this post was submitted on 21 Aug 2023
403 points (99.5% liked)
Europe
8485 readers
1 users here now
News/Interesting Stories/Beautiful Pictures from Europe ๐ช๐บ
(Current banner: Thunder mountain, Germany, ๐ฉ๐ช ) Feel free to post submissions for banner pictures
Rules
(This list is obviously incomplete, but it will get expanded when necessary)
- Be nice to each other (e.g. No direct insults against each other);
- No racism, antisemitism, dehumanisation of minorities or glorification of National Socialism allowed;
- No posts linking to mis-information funded by foreign states or billionaires.
Also check out [email protected]
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Switching DNS does jack squat for your privacy. Any telecom worth their salt can read all DNS requests no matter which DNS you talk to. They only don't filter content on alternative DNSes because they don't care about filtering/blocking in general unless forced to by law.
Using a VPN doesn't add privacy, it just swapps out who is monitoring your traffic. Many VPN services are actually owned/run by secret services or cooperate with them (like NordVPN). Others are directly run by criminals who use them to steal data or inject malware. Also, VPN providers also have ISPs that reside in countries. In the very best case it's not your ISP spying on you, but the VPN's ISP. In the worst case, you now have an ISP and a VPN provider spying on you.
Your own router/modem again does nothing at all for your privacy.
That's what I mean: people think they are doing privacy enhancing things, but actually what they are doing isn't helping at all.
As someone who knows a bit more about privacy in networking than watching the sponsored bits in YouTube videos, I agree with the examples you posed, but there are other technologies to fix your DNS leaking to your ISP. One of them being DNS over HTTPS. It's default in Firefox, and pretty hard to crack just like any other HTTPS query. All your ISP can know is that you're potentially making a DNS query. Another option is a local DNS server cache. Choose some domains you wanna be able to access, and diligently update your local cache using HTTPS from existing DNS servers every fortnight. Your DNS queries will never escape your LAN.
DoH is an actual improvement, that's true. But at the same time it's a meaningless one, since the ISP can just do a reverse DNS lookup of the IPs you are contacting, and there isn't really an option to hide the IP, unless you are using TOR or a VPN, but TOR sucks in real-world usage (and can also not really be trusted) and VPNs have been discussed before.
I worked on the "evil" side for ~7 years, in a company that made internet monitoring devices. Originally I was told it's only for debugging ISP network problems, but after a few years, when I was trusted enough in the company, they told me that a significant portion of our customers are actually secret services all around the world.
The foreign ones usually wouldn't just say that they are secret service, but they'd buy through other companies, which lead to some weird requests. For example, one time a small little British bakery asked for network monitoring equipment for their business. But they wanted the solution to be able to handle ~100 TBit/s, which was at that time roughly the total bandwidth of the whole UK plus some margin.
Some secret services, though, talked to us completely openly.
I've been at one ISP quite a few times at the department that handled secret service requests. I asked that guy what they do with our products, and he showed me the full suite that they are using. He entered a random phone number into the system, and an overview over the last year's activities of that guy showed up. It had a list with timestamps of every site he accessed. It had all emails (of his ISP account and also emails that were sent unencryped) and SMS that that guy sent and received. It had a full movement profile of that guy for the whole last year, including his visits to other countries. The system allowed the operator to easily find contacts of that guy, even through the movement profile. So you could e.g. list all users that were close to that user at a given time, or all users that are frequently close to that guy.
Tbh, it was a little shocking and eyeopening.
Well yeah, you cannot completely cut deduction off the table. Not even in the real world. The fact though that the internet makes it easier is of course true. Even Tor is vulnerable to deduction-based MITM attacks using nodes that log activity. Nowadays though I think it matters less and less what you access, since everything in the internet has been reduced to a handful of huge websites (fucking SEO). If you're in one of them, I doubt DNS info are going to be much of any use, apart from them having accessed Facebook, or YouTube. When I'm doing stuff I want hidden though, tor and DoH are a must.
Well, centralized services make it easier, not harder. Now secret services can just call up their contact at Facebook or any of the other services and they can not only monitor metadata but get content as well.