Upcoming rule will allow ISPs to sell your internet history. What could you do about it?

Discussion in 'Home Theater PC (HTPC) & Media Servers' started by BoredSysAdmin, Mar 14, 2017.

  1. BoredSysAdmin Audioholic Overlord
    https://arstechnica.com/tech-policy...rate-impending-death-of-online-privacy-rules/
    What can you do? Well, the easiest option would be to use a VPN service, like PIA - https://www.privateinternetaccess.com/
    This is the best option, but it's not free - something like $3.30/month on an annual plan.

    Is there a free option?

    Glad you asked. You may be asking me: BSA, wait, aren't all https:// sites already encrypted? Well, yes they are, but before you get to them (even if you weren't lazy and typed https://www.address.com/ in your browser) you still must use a DNS service to resolve their actual IP address.
    So let's say you are Mr. Smarty Pants and changed the default DNS servers (i.e. the ones provided by your dear and beloved ISP) to public ones provided by Google, Level3, OpenDNS or someone else. OK, you're already in better shape, but keep in mind that DNS requests are NOT encrypted and your nosy ISP still can and will capture this info to be sold to the highest bidder(s).

    But is there another option? Yes, but for now it's kinda a bit techy: the solution that closes clear-text DNS requests is called DNSCrypt, and you'd be looking for client (not server) software, like dnscrypt-proxy.
    Probably the easiest one I found is this one:
    https://simplednscrypt.org/
    But there are lots of other options: https://dnscrypt.org/
    One of the more interesting options to me is the fact that DNSCrypt is included in Tomato/AdvancedTomato firmware. It also happens that I now have a spare Asus router which is compatible with it. Going to give it a shot.
    BTW: OpenDNS supports DNSCrypt, and there is a whole bunch of other secure DNS providers as well.
    Last edited: Mar 14, 2017
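As an added illustration of the point made in the post above (example code written for this page, not from the post's author and not part of DNSCrypt or dnscrypt-proxy): a plain DNS query sent over UDP port 53 carries the queried name in the clear, no matter whether the resolver is the ISP's or a public one. The block builds a standard RFC 1035 query packet and then parses it the way a passive observer on the path would, recovering the transaction ID, the name and the record type, and reduces a list of such packets to the browsing history an ISP could compile. The domain names in the sample capture are constructed for the example. With DNSCrypt in front of the same lookups, the payload is encrypted and the observer is left with only the resolver's IP and port.

```python
import secrets
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035 §4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")
QTYPE_A, QTYPE_AAAA = 1, 28
QCLASS_IN = 1


def encode_name(qname):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=QTYPE_A):
    """Build the UDP payload a stub resolver sends for a recursive lookup (RD flag set)."""
    header = DNS_HEADER.pack(secrets.randbits(16), 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(packet, offset):
    """Decode a name starting at offset; returns (name, offset after the terminating zero)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers appear in answers, never in a query's question section.
            raise ValueError("unexpected compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def observe_query(packet):
    """What a passive observer on the wire learns from one unencrypted DNS query."""
    txid, flags, qdcount, _, _, _ = DNS_HEADER.unpack_from(packet, 0)
    if qdcount != 1 or flags & 0x8000:
        return None  # a response, or not a single-question query
    qname, offset = decode_name(packet, DNS_HEADER.size)
    qtype, qclass = struct.unpack_from("!HH", packet, offset)
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass}


def browsing_history(packets):
    """Reduce a capture of query payloads to the sorted set of names that were looked up."""
    names = set()
    for pkt in packets:
        seen = observe_query(pkt)
        if seen is not None:
            names.add(seen["qname"].lower())
    return sorted(names)


if __name__ == "__main__":
    # Constructed sample capture: the lookups one laptop might make in an evening.
    capture = [build_query(n) for n in ("www.example.com", "mail.example.net", "example.org.")]
    print(browsing_history(capture))
```

The parser deliberately refuses compression pointers in the question name: a real sniffer has to handle them in answers, but a query whose question uses one is malformed and worth flagging rather than silently following.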
  2. BoredSysAdmin Audioholic Overlord
    I should mention (more like warn) of one more, but not so great, option: there is the Yandex Browser, which has DNSCrypt built in. OK, it sounds fairly convenient, but if you don't know who Yandex is, it's one of the largest if not the largest Yahoo equivalents in Russia, and just guess who controls it:
    http://www.lse.co.uk/internetNews.a...Russias_Yandex_sells_golden_share_to_Sberbank

    Sberbank is not just a state-controlled bank. Its function is more akin to the Federal Reserve in the US.

    https://sputniknews.com/business/20...Joins-Board-of-Russian-Internet-Giant-Yandex/

    I don't think that even DNSCrypt will give you any privacy from data gathering by the Russians.
  3. panteragstk Audioholic General
    I guess you could always use Tor?
  4. BoredSysAdmin Audioholic Overlord
    Sure, but Tor is very slow.
  5. rojo Audioholic Samurai
    Thanks for this tip BSA! I just pointed my router to OpenDNS and enabled DNSCrypt (dnscrypt-proxy "cisco" resolver). Also, contrary to a boatload of advice in Google searches not to, I've got DNSSEC enabled as well, and nothing seems broken. It seems that Cisco added support for DNSSEC at some point after they acquired OpenDNS. In fact, they also mention DNSSEC on their DNSCrypt info page. FWIW, AdvancedTomato also includes a DDNS client for OpenDNS, and can auto populate the DNS server fields when this is enabled.
  6. BoredSysAdmin Audioholic Overlord
    DNSSEC is not something most consumers should be worried about. It's meant to authenticate a domain name publicly. But DNSCrypt is important to better protect your internet history.
  7. rojo Audioholic Samurai
    True, but there's no harm in enabling DNSSEC at the client (router) side. It can prevent DNS cache poisoning, and Cisco offers it at the cost of the effort needed to check a check box. Just sayin', anyone curious as to whether to enable DNSSEC while you're messing with the DNSCrypt settings, go ahead. The only potential drawback of DNSSEC is DNS amplification attacks, but that's on Cisco to handle regardless of whether the client has the setting enabled.

    Also, make sure the router syncs its time with an NTP server. If the router's configured date / time is incorrect, it could cause the security certificate to be deemed as invalid and cause problems with DNSSEC.
  8. panteragstk Audioholic General
    Did that slow things down at all for you? When I used Advanced Tomato the more I asked it to do, the slower my internet speeds got. Moving to Sophos resolved that, but I still really liked the Tomato interface.
  9. BoredSysAdmin Audioholic Overlord
    What hardware did you use for Adv Tomato?
  10. rojo Audioholic Samurai
    Not at all, but my router (an Asus RT-AC68U) is pretty modern with plenty of horsepower. In any case, DNS stuff is pretty low overhead. The DNScrypt and DNSSEC stuff adds a burden comparable to loading a webpage over https versus http. It ought to be transparent even on modest hardware I suspect. And indeed, if you had your router blocking some web traffic for ad filtering or similar, using OpenDNS could allow you to offload some of that responsibility onto Cisco's DNS servers.
    Last edited: Mar 17, 2017
  11. BoredSysAdmin Audioholic Overlord
    Yes, the 68 has a modern processor which offers more horsepower than my 66U, but for DNSCrypt I guess the impact would be low. However, in a previous f/w version I did notice a large performance drop if QoS was enabled. Haven't played with it for a while.
    For central ad blocking another option is Pi-hole.
  13. Bucknekked Audioholic Chief
    BSA
    After reading the link, do I take it to mean that the latest CITA filing seeks to eliminate rules for ISPs relating to how they treat sensitive customer data? In effect, eliminating the rules takes the FCC oversight away, and therefore the ISPs could do whatever they wish with browsing and app use data? Is that the gist of what is in the works?
  14. panteragstk Audioholic General
    I used it on an old RT-N66U. Worked great until my ISP upped my connection to 300 Mbps. Never got more than 200 out of it.
  15. BoredSysAdmin Audioholic Overlord
    Basically yes. Last year the FCC issued privacy rules for ISPs. The current head of the FCC (an ex-VZW lawyer) is looking to cancel these. Same goes for net neutrality, but later; I really hope they won't succeed.
    It's gonna be a bigger shitstorm than SOPA ever was.
  16. rojo Audioholic Samurai
    It's funny seeing a wireless N router being called old. :) My previous router was a Linksys WRT54G v2. It never died, but when I decided to cut cable TV a few months ago it was finally time to upgrade.

    Anyway, "Never got more than 200 out of it" sounds like a first world problem if I ever heard one. Are you hosting a colo in your house?

    Hey @BoredSysAdmin are there any lifetime subscription VPN services worth a damn? I see a bunch on Stack Social all the time, but I can't really see how any of them could be sustainable.

    Eh, it's probably a moot point anyway. I started looking into selective routing over VPN, to allow my Rokus and VoIP devices to connect natively through my ISP, but all the solutions I found are in some form of Elvish. I can't read them.

    It'll be easier just to write my congressmen letters asking them to protect my privacy.
  17. panteragstk Audioholic General
    lol. You are correct in your first world assessment of my "problem". I look at it as if I'm paying for a specific speed, I better get that speed.

    I will say though, I use PIA and Newshosting VPN and they are both great. Very cheap and I know that what I'm doing remains private. Well worth the money considering you can tell the VPN to be wherever you want to be.
  18. BoredSysAdmin Audioholic Overlord
    Bad news:
    a) the rule was apparently confirmed by Congress and will take effect starting 12/2017
    https://arstechnica.com/information...an-sell-your-web-history-and-how-to-stop-them
    b) TIL that the HTTPS initial handshake does include the domain name in clear text. This is not related to the DNS request :(
    https://security.stackexchange.com/...-requests-include-the-host-name-in-clear-text

    The good news is that smart people are aware of this issue and working towards a solution:
    https://www.ietf.org/proceedings/interim/2014/07/20/tls/slides/slides-interim-2014-tls-2-6.pdf

    So DNSCrypt fixes one issue, but it is not fully plugging the data leak. For the super concerned, a VPN seems to be the only option for now, as Tor is way too slow.
  19. BoredSysAdmin Audioholic Overlord
    One more option worth mentioning: Opera (the internet browser, maybe you've heard of it?) Developer version has a "VPN" built in. It won't cover DNS requests, but it will actually hide your internet browsing if turned on (apparently in newer builds it's not on by default).

    Did I mention that it's free?
  20. rojo Audioholic Samurai
    Just signed up for a lifetime subscription to Windscribe VPN through Stack Social. With 15% off coupon code I paid $67.15. Seems to be a reputable company that I hope will stick around for a while. If not, then I'll still be pleased if I get 2 or 3 years for what I paid. The company was founded in 2015. According to speedtest.net I get transfer speeds around 13M down / 6M up connecting through a US-East concentrator in Virginia.

    My router is handling the OpenVPN client. I added routing policies via the AdvancedTomato GUI for the VPN only to be applied to half my IPs in a range I reserve for the PCs, phones, and tablets in my house. My Roku boxes, my thermostat, Wii, AVR, etc. will continue routing natively through my ISP.

    AdvancedTomato made this easier than it would've been using Tomato or DD-WRT I think. I was prepared to commit a shell script to nvram to tweak the routing table on ifup / down, but it turns out I was able to configure everything completely through the GUI. Only tricky parts were that "Create NAT on tunnel" needed to be check marked (not mentioned in Windscribe's Tomato setup guide), and I had to add "route-noexec" below Windscribe's directed custom configs for the routing policies not to be ignored.

    IPleak.net shows absolutely zero trace of my home ISP. I had to set myself a calendar reminder to have Windscribe's support staff renew my license in ten years, assuming they're still around then.

    I feel good about this, and I think my family won't even notice the protection I've put in place for them. Thanks for the heads up @BoredSysAdmin!
    Last edited: Apr 1, 2017