Recommend me a VPN. So many to choose from!

I would note that the TLS handshakes still include the hostname, like an HTTP Host header, it's called SNI. ESNI/Encrypted SNI isn't prolific yet. So, your provider can also glean the visited website hostname from the 443/TLS SNI, even if you've encrypted your DNS traffic.

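The SNI blind spot described in the post above, as an added example that is not part of the thread: a small parser that pulls the hostname out of a TLS ClientHello the way any passive on-path monitor can. Both functions and the minimal ClientHello they build are constructed for the demo, not captured traffic.

```python
"""Added example (not from the thread): what a passive on-path observer sees in
a TLS ClientHello. The hostname rides in clear in the SNI extension, so DoH/DoT
alone does not hide the visited site. The ClientHello is a constructed sample."""
import struct
from typing import Optional


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal ClientHello record, with or without an SNI extension."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni      # extension type 0 = server_name
    exts += struct.pack("!HH", 43, 3) + b"\x02\x03\x04"        # supported_versions; parser must skip it
    body = (
        b"\x03\x03" + b"\x00" * 32                   # client_version, random (zeroed for the demo)
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # one (null) compression method
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if the record is not
    a ClientHello, carries no SNI, or is truncated/malformed."""
    try:
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if record[0] != 0x16 or hs[0] != 0x01:      # not a handshake record / not ClientHello
            return None
        p = 4 + 2 + 32                                  # handshake header, version, random
        p += 1 + hs[p]                                  # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
        p += 1 + hs[p]                                  # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:                             # walk the extension list
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + ext_len]
            if ext_type == 0 and data[2] == 0:          # server_name, host_name entry
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("idna")
            p += 4 + ext_len
        return None
    except (IndexError, struct.error, UnicodeError):
        return None
```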
Good point! Though, as I noted, it's highly unlikely anybody is sniffing the traffic on the DOCSIS network unless they've been given reason to. DNS queries can be easily logged (and used to drive targeted ads and track browsing habits, if desired) by the ISP at the DNS server level, which is a fair bit easier and doesn't involve traffic inspection. @wwillson works for an ISP so I'd be curious to know if they are doing any form of traffic inspection on their consumer clients.

An example that kind of undermines my own above statement (LOL! 🤪): I know Cogeco here in Ontario tracks for specific port traffic and IP's to identify botnets and zombie clients and they also scan unencrypted torrent traffic to catch movies/music being pirated, so clearly with them, there is some traffic inspection taking place, though I suspect it's more "triggers/rules" based and not DPI.

Like DoH/DoT, I think we'll see ECH become common due to the obvious privacy blindspot SNI presents. My understanding is that they were having a hard time standardizing it, which is why it took so long to address?
 
I'd be curious to know if they are doing any form of traffic inspection on their consumer clients.
We do inspect for known botnets and will give a customer a chance to clean the nefarious application(s) from their home network before the port is shut down. On the commercial side it is well known that we log application port and protocol to detect anomalies in volumetric traffic. We can detect when new exploits are being tested and warn commercial clients of the exploit. For instance, a zero-day web server attack is being tested and perfected against Nginx. We will see it by looking for unusual amounts of port 80 or port 443 traffic (yeah, there is more to it than that), then tell commercial clients to expect an attack against the Nginx web server in the future.
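The per-port volume baseline the post above describes, as an added example (my code, not the ISP's tooling): each port's count in the latest bucket is compared with its own recent history and flagged when it sits several standard deviations above the mean. The hourly counts are constructed for the demo.

```python
"""Added example (not the ISP's tooling): flag a destination port whose flow count
in the latest time bucket is far above that port's own baseline, the kind of
volumetric anomaly the post describes. Sample counts are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# constructed: new flows per hour to each destination port, oldest bucket first
SAMPLE_BUCKETS = [
    {80: 1200, 443: 5100, 22: 40},
    {80: 1150, 443: 5300, 22: 35},
    {80: 1300, 443: 4900, 22: 45},
    {80: 1250, 443: 5000, 22: 38},
    {80: 1180, 443: 5200, 22: 42},
    {80: 9800, 443: 5150, 22: 40},   # latest hour: port 80 spikes
]


def port_anomalies(buckets, z_threshold=4.0, min_history=3):
    """Return {port: z_score} for ports whose latest count is at least z_threshold
    standard deviations above the mean of the preceding buckets."""
    history, latest = buckets[:-1], buckets[-1]
    if len(history) < min_history:
        raise ValueError("not enough history to form a baseline")
    series = defaultdict(list)
    for bucket in history:
        for port, count in bucket.items():
            series[port].append(count)
    flagged = {}
    for port, count in latest.items():
        past = series.get(port)
        if not past:
            flagged[port] = float("inf")   # port never seen before: no baseline, surface it
            continue
        sd = pstdev(past) or 1.0           # flat baseline would otherwise divide by zero
        z = (count - mean(past)) / sd
        if z >= z_threshold:
            flagged[port] = round(z, 1)
    return flagged
```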
 
I use Amplifi Teleport to get into my home router from elsewhere. Helps with Hulu, they are quite touchy with where I log in from.

I wish they had an app for Windows or Mac, but so far - iOS and Android only.
I have a Teleport hardware AP device that was amazing, but it's no longer made, and I can no longer force it to connect. It tries, but eventually fails the pairing no matter how many times I reset it and whatever the tech support would advise. Which is a pity, it used to work great and was a great concept.
 
it's highly unlikely anybody is sniffing the traffic on the DOCSIS network unless they've been given reason to.

It’s not done on the DOCSIS side, you do it on the Ethernet infrastructure. Depending on the provider, and their infrastructure, you can get it from analytics in carrier class DDOS equipment.

Either way, I’d trust my local ISP more than I trust VPN providers. Not that I have a lot of trust for either. I do use a VPN when I’m out (but not always), but I VPN back to my home network.
 
It’s not done on the DOCSIS side, you do it on the routed Ethernet infrastructure. Depending on the provider, and their infrastructure, you can get it from analytics in carrier class DDOS equipment.
I think @OVERKILL meant a regular Joe couldn't easily sniff the DOCSIS network. Once the traffic hits the carrier's access and core all bets are off. All US tier 1 providers have space in major POPs for those guys to inspect traffic.
 
VPN's are a scam. I can see some use-cases where you're trying to access geo-fenced material (ie - you're in country A but you need to be in country B to access something). But if that's not why you are using it, you need to be aware that most/many VPN's are using your IP to route traffic from other users, and a lot of times those users are bots, and bots do a lot of things on the net. Send spam, port scan, probe, scrape and hack web servers.

As I scan the logs of my own web server, I constantly see examples of residential IP's in G-7 countries that are used by bots to access my site. I know they are bots by (a) the user-agent they use, (b) the files they are trying to access, (c) their IP checks out in third-party databases (like spur.us). I've come across Starlink IP's that were part of 14 different VPN networks!

There is even a term that is used in the industry - "ethically sourced residential IP's". In other words, when you sign up to use their service, they tell you that your IP will be used as part of a network where other users will have access to your internet connection. Who those users are - they won't elaborate, but some of them will be paying to access the internet through your IP to perform bot-like activity. This phenomenon is talked about in some web-master forums.
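The three bot signals the post above lists (user-agent, requested files, third-party IP reputation), as an added example that is not the poster's own scripts: a scorer run over combined-format log lines. The log lines and the stand-in reputation set are constructed; a real check would query a service such as spur.us.

```python
"""Added example (not the poster's scripts): score web-server log lines with the
three signals named in the post. Log lines and the reputation set are constructed;
203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges."""
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
BOT_UA_HINTS = ("python-requests", "curl/", "go-http-client", "scrapy", "masscan")
PROBE_PATHS = ("/wp-login.php", "/.env", "/xmlrpc.php", "/phpmyadmin", "/.git/")
KNOWN_PROXY_EXIT_IPS = {"203.0.113.77"}   # constructed stand-in for a reputation lookup

SAMPLE_LOG = """\
203.0.113.77 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
192.0.2.9 - - [10/Oct/2023:13:56:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""


@dataclass
class Verdict:
    ip: str
    reasons: tuple

    @property
    def is_bot(self) -> bool:
        return len(self.reasons) >= 2   # require two independent signals, not one


def classify(line: str):
    """Return a Verdict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    ua = m["ua"].lower()
    if any(h in ua for h in BOT_UA_HINTS) or len(ua) < 12:   # tooling UA or bare stub UA
        reasons.append("user-agent")
    if any(m["path"].lower().startswith(p) for p in PROBE_PATHS):
        reasons.append("probe-path")
    if m["ip"] in KNOWN_PROXY_EXIT_IPS:
        reasons.append("reputation")
    return Verdict(m["ip"], tuple(reasons))


def scan(log_text: str):
    """Classify every parseable line of a log; unparseable lines are dropped."""
    return [v for v in map(classify, log_text.splitlines()) if v]
```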
Are these companies turning user IPs into TOR nodes?
 
This thread is off the rails. Dude asks about VPN, and before you know it, you guys throwing around acronyms and discussing things that only an IT person would understand. :confused:
 
For me, after using commercial and corporate VPNs for many years, I have found that Proton (paid) and Mullvad are the A listers in the market for the every day user. They both have a good history. I currently use Proton on every device all day every day but I wouldn't dis anybody that uses Mullvad. Why do I use it? I don't want my ISP, hotel, grocery store, coffee shop or airport Wifi, and others, watching every connection I make and selling that information. Plus they do filter many ads and malware. But don't be fooled that when you are surfing the internet you can be safe from certain governmental 3 letter agencies when you use a VPN. It's a tool that has advantages and a few drawbacks.
 
Are these companies turning user IPs into TOR nodes?
yes

Operators of internet-facing services that don't always know from which IP's their legitimate users will hit them will firstly create a blocking list of all known data-center IP's. So black hats reacted by creating networks of infected home/SOHO devices that can do many things (spam, DDoS, etc) but also be a VPN (a relay) from residential IP space. But planting malware is unpredictable and takes a lot of effort. Why not just get home/SOHO users to install your malware instead? Get them to think they need to be using a VPN for bogus ******** reasons. Now you've got a residential-based VPN network that you can rent.

If you want to go down this rabbit hole, here are some keywords to search for: Code 200 UAB and Oxylabs.
 