Upcoming rule will allow ISPs to sell your internet history. What could you do about it?

BoredSysAdmin

Audioholic Slumlord
https://arstechnica.com/tech-policy/2017/03/ad-industry-lobbyists-celebrate-impending-death-of-online-privacy-rules/
What can you do? Well, the easiest option would be to use a VPN service, like PIA - https://www.privateinternetaccess.com/
This is the best option, but it's not free - something like $3.3/month on an annual plan.

Is there a free option?

Glad you asked. You may be asking me: BSA, wait, aren't all https:// sites already encrypted? Well, yes they are, but before you get to them (even if you weren't lazy and typed https://www.address.com/ in your browser) you still must use a DNS service to resolve their actual IP address.
So let's say you are Mr. Smarty Pants and changed the default DNS servers (i.e. the ones provided by your dear and beloved ISP) to public ones provided by Google, Level3, OpenDNS or someone else. OK, you're already in better shape, but keep in mind that DNS requests are NOT encrypted and your nosy ISP still can and will capture this info to be sold to the highest bidder(s).

But is there another option? Yes, but for now it's kinda a bit techy: the solution to close clear-text DNS requests is called DnsCrypt, and you'd be looking for client (not server) software, like DnsCrypt proxy.
Probably the easiest one I found is this one:
https://simplednscrypt.org/
But there are lots of other options: https://dnscrypt.org/
One of the more interesting options to me is the fact that DnsCrypt is included in Tomato/AdvancedTomato firmware. It also happens that I now have a spare Asus router which is compatible with it. Going to give it a shot.
btw: OpenDNS supports DNSCrypt and there is a whole bunch of other secure DNS providers as well.
 
BoredSysAdmin

Audioholic Slumlord
I should mention (more like warn) of one more, but not so great, option: there is a Yandex Browser which has DNSCrypt built in. OK, it sounds fairly convenient, but if you don't know who Yandex is, it's one of the largest if not the largest Yahoo equivalents in Russia, and just guess who controls it:
http://www.lse.co.uk/internetNews.asp?ArticleCode=lw237f3ds3lmney&ArticleHeadline=Russias_Yandex_sells_golden_share_to_Sberbank

Sberbank is not just a state-controlled bank. Its function is more akin to the Federal Reserve in the US.

https://sputniknews.com/business/20140527190172587-Sberbank-Chief-Joins-Board-of-Russian-Internet-Giant-Yandex/

I don't think that even DNSCrypt will give you any privacy from data gathering by the Russians.
 
panteragstk

Audioholic Warlord
I should mention (more like warn) of one more, but not so great, option: there is a Yandex Browser which has DNSCrypt built in. OK, it sounds fairly convenient, but if you don't know who Yandex is, it's one of the largest if not the largest Yahoo equivalents in Russia, and just guess who controls it:
http://www.lse.co.uk/internetNews.asp?ArticleCode=lw237f3ds3lmney&ArticleHeadline=Russias_Yandex_sells_golden_share_to_Sberbank

Sberbank is not just a state-controlled bank. Its function is more akin to the Federal Reserve in the US.

https://sputniknews.com/business/20140527190172587-Sberbank-Chief-Joins-Board-of-Russian-Internet-Giant-Yandex/

I don't think that even DNSCrypt will give you any privacy from data gathering by the Russians.
I guess you could always use Tor?
 
rojo

Audioholic Samurai
One of the more interesting options to me is the fact that DnsCrypt is included in Tomato/AdvancedTomato firmware. It also happens that I now have a spare Asus router which is compatible with it. Going to give it a shot.
btw: OpenDNS supports DNSCrypt and there is a whole bunch of other secure DNS providers as well.
Thanks for this tip BSA! I just pointed my router to OpenDNS and enabled DNSCrypt (dnscrypt-proxy "cisco" resolver). Also, contrary to a boatload of advice in Google searches not to, I've got DNSSEC enabled as well, and nothing seems broken. It seems that Cisco added support for DNSSEC at some point after they acquired OpenDNS. In fact, they also mention DNSSEC on their DNSCrypt info page. FWIW, AdvancedTomato also includes a DDNS client for OpenDNS, and can auto-populate the DNS server fields when this is enabled.
 
BoredSysAdmin

Audioholic Slumlord
DNSSEC is not something most consumers should be worried about. It's meant to authenticate a domain name publicly. But DNSCrypt is important to better protect your internet history.
 
rojo

Audioholic Samurai
DNSSEC is not something most consumers should be worried about. It's meant to authenticate a domain name publicly. But DNSCrypt is important to better protect your internet history.
True, but there's no harm in enabling DNSSEC at the client (router) side. It can prevent DNS cache poisoning, and Cisco offers it at the cost of the effort needed to check a checkbox. Just sayin', anyone curious as to whether to enable DNSSEC while you're messing with the DNSCrypt settings, go ahead. The only potential drawback of DNSSEC is DNS amplification attacks, but that's on Cisco to handle regardless of whether the client has the setting enabled.

Also, make sure the router syncs its time with an NTP server. If the router's configured date / time is incorrect, it could cause the security certificate to be deemed as invalid and cause problems with DNSSEC.
 
panteragstk

Audioholic Warlord
Thanks for this tip BSA! I just pointed my router to OpenDNS and enabled DNSCrypt (dnscrypt-proxy "cisco" resolver). Also, contrary to a boatload of advice in Google searches not to, I've got DNSSEC enabled as well, and nothing seems broken. It seems that Cisco added support for DNSSEC at some point after they acquired OpenDNS. In fact, they also mention DNSSEC on their DNSCrypt info page. FWIW, AdvancedTomato also includes a DDNS client for OpenDNS, and can auto-populate the DNS server fields when this is enabled.
Did that slow things down at all for you? When I used Advanced Tomato the more I asked it to do, the slower my internet speeds got. Moving to Sophos resolved that, but I still really liked the Tomato interface.
 
BoredSysAdmin

Audioholic Slumlord
Did that slow things down at all for you? When I used Advanced Tomato the more I asked it to do, the slower my internet speeds got. Moving to Sophos resolved that, but I still really liked the Tomato interface.
What hardware did you use for Adv Tomato?
 
rojo

Audioholic Samurai
Did that slow things down at all for you? When I used Advanced Tomato the more I asked it to do, the slower my internet speeds got. Moving to Sophos resolved that, but I still really liked the Tomato interface.
Not at all, but my router (an Asus RT-AC68U) is pretty modern with plenty of horsepower. In any case, DNS stuff is pretty low overhead. The DNScrypt and DNSSEC stuff adds a burden comparable to loading a webpage over https versus http. It ought to be transparent even on modest hardware I suspect. And indeed, if you had your router blocking some web traffic for ad filtering or similar, using OpenDNS could allow you to offload some of that responsibility onto Cisco's DNS servers.
 
BoredSysAdmin

Audioholic Slumlord
Not at all, but my router (an Asus RT-AC68U) is pretty modern with plenty of horsepower. In any case, DNS stuff is pretty low overhead. The DNScrypt and DNSSEC stuff adds a burden comparable to loading a webpage over https versus http. It ought to be transparent even on modest hardware I suspect. And indeed, if you had your router blocking some web traffic for ad filtering or similar, using OpenDNS could allow you to offload some of that responsibility onto Cisco's DNS servers.
Yes, the 68 has a modern processor which offers more horsepower than my 66U, but for DNSCrypt I guess the impact would be low. However, in a previous f/w version I did notice a large performance hit if QoS was enabled. Haven't played with it for a while.
For central ad blocking another option is Pi-hole.
 
Bucknekked

Audioholic Samurai
BSA
After reading the link, do I take it to mean that the latest CITA filing seeks to eliminate rules for ISPs relating to how they treat sensitive customer data? In effect, eliminating the rules takes the FCC oversight away and therefore the ISPs could do whatever they wish with browsing and app use data? Is that the gist of what is in the works?
 
BoredSysAdmin

Audioholic Slumlord
BSA
After reading the link, do I take it to mean that the latest CITA filing seeks to eliminate rules for ISPs relating to how they treat sensitive customer data? In effect, eliminating the rules takes the FCC oversight away and therefore the ISPs could do whatever they wish with browsing and app use data? Is that the gist of what is in the works?
Basically yes. Last year the FCC issued privacy rules for ISPs. The current head of the FCC (an ex-VZW lawyer) is looking to cancel these. Same goes for net neutrality, but later; I really hope they won't succeed.
It's gonna be a bigger shitstorm than SOPA ever was.
 
rojo

Audioholic Samurai
I used it on an old RT-N66U. Worked great until my ISP upped my connection to 300mbps. Never got more than 200 out of it.
It's funny seeing a wireless N router being called old. :) My previous router was a Linksys WRT54G v2. It never died, but when I decided to cut cable TV a few months ago it was finally time to upgrade.

Anyway, "Never got more than 200 out of it" sounds like a first world problem if I ever heard one. Are you hosting a colo in your house?

Hey @BoredSysAdmin are there any lifetime subscription VPN services worth a damn? I see a bunch on Stack Social all the time, but I can't really see how any of them could be sustainable.

Eh, it's probably a moot point anyway. I started looking into selective routing over VPN, to allow my Rokus and VoIP devices to connect natively through my ISP, but all the solutions I found are in some form of Elvish. I can't read them.

It'll be easier just to write my congressmen letters asking them to protect my privacy.
 
panteragstk

Audioholic Warlord
It's funny seeing a wireless N router being called old. :) My previous router was a Linksys WRT54G v2. It never died, but when I decided to cut cable TV a few months ago it was finally time to upgrade.

Anyway, "Never got more than 200 out of it" sounds like a first world problem if I ever heard one. Are you hosting a colo in your house?

Hey @BoredSysAdmin are there any lifetime subscription VPN services worth a damn? I see a bunch on Stack Social all the time, but I can't really see how any of them could be sustainable.

Eh, it's probably a moot point anyway. I started looking into selective routing over VPN, to allow my Rokus and VoIP devices to connect natively through my ISP, but all the solutions I found are in some form of Elvish. I can't read them.

It'll be easier just to write my congressmen letters asking them to protect my privacy.
lol. You are correct in your first world assessment of my "problem". I look at it as if I'm paying for a specific speed, I better get that speed.

I will say though, I use PIA and Newshosting VPN and they are both great. Very cheap and I know that what I'm doing remains private. Well worth the money considering you can tell the VPN to be wherever you want to be.
 
BoredSysAdmin

Audioholic Slumlord
Bad news:
a) the rule was apparently confirmed by Congress and will take effect starting 12/2017
https://arstechnica.com/information-technology/2017/03/how-isps-can-sell-your-web-history-and-how-to-stop-them
b) TIL: the https initial handshake does include the domain name in clear text. This is not related to the DNS request :(
https://security.stackexchange.com/questions/86723/why-do-https-requests-include-the-host-name-in-clear-text

The good news is that smart people are aware of this issue and working towards a solution:
https://www.ietf.org/proceedings/interim/2014/07/20/tls/slides/slides-interim-2014-tls-2-6.pdf

So DNSCrypt fixes one issue, but doesn't fully plug the data leak. For the super concerned, a VPN seems to be the only option for now, as Tor is way too slow.
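As an added illustration (not posted by anyone in the thread), here are the two clear-text leaks discussed above, shown from the point of view of an on-path observer such as an ISP: the queried name in a plain DNS packet, and the server name (SNI) in the TLS ClientHello. Both packets are constructed samples built with only the Python standard library; no real traffic is captured.

```python
import struct

# Constructed sample traffic: what an on-path observer sees without any decryption.
def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal plain-DNS A query, as a stub resolver would send over UDP/53."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: recursion desired
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def dns_qname(payload: bytes) -> str:
    """Read the queried name straight out of the packet: the labels are plain text."""
    pos, labels = 12, []
    while payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)

def build_client_hello(host: str) -> bytes:
    """Minimal TLS ClientHello carrying a server_name (SNI) extension."""
    name = host.encode()
    sni_list = b"\x00" + struct.pack(">H", len(name)) + name          # host_name type + name
    sni_ext = struct.pack(">HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                       # version, random, no session id
            + struct.pack(">H", 2) + b"\x13\x01"                        # one cipher suite
            + b"\x01\x00"                                               # null compression only
            + struct.pack(">H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def tls_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                                    # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                    # session id
    p += 2 + struct.unpack(">H", record[p:p + 2])[0]      # cipher suites
    p += 1 + record[p]                                    # compression methods
    ext_end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", record[p:p + 4])
        p += 4
        if etype == 0:                                    # server_name: list len(2), type(1), len(2), name
            name_len = struct.unpack(">H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += elen
    return None
```

Encrypting DNS (DNSCrypt) removes the first field from the observer's view; the SNI field is still sent in the clear by the browser, which is why the post above lands on a VPN as the only complete fix for now.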
 
BoredSysAdmin

Audioholic Slumlord
One more option worth mentioning: Opera (the internet browser, maybe you heard about it?) Developer version has a "vpn" built in. It won't cover DNS requests, but it will actually hide your internet browsing if turned on (apparently in newer builds it's not on by default).

Did I mention that it's free?
 
rojo

Audioholic Samurai
Just signed up for a lifetime subscription to Windscribe VPN through Stack Social. With 15% off coupon code I paid $67.15. Seems to be a reputable company that I hope will stick around for a while. If not, then I'll still be pleased if I get 2 or 3 years for what I paid. The company was founded in 2015. According to speedtest.net I get transfer speeds around 13M down / 6M up connecting through a US-East concentrator in Virginia.

My router is handling the OpenVPN client. I added routing policies via the AdvancedTomato GUI for the VPN only to be applied to half my IPs in a range I reserve for the PCs, phones, and tablets in my house. My Roku boxes, my thermostat, Wii, AVR, etc. will continue routing natively through my ISP.

AdvancedTomato made this easier than it would've been using Tomato or DD-WRT I think. I was prepared to commit a shell script to nvram to tweak the routing table on ifup / down, but it turns out I was able to configure everything completely through the GUI. Only tricky parts were that "Create NAT on tunnel" needed to be check marked (not mentioned in Windscribe's Tomato setup guide), and I had to add "route-noexec" below Windscribe's directed custom configs for the routing policies not to be ignored.

IPleak.net shows absolutely zero trace of my home ISP. I had to set myself a calendar reminder to have Windscribe's support staff renew my license in ten years, assuming they're still around then.

I feel good about this, and I think my family won't even notice the protection I've put in place for them. Thanks for the heads up @BoredSysAdmin!
 