https://torrentfreak.com/italy-approves-piracy-shield-vpn-dns-proposal-risk-of-prison-for-isps-intact-241001/

As title. Italy is decided to pass a law that basically creates a chinese-type firewall in the country. The question is simple: even if I’m not doing anything illegal, my VPN provider will have to know what am I doing to report it in case it’s illegal, or face jail.

So how could my traffic remain private in this scenario?

Can a VPN provider with no logs policy be held accountable of anything? Can it actually know what I’m doing?

  • fl42v@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Depends on your definition of “what”, and the server you’re talking to, and what DNS you’re using, and your VPN provider, and maybe the phase of the moon.

    So, pretty much the best-case scenario is when the site works via https, and the server supports “encrypted client hello” (ech), and your browser has ech enabled. In this case your VPN provider can see that you’ve sent something to the IP (one IP can host multiple websites with different domains).

    Https and no ech = can see IP, can see the domain.

    Http = can see everything (thankfully, quite rare now).

    Some VPN providers may as well use their own DNS, then they can see what domains you’ve talked to regardless of ech (afaik, since domain lookup should happen before client hello, since you’re basically looking up whom to “greet”)

    Some providers are Facebook with fake mustache and will shamelessly try to mitm you

  • groet@feddit.org
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    The post office knows who you are sending letters to. They have to know because they have to deliver it. They do not know the content of the letter. They also dont know if the letter will be passed along by the receiver to a different destination.

    Your ISP knows you are sending traffic to proton but not where proton is sending it to. Proton knows where you are sending traffic to but not the content of that traffic. So if you browse a website that only serves pirated content, then proton knows you are consuming pirated media but not which media.

    If the law requires proton to report any and all traffic to blacklisted sights then a “no logs policy” would breach that law.

    However to make this law work, Italy would have to ban all VPNs and http proxy services outside of Italy. Italy would have to force pretty mutch the whole world to follow this law for it to work.

    What happens if you run a tiny server on AWS in the USA to proxy your private traffic. Unless AWS USA is watching all traffic to see if it complies with Italian law there is no way to enforce it.

    • kali@fedia.io
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      To add to this, the Oracle Cloud free teir is totally capable of running a VPN- only probpem is they have credit card KYC.

  • shortwavesurfer@lemmy.zip
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    If it truly keeps no logs, then it cannot tell what you are doing. But otherwise, a VPN provider can indeed tell what you’re doing because you are only shifting the trust from your internet service provider to your VPN provider. I would highly recommend something like IVPN or Mullvad and only pay for it in Monero. That way, even if logs are kept, you are just a number account to them and they do not have a name for you.

    • HelixDab2@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      I’m curious how hard it would be for a typical user to chain VPNs together so that my traffic went sequentially through VPNs. In theory it seems like VPN #1 would know that it was connected to my home and VPN #2, so it couldn’t tell where data was originating. VPN #2 could see the site that was being accessed and VPN #1, but not me.

      I have no idea if it actually works this way in practice through.

      • shortwavesurfer@lemmy.zip
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        2 months ago

        What you are describing is the tor network.

        1. You connect to a guard node which knows who you are
        2. The Guard node connects to a middle relay node, and that middle relay only knows who the Guard is, but does not know who you are.
        3. If you are going to the standard internet, the relay node connects to an exit node, which knows who the relay operator is, but does not know who the guard node is and does not know who you are.
        4. The exit node connects to Facebook, Google, Amazon, etc. and only knows that the traffic goes back to the relay node when Amazon or whatever it responds. And then the entire thing goes in reverse back to you.

        Now, if you are going to a hidden service and not out to the standard internet, it does this process twice and so you get six hops in between yourself and the hidden service instead of the three to the standard internet.

      • shortwavesurfer@lemmy.zip
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        HTTPS doesn’t stop them from knowing what you visited. It just stops them from knowing what you did while you were there. VVPN provider can still see that you visited Google, but they cannot see what you asked for Google to do for you.

        • ShortN0te@lemmy.ml
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          Yes. Not claimed otherwise. OC claimed that they see what you are doing which is wrong.

      • delirious_owl@discuss.online
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        You can read more about this learning about X.509.

        Its the PKI thats broken, namely the root stores. Has been unreliable for many, many years. This is why packages are signed.

        • ShortN0te@lemmy.ml
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          You can read more about this learning about X.509.

          Its the PKI thats broken, namely the root stores. Has been unreliable for many, many years. This is why packages are signed.

          So you are basically saying that root CAs are unreliable or compromised?

          The great thing is, that you can decide on your own which CAs you trust. Also please proof that those are actively malicious.

          And no. That is not the reason that packages are signed, i am guessing you mean packages like on linux, packages contained in the installation repository. The reason is, that you build another chain of trust. Why would i trust a CA which issues certificates for domains with code distribution. That’s not their job.

          • mox@lemmy.sdf.org
            link
            fedilink
            arrow-up
            0
            ·
            edit-2
            2 months ago

            So you are basically saying that root CAs are unreliable or compromised?

            Not exactly. They are pointing out that HTTPS assumes all is well if it sees a certificate from any “trusted” certificate authority. Browsers typically trust dozens of CAs (nearly 80 for Firefox) from jurisdictions all over the world. Anyone with sufficient access to any of them can forge a certificate. That access might come from a hack, a rogue employee, government pressure, a bug, improperly handled backups, or various other means. It can happen, has happened, and will happen again.

            HTTPS is kind of mostly good enough for general use, since exploits are not so common as to make it useless, but if a government sees it as an obstacle, all bets are off. It is not comparable to a trustworthy VPN hosted outside of the government’s reach.

            Also, HTTPS doesn’t cover all traffic like a properly configured VPN does. Even where it is used and not compromised, it’s not difficult for a well positioned snooper (like an internet provider that has to answer to government) to follow your traffic on the net and deduce what you’re doing.

            • ShortN0te@lemmy.ml
              link
              fedilink
              arrow-up
              0
              ·
              2 months ago

              Not exactly. They are pointing out that HTTPS assumes all is well if it sees a certificate from any “trusted” certificate authority. Browsers typically trust dozens of CAs (nearly 80 for Firefox) from jurisdictions all over the world. Anyone with sufficient access to any of them can forge a certificate.

              Great thing, that you can remove them and only trust those you trust.

              Also, HTTPS doesn’t cover all traffic like a properly configured VPN does.

              Pls explain what https is not covered? The SNI on tbe first visit? A VPN just moves the “exit point” of your traffic. Now the Datacentef and VPN provider sees what you ISP saw.

              it’s not difficult for a well positioned snooper (like an internet provider that has to answer to government) to follow your traffic on the net and deduce what you’re doing.

              No. I never said otherwise. But they cannot spy on the traffic. And since the SNI is not encrypted anyway they do not even nerd to “follow the traffic”. But what sites you are visiting and what you are doing on them are 2 different things.

              • delirious_owl@discuss.online
                link
                fedilink
                arrow-up
                0
                ·
                edit-2
                2 months ago

                Lol OK. Every US company has to legally provide their private keys (or a subordinate CA) to the US government if asked, due to NSL laws. We have examples of the US doing this historically, only because some companies broke the law and spoke out publicly.

                So go ahead and remove all CAs issued from US companies. Verisign, cloudflare, akamai, Microsoft, Amazon, etc.

                Now 80% of the Internet is broke.

          • delirious_owl@discuss.online
            link
            fedilink
            arrow-up
            0
            ·
            2 months ago

            Yes, there is countless examples of root CAs containing compromised CAs. Also the private keys live on the server, hot. That’s why we sign with release keys that are not stored on the publishing infr

      • slazer2au@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        don’t have to break TLS to know what site you are accessing. The SNI of the cert does that.

        The specific url however is protected by TLS.

        • ShortN0te@lemmy.ml
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          They see what sites you are visiting yes but they do not see what you are doing on them. They do not see the content of the traffic. Huge difference.

  • ShortN0te@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    When you visit sites with https then the traffic is encrypted. They still see what sites you are visiting.

  • ExcessShiv@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    2 months ago

    Yes, any VPN provider will see what’s in your traffic, no way around that…ever…no matter who you choose

    however not all VPN providers will keep a record of your traffic, so it may only exists briefly in their servers as it passes through and then it’s gone. This is how companies like mullvad operate. Even if the cops come with a warrant, there will be no evidence because nothing is saved.

    • corroded@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      Aren’t there a few VPN providers that don’t even install writable storage in their servers? I can’t remember which, but I’m sure there’s at least one that boots their machines off of read-only media and only installation hard drives in the servers used for storing login credentials.

        • Random Dent@lemmy.ml
          link
          fedilink
          English
          arrow-up
          0
          ·
          2 months ago

          Yeah it’s been kind of legally proven that Mullvad keeps no logs too, they were raided by police last year and they came away with nothing.

          From the article:

          However, Swedish police left empty-handed. It looks like Mullvad’s own lawyers stepped in and pointed out that the company maintains a strict no-logging policy on customer data. This means the VPN service will abstain from collecting a subscriber’s IP address, web traffic, and connection timestamps, in an effort to protect user privacy. (It’s also why Mullvad VPN is among our most highly ranked VPN services.)

          “We argued they had no reason to expect to find what they were looking for and any seizures would therefore be illegal under Swedish law,” Mullvad said. “After demonstrating that this is indeed how our service works and them consulting the prosecutor they left without taking anything and without any customer information.”

    • ShortN0te@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      Yes, any VPN provider will see what’s in your traffic, no way around that…ever…no matter who you choose

      Yes, there is a way around it, just use https.

      • ExcessShiv@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        Doesn’t that just hide the specific content? They still know where the content is coming from?

        And not everything done online, especially things that can get you in trouble with authorities (like torrenting copyrighted material) can be done through https.

        • ShortN0te@lemmy.ml
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          Basically everything online can be done encrypted. bittorrent has had support for encryption for years. There are other challenges like hiding from DPI and the thing that you broadcast your torrent IP but the content can be securely emcrypted.