Yohan Yukiya Sese Cuneta 사요한🦣
A common misconception is that 443 (HTTPS) & #DoT #DoH can prevent ISPs from monitoring and modifying your requests. Nope. They have a tool they use to redirect _and_ fake certificates (and the user is none the wiser) so they can monitor it.
Use a #VPN.
Yohan Yukiya Sese Cuneta 사요한🦣
@argv_minus_one They can, they have a tool to do that, and a VPN can save you from that tool they're using.
argv minus one
The only way your ISP can do that is if you installed their malware on your computer. A VPN isn't going to save you from that.
Yohan Yukiya Sese Cuneta 사요한🦣
“It looks like your ISP is using gear from Palo Alto networks to intercept your SSL traffic based on the common name in the SSL certificate.” https://github.com/DNSCrypt/dnscrypt-proxy/discussions/1790#discussioncomment-1052610
They use it to monitor for CSAEM.
https://im.youronly.one/techmagus/philippines-isp-hijack-connection-2021206/
If you have a VPN enabled, their tool can no longer hijack your requests.
^_^
Yohan Yukiya Sese Cuneta 사요한🦣
> the “the user is none the wiser” part here is misleading,
Haha, true. That was way way over of a statement. ^_^ Apologies.
> deliberately ignore an invalid TLS
Which is most non-techie user. They just click without reading… (and annoying when they ask you about something).
> that's when your ISP was able to decrypt your traffic
Which is the point, it is possible and they can and will. It's why a VPN is important, it's the only solution that can stop them. ^_^
D.J. Ramones
@youronlyone the “the user is none the wiser” part here is misleading, I think. The example you linked to in your replies show that you had to deliberately ignore an invalid TLS (SSL) certificate before you received the “modified” request.
It’s true that using HTTPS and encrypted DNS without a VPN means ISPs can still monitor your traffic—but they will only get the IP address and the encrypted traffic. Sometimes the domain name, etc., still leaks, I admit I'm not expert in that part, but it's an exaggeration to say that they can modify your HTTPS-encrypted traffic so long as you stick to valid certificates. (Or, as another reply suggested, unless your device is compromised, say by having its trusted certificates store maliciously modified.)
When you ignored the invalid certificate warning, that's when your ISP was able to decrypt your traffic, basically telling them “sure, you can communicate with me as if you were the server I was expecting”. The government warning said as much.
Yohan Yukiya Sese Cuneta 사요한🦣
@argv_minus_one Generally, yes, but if it came as an order from the government, it complicates everything.
If you complain about it, they'll tell you, “what are you so afraid of? Hiding something?” And they start to specifically monitor you (though of course they don't admit it).
argv minus one
On a personal note, I would take extreme offense if my ISP attempted to do this. I consider it a cybercriminal attack on my systems' security.
argv minus one
Once again, this only works if you have installed (malicious) software from your ISP on your computer. Otherwise, your browser will detect the interception and show a certificate error.
However, if your ISP is doing that, then *all* websites will show a certificate error, and will be inaccessible. To fix that without compromising your security, you must switch to a different ISP that actually respects your security, remove the intercepting device, or, yeah, use a VPN.
Yohan Yukiya Sese Cuneta 사요한🦣
> Anyway, apparently this is a thing in the Philippines, whose government is basically organized crime
Hahaha, I can't deny that one, as much as I want to. LOL.
Although, foreigners who live here sometimes say their own government is worse. I guess it all comes down to how much is the political system used for the benefit of politicians and their allies?
If so, then yes, that's definitely true with our country, and possibly other Asia-Pacific countries. The corruption is just… crazy.
We don't even have standardized measurements outside of the government. I mean, a simple thing like that? Only government agencies were mandated to use SI and Metric. It's why it's so confusing purchasing drinks (for example), because everyone use either Imperial or Metric; and they have their own measurement for “small”, “medium”, and “large”.
> I'm afraid of them slipping further malware into my machine through their HTTPS interception, stealing my credit card number, etc. Or them getting compromised by criminals who then use their interception system to do that.
I think that is already happening, but the NBI's lack of sophisticated tools or at least hiring talented security experts (they don't have a budget), is preventing them to solve cases properly.
Our government even is floating the idea of creating a digital “great wall”. And we can't even tell Facebook to do this and that, instead Facebook is the one telling the government what they can and cannot do. /facepalm (I really hate we can't do something similar to the US and EU, re: Meta.)
argv minus one
I'm afraid of them slipping further malware into my machine through their HTTPS interception, stealing my credit card number, etc. Or them getting compromised by criminals who then use their interception system to do that.
Anyway, apparently this is a thing in the Philippines, whose government is basically organized crime, from what I've heard, so I guess this is on-brand.
Yohan Yukiya Sese Cuneta 사요한🦣
@argv_minus_one Yep, apparently inspired by it. For now, some politicians are just floating the idea… trying to gauge the reaction of everyone.
As for the budget, good luck. Haha. They'll probably get the ISPs, and other private entities, involved… since it's doubtful they'll get enough government budget to set it up.
(It took us two decades to pass a law mandating shared cell towers, and to put a ceiling to how many cell towers telcos can operate [and definitely not shared towers]; it took a President like Duterte to get that law passed.)
Then again, if the relationship between the Philippines and China did not sour after President Marcos Jr took over, China will probably help and fund the Philippines' great firewall.
argv minus one
Like the Chinese Great Firewall? Do they have *any idea* how much that would cost? 🤦♂️
Yohan Yukiya Sese Cuneta 사요한🦣
@djramones No worries. It was indeed very broad and inaccurate (and emotional LOL).
I wish more people are like them, when they see a warning, especially digital and something they're not knowledgeable about, they'll stop instead of clicking buttons. Less issues and headaches later. ^_^
D.J. Ramones
> Which is the point, it is possible and they can and will. It's why a VPN is important, it's the only solution that can stop them. ^_^
I kinda still disagree—because ISPs won't really be able to send the modified content if the user doesn't ignore the warnings. And to be fair I know of non-techie users who get sufficiently scared of warnings like the one for invalid certs to not just click on 'ignore'.
But yeah, it's also true that others aren't as careful, and that VPNs could give them an added layer of protection or privacy. I don't mean to invalidate your advocacy of VPNs 😅 I was just surprised at the implied claim that ISPs can tamper with encrypted HTTP traffic.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.