Simple solution
» encrypted.google.com/
I also recommend Firefox users try HTTPS-Everywhere.

hayabusa3303 Over 200 mph Premium Member join:2005-06-29 Florence, SC
humm
They want to track us, make a buck and cap us to death and charge us up the ass if we go over? Keep up the good work ISPs. Your business model is slowly going to crap.

mleland Premium Member join:2002-12-17 Westwood, CA
2011-Aug-5 11:17 am
Wire tap laws?
Just imagine if the old phone company didn't have to follow wire tapping laws. It is clearly WAY past time for a MAJOR update to the wire tapping (privacy) laws.
Yes I know all about warrant-less wire tapping.... We are talking about a private company here using that data for profit without any notification or consent... not the gov't for criminal activity.

firephoto Truth and reality matters Premium Member join:2003-03-18 Brewster, WA
Don't use ISP DNS
Use a public DNS server and don't fall for the tricks from the ISP that make you think you need to use their DNS.

Questions answered in this thread...
I'm one of the Netalyzr developers, and will attempt to answer questions in this thread. I may have intermittent connectivity, so please be patient.

SkellBasher Yes Sorto, I'll take my Prozac join:2000-10-22 Niagara Falls, NY 1 edit
Paxfire is shady
Although I'm not at one of the ISPs listed, we use Paxfire appliances for DNS redirection for our customers. (I hate it, but my objections were overruled by our owner.)
Even though we ONLY use them for NXDOMAIN redirection, we've caught them performing this search hijacking in the past. The first time, they told me that they were requested to make the change by an individual that hadn't worked for us in 3 years. I raised hell about it, and they reverted it. Since then, I've been watching for it, and they've made 'configuration mistakes' to turn this back on more than a few times.
I very much suspect that they're intentionally turning this on without ISP knowledge to increase revenues, reverting it when they get caught.
EDIT: I wasn't running a check for Bing, since it's almost never used. I decided to look, and sure enough, they were proxying Bing without our consent.
Shady shady... can't wait to get rid of them.

to mleland
Re: Wire tap laws?
The legal complaint specifically concerns the wiretap act amongst other complaints.

to nweaver
Re: Questions answered in this thread...
Will changing DNS servers fix this problem?
Verizon is not on the current list of ISPs, but there's no assurance they won't try to tap that revenue stream in the future.

kaila join:2000-10-11 Lincolnshire, IL
to DataRiker
Re: Simple solution
Not sure about this, but couldn't SSL still be vulnerable to man-in-the-middle type attacks if ISPs are proxying the traffic?

No.
SSL uses endpoint mutual authentication.

to hayabusa3303
Re: humm
Keep up the good work ISPs. Your business model is quickly going to crap.
FTFY

to SkellBasher
Re: Paxfire is shady
Seen it happen more than once with this company.

toby Troy Mcclure join:2001-11-13 Seattle, WA
to DataRiker
Re: Simple solution
Thanks, great software to use, just installed it. Coming back to this site redirected it to secure.dslreports.com

to firephoto
Re: Don't use ISP DNS
My TWC provided router seems to be missing (by design) the option to choose my own DNS server. Any suggestions as to how I can get around this?

NetFixer From My Cold Dead Hands Premium Member join:2004-06-24 The Boro Netgear CM500 Pace 5268AC TRENDnet TEW-829DRU
to birdfeedr
Re: Questions answered in this thread...
said by birdfeedr: Will changing DNS servers fix this problem?...
Not using your ISP's DNS servers will only help with NXDOMAIN redirection. It will not stop packet inspection that redirects traffic based on the search engine (that you think you are using) and/or the search terms being used.

openbox9 Premium Member join:2004-01-26 71144
to hayabusa3303
Re: humm
Actually, the business model is improving. It's the consumers' approval of the business model that is deteriorating.

openbox9
to byteme
Re: Don't use ISP DNS
Identify the DNS server addresses on your local computer(s)...or use a different router

to birdfeedr
Re: Questions answered in this thread...
YES, changing DNS fixes this problem.
THIS particular tampering was based on changing DNS results from the recursive resolver, so using a third-party DNS (e.g., Google Public DNS) fixes the problem.

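An added example, not part of any post in this thread: a Python sketch of the two checks discussed above, whether a resolver rewrites NXDOMAIN and whether its answer for a search host differs from a reference resolver's. The function names, the probe and search hostnames, and the documentation-range addresses are assumptions made for illustration.

```python
import struct

def build_query(name, txid=0x1234):
    """Wire-format DNS query for an A record, recursion desired."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def skip_name(msg, off):
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while True:
        n = msg[off]
        if n == 0 or n & 0xC0 == 0xC0:
            return off + (1 if n == 0 else 2)
        off += 1 + n

def parse_response(msg):
    """Return (rcode, set of IPv4 addresses in the answer section)."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            addrs.add(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    return flags & 0x000F, addrs

def check(isp_probe, isp_search, ref_search):
    """Compare the ISP resolver's replies with a reference resolver's."""
    findings = []
    rcode, addrs = parse_response(isp_probe)
    if rcode != 3 and addrs:                   # 3 = NXDOMAIN
        findings.append("nxdomain-rewritten")
    isp, ref = parse_response(isp_search)[1], parse_response(ref_search)[1]
    if isp and ref and isp.isdisjoint(ref):    # CDNs can differ too: review, not proof
        findings.append("search-answer-differs")
    return findings

def sample(name, rcode, ips):
    """CONSTRUCTED reply bytes (documentation addresses), not captured traffic."""
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)
                   + bytes(map(int, ip.split("."))) for ip in ips)
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, len(ips), 0, 0)
    return hdr + build_query(name)[12:] + rrs
```

To run it against real resolvers, send the output of `build_query()` over UDP port 53 to each one and pass the raw replies to `check()`.
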
dcurrey Premium Member join:2004-06-29 Mason, OH
to byteme
Re: Don't use ISP DNS
Change DNS in your computers. See » store.opendns.com/setup/ ··· omputer/ to set up with open dns. You could just change servers to 4.2.2.1 and 4.2.2.2 for level 3. 8.8.8.8 and 8.8.4.4 for google. Think I have them right.

openbox9 Premium Member join:2004-01-26 71144
to SkellBasher
Re: Paxfire is shady
So external companies have access to devices on your network to make configuration changes? Wow.

SkellBasher Yes Sorto, I'll take my Prozac join:2000-10-22 Niagara Falls, NY
That's how they're set up, yes, inline with the DNS servers.
It's a terrible solution, and one that I objected to mightily. However, I was overruled by people who sign my checks.

openbox9 Premium Member join:2004-01-26 71144
2011-Aug-5 1:16 pm
I can't believe any knowledgeable network security officer would go for something like that.

to firephoto
side note: Profile your DNS servers
On a side note: profile your DNS servers you plan to use. I use opendns for the extra features like anti-phishing help, but choosing ones that perform better than your ISP's will help. This utility from SecurityNow podcaster Steve Gibson can help: » www.grc.com/dns/benchmark.htm

InfinityDev
to kaila
Re: Simple solution
Yes, if ISPs are inserted into the SSL certificate chain. Most ISPs don't do this but censored countries and many corporate networks, for example, do this. When in the certificate chain they can proxy SSL traffic silently and eavesdrop on the traffic going through the connection. "Steve explains why and how world governments are able to legally compel their national SSL Certificate Authorities to issue Intermediate CA certificates which allow agencies of those governments to surreptitiously intercept, decrypt, and monitor secured SSL connections of any and all kinds." » www.grc.com/sn/sn-243.htm

SkellBasher Yes Sorto, I'll take my Prozac join:2000-10-22 Niagara Falls, NY
to openbox9
Re: Paxfire is shady
I laid out the (significant) risks. The owner overruled me, and said to do it anyways. My only option to not put this in place was to quit, and that wasn't an option.
I made significant network changes because of this to ensure that the remainder of the network was protected, and the only things they could reach were walled off from everything else. I also have things set up in such a way that if they do anything I don't like, I can disconnect their equipment within seconds, and move us back to 'clean' DNS infrastructure. I've done this a few times, and Paxfire starts screaming instantly because revenues stop.
It sucks, but unless the bank lets me skip a few mortgage payments, it's what I have to do.

Matt3 All noise, no signal. Premium Member join:2003-07-20 Jamestown, NC
to DataRiker
Re: Simple solution
This is done at the DNS layer, SSL doesn't matter.

Matt3
to firephoto
Re: Don't use ISP DNS
said by firephoto: Use a public DNS server and don't fall for the tricks from the ISP that make you think you need to use their DNS.
Excellent suggestion for stopping this type of hijacking.

zefie join:2007-07-18 Hudson, NY 1 edit
to DataRiker
Re: Simple solution
Just installed it. Irony is this site fails it. At least for me.
secure.dslreports.com uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
Edit: Oddly only Firefox (v5.0.1, fresh install) is doing it.

|
to birdfeedr
Re: Questions answered in this thread... |
|
|
to InfinityDev
Re: Simple solution
There is a solution though. It's called TOR and it allows encrypted traffic to proxy servers through which you can browse the regular internet. I'm not aware of any exploit against TOR at this time that would allow man-in-the-middle as it doesn't use the SSL chain of trust. Though there is speculation that if a government provided a proxy node they could potentially identify some users. The probability is extremely low that this would succeed due to the onion routing, though it is technically possible. The only issue to deal with is that TOR is slow (because of the onion routing). TOR has been a documented resource in allowing people in oppressive totalitarian regimes to bypass the censorship regimes and provide real information flow.
The beauty of TOR over generalized proxies is that the traffic is routed through multiple proxies before source and destination, thus shielding both sides from oppressive government (or ISP in this case) action.