First off, this is not a privacy rant; it’s about understanding how folks you might not expect could see your Internet traffic: emails, web browsing, file transfers, etc., and why encryption can help.
In the United States, when you send a letter or package through the Post Office, FedEx, UPS etc. to another address here in the United States, we all know that a number of employees get to see the tracking information for the item: who sent it and who is going to receive it. We also know that letters and packages which raise suspicion are subject to opening and inspection.
What we don’t expect is if you are sending a bottle of perfume to your Aunt Tilly in Peoria for her birthday, that someone in China, Russia or someplace else will get to open the package and sniff the perfume before sending it on to your Aunt Tilly. But on the Internet, that happens more often than you might expect. On the Internet, your “package” frequently takes a more circuitous route than you might believe — indeed, a lot of folks like it that way and nation states frequently abuse the system to get a peek at others’ Internet traffic.
Here’s How It’s Supposed To Work:
The “glue” that holds the Internet together is BGP (“Border Gateway Protocol”); BGP determines the route data packets take to get from here to there. Geeks like us often use a tool called “traceroute” to show how data packets go from one router to the next. A “trace route” looks likes a set of driving directions from Google Maps or MapQuest: a list of “turns” onto different “roads” in Internet-speak translates to the “next hop” to a different “router”.
Your Internet Service Provider makes a number of BGP “announcements” (as do Internet backbone and major data center providers) to ensure Internet traffic is routed efficiently and/or at least cost. One large data center provider we know told us they alone make hundreds of thousands of changes to BGP every day to make sure their customers’ traffic is routed without delay. Think of mashing up Waze with your car’s mapping software to proactively route you around traffic jams and you’ve got the idea.
So What’s The Problem?
Alas, the founders of our Internet were a trusting lot, and so there’s not a lot of verification of BGP change requests. That’s how companies like Dyn/Renesys make money: they plant BGP listeners in data centers across the country and analyze changes to BGP in near real-time. When they see something wonky, they notify their customers who are it seems mostly ISPs, Internet backbone providers, government agencies, and anybody else who owns a lot of IP addresses and prominent web sites and is concerned where their traffic is being routed.
Many times, the wonkiness is human error: a typo or other unintentional misconfiguration. Sometimes, the wonkiness is just wrong, as pointed out in a recent blog post where Dyn/Renesys discovered that some intra-Russia traffic was being routed to China Telecom routers in Germany. The first paragraph of the blog post is for lay and technical readers alike; thereafter the article gets pretty technical. At the end though are links to well-known thought pieces for better securing Internet routing.
What Can I Do?
If the content of your emails, web browsing, file sharing and other things you do on the Internet is not something you mind being known to someone outside of this country, you need do nothing except presume that your Stuff, like Aunt Tilly’s perfume, could be sniffed by anyone inside and outside of this country without your knowledge.
Alternatively, you can take a page from the Book of HIPAA, where healthcare regulations require patient data to be encrypted both “at rest” (i.e. on disk or tape) and “in flight” (i.e. when being rendered in over a link to a web browser), and focus on tools to at least get your data encrypted “in flight”.
With email for example, you can choose to use a service provider who can configure your email server to do only encrypted connections to other email servers, or to use an end-to-end encryption service. Just because your email’s web browser does https doesn’t mean the email is encrypted all the way to the intended recipient.
There’s a reasonableness test here: The grocery list my wife sends me to pick up on the way home I wouldn’t mind being read by anyone; indeed, if we all at more kale… (but I digress!). Nonetheless, if you are the senior marketing officer for a company in a highly competitive industry sending sensitive emails at a trade show across the hotel wireless, wouldn’t it be nice to know that your competitors at the show sniffing the wireless can’t read your emails?
If you’d like to discuss your options, please give us a call at (207) 772-5678 and ask for our Chief Security Officer, Chris Falk.
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
A Division of OTT Communications
The information provided in this blog is intended for informational and educational purposes only. The views expressed herein are those of Mr. Stone and do not necessarily reflect those of Reliable Networks, OTT Communications or Otelco Inc. The contents of this site are not intended as advice for any purpose and are subject to change without notice. We make no warranties of any kind regarding the accuracy or completeness of any information on this site, and we make no representations regarding whether such information is up-to-date or applicable to any particular situation. All copyrights are reserved by Mr. Stone. Any portion of the material on this site may be used for personal or educational purposes provided appropriate attribution is given to Mr. Stone and this blog.