List: stunnel-users
Subject: [stunnel-users] Re: How do I hide my browsing?
From: Thomas Ward via stunnel-users <stunnel-users () stunnel ! org>
Date: 2023-10-21 19:20:21
Message-ID: 763e7e78-1404-4258-89d6-0c823e27feba () thomas-ward ! net
This will be my final post on this, any other discussions on this topic
need to be taken elsewhere. Because of the breadth of this discussion,
I'm pulling examples into place.

In the United States, which is my jurisdiction, there is *legal
precedent* in the courts that states that, in summary, "There is zero
expectation of privacy for any activities on any network you do not
control." This comes up regularly in the courts where people are fired
or punished under their workplace policies for sending an email from
work email or using work resources (network, etc.) for personal uses and
it in turn results in some kind of punishments - either at the workplace
or legal repercussions or otherwise. In every such case, *the law and
legal precedent* states that you have zero expectation of privacy on any
network you connect to.

Case in point. I have a network at my home that is enterprise-grade
with how I've set it up. Controls on content, access to the Internet
and resources, etc. I have a section of my network for guests to
connect to that is isolated from my core network, and allows access to
(limited) bandwidth for Internet access. However, because *I* run the
network, the expectation is that if you or someone else is connected to
my network that the users of my network understand - whether explicitly
told or otherwise - that "Thomas controls this network, my use of this
network is at his leisure, and he has a right to monitor the activity
going on in the network in order to prevent behaviors or activity that
they do not permit." Therefore, I have a right to monitor my network
for activity, connection of devices, etc. and prohibit activities on my
network. Additionally, since my home network is provided by Comcast and
Verizon (I have dual ISP links for failover, etc.), both Comcast and
Verizon have the right to monitor the activity traversing their
corresponding network links (Verizon can't monitor Comcast's traffic and
vice versa, but I can monitor the activity on the network links on my
network for both).

Another case. I won't name specifics, but at my employer's network, I
am the IT Security guy. The network is locked down to prohibit
connection to certain types of content by filtration, and we prohibit
certain activities on our network. We additionally monitor all attempts
to access things that are *NOT* permitted for various network segments,
and in turn audit that data to determine if there are breaches,
employees trying to do corporate espionage, etc. Additionally, we use
an IDS/IPS solution that checks traffic as well to identify whether it
falls into certain categories of threats and in turn blocks those
threats from being used on the network. This includes VPN providers
outside our network, because we do not permit people inside our network
to use external VPN services. *Because users of our network are bound by
contract to the terms of use and by using our network implicitly agree
to all terms of network use, they implicitly accept that their activity
may be monitored.* We detected a user on our network doing personal
research on corporate resources in a way that violated the network use
policies that all employees and guests abide by in our environment.
That user was denied access to the network, and later was fired because
they were an employee abusing resources.

Let's look at a Cloud Service provider. I had a VPS at a VPS provider.
It was discovered by them that there was malicious activity going on due
to a breached site that was on one of those VPSes. They locked down the
VPS after receiving abuse reports and correlated the reported abuse with
network activity logs on their end, and because they run the network
even though the VPS was mine, their terms of contract and service
indicate they have the right to monitor activity for abuse of service.

Your ISP is the same way, like I briefly mentioned above. When you sign
up for Internet service from an ISP (home, business, mobile, etc.), the
provider must disclose acceptable use policies. ISPs have rules against
running malware, phishing sites, etc. in a lot of cases and some
proactively scan and monitor the network activity for clear signs of
abuse. *The ISP reserves the right as your provider of network services
to monitor your activity in accordance with their published terms of
service and use.* All of those Terms of Service indicate they may
monitor your activity. Because your home network is actually provided
by the ISP, the ISP has the right to monitor your traffic for TOS
violations.

*Even VPN providers, etc. are not exempt from this.* VPN providers have
terms of use as well, and while VPN providers typically aren't
monitoring your traffic on the provider, they reserve the right to if
they truly believe you're causing trouble on the network. ANY provider
of network services is entitled to monitor traffic on their respective
links.

As such, there is no expectation of privacy on any given network you
connect to.

Thomas

On 10/21/23 01:22, Jason Long wrote:
> Hello,
> Thanks again.
> You said "Unless you yourself manage/control the network you're connected to, there
> is ZERO expectation of privacy on the connection you're using. Even if you use
> your home network, there's no expectation that the ISP *won't* observe your
> traffic.", Can you tell me more?
>
> On Saturday, October 21, 2023 at 08:43:11 AM GMT+3:30, Thomas Ward <teward@thomas-ward.net> wrote:
>
> I reiterate my original statements:
>
> > Stunnel is not a VPN, so no it can't "hide your browsing". Hiding your browsing
> > needs more than just stunnel because of how DNS and other components for browsing
> > work.
> So no, STunnel will not help you.
>
> Tor is not a guarantee of a solution. Nor is a VPN.
>
> UNFORTUNATELY, though "how to hide browsing" is beyond the scope of this list.
>
> And I'm sorry to say, but as an IT Security professional myself, I must disclose to
> you this little nugget of knowledge: There is no such thing as "illegally looking
> at users' traffic" when using someone else's network. Whether they're harvesting
> credentials or not, it is NOT illegal for the network management people to look at
> the traffic of those who use their network - it's an implicit "You're at the
> provider's whims and choices".
> Even in a corporate environment, there is no implication of security and privacy.
> Case in point: I am the primary sysadmin of my employer's network and security
> operations. Our firewall and other content filtration components decode traffic at
> the border BEFORE sending out to the Internet for requests. Theoretically, between
> the point of decryption and reencryption to go out the door, I could have nastiness
> in the firewall or other systems to harvest passwords, sniff activity, etc. The
> workplace has policies such as "Acceptable Use" and also the "You are consenting to
> activity on the work network being monitored." because, well, corporate security is
> a thing.
> Unless you yourself manage/control the network you're connected to, there is ZERO
> expectation of privacy on the connection you're using. Even if you use your home
> network, there's no expectation that the ISP *won't* observe your traffic.
>
> Thomas
>
> On 10/21/23 01:07, Jason Long wrote:
>
> > Hello,
> > Thank you so much for replies.
> > First of all, I don't want to do anything illegal. I feel that the person who is
> > in charge of managing the Fortinet and FortiGate devices is illegally looking at
> > the users' traffic, and because I don't have access to the device, I can't prove
> > it. If I use a VPN or Tor, can he\she still look at my traffic? Can Stunnel help
> > me?
> >
> > On Friday, October 20, 2023 at 10:52:22 PM GMT+3:30, Eberhard <flash@vicsmba.com> wrote:
> >
> > Exactly! If people could get around the Forti products that easily they would
> > not have the reputation they have! Eric
> >
> >
> > VICS, LLC
> > Eric S Eberhard
> > 2933 W Middle Verde Rd
> > Camp Verde, AZ 86322
> >
> > 928-567-3727 (land line)
> > 928-301-7537 (cell phone)
> >
> > http://www.vicsmba.com
> > https://www.facebook.com/groups/286143052248115
> >
> >
> > From: Thomas Ward via stunnel-users<stunnel-users@stunnel.org>
> > Sent: Friday, October 20, 2023 6:11 AM
> > To: Jason Long <hack3rcon@yahoo.com>; Stewart Anderson via Stunnel-users <stunnel-users@stunnel.org>
> > Subject: [stunnel-users] Re: How do I hide my browsing?
> >
> > Stunnel is not a VPN, so no it can't "hide your browsing". Hiding your browsing
> > needs more than just stunnel because of how DNS and other components for browsing
> > work.
> > Question 2 is beyond the scope of stunnel's list to answer.
> >
> > This said: If you have to ask how to hide your browsing that means you're
> > violating your network's use policies, and with Fortinet and Fortigate in line it
> > sounds like you're on a workplace network. Just don't use your workplace network
> > for whatever shady stuff you're concerned about them finding you doing.
> >
> >
> > Sent from my Galaxy
> >
> >
> >
> > -------- Original message --------
> > From: Jason Long via stunnel-users<stunnel-users@stunnel.org>
> > Date: 10/20/23 09:05 (GMT-05:00)
> > To: Stewart Anderson via Stunnel-users<stunnel-users@stunnel.org>
> > Subject: [stunnel-users] How do I hide my browsing?
> >
> > Hello,
> > In an internal network, they monitor web browsing through firewalls (Fortinet and
> > FortiGate). I have two questions:
> > 1- Can I use Stunnel to hide my browsing?
> >
> > 2- Can they capture usernames and passwords for email and other websites?
> >
> > Thank you.
> >
> >