Networking Encryption Security

Encrypted Traffic No Longer Safe From Throttling

coderrr writes "New research could allow ISPs to selectively block or slow down your encrypted traffic even if they cannot snoop on your transmitted data. Italian researchers have found a way to categorize the type of traffic that is hidden inside an encrypted SSH session to around 90% accuracy. They are achieving this by analyzing packet sizes and inter-packet intervals instead of looking at the content itself. Challenges remain for ISPs to implement this technology, but it's clear that encrypting your traffic inside an SSH session or VPN connection is not a solution to protect net neutrality."
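The summary's core claim is that size and timing alone carry enough signal to label what is inside an SSH session. The following is an added illustration, not code from the Italian paper or from any ISP product: it builds a small nearest-centroid classifier over constructed traces. The three traffic profiles, their size and gap parameters, and the five per-flow summary features are all assumptions chosen to make the mechanism visible; the paper's own statistical model is not reproduced here.

```python
import random
import statistics
from typing import Dict, List, Sequence, Tuple

# Constructed per-class profiles (assumed for illustration, not figures from the
# paper): (size mean, size sd) in bytes and (gap mean, gap sd) in seconds.
PROFILES: Dict[str, Tuple[float, float, float, float]] = {
    "ssh-interactive": (64, 8, 0.25, 0.15),       # keystroke echo: tiny packets, human pacing
    "sftp-bulk":       (1448, 20, 0.001, 0.0005),  # MTU-sized segments sent back to back
    "http-over-ssh":   (700, 400, 0.02, 0.03),     # mixed sizes, bursty page loads
}


def synth_trace(label: str, n: int, rng: random.Random) -> Tuple[List[int], List[float]]:
    """One constructed unidirectional trace: n packet sizes and n-1 inter-packet gaps."""
    size_mu, size_sd, gap_mu, gap_sd = PROFILES[label]
    sizes = [max(40, min(1500, round(rng.gauss(size_mu, size_sd)))) for _ in range(n)]
    gaps = [max(0.0, rng.gauss(gap_mu, gap_sd)) for _ in range(n - 1)]
    return sizes, gaps


def features(sizes: Sequence[int], gaps: Sequence[float]) -> List[float]:
    """Summarise the two raw attributes (packet size, inter-arrival time) per flow."""
    return [
        statistics.mean(sizes),
        statistics.pstdev(sizes),
        statistics.mean(gaps),
        statistics.pstdev(gaps),
        sum(1 for s in sizes if s >= 1400) / len(sizes),  # share of full-size segments
    ]


class NearestCentroid:
    """Minimal classifier: z-score each feature, then pick the closest class mean."""

    def __init__(self) -> None:
        self.mu: List[float] = []
        self.sd: List[float] = []
        self.centroids: Dict[str, List[float]] = {}

    def _scale(self, x: Sequence[float]) -> List[float]:
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def fit(self, samples: List[Tuple[str, List[float]]]) -> "NearestCentroid":
        cols = list(zip(*[f for _, f in samples]))
        self.mu = [statistics.mean(c) for c in cols]
        self.sd = [statistics.pstdev(c) or 1.0 for c in cols]
        by_label: Dict[str, List[List[float]]] = {}
        for label, f in samples:
            by_label.setdefault(label, []).append(self._scale(f))
        self.centroids = {
            label: [statistics.mean(c) for c in zip(*rows)]
            for label, rows in by_label.items()
        }
        return self

    def predict(self, f: Sequence[float]) -> str:
        x = self._scale(f)
        return min(
            self.centroids,
            key=lambda lbl: sum((a - b) ** 2 for a, b in zip(x, self.centroids[lbl])),
        )


def train_and_score(n_train: int = 30, n_test: int = 20, pkts: int = 200,
                    seed: int = 1) -> Tuple[NearestCentroid, float]:
    """Train on constructed traces, then return the classifier and held-out accuracy."""
    rng = random.Random(seed)
    train = [(lbl, features(*synth_trace(lbl, pkts, rng)))
             for lbl in PROFILES for _ in range(n_train)]
    clf = NearestCentroid().fit(train)
    test = [(lbl, features(*synth_trace(lbl, pkts, rng)))
            for lbl in PROFILES for _ in range(n_test)]
    hits = sum(clf.predict(f) == lbl for lbl, f in test)
    return clf, hits / len(test)


def predict_fresh(clf: NearestCentroid, label: str, seed: int) -> str:
    """Classify a brand-new constructed trace of the given class from only its sizes and gaps."""
    return clf.predict(features(*synth_trace(label, 200, random.Random(seed))))


if __name__ == "__main__":
    clf, acc = train_and_score()
    print(f"held-out accuracy on constructed traces: {acc:.2f}")
    print("fresh sftp trace classified as:", predict_fresh(clf, "sftp-bulk", 7))
```

Nothing in the block looks at a payload byte; the classifier sees only lengths and timestamps, which survive SSH, VPN and BitTorrent MSE/PE encryption unchanged. The constructed profiles are far more separable than real traffic, so the accuracy here says nothing about the paper's 90% figure; it only shows what is being measured.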
  • Non-timing critical? (Score:3, Interesting)

    by jaminJay ( 1198469 ) on Monday June 30, 2008 @08:28AM (#23998703) Homepage

    If the application is not time-critical, introducing random jitter would go some way to subverting this, no?

  • by Fryth ( 468689 ) on Monday June 30, 2008 @08:53AM (#23998899)

    You'd think that's how they're doing it, but it doesn't seem to be the case. Rogers customer here, and my SFTP (FTP over SSH) connections go at full-tilt, while BitTorrent has slowed down to a crawl (0-1 KB/sec) on my connection in the past (yes, using the latest uTorrent/Azureus Vuze client, with standard BT MSE/PE encryption enabled).

    I don't know what's going on, but I suspect they've already figured out something that these Italian guys are researching now, and they've been able to identify BitTorrent from other encrypted traffic.

  • by Andy Dodd ( 701 ) <atd7NO@SPAMcornell.edu> on Monday June 30, 2008 @09:14AM (#23999121) Homepage

    Actually, encrypted or not, the way the Sandvine (I think that was the name?) system used by Comcast worked was it just did a traffic analysis - If your upload connection was more than X% saturated for N seconds, the Sandvine appliance would start spoofed RST injection to kill off connections. The only way around this would be a full blown VPN that used an encrypted transport layer. (Encrypted BitTorrent, SSH, and nearly all encrypted protocols except the various VPN systems are an encrypted application stream over an unencrypted TCP session. Even some VPNs use an unencrypted TCP session to tunnel through, making them vulnerable to RST injection.)
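The point above is that an encrypted application stream over plain TCP still exposes its TCP headers, so a middlebox can forge a RST "from" the remote peer and the stack will honour it. An added example, not part of the comment or of any Sandvine analysis: a check a user can run over their own capture. It assumes the common heuristic that a forged RST originates a different number of hops away than the real peer, so its IP TTL does not match the TTLs the peer used earlier in the flow; the packet records and the `Pkt`/`suspect_rsts` names are constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    dst: str
    ttl: int
    flags: str  # tcpdump-style flag letters, e.g. "S", "SA", "PA", "R"


def suspect_rsts(pkts: List[Pkt], slack: int = 0) -> List[Pkt]:
    """
    Flag RST segments whose IP TTL does not match (within `slack`) any TTL
    previously seen on non-RST segments from the same (src, dst) pair.
    Heuristic, assumed here: a forging middlebox sits at a different hop
    distance than the real peer, so its TTL differs; the peer's own RST matches.
    """
    seen: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    flagged: List[Pkt] = []
    for p in pkts:
        key = (p.src, p.dst)
        if "R" in p.flags:
            known = seen.get(key, set())
            if known and all(abs(p.ttl - t) > slack for t in known):
                flagged.append(p)
        else:
            seen[key].add(p.ttl)
    return flagged


# Constructed sample, not a real capture: a peer session whose remote side
# has consistently shown TTL 52, then a RST claiming to be from that peer
# with TTL 61, then the peer's genuine RST at the end of the session.
SAMPLE: List[Pkt] = [
    Pkt(0.000, "192.0.2.10",  "203.0.113.5", 64, "S"),
    Pkt(0.031, "203.0.113.5", "192.0.2.10",  52, "SA"),
    Pkt(0.031, "192.0.2.10",  "203.0.113.5", 64, "A"),
    Pkt(0.200, "203.0.113.5", "192.0.2.10",  52, "PA"),
    Pkt(0.205, "192.0.2.10",  "203.0.113.5", 64, "PA"),
    Pkt(0.210, "203.0.113.5", "192.0.2.10",  61, "R"),   # TTL mismatch: suspect
    Pkt(9.800, "203.0.113.5", "192.0.2.10",  52, "R"),   # genuine close by the peer
]


if __name__ == "__main__":
    for p in suspect_rsts(SAMPLE):
        print(f"suspect RST at t={p.ts:.3f}s from {p.src}: ttl={p.ttl}")
```

Use a non-zero `slack` if routes to the peer flap by a hop or two; a TTL match does not prove the RST is genuine, since an injector that copies the observed TTL is not caught, and an IP-ID or TCP-timestamp discontinuity is a second signal worth checking the same way. The underlying weakness stands as the comment says: only a tunnel that authenticates the transport headers themselves (a full VPN) removes the injection point rather than merely detecting it.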

  • by petes_PoV ( 912422 ) on Monday June 30, 2008 @09:21AM (#23999209)
    > have found a way to categorize the type of traffic that is hidden inside an encrypted SSH session ... They are achieving this by analyzing packet sizes and inter-packet intervals instead of looking at the content itself

    And in the next release (or two) of SSH implementations, this weakness will, no doubt, be fixed.

    Professional cryptographers have known for decades that you don't just switch on your transmitter when you want to send a secret message - no matter how well encrypted it is. The mere fact of traffic is frequently a sizeable tell-tale itself. Instead, you keep your transmitter on 24*7 sending encrypted garbage, with the ability to interleave genuine messages when the need arises. I'm sure that in a short time, the SSH people will remove the ability to profile the transmission to glean anything usable from it.

  • Re:Why bother? (Score:5, Interesting)

    by aplusjimages ( 939458 ) on Monday June 30, 2008 @09:28AM (#23999301) Journal
    how would this work for gaming online? 16 different IP destinations and I play for hours on end. My understanding of Xbox Live is that it is P2P and if they throttle my Halo 3 game, I'm gonna get pwned even more than normal.
  • by Manitcor ( 218753 ) on Monday June 30, 2008 @09:31AM (#23999325) Homepage

    1. Not always true, depends on your provider. Having had various consumer and business packages in the past, most ISPs only push you to a business package if you:

    a. Want a static IP
    b. Want to run any kind of server

    2. In the age of 20mbps consumer connections there is no need for someone who just needs legitimate heavier usage of the connection to not use it. I transfer 100's of gigs a month to and from datacenters around the country for my job. Granted I can get my company to help subsidize that but if I found out my ISP was throttling me I would more than likely take my business elsewhere. I would rather have my company pay for an expensive business package with another provider than give more money to a provider that actively wants to screw me over.

    Contractors have an even bigger problem as they don't get their connections subsidized (trust me the tax refund isn't much).

    So far my ISP has been pretty good, I called about bandwidth issues once or twice and when asked if I was downloading movies I explained to them what I do. When the rep realizes you're just another guy trying to do his job you get all sorts of help.

  • net neutrality (Score:2, Interesting)

    by jaymunro ( 906707 ) on Monday June 30, 2008 @09:34AM (#23999345) Homepage
    Call me a troll, and I don't usually comment, however I don't think this is what "net neutrality" is about. If you want to be able to download anything and interrupt other people who want to surf freely, that is one thing, but if you just want to be able to surf freely without restriction being imposed by ISPs and such, that is a totally different kettle of fish.
  • by dyfet ( 154716 ) on Monday June 30, 2008 @09:34AM (#23999355) Homepage

    Actually, strange you should suggest this, I was working on a small and rather generic package to tunnel data between hosts in this very way, constant rate/constant packet size tunneling, with empty data filled with random noise, and with non-packet-aligned encrypted data overlaid when there is data to actually send. I was going to call it tstunnel. Yes, it is somewhat of an extreme response to an extreme problem.
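The constant-rate, constant-size scheme sketched in this comment (and the "always transmitting" idea a few comments up) is the one countermeasure that removes both features the classifier uses rather than just adding noise to them. Below is an added example of the shaping layer only, not tstunnel's code and not an SSH change: every tick it emits one fixed-size cell into the tunnel, carrying however much real data is queued (possibly none) plus filler, so an observer sees one size and one gap no matter what the application does. The cell size, tick interval, two-byte length prefix and sample messages are all assumptions; the cell would be handed to the encrypted transport, which is what hides the prefix and the filler.

```python
import os
import struct
from typing import List, Tuple

CELL_BYTES = 512       # assumed fixed size of every cell on the wire
TICK_SECONDS = 0.010   # assumed constant interval between cells
LEN_HDR = 2            # big-endian byte count of real payload inside the cell
CAPACITY = CELL_BYTES - LEN_HDR


def shape(messages: List[Tuple[int, bytes]], n_ticks: int) -> List[Tuple[float, bytes]]:
    """
    Produce exactly n_ticks cells of CELL_BYTES, one every TICK_SECONDS, whatever
    the application sends. `messages` are (arrival_tick, payload). Idle ticks carry
    zero real bytes and random filler; a message larger than CAPACITY is spread
    over consecutive ticks. Data still queued after the last tick is not sent.
    """
    pending = sorted(messages, key=lambda m: m[0])
    queue = bytearray()
    wire: List[Tuple[float, bytes]] = []
    for t in range(n_ticks):
        while pending and pending[0][0] <= t:
            queue += pending.pop(0)[1]
        n = min(len(queue), CAPACITY)
        chunk = bytes(queue[:n])
        del queue[:n]
        cell = struct.pack(">H", n) + chunk + os.urandom(CAPACITY - n)
        wire.append((t * TICK_SECONDS, cell))
    return wire


def unshape(wire: List[Tuple[float, bytes]]) -> bytes:
    """Receiver side: strip the filler and reassemble the application byte stream."""
    out = bytearray()
    for _, cell in wire:
        (n,) = struct.unpack(">H", cell[:LEN_HDR])
        out += cell[LEN_HDR:LEN_HDR + n]
    return bytes(out)


def wire_profile(wire: List[Tuple[float, bytes]]) -> Tuple[set, set]:
    """What an on-path observer can measure: the set of cell sizes and the set of gaps."""
    sizes = {len(c) for _, c in wire}
    gaps = {round(wire[i + 1][0] - wire[i][0], 6) for i in range(len(wire) - 1)}
    return sizes, gaps


def occupancy(wire: List[Tuple[float, bytes]]) -> List[int]:
    """Real bytes carried by each cell; only the endpoints can see this."""
    return [struct.unpack(">H", c[:LEN_HDR])[0] for _, c in wire]


# Constructed sample traffic: a short request, a 1200-byte burst, a trailer.
MESSAGES: List[Tuple[int, bytes]] = [
    (0, b"GET / HTTP/1.1\r\n"),
    (3, b"A" * 1200),
    (50, b"bye"),
]


if __name__ == "__main__":
    busy = shape(MESSAGES, 60)
    idle = shape([], 60)
    print("busy link profile:", wire_profile(busy))
    print("idle link profile:", wire_profile(idle))
    print("per-cell payload (endpoint view):", occupancy(busy)[:8], "...")
```

The cost is exactly what the later comments predict: the link carries CELL_BYTES every TICK_SECONDS (about 400 kbit/s with these constants) whether or not anything is being sent, and goodput is capped at CAPACITY per tick, so the 1200-byte burst above takes three ticks to drain. Random jitter alone, by contrast, changes the gap distribution without removing it, and leaves packet sizes untouched.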

  • by omnirealm ( 244599 ) on Monday June 30, 2008 @09:53AM (#23999609) Homepage

    > introducing random jitter would go some way to subverting this, no?

    Exactly. I took a few minutes to glance over the paper. Their feature extraction stage consists of two predictable attributes: packet size and time between packets. Modifying the traffic sent at the application layer (SSH itself does not even need to be touched) can trivially ambiguate the extracted features so as to throw off the classification attempt. This is simply a road bump; as soon as it gets into use, application-layer proxies will pop up to circumvent it.

    They also seem to have invented their own home-brew statistical analysis. I was disappointed that they did not go into detail as to why they largely ignored the entire field of Machine Learning (NaiveBayes? Perceptron? kNN? Why not try using these?) when coming up with their classification model.

  • by Fryth ( 468689 ) on Monday June 30, 2008 @10:07AM (#23999859)

    That's interesting, that might be how they're doing it. I heard from some folk who claim success by encrypting the tracker communications only, by sending them over a VPN [secureix.com].

  • by Migraineman ( 632203 ) on Monday June 30, 2008 @10:11AM (#23999929)
    Exactly. If you look at the FIPS 140 documents [wikipedia.org], you'll see layers of data- and physical-security that need to be implemented. Currently, the SSH folks are only considering the raw data encryption requirement at the endpoints. The ISPs' analysis techniques will force the SSH folks to consider the end-to-end link as a single unit, and they'll implement more structures to deny the ISPs any visibility. I fully expect such a move to cost the ISPs more bandwidth. "All these channels look like random data, all the time." Yep.
  • Re:Why bother? (Score:4, Interesting)

    by fast turtle ( 1118037 ) on Monday June 30, 2008 @10:33AM (#24000251) Journal

    My ISP already throttles my connection by price. I've currently got 256/768 as that suits my needs. If they were to start throttling any more of my net access (I'm paying for unlimited at 256/768) I'd have their asses in court in a hurry for false advertising and violation of contract, which I have kept the hard copy of from the day I signed up for service.

    I was one of the first adopters to get broadband when it became available 6 years ago in my area and according to the original contract (have hardcopy on file) they planned offering tiered service with it being a simple change in minimum speeds and thus not requiring a new contract. I also informed them that I'm worse than a squeaky wheel, I'm like a brake that's gone metal to metal since I'm semi-retired and disabled with plenty of time on my hands to pursue things every time they try to change my contract without consent.

  • Re:Why bother? (Score:5, Interesting)

    by TheLink ( 130905 ) on Monday June 30, 2008 @11:01AM (#24000859) Journal
    1) Those plugins don't do very much uploading whereas bittorrent users do.
    2) Those plugins that do "fetch ahead" tend to stick to fetching from the same few sites - they may make lots of connections but they are to the same few sites (ad webserver, content webserver, icon/widget server etc), and they stop at some point - otherwise your browser would be downloading the entire internet (and AFAIK they don't do that). And really they definitely don't upload much.

    Personally I think the US ISPs are scumbags not because they throttle, but because it seems they took USD 200 billion and promised to deliver 45Mbps up/down.

    But after taking that 200 billion, more than ten years later their users have still only got DSL and cable, and they're getting throttled.

    Too bad most of the users don't appear to know how screwed they really got. They should ask for the ISPs to build the infrastructure NOW.

    But I suppose given a big enough crime, you are more likely to get away with it :).

    Cheat one person of money and it's jail time. Cheat 10 people and it's longer jail time. Cheat 100000 people, and you become a rich CEO and the board gives you a big fat bonus.

    Kill one person you get a life sentence or death row. Kill 20 people, people start asking for you to be executed. Get thousands of people killed, who knows you might get elected president :).
  • by kenp2002 ( 545495 ) on Monday June 30, 2008 @11:03AM (#24000889) Homepage Journal

    Okay, before everyone starts their throttling engines for war please remember the following:

    A: ISP's are not throttling data because of bandwidth, they are throttling because of latency. If you do not understand the difference, here is a simple way to look at it

    A router can handle a million packets a second, let's say. Whether the packet is a size of 10 or a size of 1000 it still can only handle a million packets. Bandwidth is how many seats on the bus (or if all the buses had the same number of seats, how many lanes on the road), latency is how fast the bus is going. A router is a toll gate. Too many buses, regardless of how many seats, will bog down the toll gate. P2P is very chatty in the number of packets and depending on how it sliced the data, lots of big chunks, or a whole hella lot of small chunks. Either way the guy working the toll gate is going to go postal at some point.

    B: Encryption, your rights online, data type, freedom, and all of that spurious crap we like to toss around means nothing when: "You sign a contract." While I am not a lawyer I am an informed customer (I read the small print). When you sign up for Internet service, regardless of what you feel, or in fact what your rights are, you can and do sign most of those away when you sign up for a commercial service. If they say that you cannot encrypt your P2P traffic and you do; thus losing your service... that is more than acceptable under most nations' idea of contract law. You have no right to privacy if you sign a contract that gives them the right to look.

    Keeping A & B in mind please feel free to march forward with your discussions but, the most important thing to remember, is point A. Telling people there is plenty of bandwidth has LITTLE IF ANYTHING to do with throttling as far as I can tell. I watched 3 hearings on CSPAN and not one rep from the big three telecoms mentioned BANDWIDTH as a reason, but I did hear 18 engineers talk about routers, MTU initiated fragments, and total packets per second capacities on core routers, and I did keep count of bandwidth vs. latency.

    Bandwidth Mentioned: 34 times
    Latency: 400+ times (I ran out of chicken scratch space on the page and gave up...)

    Now I admit I did doze off after 30 minutes of an engineer trying to explain to a senate committee the difference between TCP and UDP but I am human after all.

    Now certainly there is some complexity in latency and bandwidth in how they are related and from what I have heard fiber does take care of a lot of the latency issues (signal to noise ratio seemed to be a big talking point from some AT&T engineer who looked like Dracula) so feel free to toss that into the discussions.

    But seriously, this whole filtering stuff has nothing to do with bandwidth, so please, please, please, stop with the bad 3rd party reporting. We have already seen on /. that the ISPs aren't hurting for bandwidth.

    Getting accurate information from the mainstream press on Internet filtering is like asking a caveman to fix your car... all he's gonna do is smash it with a rock.

  • by Shakrai ( 717556 ) * on Monday June 30, 2008 @11:10AM (#24001023) Journal

    No, it's not. But it could be a defense with the FCC/Congress or other regulatory agencies. Just wait until some Congresscritter can't VPN back into his office because of a policy like this -- that's when attention will start being paid to these issues.

    Kind of like how nobody in power gave a shit about the Gestapo^WTSA until some Congressman/Senator had to take HIS shoes off or found HIMSELF on the no fly list.

  • Re:Correction... (Score:4, Interesting)

    by IGnatius T Foobar ( 4328 ) on Monday June 30, 2008 @11:14AM (#24001093) Homepage Journal

    Really, last-mile networks should be owned and run by the neighbourhoods, or failing that at least be considered infrastructure. Really, today a working broadband connection is basic infrastructure like electric power, water, sewage and roads. (It's not -equally- crucial as those, but it's crucial nevertheless; I doubt a house with -no- telecom connection of any sort would find many buyers.)

    The ultimate solution would be to ban last-mile owners from providing any services at all. No voice, no video, no data. They exist to provide copper and/or fiber to subscriber premises, and to operate central offices as colocation facilities. That's all. Nothing else.

    Then, anyone who wants to provide services, simply colocates their head end equipment at the central offices in areas where they wish to provide service. At that point it doesn't matter whether they're offering video, voice, data, local or long distance, Internet or private lines, it just doesn't matter because the central office is shared between as many providers as will fit in the building.

    We need to separate the last mile land-use monopoly from the services being provided. There should be no such thing as an ILEC.

  • by Adeptus_Luminati ( 634274 ) on Monday June 30, 2008 @11:37AM (#24001593)

    You'd think those ISPs *cough* Shaw Cable *cough* would have learned the lesson by now. That lesson should have been wastin... I mean spending, MILLIONS and MILLIONS on products like Sandvine to try to throttle bittorrent only to find out a few months later people were bypassing it with encryption.

    So now some Italians can identify prediction based on packet size etc... watch ISPs spend many more Millions implementing this, then the torrent client software guys simply change 10 lines of code, recompile and voila... Millions down the drain for ISPs!

    So go ahead, make my day! Just don't try to pass off those costs in your monthly bills to me.
    Adeptus

  • Illegal? (Score:3, Interesting)

    by kextyn ( 961845 ) on Monday June 30, 2008 @11:56AM (#24001937)
    When did P2P become illegal? It seems like every comment on this story talks about P2P like it's evil and needs to be stopped. I pay for an unlimited connection to the internet with a max speed of 30Mbps. I should be able to download and upload legitimate data as often as I'd like. And I do have a computer seeding torrents 24/7 which are completely legal. If Verizon doesn't like the fact that I'm constantly using most of my available upload then they should change the contract to say I can't do it. So far they haven't had any problems.
  • Workaround... (Score:2, Interesting)

    by Nuitari The Wiz ( 1123889 ) on Monday June 30, 2008 @12:11PM (#24002213)

    I wonder if doing
    ifconfig ppp0 mtu 73

    Would bypass that shaping?

  • by John Sokol ( 109591 ) on Monday June 30, 2008 @01:12PM (#24003347) Homepage Journal

    I worked on implementing Error correction codes over IP some time back http://www.ecip.com/ [ecip.com]

    This is what we would call part of a family of Rude protocols that would do reverse Throttling.

    All of these ISP are counting on TCP being polite, but it's also counting on the network being passive or at least polite as well.

    In our case we originally implemented ECIP and SPAK when we had a 100KBPS video stream and 99KBPS gave us nothing but garbage. Since video is all or nothing. http://www.videotechnology.com/jessem/all_or_nothing.html [videotechnology.com]

    But with ISP taking a hostile approach, application writers could also start talking a more aggressive approach in a sort of arms race.

    I know everyone has been afraid of this, but I feel that this is indeed a necessary step if some sort of truce is to be reached between USERS and their ISPs. Right now we are really fighting over our rights on how we can use the "last mile" since it's all now been consolidated into the hands of only a few companies. We have already lost our ability to choose and market freedom.

  • by Anonymous Coward on Monday June 30, 2008 @01:30PM (#24003649)

    I know ISPs can be lousy with tech support, or terrible when it comes to hiding their connections to politicians... but can anyone really look at this and tell me what the real problem is here? In America, the best products usually replace the old and outdated... Not so with the broadband market. Why? Should we not have networks that allow our governments quick access to outside sources? Forget the Federal Government for a second and think about the local governments running off of podunk ISPs out in the boonies. Now let's say you have a county tax system that's trying to send records to a backup server at a datacenter hundreds of miles away. Without a reliable, heavy connection running encrypted packets, SSH or whatever (not an expert... just trying to keep up), it would seem that local governmental institutions would only be further pushed into unsecured networks. C'mon!? We should be screaming out to all the IT staff out there that these attempts will lead to more identity theft, more security breaches! It seems that the security of the less tech savvy has become somewhat of a joke with Microsoft security updates that crash 9/10 computers, zero day virii that will never be patched, local priv escalation that almost never gets detected in office environments... Sheesh! What next, Y2k+8+x where x is the number of years until we all are completely replaced by Russian teenagers and Chinese military agents?

    On a serious note though... Can we stop compromising service in the name of money? Our future, and our children's (probably not the children, more like our elderly) futures depend on the development of strong infrastructure. Please don't think I'm foolish in choosing the obvious side of this debate. I can see it from the other side as well. ISPs don't want to pay for what they think should come out of customers' pockets... Well that would be fine with an industry like electricity (pay for what you use), but honestly, when was the last time someone stole your financial records through your 110V? For the very providers to be hacking the customers just seems un-American, dishonest, and greedy. Are we not entitled to privacy on our own home network? Are we not protected by innocent until proven guilty? I want higher bandwidth, yes. Do I want to have my porno torrents packet sniffed because there may or may not be copyrighted ass in a scene or two? Hell no. Sorry, I said serious... The only serious thing I have is serious delirium... Reading a story like this in 2008? (Walks off mumbling, cursing under breath in a futile attempt to locate alcohol and networking cable)

  • by Koiu Lpoi ( 632570 ) <koiulpoiNO@SPAMgmail.com> on Monday June 30, 2008 @01:43PM (#24003879)
    Huh, that's funny. My understanding, from talking with many people who work for a certain (unnamed) ISP, is that the biggest problem is streaming media, not bittorrent, and as such most users would NOT find metered internet to be cheaper at all.
