What stops an internet router from sniffing my traffic?

34

8

Packets travel through internetworks and take many routes through internet routers. On each route, routers forward traffic to one another until it reaches the ultimate destination; what stops them from viewing the packets they receive/forward?

Naughty.Coder

Posted 2013-11-26T12:43:43.107

Reputation: 495

26

did you know that if you capture all the packets in an SMTP transmission, dump their data and convert it back to text (unicode nowadays, used to be ascii), you can read the email with little or no modification? people refer to email as a postcard, because there is no envelope to hide it from view as it passes between your host and the server. – Frank Thomas – 2013-11-26T12:58:09.713

@FrankThomas interesting! – Naughty.Coder – 2013-11-26T13:09:50.493

As you can tell from the answers, routers can easily sniff IP traffic. In particular, wireless access points are also routers (or bridges), and they are particularly easy to set up and entice people to use. – 200_success – 2013-11-26T17:17:30.617

Routers have to "view" your packet in order to verify checksums, to pull out the headers to make routing decisions, to rewrite addresses (NAT) and to modify the TTL fields. – Kaz – 2013-11-26T18:16:03.953

2

@FrankThomas - this is true only if SMTP does not use TLS (by STARTTLS etc.). I thought most servers do not accept unencrypted SMTP from clients (however, it would not be my first disappointment in people's approach to security). – Maciej Piechotka – 2013-11-26T19:51:36.097

2

@MaciejPiechotka, TLS only encrypts point to point. (Not end to end) Each server can read the message in its entirety and there is no guarantee that the server will use TLS anyway, even if you do. – user606723 – 2013-11-27T20:32:34.867

@FrankThomas, last time I checked, and that was now, Hotmail/Outlook/Yahoo don't use TLS when sending a mail to an external server. They don't even check if the receiving SMTP server can upgrade to TLS. At least Gmail does use TLS. – Daniel F – 2013-11-29T06:40:48.967

@Et Al, I would be surprised to find unencrypted email services these days (Daniel, your findings are terrifying) and you are quite correct, encryption is the answer. The SMTP example has always been textbook, because it's easy to walk students through in the lab, and really underscores the importance of encrypting data crossing unknown or unfriendly networks. – Frank Thomas – 2013-11-29T21:34:29.897

Answers

52

Short answer: you can't prevent them from sniffing your traffic, but you can make it meaningless for them by using encryption.

Either use encrypted protocols (HTTPS, SSH, SMTP/TLS, POP/TLS, etc.) or use encrypted tunnels to encapsulate your unencrypted protocols.

For example, if you use HTTPS instead of HTTP, the content of the webpages you fetch will not be readable from those routers.

But remember that they can still save the encrypted packets and try to decrypt them. Decryption is never about "can or can't", it's about "How much time does it take". So use ciphers and key lengths suitable for the degree of privacy you need, and the "expiration time" of the data you want to "hide". (meaning if you don't care if someone gets it a week after the transmission, use a strong protocol. If it's an hour, you can lower the key length)

mveroone

Posted 2013-11-26T12:43:43.107

Reputation: 1 752

oh this is terrifying. a complex solution for naives – Naughty.Coder – 2013-11-26T12:56:33.003

5

Actually, encryption schemes exist that can never be defeated. 'With enough time, any encryption can be broken' is not necessarily true. – Marcks Thomas – 2013-11-26T12:58:20.083

5

@MarcksThomas - please provide at least a link to those unbeatable encryption schemes to show what you mean. – SPRBRN – 2013-11-26T13:20:02.987

2

OTP is an impossible algorithm. the key length must be the same as the message length, so if you have a secure channel to transmit the key (which is essential, because if you ever use a key for more than one message, the OTP can be attacked through lexicographical analysis), you might as well use that same secure channel to pass the message in the first place. – Frank Thomas – 2013-11-26T13:31:56.157

7

@FrankThomas The Wikipedia article mentions some situations in which OTPs can actually be useful. The most obvious is where you have a secure channel now but need to be able to communicate with provable security later. For normal communications, however, they are indeed impractical (though hardly "impossible"; ever tried doing AES-256 with paper and pencil?). – a CVn – 2013-11-26T13:37:16.673

@Naughty.Coder I still think that I have answered the question fully. He wants to protect himself, there is only one solution, and I'm telling him which. Now if he wants deeper advice, we need more data on what he wants to do. – mveroone – 2013-11-26T14:30:40.070

The next question, is how feasible is it for those routers to man-in-the-middle you? Should that be a different question? – Cruncher – 2013-11-26T14:43:45.967

Most branded high-grade core routers have (documented or undocumented) backdoors, theoretically reserved for legal purposes, but which could somehow be used by someone else. Better assume it's possible and protect yourself than bet on luck ;) – mveroone – 2013-11-26T15:00:27.033

@FrankThomas: The US government uses one-time pads for its most secure transmissions. They transfer truck-loads of tapes with large random keys on them by armed-guard, or so the story goes. – BlueRaja - Danny Pflughoeft – 2013-11-26T17:15:16.123

@Cruncher, Not easy at all because of certificates. When one connects to an https URL you check that the host you're contacting matches the private key it's supposed to have (via a crypto challenge, I think) – Guido – 2013-11-26T18:47:39.053

2

@FrankThomas: It is possible to generate a secure key over distance, or abort communication if someone is eavesdropping: https://en.wikipedia.org/wiki/Quantum_key_distribution

– Andrey Vihrov – 2013-11-27T00:20:36.920

ok man, now you're reaching. quantum computing is not a practical reality, and even if it were it would only be able to use Heisenberg to its advantage if the entire network between the two nodes was optical and using a quantum configuration. – Frank Thomas – 2013-11-27T03:14:50.397

2

We might be a bit out of context now. From simple eavesdropping awareness/protection, we reach quantum computing. We should invent the "Heisenberg point" where any computing discussion reaches quantums instead of Nazis. – mveroone – 2013-11-27T09:23:43.247

1

@FrankThomas: Just scroll down to the "Implementations" section… – Andrey Vihrov – 2013-11-27T10:37:21.583
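Kaz's comment on the question and the accepted answer together describe the situation: every hop must read and rewrite the IP header (checksum, TTL, addresses) to do its job, but the payload is only readable if it was sent in the clear. The following is an added, self-contained illustration, not code from the original thread: a constructed IPv4 packet carrying an SMTP line is passed through a simulated router hop once as plaintext and once with the payload encrypted. The cipher is HMAC-SHA256 in counter mode, a standard-library stand-in for the AES-GCM or ChaCha20 record encryption TLS would actually use; all addresses, keys and the SMTP line are constructed sample values.

```python
import hashlib, hmac, socket, struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over a 20-byte header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 packet (no options, protocol 6 = TCP) carrying payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 6,
                                0, socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload

def router_forward(packet: bytes) -> tuple:
    """What every hop does: verify the header checksum, read addresses, decrement TTL, recompute."""
    hdr, payload = bytearray(packet[:20]), packet[20:]
    stored, hdr[10:12] = hdr[10:12], b"\x00\x00"
    if ipv4_checksum(bytes(hdr)) != struct.unpack("!H", stored)[0]:
        raise ValueError("bad header checksum")
    if hdr[8] <= 1:
        raise ValueError("TTL expired, packet dropped")
    hdr[8] -= 1
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    seen = {"src": socket.inet_ntoa(bytes(hdr[12:16])), "dst": socket.inet_ntoa(bytes(hdr[16:20])),
            "ttl": hdr[8], "payload": payload}   # the payload is whatever was put on the wire
    return seen, bytes(hdr) + payload            # (what the hop saw, the packet it forwards)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher: HMAC-SHA256 in counter mode (stand-in for TLS record encryption).
    The same call decrypts; never reuse a nonce under one key; no integrity tag is added here."""
    out = bytearray()
    for counter, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def hop_view(payload: bytes) -> dict:
    seen, _ = router_forward(build_packet("10.0.0.2", "192.0.2.25", 64, payload))
    return seen

# Constructed sample: one SMTP envelope, and a key/nonce known only to the two endpoints.
SMTP = b"MAIL FROM:<alice@example.com>\r\nRCPT TO:<bob@example.net>\r\n"
KEY, NONCE = b"\x11" * 32, b"\x22" * 12

if __name__ == "__main__":
    print(hop_view(SMTP))                              # headers plus the SMTP text, readable
    print(hop_view(keystream_xor(KEY, NONCE, SMTP)))   # headers still visible, payload is noise
```

Note that the encrypted run still exposes source, destination and size to the hop: encryption hides content, not the metadata a router needs to forward the packet.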

19

Nothing.

Every hop between your computer and the server you are accessing can read the packets you are transmitting and receiving.
You can however encrypt them, so they will be meaningless to any eavesdroppers.

n.st

Posted 2013-11-26T12:43:43.107

Reputation: 1 538

4

Not "unless", because you can even sniff encrypted traffic. It will be meaningless, unless (!) you use weak encryption. – SPRBRN – 2013-11-26T13:20:22.147

7

In principle, "packet sniffing" is not a job of routers. Routers don't inspect the content of a packet, they just pick the header of the packet and find a suitable exit interface so that it will reach the destination stated in the packet's header.

However, your packets could be sniffed by anyone interested while the packets are moving. Interested bodies (often called attackers) can stop your packet and sniff it before it reaches the destination. This is called active sniffing, and is performed by firewalls. Another way of sniffing is passive sniffing. This method involves collecting copies of your packets passively. Wireless sniffing is a popular attack method in this category.

You can reduce such risks by using encryption techniques discussed above.

user14372

Posted 2013-11-26T12:43:43.107

Reputation: 171

4

The real answer: there is nothing you can do to prevent a router from sniffing all of the traffic that flows through it. But that should not be the question - this should be: "What could I do to prevent anybody from reading my traffic?" - The answer: "Use only encrypted communication/protocols!". The best thing: Use a VPN between you and your communication partner. For all others: HTTPS instead of HTTP, IMAPS instead of IMAP and so on.

UsersUser

Posted 2013-11-26T12:43:43.107

Reputation: 413

3

As it was previously mentioned, it is not possible to stop a router from sniffing your data.

There is a simple way to make the listener's life harder by using the Tor bundle.

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet.

It cannot guarantee that your information will be 100% secure but if you use it properly (e.g. don't enable or install browser plugins), your data should be a bit safer.

George Michael

Posted 2013-11-26T12:43:43.107

Reputation: 31