Your ISP and VPNs

Discussion in 'Technical Board' started by Nettdata, Mar 25, 2017.

  1. Nettdata

    Nettdata
    Mr. Toast

    Reputation:
    2,863
    Joined:
    Feb 14, 2006
    Messages:
    25,737
    I'll get back to this a bit later tonight, but let's start up a thread that will help people understand what the latest ISP selling your data means, and how VPN's tie into that.

    For now, I seem to remember this video as being somewhat reasonable when it came out a couple years ago.

     
  2. AFHokie

    AFHokie
    Emotionally Jaded

    Reputation:
    282
    Joined:
    Apr 13, 2010
    Messages:
    1,435
    Location:
    Manassas, VA
    What are your opinions of Proton VPN?

    Is it a decent free VPN, or should I look for something else?
     
  3. Binary

    Binary
    Emotionally Jaded

    Reputation:
    383
    Joined:
    Oct 21, 2009
    Messages:
    4,062
    If you want a VPN, you should pay for it.

    Proton is a good VPN service. Mullvad is another good one. Both are privacy focused. Mozilla has a decent one now as well though I haven't used it.

    But you should pay for your VPN providers. They are providing an important service relating to your privacy and user data - don't give them an incentive to sell that data.
     
  4. Juice

    Juice
    Moderately Gender Fluid

    Reputation:
    1,382
    Joined:
    Oct 19, 2009
    Messages:
    13,397
    Location:
    Boston
    I pay for ExpressVPN, but Proton is a great alternative and is probably better. No idea what you're planning on doing, but keep in mind VPNs are not an end-all, be-all of privacy or digital security. You can still be identified. They prevent ISP snooping and someone trying to sniff packets in transit.
     
  5. Binary

    Binary
    Emotionally Jaded

    Reputation:
    383
    Joined:
    Oct 21, 2009
    Messages:
    4,062
    Couple notes on the original video:
    • The idea that a second layer of encryption is "safer" or less prone to hacking is, essentially, nonsense. While it's true from a very technical standpoint (i.e. two layers of encryption are indeed harder to attack than one layer), from a practical standpoint nobody has broken the normal modern protocols that are being used. The practical difference between two layers of unbreakable encryption and one layer is not very relevant. Also: I'm leery of anyone who uses the word "hacking" in that context because it's really not a good descriptor.
    • The idea that your ISP is unable to throttle you because you're using a VPN is also not accurate; most ISPs throttle based on usage patterns, not destination IPs. They can and will throttle a high-bandwidth user who is behind a VPN. Modern data shaping protocols are very good at detecting types of traffic even without being able to examine the contents.
     
    #5 Binary, Feb 25, 2024
    Last edited: Feb 25, 2024
  6. Binary

    Binary
    Emotionally Jaded

    Reputation:
    383
    Joined:
    Oct 21, 2009
    Messages:
    4,062
    So since this is kinda my wheelhouse, and it's good for your brain to exercise it by explaining things, here's Binary's Lecture Series on Data Privacy and VPNs.

    First, let's clarify - when I refer to "your ISP" here, I'm generally referring to, "anyone who touches your connection to the internet." This includes places that provide public wi-fi, as well as lots of network providers out there who provide connectivity across the world. Lots of people touch your data between you and your destination.

    What Can Your ISP See? Part 1: Unencrypted protocols
    What Is It? The easiest example is websites that don't have the little "lock" icon - or if it says "http" instead of "https" in your browser address bar. This is data which is transmitted without any protections on it. Anyone between you and your destination can see all of the contents of any unencrypted data that's sent - this includes the pages you request, but also includes the contents of the pages, and anything you might submit (e.g. contents of a form, or your credentials).

    What Can I Do About It? Thankfully, this is fairly rare now. Estimates are that around 95% or so of websites use HTTPS. Android and iOS both default to secure protocols even for non-HTTP traffic. Nearly everything you transmit that's HTTPS or otherwise encrypted is not visible to your ISP. All major messaging and voice providers use secure protocols as well.

    If you'd like an additional layer of assurance, the Electronic Frontier Foundation (EFF) has a nice page on enabling browser configuration to prioritize HTTPS.

    Does a VPN Fix This? Sorta. The VPN encrypts the data between you and the VPN provider, so your ISP no longer gets to see it. However, everyone else, including the VPN provider, gets to see everything. So you should always be aware that fully unencrypted sites are a privacy risk.


    What Can Your ISP See? Part 2: DNS
    What Is It? DNS is what transforms your domain name requests (e.g. google.com) into the IP addresses that the internet actually operates on. Traditional DNS is unencrypted, and by default your ISP is usually your DNS provider. Consequently, your ISP can see all of the domain names you are interested in visiting. They can't see the contents of the connection, so they can see that you are visiting pornhub.com but cannot see that your fetish is for pregnant trannies in clown shoes.

    What Can I Do About It? Encrypted DNS is here. Your browser may already be using it. Your OS may even be using it. Huzzah! You can check on Cloudflare's browser checker. Don't worry about the Encrypted SNI part, we'll get to that.
    https://www.cloudflare.com/ssl/encrypted-sni/

    If you don't have encrypted DNS, you can likely enable it easily. Here is a tutorial for Windows 11. Android supports it natively, look here at Configure 1.1.1.1 Manually. If you can't enable encrypted DNS on your OS, you can almost certainly do it in your browser - Cloudflare has a nice tutorial on it.

    Does a VPN Fix This? Yes, a good VPN will tunnel your DNS queries. However, some VPN providers have had problems with their apps "leaking" DNS queries - that is, sending the queries directly to the DNS servers instead of sending them over the encrypted tunnel. So it's not bulletproof.


    What Can Your ISP See? Part 3: Metadata
    What Is It? Metadata is all of the little bits of information surrounding your connection. The protocol and port (e.g., are you requesting a website or making a phone call?), the destination IP address (do we know what service this IP provides? Is it, for example, registered to Google?) and, most importantly, the secure connection setup details.

    Back in the day, connections used to be straightforward: I request a connection to a remote server, like Google.com. That request establishes a connection to a single machine sitting inside Google's datacenters somewhere. Simple.

    The architecture of the internet has changed, though. Now we have tons of shared helper services (colloquially often called "load balancers" but that's inaccurate and the details are beyond the scope of this post) trying to make it easier to connect to things you need. If I am on the west coast of the US, a helper service is going to make sure that I get connected to Google's west coast datacenter. If one set of Google services are really busy, a helper service will make sure I get routed to another set.

    Now, most of the internet operates through some kind of helper service or another. Joe's Midtown House o' Hoagies website sits alongside ten thousand other small business websites - Joe didn't buy his own server, he's renting a small amount of time from a big company's servers who share the load with everyone else.

    So the internet protocols were modified to add a field in your connection called "Server Name Indication." This allows you to say, "hey, I'd like to connect to IP address 1.2.3.4, but just so you know, the actual website I'm trying to reach is joeshoagiehouse.com."

    Why does this matter? Because your secure, encrypted connection should, in theory, prevent outsiders from collecting information about you - but it actually contains the clear text name of the domain you're trying to visit. So despite making sure that you've read Part 1 and 2 here, and you're using secure websites and secure DNS, your ISP can still scoop up the fact that you're visiting pornhub.com. Oops.

    What Can I Do About It? The new, improved protocols are already being used in the wild. If you're using Firefox, you can enable DNS over HTTPS and your browser should just start using the new protocols. Chrome is supposed to be using it by default as well.

    You can check on this test page to see if you have "ECH" (encrypted client hello) enabled.

    Unfortunately, this only works for remote servers that support the new protocol (called TLS 1.3). So over time, we will see more and more of the internet implement these important privacy guards, but right now you can't count on it across the board.

    Does a VPN Fix This? Yes, a VPN will hide this information if the above test returns a negative result, or if you want this protection for sites that don't currently support TLS 1.3.


    Up next: should you bother with a VPN and why or why not?

    edit: consolidated separate posts into one and hid behind spoilers to make it easier to read.
     
    #6 Binary, Feb 25, 2024
    Last edited: Feb 26, 2024
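Added example, not part of the thread: a small parser that reads a TLS ClientHello the way an on-path observer (the "ISP" in Part 3) would, with no keys at all. It pulls the cleartext Server Name Indication out and reports whether an encrypted_client_hello extension (type 0xfe0d, the ECH mechanism referenced above) is present. The ClientHello bytes are constructed inline by a helper, not captured from a real session, and the ECH payload is an opaque stand-in.

```python
import struct

def build_client_hello(sni: str, ech: bool = False) -> bytes:
    """Constructed sample: minimal ClientHello record with a server_name
    extension and, optionally, an encrypted_client_hello (0xfe0d) stub."""
    host = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type=host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    if ech:
        payload = b"\x00" * 16                                   # opaque ciphertext stand-in
        exts += struct.pack("!HH", 0xFE0D, len(payload)) + payload
    body = (b"\x03\x03" + b"\x11" * 32                          # legacy_version, random
            + b"\x00"                                            # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                 # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                        # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type=client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def observe_client_hello(record: bytes) -> dict:
    """What anyone between you and the server can read from the first packet."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                        # header, version, random
    p += 1 + hs[p]                                        # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]          # cipher suites
    p += 1 + hs[p]                                        # compression methods
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    seen = {"sni": None, "ech": False}
    while p < end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        if etype == 0x0000:                               # server_name: cleartext hostname
            name_len = struct.unpack("!H", data[3:5])[0]
            seen["sni"] = data[5:5 + name_len].decode()
        elif etype == 0xFE0D:                             # ECH: real name is inside the ciphertext
            seen["ech"] = True
    return seen

if __name__ == "__main__":
    print(observe_client_hello(build_client_hello("joeshoagiehouse.com")))
    print(observe_client_hello(build_client_hello("public-name.example", ech=True)))
```

With ECH in use, the server_name seen on the wire is only the provider's public name; the real hostname travels inside the 0xfe0d payload, which is why the observer's view changes from the site you want to the front door you share with everyone else.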
  7. Juice

    Juice
    Moderately Gender Fluid

    Reputation:
    1,382
    Joined:
    Oct 19, 2009
    Messages:
    13,397
    Location:
    Boston
    When I used to have to give trainings at work, I used to explain it this way to the laymen:
    • HTTP = Walking down a street being able to look through people's windows and see what they are doing inside their house.
    • HTTPS = Walking down the same street, but the shades are drawn in the windows. You know someone is home, but you have no idea what they're doing.
    You know, until someone (outside of the NSA) cracks TLS 1.2.
     
  8. Nettdata

    Nettdata
    Mr. Toast

    Reputation:
    2,863
    Joined:
    Feb 14, 2006
    Messages:
    25,737
    Solid info.
     
  9. Nettdata

    Nettdata
    Mr. Toast

    Reputation:
    2,863
    Joined:
    Feb 14, 2006
    Messages:
    25,737
    A postcard vs a letter in an envelope.
     
  10. Binary

    Binary
    Emotionally Jaded

    Reputation:
    383
    Joined:
    Oct 21, 2009
    Messages:
    4,062
    Interestingly, HTTPS leaks some pretty important info... Addressing in Part 3 but traveling today so I haven't gotten to typing it up.
     
  11. Nettdata

    Nettdata
    Mr. Toast

    Reputation:
    2,863
    Joined:
    Feb 14, 2006
    Messages:
    25,737
    Yep. It’s no magic bullet.
     
  12. Juice

    Juice
    Moderately Gender Fluid

    Reputation:
    1,382
    Joined:
    Oct 19, 2009
    Messages:
    13,397
    Location:
    Boston
    Sure... but these were people that didn't know anything about security, so I wasn't exactly going to go into outdated cipher suites, browser leaks, MITM attacks and shitty cert management/HSTS. It was essentially an exercise in me explaining to them why they failed SOC 2.
     
  13. Nettdata

    Nettdata
    Mr. Toast

    Reputation:
    2,863
    Joined:
    Feb 14, 2006
    Messages:
    25,737
    Interestingly enough, my ISP is blocking DNS over HTTPS. Why? Because that data is worth money to them.
     
  14. Binary

    Binary
    Emotionally Jaded

    Reputation:
    383
    Joined:
    Oct 21, 2009
    Messages:
    4,062
    They're blocking DNS over HTTPS, or DNS over TLS?

    DNS over TLS is readily identifiable, DNS over HTTPS uses 443 and they'd have to do meaningful work to block it - unless they are simply blocking a few of the most well known global NS servers like Cloudflare.

    If you've only tried Cloudflare, you can try hitting up some of the other DNS-over-HTTPS-supporting servers on the internet like:

    OpenDNS: 208.67.222.222 / 208.67.220.220
    Google: 8.8.8.8 / 8.8.4.4
    Quad9: 9.9.9.9 / 149.112.112.112
    AdGuard: 94.140.14.140 / 94.140.14.141
     
  15. Nettdata

    Nettdata
    Mr. Toast

    Reputation:
    2,863
    Joined:
    Feb 14, 2006
    Messages:
    25,737
    I should clarify that their default DNS entries in their DHCP router configs are their own servers, and those servers are not resolving the known/used servers over https (as in Firefox cannot reach their default DNS over HTTPS hosts). I can connect into a VPN and it works, but when I use their default configs, it won't.
     
  16. Binary

    Binary
    Emotionally Jaded

    Reputation:
    383
    Joined:
    Oct 21, 2009
    Messages:
    4,062
    So your setup is: ISP hands your router their DNS server > your local devices use your router as their DNS server? That's usually the default.

    What happens if you override the ISP's DNS server settings - either on your router (set your router's DNS servers manually) or on the client devices?
     
  17. Nettdata

    Nettdata
    Mr. Toast

    Reputation:
    2,863
    Joined:
    Feb 14, 2006
    Messages:
    25,737
    I can totally get it to work by specifying my own DNS.

    My point is that the ISP is hiding or disabling that feature with their default settings.

    I didn’t mean to imply I couldn’t get it to work, just saying that the ISP is not helping the cause.
     
  18. Juice

    Juice
    Moderately Gender Fluid

    Reputation:
    1,382
    Joined:
    Oct 19, 2009
    Messages:
    13,397
    Location:
    Boston
    Great write-ups @Binary. Been following along as well. Apparently OpenDNS doesn't actually support IPv6? Lame.
     
  19. Binary

    Binary
    Emotionally Jaded

    Reputation:
    383
    Joined:
    Oct 21, 2009
    Messages:
    4,062
    Ahhh... I misunderstood. Thought you were relying on a VPN to provide you with this service - just wanted to make sure you checked to see if the VPN was actually necessary.

    @Juice OpenDNS has supported IPv6 for... I don't know. A long time now. Many years.

    https://support.opendns.com/hc/en-us/articles/227986667-Does-OpenDNS-Support-IPv6
     
  20. Nettdata

    Nettdata
    Mr. Toast

    Reputation:
    2,863
    Joined:
    Feb 14, 2006
    Messages:
    25,737
    Nah, I'm getting old and didn't articulate my words properly.