What should I be wary of regarding my ISP?

Got a new ISP. The service man seemed to configure my internet through his own personal phone. I am able to access the admin settings of my internet, but I really don’t know what to do with everything I’m seeing. I’d like to know what you guys do to secure your own internet.

I use a VPN with DNS over TLS.

In general, your internet is “secure” as in “your ISP can’t see what you do on specific websites, what you write into forms, or your passwords.” So, as long as you use HTTPS (or other encrypted protocols), your internet is “secure.”

When it comes to privacy, would it require me to take on other precautions? Or is it all the same?

  • The ISP knows your identity: You likely can’t change this.
  • The ISP knows when you use the internet: You likely can’t change this.
  • The ISP knows the amount of network traffic that you upload and download: You could add some artificial extra traffic, but why should you do this?
  • The ISP knows to which IP addresses you connect: You can use the Tor Browser (then, the ISP knows that you connect to the Tor network), or a VPN service provider (then, the VPN service provider learns everything as it is a new central entity in your network traffic).
  • The ISP (likely) knows which domains you access: You can switch to another DNS resolver. However, it always comes down to “the DNS resolver could log all of your DNS queries.”

This list is not intended to be exhaustive.

We still have to use ESNI or ECH to prevent DPI.

The “TLS Encrypted Client Hello” is still a draft and there is more to consider: https://tlswg.org/draft-ietf-tls-esni/draft-ietf-tls-esni.html#name-related-privacy-leaks. Keep in mind that ECH will very likely be TLS 1.3 only, while many web/application/mail/… servers still don’t support it (or maybe you use a TLS 1.2 client).

Even with a non-ISP DNS resolver, ECH everywhere, and all of these countermeasures, the ISP still sees the IP address of the server. If there is only one domain name behind this IP address, identifying the server’s identity is trivial.

I started learning about DNS today. Got myself NextDNS and I’m kinda obsessed. If it isn’t too much trouble, could you explain what ESNI, ECH and DPI are?

  • ESNI: Encrypted Server Name Indication was an attempt to encrypt the SNI extension of TLS. However, there is more than only unencrypted SNI in TLS, so it became part of the ECH proposal. ESNI is dead.
  • ECH: Encrypted Client Hello is the current attempt to encrypt the complete Client Hello in TLS 1.3 handshakes. It is still a draft, and it requires TLS 1.3 and server + client support in order to work. So, you very likely can’t use it at the moment. And as written before, it won’t be a magic bullet that removes all possible privacy leaks.
  • DPI: Deep packet inspection is just a generic term for looking into network traffic. Instead of only looking at general traffic information like IP addresses and ports, you look into all network layers that are present in a packet. This is unrelated to ESNI/ECH.

For completeness:

  • SNI: Server Name Indication is a TLS extension that is needed as soon as the server provides multiple domain names behind the same IP address and port. In this case, the server needs to know to which domain name your client wants to connect. Your client submits the domain name in the SNI extension, which is sent in cleartext. ECH encrypts the full Client Hello, which contains the SNI data. On the other hand, if a single domain name maps to a single IP address and port, no SNI is needed (but an eavesdropper knows immediately to which domain you connect due to the IP address and port).

And if you are completely new to TLS 1.3, look at https://tls13.ulfheim.net/.
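
To make the SNI point above concrete, here is an added example (not code from the original thread or from any of the posters) that builds a minimal TLS Client Hello and then parses the cleartext server_name extension back out of it the way any on-path observer could. The record layout follows RFC 5246/8446; the byte values, the host name example.com and the function names are constructed for this illustration. Without ECH, the host name is readable before any key exchange has happened, which is the “DPI sees the SNI” problem discussed in this thread.

```python
import struct

TLS_HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01         # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000    # extension type: server_name (SNI)
EXT_SUPPORTED_VERSIONS = 43 # extension type: supported_versions (TLS 1.3)


def build_client_hello(server_name=None, random_bytes=b"\x00" * 32):
    """Build a minimal ClientHello record (constructed sample, not a real capture).

    If server_name is given, a cleartext SNI extension is included, exactly as a
    browser would send it when the server hosts several names on one IP:port.
    """
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    versions = b"\x03\x04"                                        # advertise TLS 1.3
    sv = struct.pack("!B", len(versions)) + versions
    extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv

    cipher_suites = b"\x13\x01\x13\x02"   # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body = (
        b"\x03\x03"                       # legacy_version = TLS 1.2
        + random_bytes                    # 32-byte client random
        + b"\x00"                         # legacy_session_id: empty
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                     # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None.

    This is the view an ISP or DPI box has of the first packet of a TLS
    connection: everything here is unencrypted.
    """
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]

        pos = 2 + 32                                   # skip legacy_version + random
        sid_len = body[pos]; pos += 1 + sid_len        # skip session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len          # skip compression methods
        if pos + 2 > len(body):
            return None                                # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + ext_size]; pos += ext_size
            if ext_type != EXT_SERVER_NAME or len(data) < 5:
                continue
            list_len = struct.unpack("!H", data[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]; p += 3
                name = data[p:p + name_len]; p += name_len
                if name_type == 0:
                    return name.decode("idna")
        return None
    except (IndexError, struct.error):
        return None                                    # truncated or malformed record


if __name__ == "__main__":
    print("with SNI:   ", extract_sni(build_client_hello("example.com")))   # example.com
    print("without SNI:", extract_sni(build_client_hello(None)))             # None
```

The second call shows the other half of the point made in the SNI bullet: a client talking to a server that serves a single name behind one IP:port may omit SNI entirely, and then the name is not in the packet at all, but the destination IP and port still identify the server just as well.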

The ISP knows when you use the internet: You likely can’t change this.
The ISP knows the amount of network traffic that you upload and download: You could add some artificial extra traffic, but why should you do this?

The latter helps with the former? Even better if we all ran Tor nodes?

This may be an option for you, but there are people who only own a smartphone to access the internet or have limited/expensive data traffic.

It can be used to block or slow down specific websites, or to keep logs of visited websites.

Which is the reason this is a threat to net neutrality.

This may be an option for you, but there are people who only own a smartphone to access the internet or have limited/expensive data traffic.

In context here we’re talking about someone who can afford an ISP at home. If you can afford a smartphone, you can afford a Raspberry Pi…

The Raspberry Pi might not be available in every country and its price depends on your location. It isn’t the same everywhere. In certain countries, you get very cheap (and insecure) Chinese smartphones, but no Raspberry Pi.

In many developing countries, you don’t have an “ISP at home,” especially in rural areas. There, people only have their cheap smartphones with a SIM card and a mobile carrier.

If one was incredibly paranoid, I bet you could use a VPN on your home router, then set up an I2P router on a machine in the house that is always running and that would generate constant traffic, so it might be hard to tell when the user was using the internet… possibly?

To answer OP’s question: your internet traffic is generally “secure” due to encryption with things like HTTPS, but the metadata is not. Think about this: Are you worried about your ISP and potentially your government having logs of your metadata? If this is not a worry, carry on and enjoy the internet. If this is a worry, then think about using things like Tor or a VPN to give much less metadata. At that point they know you are using the internet, via Tor or your VPN provider, but not other metadata. Tor is my preferred option.

The OP is about an ISP, not cell-service-only in rural countries. Is “ISP” used differently?

“Cheap single board computers that could run FreedomBox” was shortened to “raspberry pi.” Surely they can be found almost everywhere with participants on this forum.

The recommended “Pioneer” hardware is from Bulgaria. Or at least designed and sold from there.