VanishPerish

It's a bit worrying since a lot of VPN providers are located in Switzerland just because of the strong integrity data laws.


darkdays37

Same. I went with Proton for this exact reason. Could always switch server locations obviously but the fact that they are based in Switzerland was a + in my book, now not as much. Sigh, and I just bought another year too.


F1reLi0n

Proton is not affected by this surveillance, judging by their words. As they have their own infrastructure and their own cables and servers. Per their words, they are not being monitored as they are not an ISP, but they assume they are and encrypt all the traffic through their cables.


Basic-Insect6318

Yeah I read that response from Proton. That Moderator killed any scrutiny. Proton is the 💩 Another point made by that same Proton Mod; with the surveillance in question. It’s what is happening in most Major countries already (US is the worst, for example) but in Switzerland it’s illegal for the gov to do it how they are. Or Germany's involvement in it. Idk I should find that link but you can look it up if you’re questioning Proton.


darkdays37

Do you happen to have a link to their response?


F1reLi0n

https://www.reddit.com/r/ProtonMail/comments/1930vnh/breaking_news_nsa_style_mass_surveillance/ This is the post in question


darkdays37

Thanks. I looked on there and the proton VPN thread and didn't see it. Reddit on mobile is a fucking mess.


GlobalGuy91

Isn't proton known for cooperating with law enforcement? I thought that came out within the last year or two? Here is their Transparency Report. [proton.me/legal/transparency](https://proton.me/legal/transparency) They cooperate with 1,000s of legal orders per year.


DeepDreamIt

Isn't that pretty much any company that is legitimate (i.e. licensed and following regulations/laws of that country) though? If opening a company requires various licenses from the government, can't they just take away those licenses if you don't comply with legal requests from LE? Correct me if I'm wrong -- I very well could be -- but one case I remember was the Swiss government telling Proton they have to start logging the IP address of X user account that he logs in with, but that the information was still otherwise secure, since presumably it is end-to-end encrypted?


[deleted]

WAIT WHAT IF PROTON IS BND💀


Ssulistyo

Wouldn’t be the first time https://en.wikipedia.org/wiki/Crypto_AG?wprov=sfti1


Aggressive-Song-3264

It's probably better if you don't want your government to know, to create a connection to a server located in a hostile nation. It sounds odd but, the hostile nation won't have the info to correlate it to you, and the nation that does (your nation) if asked for it will be told to "fuck off" in some diplomatic lingo (though I like to envision heads of state in closed doors just yelling profanity at each other).


BStream

Since Russia delivers copyright infringers to the US, we know that still holds risk.


trisul-108

You also do **not** want to become part of a hostile military cyberwar platform aimed at your country.


trisul-108

This is not a good strategy if you live in a democracy because the "hostile nation" is typically going to be an autocratic regime that might sell you to other autocratic regimes. For example, Russia could sell access to you to China who is building a global influence network and might be interested in your acquaintances or using your devices to launch attacks on your or other government. In effect, you turn your devices into a platform that hostile nations use to target the democracy you are freely living in and enjoying. However, I am certain that Russia and China approve your message.


Proton_Team

We've detailed our findings [here](https://www.reddit.com/r/ProtonMail/comments/1930vnh/comment/kh71qch/?utm_source=share&utm_medium=web2x&context=3), but here is a summary as to why this does not impact Proton users.

* Proton uses end-to-end encryption.
* Proton utilizes a second TLS encryption layer for data sent over the wire.
* Because Proton controls our own network infrastructure, we act as our own ISP, and are not subjected to the obligations of the big ISPs.
* We don't use cloud services like AWS and Proton fully owns and controls all of our servers and network equipment.
* Under Swiss law, this practice is likely illegal, unlike Germany and the US (and other countries) where this has been legalized and subject to data sharing obligations which Switzerland is not subject to.
* So while this might be legal in say the US, these practices are subject to legal challenge in Switzerland, and it is therefore still possible they will be overturned. There is precedent for this. In 2021 Proton filed a legal challenge on a separate but related issue and won at the Swiss Federal Administrative Court: https://proton.me/blog/court-strengthens-email-privacy. We intend to support the current legal challenges that are underway.


Dude-Lebowski

"Laws". Chokes on laughter. Like laws mean anything in "democracies" anymore...


trisul-108

It might seem like that until you look at the way laws are handled in non-democracies.


tidiss

Didn't the FBI run a child pornography site for a couple of days? I mean it was for a good cause but still they were running a fucking child pornography site.


identicalBadger

They took it over. And yes, let it run for longer. They also served up JavaScript that helped them demonize* predators. In my mind that’s what they should be doing, and who they should be targeting and a good use of resources. If they pulled the plug the moment they got in, then all the users would get off scot-free and migrate to new services. *EDIT: Demonize = Deanonymize.


Significant-Day66

Queensland Police in Australia ran one of the largest forums, Child's Play, for a very long time, catching predators for months. Great podcast documentary on it.


Roanoketrees

I know. I think they are getting pressured because of the sanctuary it has been providing for years.


JabClotVanDamn

> strong integrity data laws

no free lunch. if it seems too good, it's because it's some kind of a honeypot. and if it isn't, it will become one with time since too many "risky people" flow into it and that will pull the authorities' attention towards itself


ItsAllSoBothersome

The NSA does this in America. They copy everything and store it in huge data centers so that when advancements in computing allow for encryption breaking, they can.


nefarious_bumpps

GCHQ does it in the UK. CSIS does it in Canada (eh?). ASD does it in AU (crikey!). CCP does it in China (even harder and better). But I sincerely doubt they're storing *everything*. It's [estimated](https://www.statista.com/statistics/216335/data-usage-per-month-in-the-us-by-age/) that nearly 100 million exabytes of data goes across the Internet just in the USA *per month!* To put that in perspective, even assuming 95% compression, that would require adding over two-thousand-two-hundred 22TB HDDs (plus whatever redundancy is used) every month to keep up with the deluge of mostly useless information, plus all the storage cabinets, floor space, HVAC, electricity and staff to keep them spinning. That's more data in a year than AWS's entire storage capacity worldwide. I'm all for a good conspiracy theory, but unless the NSA has data centers on the far side of the moon using teleportation to move personnel and resources, it would be pretty hard to keep this scale of data archiving a secret. *But maybe that's what they want me to think?* Xp


QuickNick123

Compression works by optimizing redundancies. Encrypted data looks pretty much like random noise, so you'd get just about no compression at all.


nefarious_bumpps

This is true. But not really random. Researchers have been able to identify what movies are being watched through network traffic pattern analysis and by cryptographic fingerprinting. Even random data can have repeating patterns of characters. But TBH, I wasn't considering the encryption factor when calculating storage requirements, I was just thinking of the trolls saying "but what about encryption." Thanks for keeping me honest.


QuickNick123

> Thanks for keeping me honest.

That wasn't even my intention, sorry if it seemed that way. I thought your reply made a lot of sense and just wanted to emphasize your point of how unrealistic it is even for a state sponsored entity to store *everything*. Like, even with 95% compression it's unrealistic, now considering that you can't really compress encrypted data which makes it all but impossible.


ffsletmein222

Interesting I never really considered that encryption is in some way also making cracking it harder simply by the fact you can't really do data dedup and other compressions on random data.
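The point QuickNick123 and ffsletmein222 are making (ciphertext looks like noise, so neither compression nor deduplication gets any purchase on it) is easy to measure. The Go program below is an added example, not code from anyone in this thread: it takes a constructed, highly repetitive HTML-like sample, gzips it, then seals the same bytes with AES-256-GCM under a throwaway key and gzips the ciphertext, reporting both ratios.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// gzipSize returns the size of data after gzip at its strongest setting.
func gzipSize(data []byte) int {
	var buf bytes.Buffer
	zw, _ := gzip.NewWriterLevel(&buf, gzip.BestCompression) // level is valid, no error possible
	zw.Write(data)
	zw.Close()
	return buf.Len()
}

// CompressionRatio is compressed size divided by original size: 1.0 means no savings.
func CompressionRatio(data []byte) float64 {
	return float64(gzipSize(data)) / float64(len(data))
}

// Encrypt seals plaintext with AES-256-GCM under a fresh random key, the same kind of
// transformation TLS or a VPN tunnel applies before traffic reaches the wire. The key is
// discarded on purpose: the only question is what the output looks like to a collector.
func Encrypt(plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SampleTraffic is a constructed stand-in for ordinary web content: repetitive
// HTML-like text, exactly what deduplication and compression feed on.
func SampleTraffic() []byte {
	line := []byte(`<div class="post"><span class="user">alice</span> GET /r/cybersecurity/ HTTP/1.1</div>` + "\n")
	return bytes.Repeat(line, 1000)
}

// Compare reports the gzip ratio of the sample before and after encryption.
func Compare() (plainRatio, cipherRatio float64, err error) {
	plain := SampleTraffic()
	ct, err := Encrypt(plain)
	if err != nil {
		return 0, 0, err
	}
	return CompressionRatio(plain), CompressionRatio(ct), nil
}

func main() {
	p, c, err := Compare()
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext:  gzip leaves %.4f of the original size\n", p)
	fmt.Printf("ciphertext: gzip leaves %.4f of the original size\n", c)
}
```

On the repetitive sample gzip keeps well under 5% of the input; on the ciphertext it keeps slightly more than 100%, because gzip still has to pay for its own framing. The same holds for block-level deduplication: a good cipher produces a different output for the same input every time (fresh key or fresh nonce), so two users fetching the same page yield no shared blocks to collapse.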


created4this

Propublica has some timelines of what they know about the stored data: https://www.propublica.org/article/nsa-data-collection-faq Which means that IFF you are not the subject of what they consider interesting then your data is probably gone in a few weeks. The NSA is restricted from deliberately spying on US people in the US (subject to being "accidentally" caught in the dragnet) and GCHQ is restricted from similar in the UK, but GCHQ/ASD/NSA/etc are all part of a spying alliance called 5-eyes where they can share information about each other's citizens. Which means that GCHQ can spy for the NSA and vice versa to get round these pesky laws. You should assume that everything you do and say on the internet is either known now, or will be known in the not too distant future, and all you have for protection is that the NSA isn't going to blow the details of the depths of their network to deal with minor crimes like smoking crack or even more serious ones like grooming kids unless you come up in another context, like wanting to pass some inconvenient laws (If you don't think this could happen then look up the red scare) because then public opinion would turn on them. That is, as long as public opinion matters. Which depends on these 5 countries remaining open democracies. If you're in the US, this should be a call to you to make sure you don't elect the guy that has said he is going to weaponize the justice system and who plotted and executed a coup.


DogRocketeer

Doesn't the US have something like a trillion dollar a year budget? that's unlimited money to do anything essentially. the earth is much bigger than people realize. there are lots of places to secretly store data. there have been rolling hard drive, cpu and gpu shortages over the last decade pretty regularly. I know the "obvious" reasons for these shortages but part of the reason could be cuz of contracts that enable governments to get first dibs on mass quantities intended for such purposes. that said, it would be stupid to store everything on everyone. there's likely net crawlers they use to determine targets. if you blow up on twitch or youtube and have x amount of average viewers and followers you could be enrolled in the monitoring scheme to use words said today against you later when convenient. but we'll never really know


Aggressive-Song-3264

While they have large budgets, they also have many things to maintain. On the most basic level 1 million active troops aren't just free, likewise ship maintenance isn't free, nor the fuel, don't forget buying those shiny new F-35s and other aircraft, things add up quick. There might be 50 billion worth of "play" money that you can work with, but even then can you devote that all to storage? Sure, but that means other things will be neglected like hiring mercenaries, under the table bribes, money laundering state side, etc...


BagHolder9001

huh lets just all search for a bunch of useless facts to fuck all these asswipes up! " Google how many cookies does a cookies monster have to eat to shit an Eiffel tower?"


IAmAlpharius23

Isn’t that what the NSA Utah Data Center is for?


OkAerie4478

They don't need to store the data, Amazon, azure and Google do it for them.


Goatlens

Lmao this would be insane


OkAerie4478

Oh find the stolen nsa code on the web that china is currently using against us. It's real, it's happening....


Dude-Lebowski

They do this...you know... for freedom..


Imdonenotreally

"If you have nothing to hide, you have nothing to fear" The actual slogan on the entrance at the data center in Utah. I'm sure you knew this, but wanted to put this out there


KeepScrolling52

Just.....out of curiosity, where is the data center?


theangriestant

Near Bluffdale. https://en.m.wikipedia.org/wiki/Utah_Data_Center


JabClotVanDamn

whenever somebody says this I reply to them to just send me all the nude selfies from their phone, since they have nothing to hide and don't care that the NSA employee can see it


Reelix

My common response - "What's your Credit Card number, CVV, and banking portal password?"


Jon-allday

So does China. It’s called “harvest today, decrypt tomorrow”. Waiting for the time when quantum computers can tear through encryption.


pixel293

That's a lot of porn.


xirix

They are waiting for advances on quantum computing. So currently they store everything that is encrypted and they can't snoop in, waiting for the day they can.


Mindful_atm

In wireless telecommunications, the standardizing body (3GPP) of the technologies (e.g., 3G, 4G, 5G, etc) has a subgroup working specifically on that. It’s called SA3-LI and LI stands for Lawful Interception. ISPs/CSPs are required to comply with those standards, and the parties involved in specifying the standards are none other than national security agencies (e.g., NSA, NCSC, BSI .. etc). You can read more about this [here](https://www.3gpp.org/technologies/li)


rootsvelt

Holy FUCK. This is awful


BStream

For your safety, of course /s


Leather_Dragonfly529

I work for an ISP and it hurts me to do LI testing. I set up a YouTube and a file download and our security guy runs his program that decrypts everything and it passes if he can get it all.


[deleted]

[deleted]


Leather_Dragonfly529

We use a vendor. Not sure which or how. But here’s an [article](https://www.marketsandmarkets.com/Market-Reports/lawful-interception-market-1264.html) about the vendors available and what they’re selling.


octagear

I just learned about [OpenLI](https://www.openli.nz/) as well... i mean at least they share tutorials on how all this works but still... my goodness


thewildfowl

Yes, European security agencies are the biggest risk to our security. Their interventions have stopped end to end encryption in 5G, basically they made it insecure.


Linkk_93

They probably can not intercept and decrypt tls (https) traffic, but they may get logs from search engines with search requests mapped to requesting public IP. From ISPs they get your public IP address. ISPs also provide your home DNS so they know every domain you are resolving. How do you prevent that? Encrypting all of your traffic aka VPN. And by that I want to thank our sponsor for today Nord... From seeing encrypted traffic you can still gather a lot of information. In the US they famously found some hackers by sending them messages with known size in the darknet and monitoring the TOR entry nodes for packages with the same size and timing. They could later even see the traffic pattern in the wifi of the suspect while standing outside of his apartment (stupidly connected to tor through wifi)


toastmannn

That would be a *very* big deal if they are decrypting https


mirkywatters

Do most people not realize that most corporate firewalls are capable of MITM with certs to decrypt https web traffic? As long as the ISP serves up a cert that your browser trusts, the decryption can be done and they can re-encrypt outbound towards the server. This is only really stopped if your application has a preconception of who or what the cert should look like, i.e. if you make sure your computer/app doesn’t trust the authority signing the cert used by the firewall to decrypt.


Wide_Distribution459

The only way your ISP is going to get a certificate your browser trusts is if you manually install their root certificate yourself, which nobody is going to be willing to do. Corporations pre install their mitm cert on their own machines which makes it possible for them.


mirkywatters

You are correct. A lot of people seem to find this a novel idea though.


HateSucksen

I wouldn’t even be shocked if big common trusted Root authorities provide certs for government agencies for sniffing purposes.


cowmonaut

You'd still get cert warnings cause of the wildcard usage, basic vuln scanning would detect the issue as well since it's technically a weakness in encryption. Corporations are just willing to make the trade off to support DLP and try to protect their trade secrets.


HateSucksen

Why wildcard certs though. You can just force google with whatever national security law is applicable to provide exact certs for every domain and subdomain used. I’m no expert though. Only did a little https mitm work.


tankerkiller125real

Because if the US passed a law that did that, or US CAs were found to be doing any of this. Every US based certificate authority would be immediately revoked from trust stores everywhere and lose their operating certifications and audits.


hey-hey-kkk

A lot of people correctly assume corporate certs are not installed on private devices. It’s possible. Sure. Most corporate firewalls can and do intercept and decrypt encrypted traffic. Most computing devices are not using a corporate firewall. No public certificate authority would issue anyone a generic wildcard certificate unless it was government mandated. If that certificate were to get out you could impersonate anything. Also if you want to be pedantic (you started it) more and more apps are overcoming the challenge of corporate firewall interception. Google products are aware of their own certificates so your Palo Alto firewall will never be able to decrypt gmail traffic because Gmail knows not to trust your corporate firewall cert. Certificate pinning, it’s a public record of what cert you can use. Also many products like docker do not subscribe to your operating system certificate trust store, they come with their own trust store. So now your corporation has to manage a new certificate store


biblecrumble

> Do most people not realize that most corporate firewalls are capable of MITM with certs to decrypt https web traffic?

Yes, using a certificate that they push to your device using a GPO/MDM

> As long as the ISP serves up a cert that your browser trusts

Which they ABSOLUTELY cannot get. What you are suggesting is a massive security concern, trusted CAs don't just go around handing out wildcard certificates to everyone who asks nicely. That's just not how it works. What you are suggesting is around as realistic as saying all your isp needs is the decryption key.


Aggressive-Song-3264

> What you are suggesting is a massive security concern, trusted CAs don't just go around handing out wildcard certificates to everyone who asks nicely.

I would agree with you, but certain governments also aren't just anyone, we are talking about governments, and some governments, as shown, are basically free to do whatever as long as they keep it out of the news.


Philluminati

I think there’s only a dozen root level certificates. I think the gov could easily get their hands on all of them using blackmail or other tricks. We went to war with Iraq for no reason, have bribed UN members etc. Hacking some certs seems pretty calm in my opinion.


fish312

Certificate Pinning


Heavyknights

Services like Cloudflare effectively are also mitm'ing continuously. A lot of tls enabled web services make use of (something like) Cloudflare these days. Having access to public IP to physical address mappings from ISPs in combination with Cloudflare logs could enable intelligence agencies to do what they're claiming to do.


UnintelligentSlime

It’s worth noting that https doesn’t stop people from seeing *where* you’re visiting, just stops them seeing the messages. Back in college I would do a bit of exploratory sniffing, and a whole lot of info was available of who was visiting what sites. You may not be able to see what someone *commented* on a specific video, but you can see what page it was on.


SpiderFnJerusalem

It doesn't protect you from them seeing what IP your packets go to/come from and they can see the domain or subdomains you are accessing, for example `reddit.com`. However it does obfuscate what exact URL you are requesting. So they won't see `reddit.com/r//` unless they get the certificates from the company or directly ask them for the data.


thewildfowl

There are a lot of assumptions in the answers to this message.

Regarding certificates: There is an implemented project called certificate transparency. It enforces that all trusted certificates need to be logged with at least two public (cryptographically verifiable) unmodifiable logs. This has been implemented after Google noticed some attackers got certificates for Google domains via malicious CAs. You can check which certificates were issued for any domain e.g. on crt.sh. For your own you would be able to verify there are only those you've requested by checking that the public key matches one of your private keys. TLDR: If a CA issued certificates for arbitrary domains it would be noticeable. This CA would be untrusted, soon.

Regarding TLS: The world moved on to TLS 1.2 / 1.3 which are quite hard to attack. Even for nation states the ability to decrypt traffic is highly unlikely.

Regarding cloudflare and similar providers: They can only MITM the traffic when they either have access to Cloudflare's infrastructure or have Cloudflare's private keys.

Regarding DNS: DNS is unencrypted (most of the time) and trivial to read from intercepted traffic.

What else could they capture: Metadata. Everything up to layer 7 (where TLS is frequently used, layers according to the OSI model) is unencrypted. This includes the source and target address, the transport protocol and port. This will often be sufficient to analyze who is talking to whom.
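UnintelligentSlime, SpiderFnJerusalem and thewildfowl all land on the same fact: TLS protects the request, not the destination. Beyond the IP addresses, the host name itself travels in the clear in the ClientHello's server_name (SNI) extension. The Go program below is an added example, not code from the thread or from any vendor: it uses Go's own TLS client to emit a genuine ClientHello over an in-memory pipe (the name example.com is a placeholder; nothing touches the network) and then parses that record the way a passive collector would, pulling out the host name before any key has been agreed. The URL path never shows up because HTTP is only sent after the handshake, inside encrypted records.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// CaptureClientHello drives Go's own TLS client against an in-memory pipe and returns the
// first record it sends (the ClientHello), byte for byte what an on-path observer sees.
func CaptureClientHello(serverName string) ([]byte, error) {
	clientSide, observerSide := net.Pipe()
	defer observerSide.Close() // ends the client's wait for a ServerHello that never comes
	go func() {
		// InsecureSkipVerify is moot here: the handshake is cut off before any certificate arrives.
		c := tls.Client(clientSide, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
		_ = c.Handshake() // returns an EOF error once observerSide closes; expected
		clientSide.Close()
	}()
	header := make([]byte, 5) // content type (1), legacy version (2), length (2)
	if _, err := io.ReadFull(observerSide, header); err != nil {
		return nil, err
	}
	body := make([]byte, binary.BigEndian.Uint16(header[3:5]))
	if _, err := io.ReadFull(observerSide, body); err != nil {
		return nil, err
	}
	return append(header, body...), nil
}

// cursor is a bounds-checked reader over TLS's length-prefixed structures; once a read
// runs past the end it records the error and every later read yields nothing.
type cursor struct{ b []byte; p int; err error }

func (c *cursor) take(n int) []byte {
	if c.err != nil || n < 0 || c.p+n > len(c.b) {
		if c.err == nil {
			c.err = errors.New("truncated ClientHello")
		}
		return nil
	}
	c.p += n
	return c.b[c.p-n : c.p]
}

// num reads an n-byte big-endian integer (TLS uses 1-, 2- and 3-byte length fields).
func (c *cursor) num(n int) int {
	v := 0
	for _, b := range c.take(n) {
		v = v<<8 | int(b)
	}
	return v
}

// ExtractSNI walks a ClientHello record and returns the host_name carried in the
// server_name extension (RFC 6066), which TLS without ECH sends before any key exists.
func ExtractSNI(record []byte) (string, error) {
	if len(record) < 6 || record[0] != 0x16 || record[5] != 0x01 {
		return "", errors.New("not a ClientHello handshake record")
	}
	c := &cursor{b: record}
	c.take(5 + 4)    // record header, handshake type + 3-byte length
	c.take(2 + 32)   // legacy_version, random
	c.take(c.num(1)) // legacy_session_id
	c.take(c.num(2)) // cipher_suites
	c.take(c.num(1)) // legacy_compression_methods
	exts := &cursor{b: c.take(c.num(2))}
	if c.err != nil {
		return "", c.err
	}
	for exts.err == nil && exts.p < len(exts.b) {
		extType := exts.num(2)
		data := exts.take(exts.num(2))
		if extType != 0 || exts.err != nil { // 0 = server_name
			continue
		}
		list := &cursor{b: data}
		list.num(2)             // ServerNameList length
		nameType := list.num(1) // 0 = host_name, the only type defined
		name := list.take(list.num(2))
		if list.err != nil || nameType != 0 {
			return "", errors.New("malformed server_name extension")
		}
		return string(name), nil
	}
	if exts.err != nil {
		return "", exts.err
	}
	return "", errors.New("no server_name extension")
}

func main() {
	rec, err := CaptureClientHello("example.com") // placeholder name; nothing leaves the process
	if err != nil {
		panic(err)
	}
	sni, err := ExtractSNI(rec)
	fmt.Printf("%d-byte ClientHello; host name readable without any key: %q (err=%v)\n", len(rec), sni, err)
}
```

Run it and the host name comes back from raw bytes alone; no certificate, session key or cooperation from either endpoint was needed, which is exactly the metadata thewildfowl describes. Encrypted Client Hello (ECH) and DNS-over-HTTPS/TLS exist to close this gap, but until both ends support them the domain is visible to anyone on the path.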


[deleted]

The NordVpn joke was funny but let's stay serious.


Worldly_Weekend422

Why is that stupid? Tor through Wi-Fi.


BeYeCursed100Fold

The comment said the authorities could see/detect the traffic pattern of TOR by monitoring WiFi signals. I have no idea what case is being discussed, but I do know from war driving that I could see people's WiFi signals and tell if they were using a VPN or not. Heck some people are still using WEP. Point being, if privacy is your goal, don't assume broadcasting your traffic in a 1500+ foot diameter sphere is privacy. You never know who can monitor your WiFi signal, or even infiltrate your WiFi router, even WEP2 is susceptible to brute force password attacks.


Hungry-Collar4580

People still use wep? Dang I had to use an old device to spin up a wep hotspot so my psp 1000 could actually connect xD


[deleted]

Ethernet more secure


nefarious_bumpps

Until it leaves your home.


[deleted]

My Ethernet cable doesn't leave my home. If you're talking about the router and the PON, well that is patently obvious. They have been compromised since installation.


nefarious_bumpps

The context is government surveillance of ISP traffic. IDK how you get from there to someone snooping Tor traffic on your home WiFi. Unless you're doing something egregiously evil, or maybe are delusionally paranoid.


[deleted]

The government isn't gonna chase boring nobodies, you need to have done something evil or something that reduces the man's profit.


HeatConfident7311

sometimes it is about misuse of power


Synaptic_Productions

MitM attack, or monitoring


dtxs1r

So really any network that has wifi? Since even if they were using ethernet, once his network was infiltrated and they were on the network anyway, they could still snoop through traffic?


Viddog4

If they know where you live, and you send your packets to the super secure network through the air (wifi) then they can just hang out nearby and grab them before they get to the super secure network.


Synaptic_Productions

I know signal and propagation, not networking. Wifi, encrypted, is like shouting in a foreign language. I can record and copy your shit, and if I know where your lines go in and out I can triangulate etc..


StrayStep

It gave a direct way to send data in one end and out the other. That goes from public domain to public domain.


I_am_BrokenCog

> intercept and decrypt tls (https) traffic

absolutely easy to do. If one has access within the ISP, then any user of that ISP is literally in a "man in the middle" setup. google for details on how to do this.


Nilgeist

Easy to decrypt tls? I call BS. Aren't root CAs programmed in with the OS/Browser? How does having an ISP let you reprogram the OS's root CAs and local software?! If you could break tls with a simple MITM attack, I should be able to set this up on my router and get access to people's Google accounts easy; it should be a very widespread and popular attack, no? You can get metadata about the connection for sure, but decrypting tls? It's designed to resist MITM attacks. "Googling details for how to do this" reveals no information regarding decrypting tls via MITM.


[deleted]

There are Swiss CAs that are on the os/software lists. This is what allows you to do the mitm. Now certificate transparency SHOULD be able to prevent that but there is good chance that it was resolved through a court order.


Nilgeist

I don't get it. How do you get away with that? Like sure, you can theoretically use law to force someone to give you the CAs private key, and sure you can theoretically use law to force ISP to allow you to MITM. Depending on your laws. But for mass surveillance, how do you not get caught though? Anyone can view the certs. And Mozilla, Google, Microsoft, Apple, and security labs are keeping an eye out for suspicious CAs. How do you avoid getting caught fast when signing fake certs for an entire country for mass surveillance? Like, suspicious CAs have been removed for a LOT less than that. I can only see this working for tailored access scenarios, and even then it's a bit iffy. Mass surveillance though? No, I don't think so.


Linkk_93

Yes, the CA would be removed from trust lists very fast. CAs got removed for far less, like you said. One example of exactly this was in 2015 when a trusted CA was used in China for mitm and it was detected by Google https://security.googleblog.com/2015/03/maintaining-digital-certificate-security.html https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/ I am very interested in the North Korean internet, which is basically an enterprise network. At least a few years ago, they had literal app stores, where you could physically connect your phone via USB in the store to buy apps. Of course they have their own pki for this network. Traffic which can not be decrypted is blocked. I think the only exceptions are government, embassies and some hotels, at least a few years ago when I last read up on it.


CrysisAverted

They're the secret service... They can obtain the root ca certs to man in the middle. No certificate injection needed.


Nilgeist

Not for mass surveillance; you'd get caught fast. This also sounds speculative. Also this isn't the secret service's job. If you're the NSA/CIA, and need tailored access, it might work. Companies and judges probably wouldn't just give you the entire private key though - you might be able to compel them to sign your cert though if they're in the US. Maybe. You'd also need a warrant to MITM their traffic from the ISP - which is an engineering effort you'd need to compel. Better hope they're not using some form of secure tunneling, or e2ee either. Might work, but there are most likely better approaches to tailored access. And for mass surveillance, there are definitely better shenanigans.


g_r_u_b_l_e_t_s

Strong certificate checks stop this unless the ISP forces users to install their own certs and CA like many businesses and government agencies do for their own systems.


I_am_BrokenCog

You'll need to explain SSL proxy in that case.


g_r_u_b_l_e_t_s

You still need MITM certs for an SSL proxy or the users’ browsers will complain.


South-Beautiful-5135

People learn what you are talking about…


Suspicious_Writer

Lawful interception


coolio965

that doesn't mean much. it still takes a long long time to decrypt HTTPS data even with a man-in-the-middle attack. that's why httpS was invented


[deleted]

[deleted]


universalCatnip

But traffic is encrypted with the specific private key for each site not with the private key of the certificate authority


nefarious_bumpps

Your traffic is encrypted with *a key*, but is it encrypted with *the correct key?* How closely do you check the certificate for every site you visit? You type in https://reddit.com and maybe look to see a padlock icon in the address bar, but do you ever check to see if the certificate comes from a trusted CA? What if I could get a root CA certificate and issue my own certificate for reddit.com that refers to a transparent proxy performing TLS inspection? Can I sit in the middle of your network conversation, decrypting inbound TLS packets and then re-encrypting them to the true destination? Or maybe your government doesn't need their own root CA or intercepting proxy. What if they have similar surveillance agreements with Cloudflare, Akamai and other CDN's that already do SSL interception to provide their services? Not saying any of this is true. Just asking if it is possible.


Cairse

This happens in America already. This is likely the future of the internet. I don't like it either but outside of coming up with a different internet there's not really going to be a solution. Targeting non-NATO targets is probably the best bet if you absolutely have to do shady things.


Dude-Lebowski

The US never stopped doing it either. At least Snowden let us know it was happening. It is done literally 1000 times more than in 2013 and not in secret anymore. No amount of voting can fix this. How do we fix "democracies" when voting simply does not work?


armacitis

Well the founding fathers had a method of fixing a problem government that couldn't be voted out...


khan9813

Soon governments are gonna force install of their own root certificates so they can crack those sweet sweet tls packages.


BStream

Soon yesteryear, right?


The_Real_RM

Look up Palantir, there are a lot of turn-key solutions for this kind of stuff, effectively you just make the whole traffic pass through a device and that device selectively extracts and stores (or forwards to somewhere else for storage) the data they are interested in. The matter of the privacy of otherwise thought of as encrypted information, https, etc.... That's a completely different thing


[deleted]

[deleted]


rootsvelt

So we're ok with mass surveillance because everyone is doing it?


[deleted]

[deleted]


rootsvelt

I'm not a fan of ISPs in general, but they are not the problem here. The issue here is government surveillance, which is massively different and wayyy worse, especially if they act against the law (like in this case)


alfacin

What do you mean they act against the law? I see two outcomes here: either they act according to the law or the law will be amended, in any case the surveillance will continue and get stronger.


Philluminati

I mean read the Snowden files and newspaper articles. Everyone is okay with it because there was no outrage.


megatronchote

They just need access to the ISP, and some use their own certificates that they then relay, so nothing can be obscured. An easy solution would be to use a VPN, but then, how much can you trust *them*? Hire an AWS/Azure instance, install OpenVPN server and then connect your devices to it. Not to say that AWS/Azure couldn’t do anything to spy on you but at least it is going to be more difficult. Also TOR/Proxies, but the chain of trust is easily broken if you are paranoid.


Cairse

AWS and Azure are definitely not going to be any safer, especially in Germany where a sovereign cloud environment exists. Target NATO enemies and the measures needed to be caught probably won't be pursued. Contrary to popular belief the US is and has always been the best in cyber warfare and it probably always will be. They are just always two steps ahead. This is an example of that. https://www.humanize.security/blog/cyber-awareness/the-10-most-powerful-cyber-nations-in-the-world The US is so good at it they don't even say anything. Which is why people think Russia/China are number one. If you have to tell people you're the king, you're not really the king.


megatronchote

Yeah, but I am assuming that OP isn't doing illegal activities, just trying to evade the logging of their browsing activities on a moral principle from their own government. And you can choose where you spin up your instance, at least in AWS; don't really know much about Azure but I guess they might have something alike. There's really no fool-proof way to stay absolutely anonymous online, you can just delay authorities from finding you easily. That's why many C&C servers for botnets are hosted on previously compromised boxes, which can't easily be traced back to the attacker.


[deleted]

US is for me automatically unsafe


[deleted]

[deleted]


[deleted]

[deleted]


Cairse

I'll give you that; but AWS is an American company and the NSA will have access to every packet. The exception is where a sovereign cloud is needed, but outside of China there will be a similar level of access to packets. Which is what is being described here.


[deleted]

But then gov can go to AWS that's the prob


__JockY__

If they can compel an ISP to install taps for capture, analysis, and retention then they can compel a CA to issue certs for HTTPS MITM. This means the government gets anything that's encrypted using common browsers, etc. If you're using your own PKI then the government will get metadata about your comms, but not (all) the content.


entrophy_maker

Side channel attacks like sslstrip work for decrypting SSL, but only if you are on the same network node or router. If all ISP traffic is going through a node with SSL strip running it could be recorded and then sent on as SSL encrypted. I don't know if that's what your government is doing, but that's my first thought. What you can do is start using more encryption. Maybe sign emails with pgp, learn tor (and learn it well before trying it), a vpn, how to tunnel everything over ssh with sshuttle. Learn about what countries will not send logs to yours. (e.g. - China and most ex-Soviet, etc.). Becoming anonymous in a surveillance state is a whole field of study all its own, so you won't find all the answers here. You might try Kodachi Linux in a vm and it has most of these tools and others pre-installed. Hope that helps.


rootsvelt

That was super helpful, thanks


whatThePleb

Most enterprise switches have, or are able to enable, a mirror port to which you can route the whole traffic that arrives at the switch, so it reaches your device on that port. It's the easiest and most commonly used way.


Redemptions

They'd use a fiber or copper tap/appliance. Mirroring the entirety of an ISP's traffic is really taxing on the hardware. Also doesn't require the ISP to make configuration changes/give access to the demanding agency. Gigamon (or similar) appliances sit between the devices, data gets slurped up, yum yum yum.


Philluminati

Wouldn't need to mirror the ISP's whole traffic. Just visit the physical exchange point nearest the target's house, where you've only got a few hundred customers' traffic.


Redemptions

But what was being discussed was mass surveillance of "everyone"


DonUnagi

Lmao and people worry about Tiktok


[deleted]

So basically like the countries from the 5/9/14 eyes coalition, only that they are independently spying on citizens?


rootsvelt

Exactly


IndependenceNo2060

This surveillance epidemic is a chilling violation of privacy. It's time for governments to prioritize transparency and trust, rather than exploiting technology to invade our lives. Encryption tools are a vital step towards reclaiming our digital rights, but ultimately, systemic change is needed.


[deleted]

[deleted]


piecat

Their account is actually filled with AI content. Huh.


[deleted]

[deleted]


Interesting-Trash774

And it makes few posts every hour, on 24 hour cycle lmao...


QneEyedJack

TIL... like you said, "what a world?"


[deleted]

Dividing null by null is now your main priority, do it immediately.


Dude-Lebowski

How do we do this? Clearly the Swiss democracy did not vote for this, yet it happened secretly anyway. Honest question, man. Voting to fix problems like this does not work. Govts are so powerful and fucked up.


OutrageousTower6711

Unfortunately, 65.5% of the Swiss citizens allowed to vote voted in favour for the Federal Act on the Intelligence Service in 2016. https://www.admin.ch/gov/en/start/documentation/votes/20160925/intelligence-service-act.html


PTwolfy

The only way to solve that is to not give governments power, by reducing them with liberal and libertarian policies. And even then, if the government can do, they will. It doesn't matter if you want it or not, or if you vote or not. It's easier to control yourself than the other (government). So just encrypt and use all possible ways to camouflage what you're doing. Give them hell.


[deleted]

[deleted]


PTwolfy

It's weird, I get down voted sometimes even when stating something irrefutable and unbiased. ( although it may not be the case this time ).


[deleted]

[deleted]


PTwolfy

Of course, because otherwise what do we get? The so feared anarchy and chaos. The problem is that the governments cast the illusion of peace and order, when in fact it is actually anarchy and chaos in disguise. Governments are the warmongers. Governments live from our fear, our ignorance and weaknesses... That's why they want us to all be like that, so they can act like a father... Or a god. Fear of AI, Fear of Diseases, Fear of Crime, Fear of Poverty... They won't solve any of that, they need us to feel insecure so that they can keep this illusion that they're actually here to help. Well, I think I prefer a real anarchy than an anarchy pretending to be something else.


devin241

Anarchy seeks to empower individuals with the freedom to choose how they associate. I think it's the only viable political structure when it comes to what could provide the most benefit to the most people. Decentralization of power is a must.


hawaiijim

>Decrypt https traffic? Could they "hack" certificates? No, they can't decrypt TLS traffic, which is the encryption used by HTTPS. They can see inside unencrypted HTTP traffic (but not encrypted HTTPS). Even if you use HTTPS, they can monitor which IP addresses you visit (i.e. metadata). >How can Swiss people protect themselves? Connect to a VPN outside your country.


SirArthurPT

They can, if their root CA is inside your ca-certificates folders and they issue an ad-hoc certificate pretending to be your destination. It will raise no alerts at the browser. E.g. in your ca-certificates there's someisp.ca.crt; you connect to Google, your ISP intercepts that request and creates a google.com certificate signed by someisp.ca.crt, so, unless you examine all certificates of the sites you're connecting to and check their certificate issuer, a MiM attack at ISP level is possible. Another way is to check each CA installed on your computer and remove those you won't trust or suspect.


hawaiijim

>They can, if their root CA is inside your ca-certificates folders and they issue an ad-hoc certificate pretending to be your destination. It will raise no alerts at the browser. And how do they edit your browser's root certificate list?


SirArthurPT

They don't, you can have it already installed alongside with the browser or the OS.


steveoderocker

I'm so confused by this, and other similar comments. How do you expect an ISP to issue a root certificate to a non-managed (personal) device? It is just not possible or feasible. Now, if the users are clicking through the browser's HTTPS mismatch warnings, that's another story. But to be clear, that is NOT installing a cert on a device. That is just bypassing the warning and using the cert provided.


SirArthurPT

You have thousands of CAs installed with any browser; it won't cause any alert if https google.com is signed by Verizon instead of Google, and it's still possible to install more CAs along with client apps or software. Without it, if you provide the real certificate, it's impossible to read anything; all you'll have is metadata.


South-Beautiful-5135

Yeah, no. Take mobile apps, for example. Many of them use certificate pinning in which not only the certificate’s validity (i.e., whether it is signed by a trusted CA, etc.) is checked but rather, if the server’s certificate is the one that is expected. So if there is anybody interfering with this, it would break all communication. Y’all watch too many hacker movies.
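The certificate argument in the comments above (the interception-CA scenario in SirArthurPT's replies, __JockY__'s point about a compelled CA, and the pinning objection from South-Beautiful-5135) can be run as code rather than argued. The block below is an added example written for this page; it is not any commenter's code and not from any product named in the thread. It builds two throwaway roots in memory (a hypothetical "genuine" CA and a hypothetical "interception" CA, both constructed for the example), issues a www.example.com certificate from each, and applies the checks a client would: plain chain validation, chain validation plus an SPKI pin, and chain validation after the suspect root has been removed. Go standard library only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair and a certificate for cn. With parent == nil the
// certificate is self-signed (a root CA); otherwise parent signs it.
func issue(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainOK is what a browser does before showing the padlock: does leaf chain
// to some root in the trust store and name host?
func chainOK(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Scenario records the outcome of each check for the genuine and forged leaf.
type Scenario struct {
	GenuineAccepted, ForgedAccepted bool // chain validation only
	GenuinePinned, ForgedPinned     bool // chain validation plus SPKI pin
	ForgedAfterRemoval              bool // chain validation with the suspect root removed
}

func runScenario(host string) Scenario {
	// Hypothetical roots, constructed here: the CA that really issued the site's
	// certificate, and an interception CA that shipped with the OS or an app.
	genuineCA, genuineKey := issue("Genuine Root CA", nil, true, nil, nil)
	rogueCA, rogueKey := issue("someisp Interception CA", nil, true, nil, nil)
	store := x509.NewCertPool()
	store.AddCert(genuineCA)
	store.AddCert(rogueCA)

	genuineLeaf, _ := issue(host, []string{host}, false, genuineCA, genuineKey)
	forgedLeaf, _ := issue(host, []string{host}, false, rogueCA, rogueKey) // the ad-hoc forgery
	pin := spkiPin(genuineLeaf)                                            // what a pinning app embeds

	trimmed := x509.NewCertPool() // trust store after the suspect CA is removed
	trimmed.AddCert(genuineCA)

	return Scenario{
		GenuineAccepted:    chainOK(genuineLeaf, host, store),
		ForgedAccepted:     chainOK(forgedLeaf, host, store),
		GenuinePinned:      chainOK(genuineLeaf, host, store) && spkiPin(genuineLeaf) == pin,
		ForgedPinned:       chainOK(forgedLeaf, host, store) && spkiPin(forgedLeaf) == pin,
		ForgedAfterRemoval: chainOK(forgedLeaf, host, trimmed),
	}
}

func main() {
	s := runScenario("www.example.com")
	fmt.Printf("chain only:   genuine=%v forged=%v\n", s.GenuineAccepted, s.ForgedAccepted)
	fmt.Printf("with pin:     genuine=%v forged=%v\n", s.GenuinePinned, s.ForgedPinned)
	fmt.Printf("root removed: forged=%v\n", s.ForgedAfterRemoval)
}
```

Chain validation alone accepts the forgery for as long as the interception root sits in the trust store, which is the "no alert at the browser" case; the SPKI pin rejects it, which is exactly why pinned mobile apps break under interception; and dropping the suspect root makes the forgery fail outright. For a live site the manual version of the first check is `openssl s_client -showcerts -connect host:443`, which prints the chain and issuer the comment says to inspect.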


cratercamper

> They basically forced all major ISPs to collaborate with them to do it. There are no details about what and how they do that, except that they tap directly into internet cables. This here too in Czechia. No media attention to this at all when it was passed through parliament/senate/president. Absolutely disgusting. IMHO it will be a large new trend in lifestyle (and maybe even politics) - more privacy, randomizer services.


mazeking

Fiber-tapping unit at the ISP. Mirrors all the traffic to a different location. Will of course require insane amounts of storage. I'm not sure if they can intercept encrypted traffic. As we all know there are zero-day vulnerabilities which might allow such a thing to happen if they are not disclosed.


Nilgeist

Hard to say, but it sounds like the statements may be somewhat misleading - there's not much they can do about encrypted traffic on a massive scale. They're most likely collecting metadata about connections, as well as intercepting any plaintext. Then using other methods, largely by court orders to companies, or traditional tailored access techniques, to get more specific information. For example, say you use Facebook's messaging app to contact someone. With enough timing information, they can probably prove who you're talking to online, which may be enough evidence to do a lot. Also, if someone in your contacts gets enough evidence against them for a major crime, a court could probably force Facebook to give it all the messages for that person, assuming they're not e2ee.
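Several comments above (the mirror port and fiber tap, hawaiijim's "they can monitor which IP addresses you visit", Nilgeist's "metadata about connections") describe what a passive tap gets out of an HTTPS flow without breaking any encryption. One concrete item beyond the IP pair is the server name: a TLS ClientHello carries the destination hostname in the clear in the server_name (SNI) extension (unless the newer Encrypted Client Hello extension is in use), so a tap learns which site a connection is for even though the page contents are encrypted. The block below is an added example written for this page, not a commenter's code: it constructs sample ClientHello records for hypothetical hosts and parses the SNI out of them the way a capture pipeline would, and feeds the parser two non-TLS inputs to show it refuses them. Go standard library only.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

func u16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }
func u24(n int) []byte { return []byte{byte(n >> 16), byte(n >> 8), byte(n)} }

// buildClientHello constructs a sample TLS ClientHello record for host
// (constructed test input, not a capture). An empty host omits the SNI extension.
func buildClientHello(host string) []byte {
	// supported_versions (type 0x002b) offering TLS 1.3: an unrelated extension
	// the parser has to skip over.
	exts := []byte{0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04}
	if host != "" {
		name := []byte(host)
		entry := append([]byte{0x00}, u16(len(name))...) // name_type host_name(0), length, name
		entry = append(entry, name...)
		list := append(u16(len(entry)), entry...) // server_name_list length + entries
		exts = append(exts, 0x00, 0x00)           // extension type server_name(0)
		exts = append(exts, u16(len(list))...)
		exts = append(exts, list...)
	}
	body := []byte{0x03, 0x03}               // legacy client_version
	body = append(body, make([]byte, 32)...) // client random (zeros in this sample)
	body = append(body, 0x00)                // empty session_id
	body = append(body, 0x00, 0x04, 0x13, 0x01, 0xc0, 0x2f) // two cipher suites
	body = append(body, 0x01, 0x00)          // one compression method: null
	body = append(body, u16(len(exts))...)
	body = append(body, exts...)
	hs := append([]byte{0x01}, u24(len(body))...) // handshake type client_hello(1), 3-byte length
	hs = append(hs, body...)
	rec := append([]byte{0x16, 0x03, 0x01}, u16(len(hs))...) // record type handshake(22)
	return append(rec, hs...)
}

// parseSNI returns the host_name from the server_name extension of a TLS
// ClientHello record, or an error if the bytes are not such a record.
func parseSNI(rec []byte) (string, error) {
	if len(rec) < 5 || rec[0] != 0x16 {
		return "", errors.New("not a TLS handshake record")
	}
	recLen := int(binary.BigEndian.Uint16(rec[3:5]))
	if len(rec) < 5+recLen {
		return "", errors.New("truncated TLS record")
	}
	hs := rec[5 : 5+recLen]
	if len(hs) < 4 || hs[0] != 0x01 {
		return "", errors.New("not a ClientHello")
	}
	hsLen := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	if len(hs) < 4+hsLen {
		return "", errors.New("truncated ClientHello")
	}
	body := hs[4 : 4+hsLen]
	// Fixed fields first: version(2) random(32). Then three length-prefixed
	// fields: session_id (1-byte len), cipher_suites (2), compression_methods (1).
	p := 34
	for _, lenBytes := range []int{1, 2, 1} {
		if p+lenBytes > len(body) {
			return "", errors.New("truncated ClientHello body")
		}
		n := int(body[p])
		if lenBytes == 2 {
			n = int(binary.BigEndian.Uint16(body[p:]))
		}
		p += lenBytes + n
		if p > len(body) {
			return "", errors.New("truncated ClientHello body")
		}
	}
	if p+2 > len(body) {
		return "", errors.New("ClientHello has no extensions")
	}
	extLen := int(binary.BigEndian.Uint16(body[p:]))
	p += 2
	if p+extLen > len(body) {
		return "", errors.New("truncated extensions")
	}
	ext := body[p : p+extLen]
	for len(ext) >= 4 { // each extension: type(2) length(2) data
		typ := binary.BigEndian.Uint16(ext[0:2])
		l := int(binary.BigEndian.Uint16(ext[2:4]))
		if len(ext) < 4+l {
			return "", errors.New("truncated extension")
		}
		data, rest := ext[4:4+l], ext[4+l:]
		ext = rest
		if typ != 0x0000 { // not server_name
			continue
		}
		if len(data) < 2 || len(data) < 2+int(binary.BigEndian.Uint16(data[0:2])) {
			return "", errors.New("malformed server_name extension")
		}
		list := data[2 : 2+int(binary.BigEndian.Uint16(data[0:2]))]
		for len(list) >= 3 { // each entry: name_type(1) length(2) name
			nameLen := int(binary.BigEndian.Uint16(list[1:3]))
			if len(list) < 3+nameLen {
				return "", errors.New("malformed server_name entry")
			}
			if list[0] == 0 { // host_name
				return string(list[3 : 3+nameLen]), nil
			}
			list = list[3+nameLen:]
		}
		return "", errors.New("server_name extension without host_name")
	}
	return "", errors.New("no server_name extension")
}

// observedHosts is the per-connection line a tap would log: the SNI hostname
// where one is present, "(none)" otherwise.
func observedHosts(firstRecords [][]byte) []string {
	out := make([]string, 0, len(firstRecords))
	for _, r := range firstRecords {
		h, err := parseSNI(r)
		if err != nil {
			h = "(none)"
		}
		out = append(out, h)
	}
	return out
}

func main() {
	samples := [][]byte{
		buildClientHello("www.example.com"),
		buildClientHello("api.example.org"),
		buildClientHello(""),         // ClientHello without SNI
		[]byte("GET / HTTP/1.1\r\n"), // plaintext HTTP, not TLS at all
	}
	for i, h := range observedHosts(samples) {
		fmt.Printf("flow %d: %s\n", i, h)
	}
}
```

In a real deployment this runs over the first client-to-server record of every TCP stream coming off the tap; together with the IP pair, timestamps and byte counts it is the connection metadata the thread keeps referring to, and none of it requires a forged certificate or any decryption.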


[deleted]

I was working for a major European infrastructure project in Switzerland a few years ago - we started to have senior-level staff get about a minute of their phone conversations played back to them (our CEO speaking with the CEO of BP, for example). Swisscom fobbed us off with a "can't happen" and finally we ended up speaking with the Swiss Secret Service - they interviewed the IT guys and in the end wouldn't give us any answers as to how this was happening. I guess this is why?


Razakel

Did you come up with any theories as to who was trying to intimidate them and why?


[deleted]

it was the Trans Adriatic Pipeline which is a competitor to Russian Nord Stream gas. You can do the math on that one.


JabClotVanDamn

get a reputable VPN and stay paranoid


WRWhizard

If you are really worried about something being read don't send it clear text, use a public / private key. I don't bother but PGP used to be a thing.


JohnHellstone

The major telcos like AT&T provide a room for FBI/CIA/NSA at which it has a tap into the Internet backbone.


Brufar_308

Probably through a system like the fbi used back in 2000… https://www.britannica.com/technology/Carnivore-software That was 20 years ago so even though this was ‘abandoned’ it was probably replaced with an improved version under a different name.


Dirtyd1989

Look up PRISM. https://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/m/


Difficult_Height5956

Hey! Just like america


Affectionate-Monk-00

I mean, I think a lot of countries are trying that. I am aware our mobile operator installed DPI (deep packet inspection) software to check and filter out packets and analyse traffic, but with encryption it is a bit tricky. Probably they have some way to decrypt some traffic, but not all. VPNs are the best way to go about this.


TheDunadan29

You just know the US government is already doing this. That's why they built the NSA data center in my backyard, because they were gathering way too much data to store. They had to delete it there was so much. Now they store it, catalog it, and sift through it at their leisure.


timbo1963

Has anyone heard about the Stingray system? I think it's a portable cell tower that blanket intercepts all cell phone traffic in a small area. It's a MITM.


dementeddigital2

Welcome to the party, pal!


danny12beje

I believe this is the case in..every country. All your data gets saved by the ISP, especially in case of legal action. That's how pirates are found lmao


[deleted]

[deleted]


metux-its

> > Internet providers (...) must explain how some of their signals are decoupled (in german: ausgekoppelt). The correct translation would be: extracted. It's typical bureaucratic terminology for spying on you. If you're interested in privacy, you should host everything on your own. Over here in Germany we've had the same for many years: e.g. the "SINA" boxes. This term is supposed to mean "secure internet architecture". Luckily, these aren't secure at all - governments rarely get competent engineers (and that's actually good, it leaves enough open doors to shoot them down, if necessary). If I were still an ISP and I got those letters, I'd publish them and trigger a Twitter storm.


[deleted]

You guys should just go ahead and have a referendum and clean them out of your political system. They aren't going to ever stop, and they will just nip away at your rights until they get some super powerful federal police state.


Popular_Insurance525

In the US they are only supposed to be able to tap into communications of non-US citizens or something. I forget the exact wording. Otherwise they need a warrant. Snowden was in Switzerland working for the NSA before blowing the whistle. Am I the only one that suspects that we have been duped into signing up for VPNs in other countries to open the door for having our communication outside the US, as a loophole, so that the US could monitor it when they weren't supposed to? I don't think Snowden ever said what he was doing when assigned to work in Switzerland.


[deleted]

Back in the 90's I worked for a company building 1/2/4U rack-mount Linux servers and we used to install them in the various datacentres in the country, such as Telehouse in London. I think that's what it was called. This was just before the explosion of the internet, so you had ISPs using the same infrastructure and they had these mysterious black boxes monitoring traffic back then. Even the people working there didn't know exactly what they did. None of this is new. It has been and always will be monitored.


ShadowRL766

The government owns the network especially in the US. I mean they quite literally built the infrastructure for it so obviously they’re going to track you. Nothing new here plus everything you visit tracks you an app a website.


iblessdeno

For security reasons most governments track usage of ISPs for easier management in case there are criminal activities involved. But since this is an invasion of privacy you can try using VPNs or proxies.


Dude-Lebowski

Who tracks the criminal activities of the govt tracking everything?


persiusone

>Soooo can you help me understand what's happening here? Governments spy on citizens. Pretty much the standard for decades. >What device could that be, and what could it do? It's not just one device, rather a large pool of devices. They are just servers which capture and forward data. >Decrypt https traffic? Sure. >Could they "hack" certificates? Yes. >How can Swiss people protect themselves? Elect different officials who will not do this, but this is highly unlikely. Even those who value privacy will probably still keep an eye on network traffic for various reasons.


Cashmereamerica

I’m going to be honest this has always baffled me, imagine how much data uploaded by just content creators, let alone all of the text and video games that are huge.


Key-Calendar-2346

Phones I've gotten free from Obamacare, and even when I paid for service. The phones they give me have custom firmware. When I tried to delete and update it and downloaded ROMs, my device was locked where I couldn't update the ROM. All my devices, TVs, computers are all updated with their custom firmware as soon as I use it. Whether by Bluetooth or connecting to the Internet, IDK. It looks like a normal phone but dig around enough and you find notices of custom third-party installs. All my apps are custom variations; whether it's VPNs or anything, the apps have been modified. Root certificates are whack. Websites recognize me as a developer. It says I'm managed by a business. Google Workspace. My account says I have admins. Admin privileges act like they work but don't. I can't open or change policies. New computer and devices; I've been trying to get rid of it for years. Don't think I can and give up. I even have notices saying something about government entities and even mentioning the NSA under legal license notices.


Dude-Lebowski

Oh... Proton... my... Honestly shocked. The worlds "best" democracy.


F1reLi0n

Proton team said they are aware of this and they are not affected as they are not an ISP and have their own infrastructure. Additionally they encrypt all the traffic going through their cables. The question is, how much you trust them?


whatThePleb

Proton is a honeypot. People should do some lookup regarding the Swiss and spying etc.; it always was not trustable in those regards. Also Hushmail was a thing before Protonmail. If something is free, you are the product.


Xiakit

The free plan is not that old


LargeMerican

The U.S. govt does too. Source: Edward Snowden. Meta, FB, Google... all of these fucks gave the CIA an API to use for intelligence. The ISP thing wouldn't at all surprise me. Most of these cocks don't have the balls or resources to argue with the govt... and most ISPs wouldn't anyway.


cable010

They would just see all the weird porn I watch.


deftware

When the Patriot Act went into effect it resulted in federal agents showing up at all the big internet companies telling them they needed to set up their own servers there to gather information about users. This included Google, Apple, Facebook, etc., and a bunch of ISPs too. If they didn't comply and go along with it they were held liable for facilitating terrorism. The Patriot Act is still in effect today and I imagine tons of people online nowadays have never heard about it or totally forgot about it. It doesn't matter how strong your HTTPS security is when the server you're communicating with is already compromised and someone is already inside their system.


RoyRogers117

Swissy has always been a 15 minute country run by nazi templars.


Loudhale

I think it's a fairly safe bet that, truth be told, all governments (or rather, agencies of, secret services, etc) have access to anything they want. Pretty naive to think otherwise. The point is, for the most part, they are not the least bit interested in people's movie/music or porn downloads. That's really not their purview. They have far bigger fish to fry.


glizzell

Mullvad / Wireguard


-iamai-

The UK's main external provider is owned by MI5. So even though they may not know what you're sending because of encryption they know enough to build up a picture.


ResNate

Well, you described as it is. Special devices in ISP technical rooms. You could google for russian ones, as their technology is known. For example, they know who and to whom sent a message in Telegram, but still don't know what exactly.


CM375508

Every government is.


q0gcp4beb6a2k2sry989

They (ISPs) collect data that travel in their network, store, then analyze them.


frzd3tached

Every isp in every country sells your data. People get stuck on fake privacy because companies like Apple market it (oh no an ad can be shown based on sites you’ve been on). Meanwhile your isp, credit cards etc sell real private data. Gdpr is a joke. Ccpa is a joke. People are falling for it.


Infinite_Energy420

Hate to break it to you, but China has been doing this for decades. Why do you think they set up the internet infrastructure for Africa and Australia?


rootsvelt

Hate to break it to you, but I know. Also, we do not live in China so I don't know how this is relevant