this post was submitted on 16 Mar 2024
757 points (98.5% liked)
Technology
59284 readers
4937 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The TLS handshake will generally -- through there are some ways to avoid this, and people are banging on it -- expose hostnames in the clear. So even if the IP address that you're talking to serves multiple virtual hosts, your ISP is likely to know who it is that you're talking to.
https://en.wikipedia.org/wiki/Server_Name_Indication
Even if your browser is using DNS-over-HTTP, which it may or may not be doing, most software doesn't, so outside of your browser, DNS is generally visible.
Some protocols still are not encrypted; I was looking at MUDs the other day, and few of them support encrypted connections. The networks that I'm most worried about are random WiFi access points, and VPNs solve that well.
The network provider can still see which addresses and ports someone is connecting to and to where the traffic goes, and how much traffic is sent.
Some network providers blacklist material -- as is the case in OP's article. For example, one of my first experiences on the Threadiverse was kbin sending me to a random discussion on policy that Ada (the lemmy.blahaj.zone admin) was having with some gay user who lived somewhere in the Middle East. Lemmy.blahaj.zone had been blocked in that country -- the country presumably didn't like something related to the server having LGBT content. The Threadiverse is semi-resillient to that -- they could still connect to a federated server and see comments. But it meant that images on lemmy.blahaj.zone were blocked in that country.
For another contemporary example, Russia has cracked down on politics online. Can't block access to content without killing off VPNs, and they went after those too.
For people who maintain a long-running IP address, it's possible to cross-correlate logs from various services. So, okay, let's say that a given IP address has been logged downloading BitTorrent content. That same IP address is linked to, at various times, use of an app where a particular unique phone ID has shown up, or maybe that a user has logged into some account service on, which is linked to personal information. Even a party who is not someone's ISP can cross-correlate logs using the IP. A VPN doesn't absolutely avoid that, but it makes it harder.
Without a VPN, anyone can get at least a rough geographical location of a user by geolocating their IP address. IPv4 scarcity has made this harder than it once was, reduced geography/address correlation, but I expect that IPv6 will make it easier.
People don't need to write their network software securely. Your cool multiplayer network game may-or-may not be encrypted and may-or-may-not be resillient to modified network traffic. If there are buffer overflows in how Quake or whatever handles network traffic, I'd rather not let the network provider be an attack vector. This has been exploited before, and while a typical ISP probably isn't generally a real risk, I'd trust random WiFi networks a lot less. A VPN will get cleartext traffic off their network.
Probably more, but that's some off-the-cuff.
My isp uses cg-nat, and many others do too, so source ip is hidden from most except for my isp, which I have a contract agreement with.
As someone that manages networks and security, you know what piques my interest? When I see hosts using vpn. I look up the host using the service, the service in use, and see what other interesting things are happening.