-1

I found out that the landlord of my building is able to access all my internet URLs even though they are HTTPS. E.g., they are able to see this entire URL: https://www.google.com/search?q=stackoverflow including path and query params.

I verified by clicking on the lock icon of my browser that the certificate issuer is "Google Trust Services". They are able to see all URLs, not just google.

Therefore, I am not able to understand how they are able to access all my internet traffic (I am certain they are able to access it). I am not sure if they can see the request/response body & content as well. We are using AT&T internet (not sure if they have a Netgear Nighthawk router connected in the middle). I cannot access the router interface (192.168.0.1) because the attacker (the landlord) is able to see all my URLs.

Is there a way to thwart their attack by using some browser plugin or a similar solution? I found out that Chrome has the HTTPS Everywhere plugin, but that might not help because my browser is already showing that the connection is HTTPS. Ideally I would like to find a way to also detect (and prove) that they are looking at my web browsing history, e.g., I can create a website and use JavaScript to log visitor information (but it will be hard to pinpoint that they are the attacker), in case I decide to show it to our local authorities.

I use Firefox and Chrome for browsing the internet.

codebee
  • 3
    _"I found out that the landlord of my building is able to access all my internet URLs even though they are HTTPS"_ How do you know this? – multithr3at3d Aug 17 '20 at 22:41
  • Landlord showed them to another tenant in the building. So I am 100% sure. It's been happening for over 3 months. – codebee Aug 17 '20 at 22:56
  • 2
    We can't really know what the problem is without a lot more information. It's possible they have full access to your computer, or a hidden camera in your building. Either way, it sounds like you should contact someone for help. – multithr3at3d Aug 17 '20 at 23:07
  • 3
    What you describe is not possible as a simple result of them being in control of the router. They would have had to get you to install something on your computer. – Conor Mancone Aug 17 '20 at 23:40
  • I am on Ubuntu 18.04 and I am pretty sure they did not have me install anything (they have never accessed my computer). Also I am a software engineer and they are not technical. – codebee Aug 17 '20 at 23:44
  • 1
    If your landlord has admin access to your router then yes they can likely see all of the URLs you visit. However if you are using SSL/TLS (e.g., HTTPS) then it's unlikely that they can also see the payload (e.g., your HTTPS requests/responses content). If you would like to hide your URLs from your landlord, then simply just use some web proxy instead. They even have ones for SSL/TLS too! – ManRow Aug 18 '20 at 04:29
  • 1
    Forgot to mention -- don't use TLS/SSL proxies for websites where you access, provide, or manipulate sensitive information since malicious proxies can be used to carry out MITM attacks as well. But hey --- at least your landlord won't see it! ; ) – ManRow Aug 18 '20 at 04:38
  • 3
    @ManRow Every part of the URL other than the domain, port, and plausibly the protocol is part of the TLS-protected message (the "payload", as you put it). In particular, the path and query string are sent within the HTTP request (inside the TLS connection), and are not transmitted in any form in plain text. Also, while there are attacks you could launch from a compromised router, *by itself* owning the router does not give the owner ***any*** ability to read the full URLs. Just, as mentioned above, the domains and ports. Some additional info (like length) are also available but inconclusive. – CBHacking Aug 18 '20 at 05:33
  • 1
    Note that the domain name is visible in the [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication#Security_implications) part of SSL/TLS negotiation, as well as (with less specificity) via the DNS lookup the client does before connecting. That is, when you hit `https://www.google.com/search?q=stackoverflow`, the `www.google.com` part is visible as a DNS query, and then via SNI. That is, unless you use DNS over TLS or HTTPS, and encrypted SNI (both of which are getting more common). – Gordon Davisson Aug 18 '20 at 07:19
  • 1
    @CBHacking Ahh, good point -- the URL is *more than just* the domain. I guess I was referring to just the "domain" segment then (the DNS part), although Gordon-Davisson's comment suggests that even that may be hidden via "DNS over TLS/HTTPS", which major browsers seem to have already implemented long ago(!). Anyway, interestingly enough, the OP mentions that a lot of URL information (quite more than "domain-only!") is available, even over HTTPS! Sounds like there might be something more going on here... – ManRow Aug 18 '20 at 08:38
  • 1
    @codebee As a Chrome user, you may wish to review your (sorry I cannot make that a link!) to make sure you didn't accidentally install any potentially rogue, landlord-managed CA certificates into your browser's truststore. This could give them the ability to MitM you easily even over TLS/HTTPS! – ManRow Aug 18 '20 at 09:34
  • Thanks ManRow, I did not see any certs page when I tried that link. Again, Landlord is not technical to be able to fiddle with my Truststore. As far as I know, there are only two pieces to the puzzle here: 1. physical ATT router (that's out in the open and there is nothing attached to it). 2. A potential parental control (ex Nighthawk) router type of device that they connected via wifi that allows them fine grained control of what sites I can visit and emails them logs of my web history. I will use flood idea from answer by Ljm as cover fire to login to router and try looking for that device. – codebee Aug 18 '20 at 18:23

1 Answer

3

In general, it is easy to get some information about the browsing of a person. The information that is leaked is:

  • site that you are using
  • approximate length of the URL
  • approximate length of the page
  • approximate number of other resources
  • time

See "Are URLs viewed during HTTPS transactions to one or more websites from a single IP distinguishable?" for a more elaborate explanation.

In a corporate environment, there are a number of vendors that deliver TLS decryption, for example Palo Alto does this. In general this requires that the MitM-device CA has been accepted as valid on your computer. You may have done this inadvertently, though with Chrome, that is very hard. Or someone with access to your computer may have done this. If the latter: if they install certificates like that, they may have done other things as well. You may want to re-install.

Key-loggers are also an option.

It may be important to know that there is no legal way for your landlord to do this without your explicit and informed consent (at least in the EU).

The second part is how to prevent this.

Depending on your level of paranoia, there are two things you can do:

  • reinstall the systems
  • use a VPN (NordVPN, ExpressVPN, etcetera)

It is also possible to flood your landlord's logs:

```sh
# Endlessly request random 32-character .com hostnames to fill the logs with noise
while : ; do
   ranhost=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)
   wget "https://$ranhost.com"
done
```

which will make it harder for him to extract the real URLs that you use, and will also give him the signal that you know he is doing something illegal.

Ljm Dullaart
  • Thanks, I know that they are not technical to install Key Logger or fiddle with my device CA etc. I am sure there is some parental control type of device, e.g., Nighthawk, connected over wifi. I will try 'flooding' idea as cover fire to login to the router and try to find that device and update this thread if I find anything. – codebee Aug 18 '20 at 18:28