Comments on news posted 2014-05-16 12:16:45: Aside from noting that streaming video users consume more bandwidth and Netflix now unsurprisingly accounts for a solid third of all Internet traffic, Sandvine's report this week also suggested a solid spike in encrypted traffic in both the U.S. ..


TuxRaiderPen

join:2009-09-19

What are you snooping at... move along....

said by Karl Bode:
Europe saw encrypted traffic jump from 1.47% to 6.10% in one year, with the U.S. seeing a bump from 2.29% early last year to 3.80% this year.
Notice the HUGE JUMP in the EU v. the US!

This mirrors my own data.. Many clients were not in the least bit upset, or care at all about this, and this included an accountant for one. They just didn't care. While I am going around changing things...

said by Karl Bode:
The one-two punch of Snowden revelations prompting more secure behavior -
CHECK! I require all domains be SSL now. I don't host any domain without it.

Along with all email servers set for encrypted connections only. So if you're emailing me or my clients, you better support an encrypted connection otherwise we won't be getting your mail.

said by Karl Bode:
- and an increased use of VPN and proxy services to dodge anti-piracy efforts
VPN connected to rotating places to surf and connect to various things. Along with the above. And the use of my own private proxies too. I could be in just about one of 30 places at any given time.
--
1311393600 - Back to Black.....Black....Black....

Want health care? Get a job! No to ACA! No to USNHS or USHIP or anything like them!
Job = Benefits = Health care, simple.


noobieOCC

@74.115.237.x
Nice, but why do you need to encrypt everything? You deal with defense contracts? HIPAA? Financial records (whom the govt already knows where and how much). Some people just get too paranoid for their own good. Wanna be and stay secure? Get off the grid.


Probitas

@206.248.154.x

Good

Government should have to work at spying, it should not come easy, otherwise I wouldn't classify it as spying behavior, I'd say it was just free information.


motoracer

join:2003-09-15
united state

How secure...

How secure are VPNs from prying eyes? I've used Astrill for over a year, but I don't truly know how secure it is.


battleop

join:2005-09-28
00000
reply to TuxRaiderPen

Re: What are you snooping at... move along....

"Many clients were not in the least bit upset, or care at all about this, and this included an accountant for one. They just didn't care. While I am going around changing things."

Same here. They just don't care.

Most people don't know (or care) that VoIP traffic is in the clear and it can be easily captured and played back with wireshark. To combat this earlier this year we began to run GRE tunnels over IPSEC to encrypt our customer's voice between their offnet location and our network. Maybe 1 customer actually cared that we did this. The rest didn't care or understand why we were doing it.
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.


battleop

join:2005-09-28
00000
reply to motoracer

Re: How secure...

I'm sure it's possible to break the encryption but is the effort worth the reward? If I want to read your email is it worth the effort to break into your VPN to catch it between you and your mail server or is it easier to go elsewhere and catch your email traffic between mail servers?
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.


tshirt
Premium
join:2004-07-11
Snohomish, WA
kudos:5
reply to noobieOCC

Re: What are you snooping at... move along....

said by noobieOCC :

Financial records (whom the govt already knows where and how much).

Which/who's /how many govt's and/other profit seeking groups MIGHT make a difference though.


caedmon

@67.1.141.x
reply to battleop

Re: How secure...

quote:
If I want to read your email is it worth the effort to break into your VPN to catch it between you and your mail server or is it easier to go else where and catch your email traffic between mail servers?
Hence the need for encrypted email. If I encrypt my email then I do not need a secure channel to get it to you since it will be encrypted end-to-end. Of course you may attack the endpoints and get to the message before encryption or when the recipient is reading the message.

Skippy25

join:2000-09-13
Hazelwood, MO
reply to battleop
I am not a security expert by any means, but I am pretty sure that it can't be broken without physical access to one of the encrypted ends once that connection is made.


battleop

join:2005-09-28
00000
reply to caedmon
It's really too late to do universal server-server encryption. There are thousands of different mail servers out there. It would be nearly impossible to get everyone to agree on a standard and then implement it.
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.


battleop

join:2005-09-28
00000
reply to Skippy25
It can be done with a man in the middle attack but it goes back to the effort to reward payback plus there are often other points of failure where you can get information you want.
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.

ptbarnett

join:2002-09-30
Lewisville, TX
reply to battleop
said by battleop:

It would be nearly impossible to get everyone to agree on a standard and then implement it.

The standard already exists (SMTP TLS). And all the modern mail transfer agents (sendmail, Postfix, etc.) already support it.

All you have to do is enable it. When another MTA connects to your mail server, it will ask if you support TLS, and negotiates the connection if you do.

Look in the headers of a random email message in your inbox, and you may find something like this:

Received: from xxx.example.com ([123.345.789.000])
by mx.google.com with ESMTPS id asdfsdfsfsjkldf.2014.05.16.10.56.47
for battleop@gmail.com
(version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Fri, 16 May 2014 10:56:48 -0700 (PDT)


If the sender's email server supports TLS and sends to a Google email server, it will be encrypted. It's been that way for a while.


battleop

join:2005-09-28
00000
I didn't realize it was universally accepted now. I've not done full time email server admin in about 5-6 years and at that time running TLS on some mail servers would cause strange delivery problems.
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.

TuxRaiderPen

join:2009-09-19
reply to ptbarnett
said by ptbarnett:
All you have to do is enable it. When another MTA connects to your mail server, it will ask if you support TLS, and negotiates the connection if you do.
Ahhh..but there is the rub... FEW actually ENABLE IT. Trust me... I've had tons of howling over this...it is widely DISABLED.

We refuse any non secure email now.. too bad... it is either sent on a secure connection or go away!
--
1311393600 - Back to Black.....Black....Black....

Want health care? Get a job! No to ACA! No to USNHS or USHIP or anything like them!
Job = Benefits = Health care, simple.

TuxRaiderPen

join:2009-09-19
reply to noobieOCC

Re: What are you snooping at... move along....

quote:
Nice, but why do you need to encrypt everything? You deal with defense contracts? HIPAA? Financial records (whom the govt already knows where and how much). Some people just get too paranoid for their own good. Wanna be and stay secure?
Your response is typical of that I received. It doesn't matter whether I deal with anything that might need it by law. The point of the matter is that agencies are hoovering it up. Regardless of the need, legality, etc...

It is all encrypted and they can now put all those computers to work out in UT to break it.

There are legal steps and procedures to do this kind of snooping, the program as it exists now lacks any legality excepting that which the government may manufacture at will as needed to cover their asses, oversight, especially oversight.

Your response was the typical US response.

Those who were not receptive to my changes, were sent packing.

Just like the email that stopped coming once only secure connections were accepted. Too bad, set up your servers properly.

More is coming.. roll out of encrypted file systems from server down to desktops and laptops. Encrypted email at the program level meaning it will be encrypted when sent on a secure channel.

The changes I can force quickly and easily like SSL only on http, secure email connections were the quick easy low hanging fruit... more needs to be done, and is in progress.

Again.. nearly a 2:1 rise versus a nearly unnoticeable rise.. and you now know how this slipped past most Americans, myself included.

The US will be taking the fallout for this for decades to come on many fronts costing many US companies lots of $$$$. Already has.

A recent EU court decision on privacy shows just how much more privacy there is valued than in the US.

quote:
Get off the grid
Typical, but that is not possible unless you're some kind of tree hugger zealot, and have a real life.
--
1311393600 - Back to Black.....Black....Black....

Want health care? Get a job! No to ACA! No to USNHS or USHIP or anything like them!
Job = Benefits = Health care, simple.

ptbarnett

join:2002-09-30
Lewisville, TX
reply to TuxRaiderPen

Re: How secure...

said by TuxRaiderPen:

Ahhh..but there is the rub... FEW actually ENABLE IT. Trust me... I've had tons of howling over this...it is widely DISABLED.

I already showed how Google Mail has SMTP TLS enabled.

And here, you can see how sending email from a Yahoo account to a Gmail account uses TLS:

Received: from nm31.bullet.mail.ne1.yahoo.com (nm31.bullet.mail.ne1.yahoo.com. [98.138.229.24])
by mx.google.com with ESMTPS id asdfasff.21.2014.05.16.14.19.56
for TuxRaiderPen@gmail.com
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Fri, 16 May 2014 14:19:56 -0700 (PDT)

I am sure a lot of smaller mail servers haven't bothered to enable TLS. But, the big email providers, accounting for a very large portion of email address, have enabled TLS.

Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1
reply to battleop
This is why I always compare network and data security to physical security. The idea is not to prevent access but to make the effort needed worth more than the reward gained from getting access.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports

15444104
Premium
join:2012-06-11
reply to Probitas

Re: Good

Exactly, every effort should be made to inhibit, frustrate, and prevent access since in the USA it essentially VIOLATES our 4th Amendment Constitutional Rights! If the Founding Fathers had the technology we do today they would have DEFINITELY made it unconstitutional under the 4th Amendment to search electronic communications and data.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to ptbarnett

Re: How secure...

said by ptbarnett:

I am sure a lot of smaller mail servers haven't bothered to enable TLS. But, the big email providers, accounting for a very large portion of email address, have enabled TLS.

Probably among the smallest ISPs in the U.S.:
Received: from [192.168.102.222] (reki.aosake.net [173.228.7.217])
        (authenticated bits=0)
        by d.mail.sonic.net (8.14.4/8.14.4) with ESMTP id s3K2BnPK031067
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT)
        for <**********@pacbell.net>; Sat, 19 Apr 2014 19:11:50 -0700
 

Almost certainly the largest:
Received: from FamilyPC ([24.20.126.137])
        by omta12.emeryville.ca.mail.comcast.net with comcast
        id ALxH1n00D57wvhC8YLxHpy; Sun, 05 Jan 2014 20:57:18 +0000
 

I need to find out if my Comcast correspondent is using SSL, because I thought Comcast allowed it.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

ptbarnett

join:2002-09-30
Lewisville, TX

Received: from FamilyPC ([24.20.126.137])
by omta12.emeryville.ca.mail.comcast.net with comcast
id ALxH1n00D57wvhC8YLxHpy; Sun, 05 Jan 2014 20:57:18 +0000

This looks like the initial submission of a message from a PC mail client to Comcast's mail server. If they haven't configured their mail client to use SSL/TLS, it won't do so -- even if Comcast supports it.

As a consequence, they may also be exposing their account password, if Comcast requires it when accepting email from a customer.

I use Mozilla Thunderbird. It configures itself to use SSL by default, at least when connecting to Google Mail. I believe that Outlook Express supports it, but I don't think it's by default.
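
The header check described in the posts above, as an added example that is not part of any post in this thread: a Python function that reads a Received header and reports whether the receiving server recorded TLS for that hop. The function and variable names are assumptions; the sample headers are ones quoted in the thread, with the recipient clause omitted.

```python
import re

# Received headers quoted in this thread, unfolded to one line each
# ("for <recipient>" clauses omitted).
THREAD_HEADERS = {
    "google": "from xxx.example.com ([123.345.789.000]) by mx.google.com "
              "with ESMTPS id asdfsdfsfsjkldf.2014.05.16.10.56.47 "
              "(version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); "
              "Fri, 16 May 2014 10:56:48 -0700 (PDT)",
    "sonic": "from [192.168.102.222] (reki.aosake.net [173.228.7.217]) "
             "(authenticated bits=0) by d.mail.sonic.net (8.14.4/8.14.4) "
             "with ESMTP id s3K2BnPK031067 (version=TLSv1/SSLv3 "
             "cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); "
             "Sat, 19 Apr 2014 19:11:50 -0700",
    "comcast": "from FamilyPC ([24.20.126.137]) "
               "by omta12.emeryville.ca.mail.comcast.net with comcast "
               "id ALxH1n00D57wvhC8YLxHpy; Sun, 05 Jan 2014 20:57:18 +0000",
}

TLS_COMMENT = re.compile(
    r"\(version=(?P<version>\S+)\s+cipher=(?P<cipher>\S+)\s+bits=(?P<bits>[^\s);]+)")
WITH_PROTO = re.compile(r"\bwith\s+(\S+)", re.IGNORECASE)
# RFC 3848 "with" keywords that mean STARTTLS was used on that hop.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def classify_hop(received):
    """Report what one Received header says about TLS on that hop."""
    text = " ".join(received.split())          # unfold continuation lines
    tls = TLS_COMMENT.search(text)
    proto = WITH_PROTO.search(text)
    proto = proto.group(1).upper() if proto else None
    result = {"protocol": proto, "tls": bool(tls) or proto in TLS_KEYWORDS,
              "version": None, "cipher": None, "bits": None, "warnings": []}
    if tls:
        result.update(tls.groupdict())
        if "RC4" in tls["cipher"].upper():
            result["warnings"].append("RC4 cipher suite (prohibited by RFC 7465)")
    if not result["tls"]:
        result["warnings"].append("no TLS recorded; hop may have been cleartext")
    return result

def report(headers=THREAD_HEADERS):
    """Classify every sample header, keyed by its label."""
    return {name: classify_hop(h) for name, h in headers.items()}

if __name__ == "__main__":
    for name, info in report().items():
        print(name, info)
```

Each Received header is written by the server that accepted the message, so a missing TLS comment is only absence of evidence: some servers do not log TLS details at all.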

WhatNow
Premium
join:2009-05-06
Charlotte, NC
Reviews:
·Time Warner Cable
reply to TuxRaiderPen

Re: What are you snooping at... move along....

Forget what the government is doing to spy on you stop the ad people from knowing more about your life than you do if you put it out on the internet in any form.

Wired.co.uk / Andy Greenberg had an article on how the apps like Secret and Whisper are not as anonymous as they think.

WhatNow
Premium
join:2009-05-06
Charlotte, NC
reply to battleop

Re: How secure...

Until everything is encrypted the spy services tend to take notice of the encrypted accounts because it stands out from the crowd.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to ptbarnett
said by ptbarnett:

I use Mozilla Thunderbird. It configures itself to use SSL by default, at least when connecting to Google Mail. I believe that Outlook Express supports it, but I don't think it's by default.

I am pretty sure the client has to be configured to use SSL; even T-Bird. I notice that the recent versions will automagically set up SSL for most of the "well-known" services; but I have to use the "manual override" to set up AT&T (Yahoo!) and my ISP accounts.

My Comcast correspondent is using MS Outlook 14.0; and probably defaulting to port 25.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


ImpldConsent
Under Siege
Premium
join:2001-03-04
Mcdonough, GA
Reviews:
·AT&T U-Verse
·magicjack.com

...which is why

I contribute to the encrypted traffic via Tor Project ... and if I really wanna be stealth, then it's Tails. I rarely require either one, but the tools are there if needed.
--
That's "MISTER" Kafir to you Mr. Munafiq


tc1uscg

join:2005-03-09
Clinton Township, MI
reply to noobieOCC

Re: What are you snooping at... move along....

Just send a bunch of random text/numbers/lets/special characters and make sure it's encrypted. Runs the spooks crazy.