Compulsory Routers in your country

Heiki "Repentinus" Ojasild repentinus at fsfe.org
Thu Jan 16 15:44:44 UTC 2014


On 16/01/14 15:30, Max Mehl wrote:
> Yes, you're completely right.
> After the NSA leaks, the usage of Tor/VPN increased heavily and people started
> to secure their online privacy and security in different ways. But
> paradoxically fewer people care about their basic network security. One can
> also use plain HTTP instead of sophisticated anonymisation techniques if his
> "inner circle" is compromised.
> The leaks before the end of 2013 stated that NSA successfully redirected
> network traffic to shadow servers with cloned content if the hardware is
> backdoored/insecure. So if your router isn't secure, your traffic is neither,
> no matter which tools you use - Man-in-the-middle says hello.

With proper certificate management practices, there is zero difference
whether your router compromised by the NSA or your ISP's servers
compromised by the NSA attempt to snoop on you. The endpoints need to do
the encryption, not some intermediary device.

Of course, compromised routers have implications beyond those of
compromised ISP servers for LAN traffic, but assuming the use of strong
cryptography, those have more to do with effectively having no firewall
against certain agencies. If this concerns you and your ISP does not
permit you to use your own router, you can always do ISP router @ home →
your router and firewall @ home → LAN. However, chances are that the NSA
knows a vulnerability or two in your router, so you probably need a
better plan if you are seriously worried about this. (Of course,
breaking into non-backdoored routers on a massive scale is most likely
impossible, as some very clever people would probably spot the attacks
and patch the attack vectors.) If you simply wish to stop making it easy
for the NSA to snoop on your local traffic and your ISP is being a
douche, just put your own router after the ISP's.


-- 
Heiki "Repentinus" Ojasild
FSFE Fellowship Representative
mailto:repentinus at fsfe.org
xmpp:repentinus at jabber.fsfe.org
http://blogs.fsfe.org/repentinus/


