Originally published at: https://boingboing.net/2019/05/15/dpi-nein.html
VPN reason number … ah, who’s counting anyway…
How is this different from ‘postal service wants the right to read all of your mail’ or ‘telco wants the right to record all of your calls’?
I think Jack Handey put it well when he said:
“Consider the daffodil. And while you’re doing that, I’ll be over here, looking through your data packets stuff.”
Yep, this. If there was a way for your electricity provider to discover what you are using those pressurized electrons for, that would also be a thing they’d like to do.
I believe it’s true, but can we confirm that VPN’d packets will be impermeable to DPI? My take is that the encryption would have to be broken first, which is a whole topic in itself, but I like and want to believe that VPN will be a force against all this intrusion for the foreseeable future.
This seems like a lot of FUD. DPI isn’t magic. It can’t decrypt your data (you need some sort of MITM for this). What it can do is see what sites you visit and try to guess what kind of traffic it is based on ports and other characteristics. These are things that any router or firewall will do to some degree. Use encryption and VPNs if you’re really paranoid.
I’m actually kind of surprised this didn’t end with some sort of “lifetime” subscription offer though the store.
They will know you’re connecting to a VPN but as long as you’re using good encryption all they will see is a channel between you and your VPN provider. That said they could just as easily deprioritize VPN traffic over other traffic.
The way to break VPN is a Man in the Middle attack. Many corporations will use a proxy to perform a MITM on all encrypted traffic.
Just assume everything is tracked when you’re on a corporate network. That said VPN is typically immune to MITM because of how the traffic is encrypted.
Most client based VPNs are little more than a TLS connection. When local certificate authorities are added and corporate certs are installed on a machine, it’s trivial.
It’s bad enough that my electron provider can estimate how much pressure is required to meet the electron consumption budget of a typical house in my statistical sample, which accounts for my lack of a home indoor garden.
Help me understand. If I am using a standalone VPN client that I was provided by my independent, third party VPN provider, is that pretty secure? AFAIK and presumably, it would come with its own certificates, not using the one that’s installed via my OS (like the keychain on Mac OS, or… whatever on Windows).
It depends. Generally all someone can see is the encrypted blobs flying around but can’t do anything with them without the private key. Even more so if you’re using pre-shared keys without relying on a PKI. If you’re on a guest Wi-Fi you’re probably pretty safe.
@anotherone’s point is if you have a corporate managed device on the corporate network, assume everything you do is duly monitored even if you think it’s encrypted unless you take special steps to ensure you’re safe. (And even then a motivated IT staff can detect your shenanigans and just kick you off the network.)
Here’s your biggest clue - go visit a VPN provider website where they answer your question. Almost all of them say “Yes and no”, “it greatly reduces your chances”, or something similar. Once your machine explicitly trusts the proxy, it’s game over. On a corporate network, that’s easy to do. The endpoint client thinks it is connected via VPN but it’s not. It’s connected to the proxy and the proxy is decrypting the traffic for DPI.
@ficuswhisperer @anotherone: Yes, on a corporate network, or using the corporate VPN, definitely assume that they can easily see your traffic. I just want some level of assurance that my encrypted blobs are really hard to get at until they are spit out into the wide open internet ocean at the VPN provider’s point of presence.
I think that @anotherone is saying that it depends on the implementation. And what the VPN provider is doing. And if you trust them.
Because your legislator (to the degree he cares) probably understands that reading mail or tapping phones are viscerally Orwellian; but just glazes over and acquiesces when people start emitting nerd words that imply doing exactly the same thing to the (generally even more informative) internet links but sound serious and technical?
It depends on your attacker and their objective. The problem is, virtually all popular attempts at Internet encryption are weakened by the “Efficiency” attack. That is, almost all of our encrypted links still attempt to avoid lag and unnecessary traffic. This means almost all current Internet encryption yields its secrets to traffic analysis.
It is almost impossible to disguise WHEN you start and stop using the Internet. The only way to avoid leaking this info would look like an invariant, constant bit rate, encrypted tunnel to some location that is inaccessible to your attackers. But, we don’t have that because it would quickly blow past our data-caps. Or, if the data-rate was so low that it stayed under our data-cap, using it would be slow and laggy as hell.
WHEN doesn’t sound like much, but there are a lot of people who would pay to know the when, what days, and how long of your Internet life.
Next, because almost all of our encrypted links are efficient, that is, they are responsive, and have real-time variability in the data-rates, modern traffic analysis can expose the nature of the encrypted traffic.
One way to do a Traffic Analysis attack is to bring up a VPN and then carefully measure how the data-rate changes over time as you connect to the 1000 or so most significant Internet destinations. Once you know those signature patterns, you can detect them as they pass through almost any encrypted tunnel. Of course you have to update your recorded signatures as the Internet changes, but once a day is probably good enough.
This kind of traffic analysis is easily automated. It is probably within reach of many governments and corporations.
The countermeasure is to bring up an invariant, constant bit rate, encrypted tunnel to somewhere beyond the reach of your attackers. But, even if we don’t mind leaking the WHEN of our Internet access, the price of this kind of service is quite high. Normal VPN service has economy of scale. The more customers, the cheaper to service each, and the greater percentage of profit. But invariant connections scale linearly. 1 customer uses X bandwidth. 1000 customers use 1000 X bandwidth. Most servers and providers don’t want to offer this service. There is less incentive to grow.
I made a video that demonstrates Traffic Analysis for my students. It is available at: https://www.youtube.com/watch?v=sc81fG04F-o
Defeating Traffic Analysis is so hard, that it is much easier to do as ficuswhisperer suggests and use a guest network somewhere. It is usually enough to break the link back to you.
Personally, I have looked for years for a Linux tool that would work with SSH to create an invariant, constant bit rate connection. I have never found it. If anybody knows of something like this, please speak up.
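To make the constant bit rate argument in the post above concrete, here is an added example of my own (not the poster’s video or any tool from the thread): a small Python simulation that shapes a bursty application stream into fixed-size cells at a fixed rate, padding with dummy cells, and reports what an on-path observer sees along with the bandwidth and backlog cost. The cell size, tick length and traffic numbers are constructed assumptions.

```python
"""Simulate a constant-bit-rate (CBR) tunnel versus an 'efficient' one.
Added illustration; constants and traffic are constructed, not measured."""

CELL_BYTES = 512   # fixed on-wire cell size (assumption)
TICK_MS = 100      # scheduling interval in milliseconds (assumption)

# Constructed application traffic: bytes the client wants to send per tick.
# The burst shape is what a traffic-analysis observer would fingerprint.
BURSTY_TICKS = [0, 0, 4000, 9000, 1200, 0, 0, 0, 6000, 300, 0, 0]


def leaks_shape(on_wire):
    """True if the per-tick byte counts vary, i.e. the pattern is observable."""
    return len(set(on_wire)) > 1


def cbr_shape(ticks, cells_per_tick):
    """Emit exactly cells_per_tick fixed-size cells every tick, no more, no less.
    Real data fills cells first; leftover capacity is sent as dummy padding.
    Data that does not fit waits in a queue (added latency).
    Returns (on_wire_bytes_per_tick, padding_bytes, max_backlog_bytes, ticks_used)."""
    capacity = cells_per_tick * CELL_BYTES
    queue, padding, max_backlog = 0, 0, 0
    on_wire = []
    t = 0
    while t < len(ticks) or queue > 0:
        queue += ticks[t] if t < len(ticks) else 0
        max_backlog = max(max_backlog, queue)
        sent = min(queue, capacity)
        queue -= sent
        padding += capacity - sent      # dummy cells keep the rate constant
        on_wire.append(capacity)        # observer sees the same count every tick
        t += 1
    return on_wire, padding, max_backlog, t


if __name__ == "__main__":
    print("efficient tunnel leaks shape:", leaks_shape(BURSTY_TICKS))
    for cells in (8, 4):
        wire, pad, backlog, used = cbr_shape(BURSTY_TICKS, cells)
        print(f"CBR {cells} cells/tick: leaks={leaks_shape(wire)} "
              f"padding={pad}B backlog={backlog}B time={used * TICK_MS}ms")
```

The two rates show the trade-off the post describes: the faster tunnel drains in the original 12 ticks but sends more padding than real data, while the slower one pads less and falls behind by over 10 KB.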
Yes, opaque CBR traffic is the gold standard but as you say, expensive. I wonder how much benefit you could squeeze out of jittering latency on a per-packet basis. Admittedly it would have negative performance consequences, but omelette, eggs, etc.
On your home or private network, using a VPN provider is about trust and implementation. Your VPN provider can see all of your encrypted blobs if they want to and there is no way to know if your VPN provider isn’t a business run and operated by some nation’s security agency, private data mining interests, or some other bad actor. It’s a trust relationship and it’s hard to know who to trust. Even if you find someone you trust, you have to be concerned about implementation. A poorly implemented VPN isn’t very secure.
I don’t get the obsession with scanning network traffic considering if a criminal wants to do something they’ll likely use end to end encryption. Even if they deduce from traffic what might happen it’s doubtful it’ll be reliable enough to stop whatever was being planned.