Encyclopedia of fire safety

Who follows me online. Is your ISP monitoring you? The freest internet in Estonia and Iceland

Today we will talk about what data the provider stores about the user, and more generally about what it can and cannot know. For example, can it see which sites you visit? And why does the provider monitor users at all?

In general, things are not so simple with providers: by law they are obliged to listen to user traffic (are users breaking the law, what are they doing there). Of course, nobody actually looks at it by hand, but the main data is recorded, and nobody checks it without a reason.

  • If the user opens a certain site, is it visible to the provider? Yes, in most cases the domain name is visible, more rarely just the IP address. The time at which you accessed the site is recorded as well. Website content is also visible (see the next item for HTTPS).
  • What if I access the site using the secure HTTPS protocol? Then the provider sees only the name of the site or its IP address and nothing more. It does not see the content, since HTTPS is a secure, encrypted connection, which is why using it is recommended.
  • How can the provider detect that I have downloaded a movie or program via torrent? The point is that the torrent client communicates with the torrent tracker over HTTP, so the provider can see everything you downloaded (simply by analyzing the page from which the .torrent file was fetched) and when (started/finished). It is also possible to connect over HTTPS, but for some reason even the largest CIS torrent tracker does not support it, and why is a mystery.
  • Does the provider save everything I download? No, that is physically impossible; no hard drives would be enough. Traffic is processed on the fly, sorted, and statistics are kept, and it is these statistics that are stored for years.
  • Can the ISP know that I have downloaded a .torrent file? Yes; that is exactly what they try to track: the interaction between the torrent client and the tracker server. They cannot analyze traffic inside the torrent network itself, because that is very, very expensive.
  • And if I use a VPN, does the provider see nothing? With a VPN the provider sees only a mess, that is, encrypted data. It will not analyze it, let alone decrypt it, because that is almost unrealistic. But it can determine from the server IP addresses that this is a VPN used specifically to encrypt traffic, which implies the user has something to hide; draw your own conclusions.
  • If I use OpenVPN, will all programs work through it, including Windows updates? In theory yes, and in general it should be so. In practice it all depends on the settings.
  • Can the ISP find out the real IP address of a certain site if I accessed it via VPN? Actually no, but there is another point. If the VPN suddenly stops working, or some error occurs, Windows will simply carry on as usual, that is, directly, without the VPN. To prevent this you need, firstly, to configure OpenVPN itself and, secondly, to use an additional firewall (I recommend Outpost Firewall) in which you can create global traffic rules.
  • So if the VPN is buggy, the provider will see which site I'm on? Unfortunately yes; everything will be recorded automatically.
  • Can Tor provide anonymity? Possibly, but it is desirable to configure it a little: use exit IP addresses anywhere except the CIS, and have the addresses change more often, for example every three minutes. For the best effect I also advise using bridge relays (bridges).
  • What does the provider see when I receive packets from constantly changing IP ranges? ISPs have a system for detecting Tor usage, but I'm not sure whether it works with bridges. The fact of using Tor is recorded as well, and it also tells the provider that this user may be hiding something.
  • Does the ISP see the website address through Tor or a VPN? No, only the VPN's IP or the Tor exit node.
  • Is the full address visible to the ISP when using HTTPS? No, only the domain is visible (that is, only site.com), plus the connection time and the volume transferred. This data is not particularly useful to the provider in terms of information. With HTTP, everything transmitted is visible: the full address and everything you wrote or sent in a mail message, for example; again, this does not apply to Gmail, where traffic is encrypted.
  • So if I use connection encryption, I may already be on the list of suspects? Not really. On the one hand yes, but on the other hand data encryption, and even encryption of an entire network, is used not only by some hackers or individual users but also by ordinary organizations concerned about secure data transfer, which is logical, especially in the banking sector.
  • Does the provider see the fact of using I2P? It does, but this type of network is so far much less known to providers than, for example, Tor, which because of its popularity attracts more and more attention from intelligence agencies. The provider sees I2P traffic as encrypted connections to many different IP addresses, which indicates that the client is working with a P2P network.
  • How do I know if I'm under SORM? The abbreviation stands for System of technical capabilities for operational-search activities. If you are connected to the Internet in the Russian Federation, you are already under supervision by default. This system is completely official and traffic must pass through it; otherwise Internet providers and telecom operators simply lose their license.
  • How can I see all the traffic on my computer the way providers see it? A traffic-sniffing utility will help with this; the best of its kind is the Wireshark analyzer.
  • Is there any way to tell that you are being followed? Today there is almost no way; occasionally, perhaps, with an active attack such as MitM (man in the middle). If surveillance is passive, detecting it is technically unrealistic.
  • What to do then; is it possible to somehow complicate surveillance? You can split your Internet connection into two parts. Use social networks, dating sites, entertainment sites and movies over a normal connection, and use an encrypted connection separately and in parallel, for example by installing a virtual machine for it. This way you get a more or less natural-looking picture, so to speak, because many sites encrypt traffic, as do Google in its services and other large companies, while almost all entertainment sites do NOT encrypt traffic. That is, it is normal for a user to have both open and encrypted traffic. It is another matter when the provider sees that a user's traffic is only encrypted; of course, questions may arise here.

Hope you found some helpful answers

In recent years, Internet control has been actively tightened in Russia: websites are blocked, people are prosecuted for posts on social networks and blogs, SORM 3 has been launched, the law on “Wi-Fi by passport” has been adopted, and the “Yarovaya Package” has come into force. All these measures are taken to improve the safety of the population.

Government officials often like to mention that there is no internet freedom anywhere. But what do they mean? Let's look at the network control statistics in the world.

1. Only 46% of all people use the Internet

If you are reading this text right now, then you are lucky. After all, there are 3.5 billion people on Earth who cannot access this site and another 3.5 billion who do not want to (we are working on this). According to We Are Social, in North America and Western Europe, the share of Internet users is 85-90%, and in Africa only 29%.

In Russia in 2016, Internet penetration was 71.3% (according to internetlivestats.com). This is even a little more than in Greece, Italy and Portugal.

2. 2/3 of the world's Internet users are under government control

Freedom House is an American non-governmental organization that researches the observance of human rights around the world. Every year it publishes reports with statistics on various areas of life, including a report on Internet freedom, the so-called FOTN (Freedom on the Net).

According to this report, in 2016, 64% of all Internet users in the world were subject to various forms of state control of their activity on the network. On the map (second picture in the gallery) you can see which countries fall into the category of “free”, which are “semi-free”, and which are “not free”.

3. The freest internet in Estonia and Iceland

The FOTN report provides data for 65 countries. For each state an Internet freedom rating in points is calculated. The lowest scores, meaning the freest Internet, are in Estonia and Iceland.

4. Most Internet control in China, Iran and Syria

And here are the TOP countries with the highest level of state Internet control. In 7 out of 10 states in the list, the population professes Islam. This fact really affects censorship. For example, in Iran, websites with information about women's rights, social networks and any hint of pornographic materials are banned.

5. There are nine parameters of the Freedom on the Internet rating

And now, let's see what the scores of the Freedom House rating are made up of. There are 9 main parameters:

  • Blocking social networks and applications for communication;
  • Blocking political and religious content;
  • Restriction and suppression of the development of the IT sector in the country;
  • Paid commentators on forums that participate in political discussions;
  • The recent emergence of new blocking laws;
  • The emergence of new measures to deanonymize Internet users;
  • The presence of bloggers or simply users who have been arrested for posting content on the Internet;
  • The presence of bloggers or simply Internet users who have been killed or abused (including in prison) for posting content on the Internet;
  • Technical attacks against critics of state power (example: a DDoS attack on an oppositionist's blog).

In the table you can see in detail in which countries there are certain phenomena.

6. Russia and Ukraine in the top countries in terms of tightening Internet censorship over 5 years

Freedom House has been making such reports for several years. There are countries in which the tightening of Internet censorship is much more intense than in others. Russia and Ukraine are among them.

In our country, there are all measures to control the Internet, except for blocking social networks and suppressing the development of the IT sector (this is how the American company Freedom House sees the situation).

Ukraine has ceased to be considered a country with free internet quite recently. There are three reasons for this: the blocking of websites with political content, the arrests of bloggers, and cyber-attacks on government critics (I emphasize once again that they were identified as a result of independent research by American human rights activists).

7. But in Belarus and Kazakhstan, Internet control is tighter

In the Freedom House rating, Belarus has three points less than our country. Firstly, there were no cases of violence against bloggers or their murder. Secondly, no new significant Internet-censorship laws were adopted there in 2016: websites have been blocked there since 2001, and the legal basis for these measures was formed long ago.

And the rules are very strict. For example, according to Decree No. 60, all allowed sites must be located on the territory of Belarus, and the rest must be blocked. But this law is observed only partially.

In 2015, Minsk went after the means of circumventing restrictions. The authorities began blocking entry nodes of the Tor network, and there are also reports of possible blocking of VPN providers.

8. North Korea is out of competition

There are two providers throughout the country that equip foreign embassies and government agencies with Internet. They are forbidden to use routers, and the list of persons who are entitled to access the network is viewed personally by the head of state.

In 2013, North Koreans accessed the Internet from only 1,500 IP addresses, although 25 million people live in the country. The rest of the Koreans use the nationwide Gwangmyeong network, but even to it only 100,000 people have permanent access. There are rumors that fake news is published there about the victories of the national team at the World Cup and about dogs being eaten in the USA.

Also, in Korea all operating systems are prohibited except its own Red Star OS. One of its versions (pictured) looks very much like macOS.

9. The main weapon of state censors is the filter bubble

Even if it is not accepted in the country to block objectionable sites, this does not mean that the population can get to them. After all, they may simply not find them.

Every year, tens of thousands of sites are removed from Google search results at the request of governments or private companies. Usually these are sites with child pornography and sites that violate copyright.

10. “Network anomalies” exist in countries with officially free Internet

OONI Explorer is a research tool created by the independent Tor Project. It can identify “network anomalies”: blocking of sites, tools for monitoring traffic, throttling, and falsification of web page content. According to OONI Explorer, such phenomena occur in 71 countries around the world.

In 12 states, tools for total control and traffic forgery were found: Blue Coat, Squid and Privoxy. Among them are Myanmar, Uganda, Iraq, the US and the UK.

As you can see, our internet censorship is "a little tighter" than the average for other countries. We still have room to "grow" to Iran and China, but a lot has already been implemented...

In 1993, the New Yorker magazine printed the famous cartoon about a dog in front of a computer. “On the Internet, nobody knows you're a dog,” the caption said. More than twenty years later, things are exactly the opposite. On today's Internet, any dog knows who you are, and sometimes even better than you do yourself.

The Internet is poorly suited to keeping secrets, and privacy is no exception. Every click made in the browser, by definition, has to be known to two parties: the client and the server. That is at best. In reality, where there are two there are three, or even, if we take the Hacker website as an example, all twenty-eight.

For example

To verify this, it is enough to enable the developer tools built into Chrome or Firefox. More than half of these requests have nothing to do with documents that are located on Hacker's servers. Instead, they lead to 27 different domains owned by several foreign companies. It is these requests that eat up 90% of the time when the site loads.

What are these domains? Ad networks, several web analytics systems, social networks, a payment service, the Amazon cloud, and a couple of marketing widgets. A similar set, often even larger, is present on any commercial site. Not only do we know about them (that goes without saying), but so do the owners of these 27 domains.

Many of them don't just know. They are watching you with the keenest interest. See the banner? It is loaded from the servers of DoubleClick, a large ad network owned by Google. If there were no banner, it would have found another way. The same data can be collected using the Google Analytics tracker or through AdSense, through fonts loaded from Google Fonts, or through jQuery served from the Google CDN. Some clue will be found on a significant proportion of the pages on the Internet.

Analyzing the history of a user's movements on the Internet helps Google determine with good accuracy their interests, gender, age, wealth, marital status, and even health status. This is necessary in order to more accurately select ads. Even a small increase in Google-wide targeting accuracy is worth billions of dollars, but other applications are possible. According to documents published by Edward Snowden, American and British intelligence agencies intercepted Google trackers to identify suspects.


You're being watched, that's a fact you have to come to terms with. Better to focus on other issues. How do they do it? Is it possible to hide from surveillance? And is it worth it?

Find and hide

In order to follow a person, you need to be able to identify them. The simplest and best-studied identification method is the cookie. The problem is that it is also the most vulnerable to attacks from privacy advocates. Users, and even politicians, know about them. In the European Union, for example, there is a law that forces websites to warn users about the dangers of cookies. It makes zero sense, but the fact itself is telling.

Another problem is that some browsers by default block cookies set by a third party, such as a web analytics service or an advertising network. This restriction can be bypassed by driving the user through a chain of redirects to a third party server and back, but this, firstly, is not very convenient, and secondly, it is unlikely to save anyone in the long run. Sooner or later, a more reliable method of identification will be required.

There are far more places in the browser where you can hide identification information than the developers planned. It just takes some ingenuity. For example, through the window.name DOM property, up to two megabytes of data can be passed to other pages, and unlike cookies, which are accessible only to scripts from the same domain, data in window.name is also available from other domains. Only the ephemeral nature of this property interferes with replacing cookies with window.name. It does not persist after the session ends.

A few years ago, it became fashionable to store identity information using the so-called Local Shared Objects (LSOs) that Flash provides. Two factors played in favor of the LSO. First, unlike cookies, the user could not delete them using the browser. Secondly, if cookies are different in each browser, then LSO, like Flash itself, is the same for all browsers on the computer. Due to this, it is possible to identify a user who alternately works in different browsers.


It is clear to everyone that your provider is aware of all your movements on the Internet; there are frequent stories of company employees monitoring customer traffic. How does this happen, and can it be avoided?

How are you being watched

Providers in the Russian Federation are required to analyze user traffic for compliance with Russian legislation. In particular, clause 1.1 of the Federal Law of July 7, 2003 N 126-FZ (as amended on December 5, 2017) “On Communications” reads:

Communication operators are obliged to provide authorized state bodies engaged in operational-search activities or ensuring the security of the Russian Federation with information about users of communication services and about the communication services provided to them, as well as other information necessary to perform the tasks assigned to these bodies, in cases established by federal laws.

The provider itself, of course, does not store traffic. However, it performs its processing and classification. The results are written to log files.

The analysis of basic information is carried out automatically. Usually, the traffic of the selected user is mirrored on SORM servers (means of operational-search measures), which are controlled by the Ministry of Internal Affairs, the FSB, etc., and the analysis is already carried out there.

An integral part of modern SORM-2 systems is a cyclic data storage buffer. It should store the traffic passing through the provider for the last 12 hours. SORM-3 has been introduced since 2014. Its main difference is an additional storage, which should contain a three-year archive of all billing and all connection logs.

How to read traffic using DPI

Example diagram from VAS Expert

DPI (Deep Packet Inspection) can be used as part of SORM or separately. These are systems (usually hardware-and-software complexes, that is, hardware with special software) that operate at all layers of the OSI network model except the first (physical, bit) layer.

In the simplest case, providers use DPI to control access to resources (in particular, to pages of sites on the Roskomnadzor “black” list under Federal Law No. 139 on amendments to the law “On the protection of children from information harmful to their health and development”, or to torrents). But, generally speaking, the solution can also be applied to reading your traffic.

Opponents of DPI claim that the right to privacy is enshrined in the constitution, and the technology violates net neutrality. But this does not prevent the use of technology in practice.

DPI easily parses content transmitted over unencrypted protocols such as HTTP and FTP.

Some systems also use heuristics: indirect signs that help identify the service. These are, for example, timing and size characteristics of the traffic, as well as specific byte sequences.

HTTPS is more difficult. However, at the TLS layer, starting from version 1.1, which is often used today for encryption in HTTPS, the domain name of the site is transmitted in clear text. So the provider can find out which domain you visited. But what you did there it will not know without the private key.

In any case, providers do not check everyone

It's too costly. But theoretically they can monitor someone's traffic on demand.

What the system (or comrade major) noted is usually examined manually. But most often the provider does not have any SORM (especially if it is a small provider). Everything is searched and located by ordinary employees in a database with logs.

How torrents are tracked

The torrent client and the tracker, as a rule, exchange data over HTTP. This is an open protocol, which means everything described above applies: viewing user traffic via a MITM attack, analysis, decoding, and blocking with DPI. The provider can learn a lot: when a download started or ended, when seeding started, and how much traffic was shared.

Seeders are harder to find. Most often in such cases, specialists themselves join the swarm as peers. Knowing the seeder's IP address, such a peer can send the provider a notification with the name of the torrent, its address, the time seeding started, the actual IP address of the seeder, and so on.

So far, it is safe in Russia - all laws limit the possibilities of the administration of trackers and other distributors of pirated content, but not ordinary users. However, in some European countries, the use of torrents is fraught with large fines. So if you're going abroad, don't get caught.

What happens when you visit the site

The provider sees the URL you opened if it parses the contents of the packets you receive. This can be done, for example, using a MITM (man-in-the-middle) attack.

From the contents of the packets one can obtain the search history, analyze the query history, and even read correspondence and logins with passwords. That is, of course, if the site uses an unencrypted HTTP connection for authorization. Fortunately, this is becoming less and less common.

If the site works with HTTPS, then the provider sees only the IP address of the server and the domain name, as well as the connection time to it and the amount of traffic. The rest of the data is encrypted and cannot be decrypted without the private key.

What about MAC address

The provider sees your MAC address in any case. More precisely, the MAC address of the device that connects to its network (and this may not be a computer, but a router, for example). The fact is that authorization for many providers is performed by login, password and MAC address.

But MAC addresses on many routers can be changed manually. Yes, and on computers, the MAC address of the network adapter is set manually. So if you do this before the first authorization (or change it later and ask to rebind the account to a new MAC address), the provider will not see the true MAC address.

What happens if you have a VPN enabled

If you use a VPN, the provider sees that encrypted traffic (with high entropy) is sent to a specific IP address. In addition, it can find out that IP addresses from that range are sold for VPN services.

Where the traffic goes after the VPN service, the provider cannot track automatically. But if the subscriber's traffic is correlated with the traffic of some server by timestamps, further tracking becomes possible. It just requires more complex and expensive technical solutions, and nobody is going to develop and deploy such a thing out of idle curiosity.

It happens that suddenly the VPN “falls off” - this can happen at any time and on any operating system. After the VPN has stopped working, the traffic automatically starts to go open, and the provider can analyze it.

It is important that even if traffic analysis shows that a great many packets are constantly going to an IP address that could belong to a VPN, you are not violating anything. Using a VPN is not forbidden in Russia; what is forbidden is providing such services to bypass sites on the Roskomnadzor “black list”.

What happens when you turn on Tor

When you connect via Tor, the ISP also sees encrypted traffic. And it will not be able to decipher what you are doing on the Internet at the moment.

Unlike a VPN, where traffic is usually directed to the same server over a long period of time, Tor changes IP addresses automatically. Accordingly, from the encrypted traffic and the frequent address changes the provider can determine that you were probably using Tor, and record this in its logs. But legally, nothing will happen to you for that either.

At the same time, someone else can use your IP address inside the Tor network only if you have configured your node as an exit node in the settings.

What about incognito mode?

This mode will not help hide your traffic from the ISP. It only hides the fact that you used the browser.

Incognito mode does not store cookies, site data, or browsing history. However, your actions are seen by the provider, the system administrator, and the websites you visit.

But there is also good news.

The provider knows a lot about you, if not everything. However, the budget of small companies does not allow buying DPI equipment, installing SORM or setting up an effective monitoring system.

If you perform legal actions on the Internet openly, and use VPN, Tor or other means of anonymity for actions that require confidentiality, the likelihood of being flagged by the provider and the special services is minimal. But only 100% legal actions give a 100% guarantee.
