Poll: Investigatory Powers Bill or "Snoopers' Charter" has been approved

Are you happy with the investigatory powers bill being passed?

  • Yes, I fully agree with it. Votes: 14 (2.5%)
  • Yes, but I am uncomfortable with certain aspects of it. Votes: 31 (5.5%)
  • I am undecided. Votes: 27 (4.8%)
  • No, but I do agree with parts of it. Votes: 103 (18.2%)
  • No, I fully disagree with it. Votes: 391 (69.1%)

  • Total voters: 566

That is incorrect. They cannot unless they can compel the owners of the server at the other end to release logs.
Nope. Data can still be intercepted and stored in encrypted form. See edit.

Encryption doesn't mean the transmission is immune to being intercepted and stored.
 
That is incorrect. They cannot unless they can compel the owners of the server at the other end to release logs.

If they have intelligence on you, and you're signed up to a major ISP, they can use something known as "Lawful intercept" that's been around for quite a long time, (that was sufficient and not such a bad system in my view)

Basically, on the ISP's broadband gateway router in the exchange or data centre, they can identify your individual session - then copy and paste all of the data at the hardware level - going to and from your connection, into a tunnel - which terminates in GCHQ, where they get 100% of what's going in and out of your line.

I actually always thought this wasn't a bad system, it requires warrants to execute and seems legit, but done in the dark to both the end user and the ISP, the system is designed as such so that the ISP cannot find out or see who is being intercepted by "the man"
 
The fact that you're connecting to an IP address in Switzerland and exchanging encrypted information, is still data to them and this is being recorded.

Yes and I'm completely happy for the government to know that I'm connecting to a VPN in Switzerland. It's just my private internet activity I don't want them to know about, and that's safely encrypted.


Using a VPN is just telling them "hey, you'll have to penetrate me deeper to get the data you're legally entitled to"

Yeah if they think it's worth the cost and the risk - Every time they exploit a weakness in a system to get access they risk that exploit being discovered and patched, so they can no longer use it. There's no doubt in my mind they are sitting on dozens of vulnerabilities we know nothing about, but they'll be very careful about using them because they want to continue to use those vulnerabilities for as long as possible. I'm not important enough for them to justify that on tbh.


It's just too late, the data is now legally owned whether it's encrypted or not. Using a VPN as an assumed method of personal opt-out is just completely pointless and futile lol.

No, it really isn't. Using a VPN is a very easy way to stop your data being gathered up in the dragnet. Your comments about security services being able to go above and beyond normal efforts when confronted with VPN use and other methods of anti-surveillance are correct to an extent - They CAN do that but for reasons I already explained most people are not and will not be targeted to that extent. For most people the threat model is simply preventing their ISP storing Internet Connection Records. Using a VPN works very well in achieving that.
 
If they have intelligence on you, and you're signed up to a major ISP, they can use something known as "Lawful intercept" that's been around for quite a long time, (that was sufficient and not such a bad system in my view)

Basically, on the ISP's broadband gateway router in the exchange or data centre, they can identify your individual session - then copy and paste all of the data at the hardware level - going to and from your connection, into a tunnel - which terminates in GCHQ, where they get 100% of what's going in and out of your line.

A VPN will prevent that. What this is about is just capturing data as it's being transmitted from a computer. That is unavoidable you can't access the internet without transmitting data. The point is to make any captured data worthless to anyone intercepting it.
 
If they have intelligence on you, and you're signed up to a major ISP, they can use something known as "Lawful intercept" that's been around for quite a long time, (that was sufficient and not such a bad system in my view)

Basically, on the ISP's broadband gateway router in the exchange or data centre, they can identify your individual session - then copy and paste all of the data at the hardware level - going to and from your connection, into a tunnel - which terminates in GCHQ, where they get 100% of what's going in and out of your line.

I actually always thought this wasn't a bad system, it requires warrants to execute and seems legit, but done in the dark to both the end user and the ISP, the system is designed as such so that the ISP cannot find out or see who is being intercepted by "the man"

But in the case of someone connecting via a VPN, wouldn't that just give them a bunch (perhaps many terabytes) of encrypted traffic to analyse? I don't know the ins & outs of how easy typical VPN traffic is to decrypt but surely it'd only be worth doing if you were some sort of high profile target; terrorist etc.

Under this legislation the raw data won't be recorded by ISPs in the same way. For the average user wanting to keep their privacy after the snoopers charter goes live, a VPN will do that.
 
[ignorance]

I am under the impression decryption is like any code - if you have the key to unlock it, then translating the information isn't that hard or time consuming.

Perhaps it isn't a case of having to 'break' into anything. Perhaps they just use their key that they acquired from the VPN, or the individual / organisation that the VPN bought their encryption systems from?

[/ignorance]
 
But in the case of someone connecting via a VPN, wouldn't that just give them a bunch (perhaps many terabytes) of encrypted traffic to analyse? I don't know the ins & outs of how easy typical VPN traffic is to decrypt but surely it'd only be worth doing if you were some sort of high profile target; terrorist etc.

Under this legislation the raw data won't be recorded by ISPs in the same way. For the average user wanting to keep their privacy after the snoopers charter goes live, a VPN will do that.

The data itself is safe if it's encrypted, however - as China has demonstrated, there are some quite sophisticated methods of detecting to a certain extent what people are up to in general, by analysing traffic patterns - even if your connection was encrypted, it's quite easy to tell if someone is downloading files, (P2P or directly) or whether they're doing a voice call or something.

I can imagine that if everyone moves to VPNs, the means to bolster this sort of telemetry and analysis will be increased, as will the effort to be able to crack/circumvent the algorithms,

(I design and build ISP networks, I know what VPNs are, however I also know there's a hell of a lot of work going on in the background by the government, so whilst I agree - right now, if you use a VPN you're safe, I'm not 100% sure how things will play out in the future, or whether this will remain the case :) )
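
The point made in the post above, that encryption hides content but not packet sizes and timing, shown as an added example that is not part of the original thread. The feature names, thresholds and both sample flows are constructed for illustration and are not taken from any real classifier.

```python
# Added illustration: per-packet metadata (time s, direction, size bytes) only.
# Thresholds and sample flows are constructed for this example.
from statistics import mean, pstdev

def flow_features(packets):
    """Summarise a flow from metadata alone; payload is never inspected."""
    down = [p for p in packets if p[1] == "down"]
    up_bytes = sum(p[2] for p in packets if p[1] == "up")
    times = sorted(p[0] for p in down)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "mean_down_size": mean(p[2] for p in down) if down else 0.0,
        "down_up_ratio": sum(p[2] for p in down) / max(up_bytes, 1),
        # Jitter of downstream packet spacing relative to its mean
        "gap_cv": pstdev(gaps) / mean(gaps) if gaps and mean(gaps) > 0 else 0.0,
    }

def classify(packets):
    f = flow_features(packets)
    # Voice: small packets, steady pacing, roughly symmetric both ways
    if 0 < f["mean_down_size"] < 300 and f["gap_cv"] < 0.2 and 0.5 < f["down_up_ratio"] < 2:
        return "voice-like"
    # Bulk transfer: near-MTU packets downstream, only small ACKs upstream
    if f["mean_down_size"] > 1000 and f["down_up_ratio"] > 10:
        return "bulk-download-like"
    return "unclassified"

def sample_voice(seconds=2):
    """Constructed sample: one 180-byte packet each way every 20 ms."""
    pkts = []
    for i in range(seconds * 50):
        pkts += [(i * 0.02, "up", 180), (i * 0.02 + 0.001, "down", 180)]
    return pkts

def sample_bulk(seconds=2):
    """Constructed sample: bursts of 40 1400-byte packets, a 60-byte ACK per two."""
    pkts = []
    for burst in range(seconds * 10):
        for j in range(40):
            t = burst * 0.1 + j * 0.0005
            pkts.append((t, "down", 1400))
            if j % 2:
                pkts.append((t + 0.0002, "up", 60))
    return pkts

if __name__ == "__main__":
    print(classify(sample_voice()), classify(sample_bulk()))
```

Padding packets to a fixed size or adding cover traffic changes exactly the features this sketch relies on, which is why tunnels that do neither leave the activity type visible.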
 
Not sure if this is relevant to the encryption discussion:

Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored.

In effect, the UK government has written into law a version of the much-derided Burr-Feinstein Bill proposed in the US, which would have undermined encryption in America. A backlash derailed that draft law.

No such backlash happened in the UK over the Investigatory Powers Bill, though, and so here we are. Web browser histories logged by ISPs 24/7, and the looming possibility of crippled cryptography. There may be not much point using a VPN to conceal your web activities if it can be blown open by a technical capability notice.

http://www.theregister.co.uk/2016/11/30/investigatory_powers_act_backdoors/
 
Thing is, if it's only ever going to be used for what they said it is then it's not so bad. The government are only looking for specific things (the big threats) and don't care about the rest. They don't have the time or manpower to care about the little things.

The danger is them deciding to start selling the data off to corporations, who will almost certainly abuse it.

But in the case of someone connecting via a VPN, wouldn't that just give them a bunch (perhaps many terabytes) of encrypted traffic to analyse? I don't know the ins & outs of how easy typical VPN traffic is to decrypt but surely it'd only be worth doing if you were some sort of high profile target; terrorist etc.

Under this legislation the raw data won't be recorded by ISPs in the same way. For the average user wanting to keep their privacy after the snoopers charter goes live, a VPN will do that.

A properly secured VPN looks like normal https traffic when sent over port 443. It's very hard to filter and detect and even then you can't see the actual data, only the encrypted stuff inside the SSL layer. China spent a LOT of money trying to stop people using VPNs and even then many still get through. Most of the best VPN services use OpenVPN and there's no "back doors" to that.
 
[ignorance]

I am under the impression decryption is like any code - if you have the key to unlock it, then translating the information isn't that hard or time consuming.

Yes that's pretty easy so keeping the private key (the key to decrypt) secure is essential. The VPN I use hasn't "bought" an encryption system from anyone, they use open source freely available algorithms that have been tested and searched for any weaknesses for years. And with them being offshore they will just refuse any kind of request for data that doesn't come from a Swiss judge. And a record of my OCUK browsing habits just doesn't merit that kind of effort.

I can imagine that if everyone moves to VPNs, the means to bolster this sort of telemetry and analysis will be increased, as will the effort to be able to crack/circumvent the algorithms,

There are plugins for the Tor network that let you disguise the traffic as something "non suspicious" like a Skype call. I don't know much about the technical side of that as I've never had any reason to look into it, but apparently people make heavy use of it in China.
 
Not sure if this is relevant to the encryption discussion:



http://www.theregister.co.uk/2016/11/30/investigatory_powers_act_backdoors/

It's absolutely relevant and I'm glad you raised it, as I read that article and legislation when it was written.

It's obvious from the article, that if a company has software that provides an encryption service, the government can lawfully force them to provide a means to un-encrypt the data if requested,

What's not clear is exactly how far this extends, presumably it could only apply to UK based companies, or foreign companies operating in the UK (such as google/FB) so if you used a standard VPN provider in the middle of Mexico - it shouldn't make any difference.

The question is - how much further do they push the legislation, do they start to consider the possibility of blocking VPNs, because that's much more possible than breaking encryption right now, and bearing in mind how easy this legislation went through, combined with most people not seeming to care, it wouldn't surprise me..
 
There are plugins for the Tor network that let you disguise the traffic as something "non suspicious" like a Skype call. I don't know much about the technical side of that as I've never had any reason to look into it, but apparently people make heavy use of it in China.

Yeah, but the general consensus is that Tor isn't that safe anymore, you have to be very careful, as egress nodes can easily be tapped.
 
Not sure if this is relevant to the encryption discussion:



http://www.theregister.co.uk/2016/11/30/investigatory_powers_act_backdoors/

It's very relevant. It's still worth using encryption - You just need to make sure it hasn't been weakened. So you want to use open source encryption, where the source code has been checked for backdoors, and don't use anything from UK based companies. They will be required to backdoor their systems if given a technical capability notice and they will also be prevented from telling you.
 
snip

The question is - how much further do they push the legislation, do they start to consider the possibility of blocking VPNs, because that's much more possible than breaking encryption right now, and bearing in mind how easy this legislation went through, combined with most people not seeming to care, it wouldn't surprise me..

I think we just have to hope that the rise in corporate VPN use (which I assume couldn't be isolated/allowed easily) would mean that would never happen.
There seems to be a general government direction of teleworking = good, less commuter traffic, less pollution etc etc, with the investment in superfast broadband roll-out to match, which if the UK is to remain competitive globally needs to increase further, & would be at odds with such policy.

A threat to all that would certainly hit the headlines more & make people start caring.
 
As soon as the first story of blackmail or an ex leaking embarrassing internet history happens then the general public will start to care.

Until something happens where people go "o crap that could have been me" it's going to be "I have nothing to hide. Please install my telescreen as long as it's free and 55"+".
 
By then, the law will have been so entrenched that the next set of measures will be in parliament waiting to get tacit approval. Only an absolutely massive loss of data would make people think, it would probably require that all of the banks are robbed... though that would probably mean the country is broke.
 