this post was submitted on 02 Oct 2024

37 points (100.0% liked)

Privacy

789 readers

2 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

Can a VPN read my traffic to know what I'm doing? (lemmy.autism.place)

submitted 1 month ago by ASDraptor@lemmy.autism.place to c/privacy@lemmy.ml

28 comments fedilink hide all child comments

https://torrentfreak.com/italy-approves-piracy-shield-vpn-dns-proposal-risk-of-prison-for-isps-intact-241001/

As title. Italy is decided to pass a law that basically creates a chinese-type firewall in the country. The question is simple: even if I'm not doing anything illegal, my VPN provider will have to know what am I doing to report it in case it's illegal, or face jail.

So how could my traffic remain private in this scenario?

Can a VPN provider with no logs policy be held accountable of anything? Can it actually know what I'm doing?

you are viewing a single comment's thread
view the rest of the comments

[–] shortwavesurfer@lemmy.zip 14 points 1 month ago (2 children)

If it truly keeps no logs, then it cannot tell what you are doing. But otherwise, a VPN provider can indeed tell what you're doing because you are only shifting the trust from your internet service provider to your VPN provider. I would highly recommend something like IVPN or Mullvad and only pay for it in Monero. That way, even if logs are kept, you are just a number account to them and they do not have a name for you.

[–] ShortN0te@lemmy.ml 6 points 1 month ago (2 children)

a VPN provider can indeed tell what you're doing

New to me that https is broken

[–] shortwavesurfer@lemmy.zip 7 points 1 month ago (1 children)

HTTPS doesn't stop them from knowing what you visited. It just stops them from knowing what you did while you were there. VVPN provider can still see that you visited Google, but they cannot see what you asked for Google to do for you.

[–] ShortN0te@lemmy.ml 6 points 1 month ago

Yes. Not claimed otherwise. OC claimed that they see what you are doing which is wrong.

[–] delirious_owl@discuss.online 4 points 1 month ago (1 children)

You can read more about this learning about X.509.

Its the PKI thats broken, namely the root stores. Has been unreliable for many, many years. This is why packages are signed.

[–] ShortN0te@lemmy.ml 2 points 1 month ago (2 children)

You can read more about this learning about X.509.

Its the PKI thats broken, namely the root stores. Has been unreliable for many, many years. This is why packages are signed.

So you are basically saying that root CAs are unreliable or compromised?

The great thing is, that you can decide on your own which CAs you trust. Also please proof that those are actively malicious.

And no. That is not the reason that packages are signed, i am guessing you mean packages like on linux, packages contained in the installation repository. The reason is, that you build another chain of trust. Why would i trust a CA which issues certificates for domains with code distribution. That's not their job.

[–] mox@lemmy.sdf.org 2 points 1 month ago* (last edited 1 month ago) (1 children)

So you are basically saying that root CAs are unreliable or compromised?

Not exactly. They are pointing out that HTTPS assumes all is well if it sees a certificate from any "trusted" certificate authority. Browsers typically trust dozens of CAs (nearly 80 for Firefox) from jurisdictions all over the world. Anyone with sufficient access to any of them can forge a certificate. That access might come from a hack, a rogue employee, government pressure, a bug, improperly handled backups, or various other means. It can happen, has happened, and will happen again.

HTTPS is kind of mostly good enough for general use, since exploits are not so common as to make it useless, but if a government sees it as an obstacle, all bets are off. It is not comparable to a trustworthy VPN hosted outside of the government's reach.

Also, HTTPS doesn't cover all traffic like a properly configured VPN does. Even where it is used and not compromised, it's not difficult for a well positioned snooper (like an internet provider that has to answer to government) to follow your traffic on the net and deduce what you're doing.

[–] ShortN0te@lemmy.ml 1 points 1 month ago (1 children)

Not exactly. They are pointing out that HTTPS assumes all is well if it sees a certificate from any "trusted" certificate authority. Browsers typically trust dozens of CAs (nearly 80 for Firefox) from jurisdictions all over the world. Anyone with sufficient access to any of them can forge a certificate.

Great thing, that you can remove them and only trust those you trust.

Also, HTTPS doesn't cover all traffic like a properly configured VPN does.

Pls explain what https is not covered? The SNI on tbe first visit? A VPN just moves the "exit point" of your traffic. Now the Datacentef and VPN provider sees what you ISP saw.

it's not difficult for a well positioned snooper (like an internet provider that has to answer to government) to follow your traffic on the net and deduce what you're doing.

No. I never said otherwise. But they cannot spy on the traffic. And since the SNI is not encrypted anyway they do not even nerd to "follow the traffic". But what sites you are visiting and what you are doing on them are 2 different things.

[–] delirious_owl@discuss.online 1 points 1 month ago* (last edited 1 month ago) (1 children)

Lol OK. Every US company has to legally provide their private keys (or a subordinate CA) to the US government if asked, due to NSL laws. We have examples of the US doing this historically, only because some companies broke the law and spoke out publicly.

So go ahead and remove all CAs issued from US companies. Verisign, cloudflare, akamai, Microsoft, Amazon, etc.

Now 80% of the Internet is broke.

[–] ShortN0te@lemmy.ml 1 points 1 month ago

And? If you cannot trust then you should not use them when you want to do something that is private and should not get looked on.
And if there were signs of misuse of the trust, then they would get removed.

It is actually really easy to monitor thanks to CT.

[–] delirious_owl@discuss.online 1 points 1 month ago (1 children)

Yes, there is countless examples of root CAs containing compromised CAs. Also the private keys live on the server, hot. That's why we sign with release keys that are not stored on the publishing infr

[–] ShortN0te@lemmy.ml 1 points 1 month ago (1 children)

Yes, there is countless examples of root CAs containing compromised CAs.

Then pls proof that? Link to a recent article maybe?

[–] emuspawn@orbiting.observer 3 points 1 month ago (2 children)

https://www.theregister.com/2024/07/31/digicert_certificates_extension/

[–] delirious_owl@discuss.online 2 points 1 month ago

DigiCert isn't the only one. There's a bunch of others. Just google "Mozilla CA removed" or "google CA removed"

Here's a couple more examples, but this sort of thing happens all the time, because X.509 is just a terrible design that breaks https

https://bugzilla.mozilla.org/show_bug.cgi?id=1567114

https://www.eff.org/deeplinks/2019/02/cyber-mercenary-groups-shouldnt-be-trusted-your-browser-or-anywhere-else

[–] ShortN0te@lemmy.ml 1 points 1 month ago

Yes, there is countless examples of root CAs containing compromised CAs.

This incidence with digicert is not about a compromised CA it is about a flaw in their validation system. That is not what you claimed. Such flaws happen from time to time, lets encrypt had an issue a while back too.

[–] HelixDab2@lemm.ee 1 points 1 month ago (1 children)

I'm curious how hard it would be for a typical user to chain VPNs together so that my traffic went sequentially through VPNs. In theory it seems like VPN #1 would know that it was connected to my home and VPN #2, so it couldn't tell where data was originating. VPN #2 could see the site that was being accessed and VPN #1, but not me.

I have no idea if it actually works this way in practice through.

[–] shortwavesurfer@lemmy.zip 2 points 1 month ago* (last edited 1 month ago)

What you are describing is the tor network.

You connect to a guard node which knows who you are
The Guard node connects to a middle relay node, and that middle relay only knows who the Guard is, but does not know who you are.
If you are going to the standard internet, the relay node connects to an exit node, which knows who the relay operator is, but does not know who the guard node is and does not know who you are.
The exit node connects to Facebook, Google, Amazon, etc. and only knows that the traffic goes back to the relay node when Amazon or whatever it responds. And then the entire thing goes in reverse back to you.

Now, if you are going to a hidden service and not out to the standard internet, it does this process twice and so you get six hops in between yourself and the hidden service instead of the three to the standard internet.