The Serpent

// Cursing the Internet since 1998

Simple steps to making your online life a little less, snooper-friendly

Posted November 29, 2016 Infosec

There’s a lot of talk in the UK about the new “Snoopers Charter” that’s threatening to destroy the very fabric of the Internet (again). As I get older, I find myself worrying less and less about things like this, for two reasons:

  1. The Internet has survived countless attacks on privacy since it was born
  2. It’s always been relatively easy to protect against these intrusive laws

Luckily for us, law moves at a much slower pace than technology, so by the time these laws finally come into practice (actual enforcement is another matter!) there are already 101 ways that they are redundant, and this one is no exception.

So let’s look at some real user-friendly ways to ensure you can remain private at the click of a few buttons. Remember, if you end up on a GCHQ target list, you’re going to get hacked one way or another – that hasn’t changed since World War II, so let’s not get too worked up over this, shall we?

VPNs, baby – there’s a reason you’re hearing a lot about them

You’ve probably heard folks screaming ‘VPN!’, usually in a smug fashion that doesn’t really tell you much. VPN stands for Virtual Private Network (not much help there, I know). A VPN is a service – it allows you to encrypt your traffic, send it to someone else (a trusted provider), and then they access the big bad internet on your behalf, returning the contents to you, encrypted of course.

This is a good solution in a couple of ways, the most important being that the data you exchange between the VPN provider and yourself is encrypted. Even for governments, brute forcing this encryption is hard work – so you can be sure your ISP isn’t seeing it (and therefore can’t record it).

The downside to VPNs is that you had better trust the provider who’s handling your traffic. This is where reputation comes into play. If they are the kind of provider who hands over traffic at the mere whiff of a subpoena, you may as well just hand your data over to the government yourself. On the other hand, if they are based outside of the UK, complicated legal battles can actually be a good thing for once.

There are a few good ones to choose from, but if you’re going for pure simplicity – check out the Opera web browser. It has a VPN service built right into it. It’s free and unlimited and based in the nicest place on Earth – Canada. The VPN itself is provided by SurfEasy, and at the click of a button, can be enabled for all your browsing traffic.

Getting technical – DNS and TLS still leak data

Whoever provides your VPN, once you’ve got it set up and enabled, your data is being nicely encrypted and safe from prying governments/ISPs/Food Standards Agencies. Yet there are still a couple of other ways your ISP could collect logs (there’s no mention of them doing this yet, but it makes sense that they would) – using your DNS queries and TLS handshakes.

DNS – The Internet’s phone book

If you’re lucky, your VPN provider is protecting your DNS traffic. But not all of them do, so you had better check this fact before handing over any money. If they do not protect DNS traffic, you’re announcing the hostname of every site you visit to your ISP before visiting.

DNS allows your computer to locate the actual IP address of the website you’re wanting to get to. Before visiting, it sends a loud unencrypted “HEY, WHATS THE ADDRESS OF FARTFETISHPORN.NET?” packet through your ISP to a DNS server. Even if the VPN takes over to protect the actual traffic to the site, hasn’t the damage already been done?

Unfortunately protecting DNS traffic is a little harder – it’s a really old protocol, and all the attention lately has been on protecting the other end (the phone book entries), not the people performing lookups. So your best bet is either:

  1. Make sure your VPN provider encrypts DNS traffic
  2. Use a service such as DNSCrypt

The second option usually requires a client to be installed on your device, but once done – you can access the Internet phone book without the ISP looking in.

TLS – Good enough?

Realistically, when the government asks an ISP to “record the sites you visit”, this actually translates to “record all the PLAINTEXT requests we can see”. This is because your ISP can’t man-in-the-middle your encrypted traffic without forcing you to install a certificate on your device (FYI don’t install any ‘certificate updates’ from your ISP in coming years!). So surely sites using TLS are nice and safe right?

Not quite – when TLS starts negotiating the cipher suites, hash algorithms and all the other mathematical wizardry it does on a daily basis, it actually announces the certificate’s common name right there in plain text. ISPs can easily scoop this up to get the domain name you’ve requested, but no more (e.g. they can see you went to ‘www.facebook.com’, but not ‘www.facebook.com/playboy’).

There’s no great solution to this right now except to use a VPN service, but it may be fixed in the upcoming TLS 1.3 draft. For now, you’ll just have to make sure you’re using a VPN service that’s trusted and encrypts DNS traffic, a combination that will also secure your TLS handshakes and everything else.
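To make the two leaks above concrete, here is an added example (not from the original post) that pulls out exactly what an ISP can read off the wire without touching any encryption: the QNAME in a plain DNS query, and the hostname a TLS ClientHello announces in its Server Name Indication extension. The DNS packet and the ClientHello builder are constructed by hand for the demonstration, and the host names are placeholders.

```python
import struct

# Constructed sample DNS query for "example.net" (built by hand, not captured traffic).
DNS_QUERY = (
    b"\x12\x34" b"\x01\x00"               # transaction ID; flags: standard query, RD
    b"\x00\x01\x00\x00\x00\x00\x00\x00"    # 1 question, 0 answer/authority/additional
    b"\x07example\x03net\x00"              # QNAME as length-prefixed labels, in the clear
    b"\x00\x01\x00\x01"                    # QTYPE A, QCLASS IN
)

def dns_qname(packet: bytes) -> str:
    """Return the hostname asked for in a plain DNS query (RFC 1035 wire format)."""
    pos, labels = 12, []                   # skip the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name type, len
    ext = struct.pack("!HH", 0, len(sni)) + sni                      # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                                # version, client random
            + b"\x00"                                                 # empty session id
            + b"\x00\x02\xc0\x2f"                                     # one cipher suite
            + b"\x01\x00"                                             # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def tls_sni(record: bytes):
    """Return the hostname in a ClientHello's SNI extension, or None if there is none."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                                   # not a TLS handshake record / ClientHello
    pos = 5 + 4 + 2 + 32                              # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                            # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                            # compression methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:                             # walk the extensions
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:                             # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None
```

Both functions work purely on the bytes every middlebox on the path already sees, which is the point: neither the DNS lookup nor the handshake needs to be decrypted for the hostname to be logged.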

So VPNs are a good thing – just make sure you pick wisely.

Private Internet Access
US-based company. Cheap, reliable and with a multinational presence. They have a history of fighting legal requests for customer data.

ProtonVPN
Swiss-based service from the folks who brought us ProtonMail. Excellent service with multiple tiers ranging from free to premium. Built-in Tor support and public transparency reports.

Written by John Payne