely on, cannot be blocked without having a major part of the Internet go down. That's not something to overlook; a VPN service which works most of the times but not always because the user is within some misconfigured network is unreliable. Reliability is something you need when you want to communicate with colleagues when being on the field, and that's the real problem SSL VPN solve (and the main reason companies and IT administrators usually pay extra to have these features enabled). Furthermore, solutions like Openconnect VPN utilize a combination of HTTPS (TCP) and UDP when available to provide the best possible user experience. It utilizes Datagram TLS over UDP when it detects that this is allowed by network policy (and thus avoiding the TCP over TCP tunneling issues), and falls back to tunneling over HTTPS when the establishment of the DTLS channel is not possible.

Scottmichaelj Posted March 26, 2017

So FWIW this year my New Year's resolution was to look at protecting my privacy. My first move was to get a router to protect all my devices behind it via a VPN.

I found a VPN megathread over at Reddit here: https://www.reddit.com/r/VPN/comments/5lwze3/rvpn_recommendations_megathread/?st=J0PZBQMK&sh=7c439fbc - shared from the Reddit app (https://reddit.app.link/3CsFK8W7iB)

There's a guy who did some serious logging and comparisons between them. I found one that fit my needs well and that was able to max out my ISP speeds. There's also a great article for VPNs here: https://torrentfreak.com/vpn-services-anonymous-review-2017-170304/

My next step was finding an anonymous DNS. I found and am using FreeDNS since they have no logging policy. https://freedns.zone/en/

All this is done on my pfsense router. For fun I am also using Squidguard to blacklist sites known as bad. https://en.m.wikipedia.org/wiki/SquidGuard

Will this help? Who knows? At the end of the day I feel better and that's really all that matters. I try and use only encrypted software like iMessages but sometimes I need to use other software so be it.

I have also seen some packet shaping documentation for pfsense but using OpenVPN at 256 bit it's probably more important now to get a serious password manager and change all sites to different strong passwords instead and get my emails off google and onto a private encrypted server.

I make sure HTTPS is used where possible for websites visited, dump cookies and cache when closing my browser and don't accept tracking or third party cookies. I even have OpenVPN set up on my mobile device so I connect to my own home when I am outside my network and use my router to connect to the internet.

I would love to hear what others are doing for actual protection. Always looking to up my game.

elvisimprsntr Posted March 29, 2017

Alright. It's time to find a VPN solution. https://venturebeat.com/2017/03/29/vpn-uptake-could-surge-as-u-s-congress-repeals-broadband-privacy-rules/

Is there a single cost effective and secure VPN solution which provides both protection at home/mobile and ability to connect to one's home network remotely? Or to get both one has to use a premium VPN provider?

elvisimprsntr Posted April 4, 2017

Time to buy stock in VPN service providers. https://www.macrumors.com/2017/04/03/trump-signs-repeal-of-u-s-broadband-privacy-rules/

jtara92101 Posted April 4, 2017

A first step is to make sure you use https: instead of http: wherever possible. Websites are now being encouraged to enable HTTPS by default. It will help if users do the same as well.

One way to help ensure that is to use an HTTPS Everywhere extension (or similar), so that you don't have to remember to always prepend https://

I just installed HTTPS Everywhere for Chrome, published by the Electronic Frontier Foundation. It is also available for Firefox, Firefox for Android, and Opera. https://www.eff.org/HTTPS-EVERYWHERE

It forces https: for sites that it has rules for (yes, afraid it is opt-in only) and, as well, rewrites insecure URLs found in pages with secure ones. So, for example, some site embeds a YouTube video using http://youtube.com.... The extension will rewrite the URL to https: (Probably a bad example, as I think YouTube as all Alphabet properties are now defaulting to https:)

While it would still be possible for ISPs to track what sites you go to, and (in most cases) what pages you visit, they would not be able to snoop at content. (Hey, I said it was a first step...)

Of course, this will not help with sites that do not use HTTPS, or use it for only some content. That - apparently - includes this forum! Am I missing something?

FWIW I already use Google DNS, because despite protestations to the contrary, I've not been able to disable Cox's DNS "assistance" when browsing the web. An ISP should transport packets according to official protocols - period. They have no business messing with content, even if it is to "assist". (And, as well, Cox DNS doesn't properly support IPV6, at least last time I checked. Cox says they don't "officially" support IPV6, and discourage users from using it when they discover that it's enabled on Cox's network...)

Besides just being intrusive, any kind of DNS "assistance" injected into web pages can cause technical problems with e.g. applications that use web services, as they deny the application expected error responses, instead sending fake content intended as "assistance" for humans.

Scottmichaelj Posted April 4, 2017

Your DNS info is also being logged. Take a look at https://freedns.zone/en/ - also try switching your search engine to https://duckduckgo.com/ - "Knowing's half the battle..." [80s childhood quote]

KeviNH Posted April 4, 2017

As I stated upthread, pointing your client at a 3rd party DNS server won't do anything about your ISP logging your DNS (name lookups are more revealing than you'd think). You need to tunnel DNS inside an encrypted protocol (e.g. a VPN) or use a full proxy if you want to avoid having your ISP log your DNS lookups.

One approach is to do like Scottmichaelj and replace the "firewall" provided by your ISP (usually a feature in your cable or DSL box) with one entirely under your control. That way you can catch outbound traffic, intercept your own DNS, and look for rogue IoT devices, rather than trusting your ISP to have your best interests at heart.

If you don't want to build your own, several "enterprise grade" firewall vendors have SOHO versions of their appliances available under $500.

Michel Kohanim Posted April 4, 2017

Teken,

You have broken the first rule of this forum: NO POLITICAL AND RELIGIOUS TOPICS. It's removed.

With kind regards,
Michel

jtara92101 Posted April 4, 2017

You are right Kevin, but I do think changing to 3rd party DNS makes it less likely the ISP will log the DNS. It is easier if you use the ISP's DNS server. In that case, the server itself can easily produce a log. If you do not use their DNS server, now some router belonging to the ISP has to log the DNS requests.

OpenDNS has something called DNSCrypt. It's not a universal solution. They have apps for Windows and MacOS.

paulbates Posted April 4, 2017

DNSSec was to help with this exposure too, but like IPV6, its adoption by hosters has been glacial. Until both sides support the capability, it's of very little help.

This topic is now archived and is closed to further replies.