ISP Snooping — 2
I am looking into ways to avoid ISP snooping. For my online usage I identified four notable challenges with thwarting an ISP.
- DNS queries
- RSS feeds
- My blog
Protecting email is a mess.
By default email is transferred and stored in plain text. Using SSL/TLS prevents viewing the contents of an email during transport, but does not encrypt the meta data (headers and subject line). A snoopy ISP could learn much about a person with only the meta data.
SSL/TLS is good only for first hop and thereafter only temporarily. Unless encrypted at the source the packets are encrypted and decrypted at each hop. Without source side encryption such as PGP, emails at rest on a server are plain text. Encryption is possible but challenging to use.
Webmail interfaces using HTTPS prevent an ISP from snooping the contents but emails remain at rest on that provider’s servers. Many email providers do not encrypt emails. Using webmail with an email account provided by the ISP allows the ISP to snoop content if the mails are stored in plain text.
I seldom use ISP DNS servers, but that does not prevent an ISP from sniffing queries to other DNS servers.
Happily all of my RSS feeds connect using HTTPS. Unhappily, each feed request reveals my habits because the top level domain name is revealed.
At my blog I use an online alias. My blog content is “safe for work.” I'm not that interesting, but conversely there is no reason for anybody outside my circle of trust to know this information. I update the site only through SSH, but the SSH connection reveals the destination IP address. A snoopy ISP could learn that I visit the site often and surmise that I am the owner of the site.
For other people there is the concern of operating a controversial blog or web site.
Other potential concerns include using my laptop. I'm not an internet cafe person, but sometimes I take my laptop with me when I travel. Mostly when visiting family. While using the laptop in that manner avoids a privacy invasive ISP, using the laptop in that manner introduces its own set of privacy and security challenges.
Another concern is future remote employment. Many employers require using a company virtual private network (VPN) to access the infrastructure. Many companies use common online portals such as Github. I would want to prevent a privacy invasive ISP from being able to snoop that access.
Another concern is visitors to the house. Controlling how other people access the internet is a challenge. While an IP address is not evidence of who was behind a connection, ISP subscription agreements are adhesive and written to protect the ISP.
I have a good grasp of my internet habits, such as web sites and forums I visit regularly, DNS query exposure, and those plain text emails. Although, for example, an ISP could see that I visit reddit, discerning deeper details about my identity and which subreddits I visit requires significant fingerprinting efforts.