Current state of online privacy in the UK

jh Member

Privacy is something I care about and take steps to protect. We all know it's very bad in the UK and getting worse. I try to keep on top of changes in legislation and adjust my behaviour accordingly.

I must have missed something though. I don't normally pay attention to access logs but having recently put our site behind Incapsula, there is a nice list of all of the bots that access it. My ISP has a bot that is crawling pages on the site that are not indexed by search engines and could only have been known by monitoring my web traffic.

The whole site is also HTTPS-only, so my understanding of HTTPS would lead me to believe that they're proxying all of my HTTPS traffic to get the URIs (and maybe other stuff). I couldn't find much information about this online other than one purpose seems to be checking which sites David Cameron thinks are offensive and adding them to a blacklist.

Comments

  • It's called spying. Or your ISP just so happened to find your website.

    Whichever comes first.

    Either way, they're ignoring the robots.txt since well, it's your ISP. Just block the ranges after you've gathered enough IPs doing it.

  • Your ISP can't just transparently proxy your HTTPS traffic unless you install some trusted root cert in your CA.

  • TalkTalk did (and possibly still does) collect all URLs and follow you

    Thanked by 1linuxthefish
  • Affectionately known as "StalkStalk". Their system comes in two main parts:

    Deep packet inspection,
    DNS hijacking

    Neither should be able to inspect HTTPS traffic as @rds100 says

  • jhadley said: My ISP has a bot that is crawling pages on the site that are not indexed by search engines and could only have been known by monitoring my web traffic.

    Is that TalkTalk? They're doing it for security, checking the site for viruses etc. You should be able to disable that in your TalkTalk account if you wish.

  • @kcaj said:
    Is that TalkTalk? They're doing it for security, checking the site for viruses etc. You should be able to disable that in your TalkTalk account if you wish.

    Iirc you can disable the actual blocking of malicious pages, but not opt out from the stalking.

  • wych Member

    StalkTalk's by-default addon does this, I had it disabled when I signed up.

    Thanked by 1GM2015
  • jh Member

    Yes it's TalkTalk. I've still not gone through the list completely but Orange seems to be doing the same thing.

    Regarding the CA comment - as I understand it, you trust your browser to pick CAs and the browser trusts CAs not to issue random certificates, so it can happen - it just requires some cooperation. Correct me if I'm wrong.

  • jhadley said: Yes it's TalkTalk. I've still not gone through the list completely but Orange seems to be doing the same thing.

    Switch to SSE :) cheaper and no spying/blocking of tpb etc

  • @TarZZ92 said:

    I've been considering them, what's their traffic management like?

  • alegeek said: I've been considering them, what's their traffic management like?

    For me, non-existent; for friends and others it would seem restrictive. You can also request a free STATIC IP as a bonus :).

  • perennate Member, Host Rep
    edited August 2015

    jhadley said: Regarding the CA comment - as I understand it, you trust your browser to pick CAs and the browser trusts CAs not to issue random certificates, so it can happen - it just requires some cooperation. Correct me if I'm wrong.

    Sure, but the more likely explanation is that it found those URLs from links (maybe internal, maybe external). If governments start pressuring CAs to forge certificates, then those CAs get removed from browsers; Mozilla/Google/Microsoft don't take that lightly.

  • @TarZZ92 said:

    So long as things like Netflix and Amazon Prime would run during peak hours, my household would be happy :)

  • alegeek said: So long as things like Netflix and Amazon Prime would run during peak hours, my household would be happy :)

    yes :)

    both copper dsl services are okay (the 24Mb and 80Mb)

  • @jhadley said:
    David Cameron

    The UK effort against world privacy goes much deeper than David Cameron.

    Your ISPs probably have deep packet inspection.

  • alegeek said: So long as things like Netflix and Amazon Prime would run during peak hours, my household would be happy :)

    Eh, that's mainly a problem of the ISPs that say they are too large for peering.... UPC notably in central EU, Virgin in UK.

  • jh Member
    edited August 2015

    perennate said: If governments start pressuring CAs to forge certificates, then those CAs get removed from browsers; Mozilla/Google/Microsoft don't take that lightly.

    I'm not convinced by this.

    kerouac said: The UK effort against world privacy goes much deeper than David Cameron.

    Censorship and snooping are present throughout our culture. This worries me though as I somehow had no idea it was happening.

    TarZZ92 said: Switch to SSE :) cheaper an no spying/blocking of tpb etc

    I live in a serviced apartment so I don't get to choose the ISP unfortunately. They have a deal with someone who has a deal with someone else who has a deal with TalkTalk. I found a decent VPN service though - lots of nice privacy/security features, reasonable prices and good speeds. It's just annoying that I have to use it at home for almost everything now :/

  • @jhadley said:
    I live in a serviced apartment so I don't get to choose the ISP unfortunately. They have a deal with someone who has a deal with someone else who has a deal with TalkTalk. I found a decent VPN service though - lots of nice privacy/security features, reasonable prices and good speeds. It's just annoying that I have to use it at home for almost everything now :/

    Set up your own. Much more secure.

  • @jhadley said:
    I live in a serviced apartment so I don't get to choose the ISP unfortunately. They have a deal with someone who has a deal with someone else who has a deal with TalkTalk. I found a decent VPN service though - lots of nice privacy/security features, reasonable prices and good speeds. It's just annoying that I have to use it at home for almost everything now :/

    Get your own VPN and set your router to access it automatically.

  • KwiceroLTD Member
    edited August 2015

    @jhadley I once was in your situation with not choosing ISP, I simply went and paid for a VPN at CyberGhost ( https://cyberghostvpn.com/ (note: no affiliate link was included)), and it did the charm.

  • Maounique Host Rep, Veteran

    OTOH, since residential ISP speeds are crap anyway in UK, a KS for 100 Mbps best effort should do to set up a fully encrypted tunnel.
    If you feel ultra paranoid, get another and set yourself up a Tor bridge to route everything through it.

  • jh Member

    Maounique said: OTOH, since residential ISP speeds are crap anyway in UK, a KS for 100 Mbps best effort should do to set up a fully encrypted tunnel.

    Nomad said: Get your own VPN and set your router to access it automatically.

    TinyTunnel_Tom said: Set up your own. Much more secure.

    I've tried two different servers already, one of which has quality routing and a gigabit connection, and both slowed the connection down significantly. It may be a configuration issue or that TalkTalk throttle encrypted traffic. I get the feeling spending hours will only reinforce the fact that TalkTalk is at the bottom of it.

    I know someone who did some interesting investigation into VPN services and also know that most make completely false claims about security, logging, handing over data etc. I finally found one that seems to be trustworthy, fast, secure, doesn't ask for my name, paid with BTC, open sources most of their stuff etc.

  • @jhadley said:

    What configuration were you setting up? PPTP?

  • jh Member

    KwiceroLTD said: What configuration were you setting up? PPTP?

    OpenVPN

  • @jhadley said:
    OpenVPN

    Well that's your issue, configure PPTP and drop it into the router, you'll get better speeds.

  • jh Member

    KwiceroLTD said: Well that's your issue, configure PPTP and drop it into the router, you'll get better speeds.

    Yeah except then it won't just be my ISP snooping.

  • Is it possible your ISP found the page(s) by someone visiting http://mysite.com/secret/secure/page.html and getting an HTTPS redirect? That's the most likely way they'd see the page URL.

    I doubt that they are doing man-in-the-middle on people's HTTPS traffic routinely - people would spot it. Since you are accessing your own servers, you should be able to verify that the certificate your browser is presented with is the same one you installed on your server.
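
The certificate check suggested in the post above, as an added example that is not part of the original thread: it captures the leaf certificate presented to the client and compares its SHA-256 fingerprint with the certificate file installed on the server. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import socket
import ssl

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def installed_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first (leaf) certificate in the server's PEM file."""
    start = pem_text.index(BEGIN)             # ValueError if no certificate
    stop = pem_text.index(END, start) + len(END)
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem_text[start:stop]))


def presented_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Leaf certificate that actually reaches this client over the network."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: capture whatever certificate arrives,
    # even one the trust store would reject, so it can be compared by hash.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def same_certificate(presented: bytes, installed_pem: str) -> bool:
    """True when the presented leaf is byte-identical to the installed one."""
    return fingerprint(presented) == installed_fingerprint(installed_pem)


# Constructed sample data: placeholder bytes standing in for DER certificates,
# so the comparison logic can be exercised offline.
SAMPLE_ORIGIN_DER = b"constructed origin certificate"
SAMPLE_OTHER_DER = b"constructed substitute certificate"
SAMPLE_CHAIN_PEM = (ssl.DER_cert_to_PEM_cert(SAMPLE_ORIGIN_DER)
                    + ssl.DER_cert_to_PEM_cert(b"constructed intermediate"))

if __name__ == "__main__":
    print(same_certificate(SAMPLE_ORIGIN_DER, SAMPLE_CHAIN_PEM))  # identical leaf
    print(same_certificate(SAMPLE_OTHER_DER, SAMPLE_CHAIN_PEM))   # different leaf
    # Real use (needs network and the server's file):
    # same_certificate(presented_der("example.com"), open("server.crt").read())
```

Run the capture from the connection under suspicion. If a CDN or reverse proxy terminates TLS in front of the origin, the certificate presented is the proxy's, so compare against that one instead.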

  • Nekki Veteran

    KwiceroLTD said: Well that's your issue, configure PPTP and drop it into the router, you'll get better speeds.

    PPTP is a bit on the wank side, to be fair.

  • Maounique Host Rep, Veteran
    edited August 2015

    Try SoftEther, it is resource intensive, but an Atom might manage it.
    Some slowing down will occur, it is unavoidable, but if your link is already bad, it won't be much of a difference; only if you have more than 30 Mbps, which is the threshold in UK for "broadband", will you feel the difference seriously.

  • @KwiceroLTD said:
    Well that's your issue, configure PPTP and drop it into the router, you'll get better speeds.

    PPTP is very, very insecure and can be cracked extremely easily. OpenVPN isn't, and can't.

    I'm unsure if the ISP in question here is residential or business, but for a home ISP I would strongly recommend tunnelling via a VPN, then statically routing all of your traffic over the tunnel and out the other side.

    If encrypted traffic throttling is a pain, you could always try obfuscating the traffic by running the VPN on a high/non-standard port - just make sure you don't pick a port associated with P2P traffic.
