Yes, we scan
-
I'm looking for a way to encrypt all data streamed/transmitted to/from the Internet (due to the real problems with super high espionage from the U.S.).
The problem is that everything I'm looking into only works on a two-way basis, like VPN, IPsec, etc.
Is there no alternative to this aside from simple SSL (like HTTPS, SSH, etc.)?
Fernando
-
I'm looking for a way to encrypt all data streamed/transmitted to/from the Internet
Where are you sending this encrypted stream? Where is it going to be decrypted?
I think you may have described what you're trying to achieve incorrectly, or are trying to achieve something that's not possible. In any encryption system there must be two parties, an encryptor and a decryptor; not having both renders the information pointless. ;)
Steve
-
If your providers offer encryption you can set your system to use it. Many mail servers offer secure connections, the "HTTPS Anywhere" Firefox extension is helpful for the web, and a lot of stuff can be sent via SSH, but as Steve said it has to be available to you from the destination; you can't just enable it from your end.
-
I figured it.
So it is up to the IETF to do something, otherwise the Internet we have today will die or we'll need an Internet2 where crypto is mandatory for anything/everything.
-
If you're worried about (US) government "lawful" interception (and not e.g. some cybercriminal at a hotel's Wi-Fi hotspot attempting to steal CC data with a MitM attack), what good would "HTTPS everywhere" be, as long as the great majority of "ordinary" people will use a handful of sites (Google, Facebook, Microsoft, Skype, Yahoo, etc.) to create and process information?
Not to mention that as long as a government can strong-arm root CAs to cooperate, they can "spoof" and impersonate any site (unless you check the SHA1/MD5 fingerprints of the SSL certificate).
-
Also, encryption does no good when the government or crook has their tap inside the security at the other end. Encrypt your Facebook, Google or whatever traffic and it is safe on the Internet, but once it reaches them and they get served with subpoenas from the FISA court, they have to hand over your data while being prohibited from telling you about it.
Even if they don't get the data, your connection information can tell a lot about you and your contacts; traffic analysis and metadata analysis are goldmines of information if tapped and massaged properly.
-
Yes, and by encrypting everything in and out of your network you are just drawing attention to yourself. Whatever algorithm is analysing your traffic patterns at the NSA, you can be sure it will flag you for further analysis if it can't see any traffic. You need a sacrificial family member/house mate/colleague whose traffic you send in plain text to register some 'normal' use. ;)
Steve
-
Not to mention that as long as a government can strong-arm root CAs to cooperate, they can "spoof" and impersonate any site (unless you check the SHA1/MD5 fingerprints of the SSL certificate).
Now wait a second, I am confused by your statement. I understand, YES, you are correct. They could "spoof" and impersonate a site.
Correct me if I am wrong, but my understanding is that this does not mean they can decrypt the SSL packets going across the line with that same 'spoofed' certificate. It will not be the same as the cert you have on your machine; it can't be, as it was generated with your key file, and you do not provide the .KEY file to your registrar, and without that file the cert is useless… So unless the feds have hacked into my machine and stolen my entire SSL files and now have my SSL packets, they ain't getting shit across the line. But if they did, then YES they can now decrypt it. All my sites are TLS 1.0, AES with 128 bit encryption (High); RSA with 2048 bit exchange. I'm pretty sure that's damn secure.
-
If you and a few friends are operating a chat server, then a solid firewall and good crypto will help. Or, if you own your own phone servers and you guys all use that. In those scenarios where you OWN the servers and the clients are trusted, you could encrypt everything going in and out between the server and all clients and keep everyone inside a VPN 24/7, and so long as you generated all the crypto yourself and passed the certs out to your friends in person, you would probably be fine.
However, the problem you face is that SSL doesn't help when the OWNERS of the servers you are probably using (like Facebook, public email, public phone, etc.) are either freely handing over the contents of their servers to the government or being forced to (according to news).
Basically, to have any privacy you would need to own your own services and preferably those services would be non-logging.
-
Not to mention that as long as a government can strong-arm root CAs to cooperate, they can "spoof" and impersonate any site (unless you check the SHA1/MD5 fingerprints of the SSL certificate).
Now wait a second, I am confused by your statement. I understand, YES, you are correct. They could "spoof" and impersonate a site.
Correct me if I am wrong, but my understanding is that this does not mean they can decrypt the SSL packets going across the line with that same 'spoofed' certificate. It will not be the same as the cert you have on your machine; it can't be, as it was generated with your key file, and you do not provide the .KEY file to your registrar, and without that file the cert is useless… So unless the feds have hacked into my machine and stolen my entire SSL files and now have my SSL packets, they ain't getting shit across the line. But if they did, then YES they can now decrypt it. All my sites are TLS 1.0, AES with 128 bit encryption (High); RSA with 2048 bit exchange. I'm pretty sure that's damn secure.
Yes, they will be able to view your (plain-text) traffic. It's effectively a successful MitM attack (note: the same way people in this very forum discuss using Squid to transparently monitor/filter SSL traffic). The only way you could tell would be to compare SSL key fingerprints (e.g. the popular PuTTY SSH client does this by default and alerts you that a server you've connected to before has changed its SSL key).
As kejianshi wrote "to have any privacy you would need to own your own services".
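The fingerprint comparison described in the reply above (the PuTTY-style trust-on-first-use check that a CA-signed impostor certificate still fails), as an added Python example that is not from this thread or from pfSense. The function names `fingerprint`, `check_tofu` and `fetch_cert` are chosen here, the fingerprint store is an in-memory stand-in for a persisted known-hosts file, and the network part assumes some HTTPS host is reachable.

```python
import hashlib
import socket
import ssl
import sys
from typing import Dict, Optional

# Stand-in for a persisted known-hosts file (hypothetical; real use would
# write this to disk so the pin survives restarts).
known_fingerprints: Dict[str, str] = {}


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_tofu(host: str, cert_der: bytes,
               store: Optional[Dict[str, str]] = None) -> str:
    """Trust-on-first-use check on the leaf certificate itself.
    Returns 'new' (first sighting, pin recorded), 'match', or 'changed'.
    A certificate that chains to a trusted CA but differs from the pinned
    one still yields 'changed': chain validity is not what is being checked."""
    store = known_fingerprints if store is None else store
    fp = fingerprint(cert_der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return "new"
    return "match" if pinned == fp else "changed"


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the DER leaf certificate a server presents (needs network access).
    Normal chain validation stays on; the fingerprint check runs on top of it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Offline demo with constructed byte strings standing in for two DER certs.
    store: Dict[str, str] = {}
    print(check_tofu("site.example", b"constructed-cert-A", store))  # new
    print(check_tofu("site.example", b"constructed-cert-B", store))  # changed
    if len(sys.argv) > 1:  # optional live check: python pin.py some.host
        print(sys.argv[1], check_tofu(sys.argv[1], fetch_cert(sys.argv[1])))
```

Run it twice against the same host with the store persisted and a swapped certificate, however valid its chain, reports 'changed'.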
-
If you and a few friends are operating a chat server, then a solid firewall and good crypto will help. Or, if you own your own phone servers and you guys all use that. In those scenarios where you OWN the servers and the clients are trusted, you could encrypt everything going in and out between the server and all clients and keep everyone inside a VPN 24/7, and so long as you generated all the crypto yourself and passed the certs out to your friends in person, you would probably be fine.
However, the problem you face is that SSL doesn't help when the OWNERS of the servers you are probably using (like Facebook, public email, public phone, etc.) are either freely handing over the contents of their servers to the government or being forced to (according to news).
Basically, to have any privacy you would need to own your own services and preferably those services would be non-logging.
I can agree with this.
-
Yup. The most transparent administration ever. They openly spy and collect personal data on everyone (not just those of suspicion). What more transparency could one possibly ask or hope for?
Did you really think their idea of transparency was to be open and honest with you?
Facebook - Just Say No!
Cloud Storage - Just Say No!
Cloud Backup - Just Say No!
Twitter - Just Say No!
Social Media - Just Say No!
If you really want to do something to put a stop to all this government intrusion, you'll have to get enough people to stop using tech services and devices to impact the industry corporations financially. Then they will push back on the government. Until then they will continue being the government's right hand.
Social media was not designed and implemented for you. It is for the government to collect information.
-
There are basically only two entities who go to great lengths for secure communications:
Governments and criminal organizations (if there is a difference).
However, I would argue that everyone should, but good luck getting all your buddies to use secure XMPP chat behind a VPN when Facebook and Skype are so "cool". It must be the "smilies".
In the end your issue will not be "can I build a secure infrastructure on the cheap behind a pfSense box that does the job?".
That's the easier part. In the end your problem will be "How do I get all my buddies and pals to use the stuff when we communicate?".
-
Not encryption, but if what you are after is anonymity, check out TOR: https://www.torproject.org/
It relays your connection between several servers before getting to you so you can't be tracked; there are a few things that will reveal you though. See here: https://www.torproject.org/download/download.html.en#Warning
This is an interesting little project if you're interested in this kind of stuff: http://learn.adafruit.com/onion-pi/overview
I'd like to see a package or something for pfsense to add this functionality.
-
This attached comic seems to explain things…
http://www.foxtrot.com/2013/06/06302013/
-
That's way too spot on for me to laugh… But I may cry.
-
I saw something on data retention; I can't find it now, but apparently unencrypted data can only be kept for a short time period, while encrypted data can be kept forever.
TOR is interesting, but the fact that you are going there is very obvious. As to tracking your traffic from the entry point onwards, well, that is a complicated subject, but I'd not make the assumption that the TOR folks have defeated the NSA traffic analysis folks and computer trackers. Certainly not enough faith there for me to take the risk of doing anything illegal over TOR.
Public WiFi from random locations (avoiding security cameras and witnesses) from a clean machine to a public drop of some sort is still your best bet.
-
Data retention: Don't believe anything you hear. I am sure that everything is being kept forever to the extent that it is possible no matter what a lying government rep tells us. I figure they do whatever they can deny.
On TOR: TOR uses entry and exit nodes, and the traffic is split amongst the nodes and is usually hopped across 3 nodes. The nodes are biased based on speed. The faster connections usually end up assigned as exit nodes and entry nodes, the main nodes. To defeat TOR you would need to own these exit nodes and all the nodes in between. I can see where this might be possible if you paid a bunch of money to own a bunch of high speed nodes. I have mapped these nodes in the past. The highest concentrations with highest speeds seemed to be located around the Washington DC area and the Beijing area some years ago.
I suppose you could set up a set of MIX servers and spread them across Venezuela, Cuba, Iran and Moscow? $$$
-
I'm not sure you would need to own entry or exit nodes for traffic analysis if you owned or had access via FISA warrant to the routers that the nodes are connected to.
No reason to keep most stuff: suck it in, scan it, store the bits you are interested in in a "research" database and dump the original data. You have what you need on file and can skip the expense and hassle of storing the nonproductive stuff.