On 16/01/14 15:30, Max Mehl wrote:
> Yes, you're completely right.
> After the NSA leaks, the usage of Tor/VPN increased heavily and people started
> to secure their online privacy and security in different ways. But
> paradoxically fewer people care about their basic network security. One can
> also use plain HTTP instead of sophisticated anonymisation techniques if his
> "inner circle" is compromised.
> The leaks before the end of 2013 stated that the NSA successfully redirected
> network traffic to shadow servers with cloned content if the hardware is
> backdoored/insecure. So if your router isn't secure, your traffic is neither,
> no matter which tools you use - Man-in-the-middle says hello.

With proper certificate management practices, there is zero difference whether your router compromised by the NSA or your ISP's servers compromised by the NSA attempt to snoop on you. The endpoints need to do the encryption, not some intermediary device.

Of course, compromised routers have implications beyond those of compromised ISP servers for LAN traffic, but assuming the use of strong cryptography, those have more to do with effectively having no firewall against certain agencies.

If this concerns you and your ISP does not permit you to use your own router, you can always do ISP router @ home → your router and firewall @ home → LAN. However, chances are that the NSA knows a vulnerability or two in your router, so you probably need a better plan if you are seriously worried about this. (Of course, breaking into non-backdoored routers on a massive scale is most likely impossible, as some very clever people would probably spot the attacks and patch the attack vectors.)

If you simply wish to stop making it easy for the NSA to snoop on your local traffic and your ISP is being a douche, just put your own router after the ISP's.

-- 
Heiki "Repentinus" Ojasild
FSFE Fellowship Representative
mailto:[email protected]
xmpp:[email protected]
http://blogs.fsfe.org/repentinus/
