How safe is Usenet without SSL?

[rocky12]

Would a free VPN do the job? Or does the VPN have to be paid? I read it's July 12th. I am located in the USA. Which VPN would be best, so nothing would happen?

[cola]

This. I don't use SSL either.

Say that coming July. Every ISP in the USA just about will start monitoring what you download. Think Usenet is free from that type of attention? You are sadly mistaken. Better to use SSL than not and it it has no impact on your connection.

Ugh, not this again. Theres no new monitoring program. There is just a unified way of dealing with DMCA complaints across major ISPs. Most ISPs had 3 strikes rule on DMCAs. Now they're moving to 6 DMCAs. Nothing is really changing.

[zot]

My biggest complaint is that, as before, there are absolutely no standards that copyright holders need to follow to ensure that these accusations are accurate. They can't file provably fraudulent claims, but that's it. They are allowed to harvest data of any kind, any way they want, and send DMCA requests, even completely automated ones with no human oversight, based on any criteria they dream up.

Fortunately for us, Google publishes most of the takedowns it gets, and within those often-humongous lists have been many innocent sites, as noted by TorrentFreak and Techdirt, upon discovering their own news articles were taken down.

[Quartr]

Its about your privacy really, the chance of catching some sort of "heat" over grabbing usenet "articles" without SSL is extremely slim to none...however with SSL enabled only you and your provider know what you've been up to, anyone in the middle can only see that you are transferring data between yourself and your provider. Not what the data is. For all they know you were just downloading an entire collecting of open source linux releases!

[cola]

Not that hard to do a man-in-the-middle attack on SSL. I can't think of any client that asks users to check the ssl cert anyways.

http://www.securityfocus.com/brief/910

[heiska]

Not that hard to do a man-in-the-middle attack on SSL. I can't think of any client that asks users to check the ssl cert anyways.

http://www.securityfocus.com/brief/910

It would illegal in the western world and a very bad business decision on the ISP's part to do MITM attacks on their customers. MITM attacking cybercriminals won't be interested in what you download.

Your ISP could try to brute force the shared SSL key, but it's completely impractical with the strong encryption methods these days.

In countries like Saudi Arabia, Iran, Pakistan and China they can snoop SSL traffic because their country-level root CAs are in every computer (Windows folks can run certmgr.msc to check their CAs). Since the root level CA is universally trusted, it can issue bogus bogus intermediate certificates, forging the legitimate certs to one's browser/client. I do believe we might see something like this in western countries too if the US's fight against privacy and basic human rights terrorism continues, but that's just me speculating.

[zot]

Not that hard to do a man-in-the-middle attack on SSL. I can't think of any client that asks users to check the ssl cert anyways.

http://www.securityfocus.com/brief/910

This kind of attack is one reason why people would be wise to disable their web browser's re-direct setting. (of course that also means that all the links on Filesharingtalk's forum will be disabled also -- FST renames all posted URLs with [hidden] redirect links, which will then dead-end-- but sadly that's the cost of safety

In case anyone here has ever wondered, that is one reason why I always try to remember to use the "code /code " function whenever posting URL addresses here ... for the benefit of security geeks reading this site.

Your ISP could try to brute force the shared SSL key, but it's completely impractical with the strong encryption methods these days.

In countries like Saudi Arabia, Iran, Pakistan and China they can snoop SSL traffic because their country-level root CAs are in every computer (Windows folks can run certmgr.msc to check their CAs). Since the root level CA is universally trusted, it can issue bogus bogus intermediate certificates, forging the legitimate certs to one's browser/client. I do believe we might see something like this in western countries too if the US's fight against privacy and basic human rights terrorism continues, but that's just me speculating.

Considering that the issuers of SSL certificates are mainly US companies like Verisign, what's to prevent the US government from simply seizing the SSL keys the same way they seized all those dozens of .com .org and .net web domains -- no questions asked-- practically just by snapping their fingers? (and unlike domain seizures, SSL seizures could be implemented without anyone ever noticing, allowing the ISP to easily sniff even the "most secure" encrypted traffic and see everything a person does online.)

To me, it's not a question of IF it will happen, but WHEN.

[heiska]

Or the government could just blackmail USPs with case Megaupload or with some bs cp accusations to log and share everything their customers download. Those just downloading are still relatively safe as mpaa/riaa can't claim 100 billion dollars in damages because there is no evidence of distributing (uploading) copyrighted material.

[zot]

Or the government could just blackmail USPs with case Megaupload or with some bs cp accusations to log and share everything their customers download. Those just downloading are still relatively safe as mpaa/riaa can't claim 100 billion dollars in damages because there is no evidence of distributing (uploading) copyrighted material.

But for how long are usenet downloaders still relatively safe?

Japan passed a new law in 2010 making the downloading of copyrighted material a crime. (And uploading/sharing copyrighted material has for years been a serious criminal offense in Japan -- as well as writing P2P software that encourages such behavior, as the Winny developer learned from his jail cell) If a similar law were to pass in the USA and Netherlands, it would not be surprising to see all the major usenet servers in the world being monitored, their download traffic logged by the police.

We've not seen anything like this happen so far in the western world, and the idea of police intercepting and logging usenet traffic is still a long way off, but let's not forget that in Japan, the police have gone to great lengths to crack open all the supposedly "anonymous" (encrypted + proxied) P2P networks such as Winny, Share, and Perfect Dark -- reportedly setting up large blankets of police-run nodes across those networks from which to launch MIM attacks and unmask users.

It seems like just about every year or two since the internet has been around, a new law gets passed that further restricts the rights of downloaders, and further penalizes everyone that Hollywood doesn't like. The only reason why SOPA failed was because it was a simple case of "too much too fast." The "boiling frog" method has proven to be much more effective at taking away people's rights without causing a riot. For this reason I don't have much hope for the future: every new internet/copyright law that the **AAs bribe through Congress pushes us in the same direction ... if ever so slightly ... toward North Korea.

[Hole69]

Piracy will never die out just as prostitution and drugs won't. As Usenet is a part of the Internet I doubt that anything will happen to it. Taking out Usenet is like taking down Google. Just look at the Pirate Bay, it still survives and thrives, just like Usenet will. If it does, the world will be a vastly different place to the one we live in now and I suspect it will end up looking like Children of Men.