ISP Modem/Routers and privacy

Discussion in 'privacy general' started by Reality, Jun 13, 2017.

  1. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    My (3rdParty) modem/router looks to be on the way out, with increasingly frequent connection drops. I don't want to buy another 3rd party device quite yet because of various changes and upgrades going on with my ISP.

    Meanwhile I have 2 ISP modems/routers - I reluctantly tried the more recent model today to see if there's any connection drops and so far that part is good. The concern is that I've seen some strong recommendations not to use ISP M/Rs because of possible ISP spying, changing settings, placing backdoors and other scary things :cautious:. Is it possible to test if an ISP is doing this? So far I've changed the default PW and disabled Wifi. What other settings would I need to pay attention to?
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I just add a decent router/firewall after the ISP modem/router.
     
  3. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,879
    Can your ISP see pages you're visiting? Sure.

    If you want privacy, never get online. So-called "porn mode" in browsers only offers the illusion of privacy.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    There are many ways to lose privacy without going online.

    But you can have as much privacy online as you're willing to create. Even more than in meatspace. Unless you're very wealthy, anyway.
     
  5. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thanks guys.
    Just as an exercise I might try my 3rd party on-the-way-out one as I've never done this before. What settings should I be looking to change? In this scenario would "after" mean Computer>ISP modem/router> 3rdParty router part of modem/router?
    Yes I know ISPs see that but that's not what I asked. What would be helpful is to either have an explanation to see how ISPs are doing this and what I should look for, or if you know of any good resources.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    When I say router/firewall, I don't mean the sort of modem/router that the ISP provides. I mean a standalone router. It might just work. But if, for example, both your ISP modem/router and the router/firewall use 192.168.1.0/24 for LAN, the router/firewall won't work. So you'll need to use 192.168.2.0/24 or whatever.
    ISPs can see everything because they're carrying it all. It's only when there's end-to-end encryption, such as HTTPS, that they can't see stuff.
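The subnet clash described above, worked as an added example (not code from the thread): the standalone router's WAN side sits on the ISP modem/router's LAN, so the router's own LAN must not overlap it. The candidate list is constructed for illustration; only 192.168.1.0/24 and 192.168.2.0/24 come from the post.

```python
import ipaddress

# Constructed list of LAN ranges a standalone router could use; the first two
# are the ones mentioned in the post, the third is an extra fallback.
LAN_CANDIDATES = ["192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/24"]


def lan_conflicts(upstream_lan: str, router_lan: str) -> bool:
    """True when the ISP modem/router's LAN (the standalone router's WAN side)
    overlaps the standalone router's own LAN, which breaks routing between them."""
    upstream = ipaddress.ip_network(upstream_lan, strict=False)
    router = ipaddress.ip_network(router_lan, strict=False)
    return upstream.overlaps(router)


def pick_router_lan(upstream_lan: str, candidates=LAN_CANDIDATES):
    """Return the first candidate LAN that does not overlap the upstream LAN,
    or None when every candidate clashes."""
    for cand in candidates:
        if not lan_conflicts(upstream_lan, cand):
            return cand
    return None
```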
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Just get a good VPN write a firewall (they may provide a solid client that does it for you) to isolate the computer from the router pings, and you are "gone" as far as your ISP can see. They will only see the vpn1 connection but not one single page you visit using the VPN server. Just configure and operate on the assumption your ISP devices are NOT friendly. It's pretty easy to run based on that paradigm.

    HTTPS is OK but I don't even want my ISP to see me logging into my bank or email servers. I have changed and now the only place my ISP ever sees is that I connect to vpn1 and NOTHING else is ever handed over to them. That is for real name. For here and similar it's many servers and providers, beyond reason for most in all estimation. LOL!
     
  8. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Be sure of one thing. If you use privacy services like VPNs, TOR or even search for ways to gain online privacy you just became a target for close surveillance so if it's porn you're into make sure you find some good ones for the guys at NSA headquarters. I heard they like the ones with hairy women ;)
     
  9. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Sorry I've taken a bit of time getting back to this. I wanted to do some looking around online about bridge mode, DMZ etc.

    @mirimir thanks.
    With https I believe they can see the site you go to but not where you go on the site, right?

    @Palancar, if I could pull the needed resources together, assuredly I'd adopt your method faster than you could blink. I'm pretty keen to include a VPN in my setup but I'm not there yet (I'll blame mirimir ;)). For the present, things like TBB and 'tales' are great. There's a lot I'd like to achieve like installing a guest linux into VB but this modem/router thing is jumping the queue. The question I'm asking is what good is anything if your modem and router are "open".

    A few questions:

    What do you guys think about the TR-069 or CWMP (customer-premises equipment wide area network management protocol) utilized by ISPs and ACS (Auto Configuration servers)?

    Is there a way to find out if my ISP uses the above? I'm not keen on asking them point blank as I'd like something a bit more believable than ringing their helpdesk outsourced to some far away country.

    A computer based software FW wouldn't help blocking any port a modem/router is using for said purposes, right?
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    If you browse https://www.wilderssecurity.com/ and then navigate from the root, yes, for sure.

    But if you go to (for example) https://www.wilderssecurity.com/threads/isp-modem-routers-and-privacy.394704/ I'm not sure.

    It might be that the browser gets the IP address for https://www.wilderssecurity.com/ and then connects via HTTPS. And after that loads the requested page. But I'd need to check with Wireshark. Anyone know for sure?
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    AFAIK they only know IP and domain (even if you use their DNS). More here: https://stackoverflow.com/questions...uest-headers-protected-as-the-request-body-is
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  13. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    You may have missed some of my points. I understand wanting an ISP provided modem or a retail router to be secure, but there is NO way to be certain of that regardless of the user skillset. I study firmware and hardware as a hobby. So yes I try and deploy ddwrt and use the "known" counter measures against attacks I can see coming down the pipe. The truth however is that it doesn't matter if my router is wide open and my modem is compromised as long as I possess the skills and software to isolate my device from the network. Now what does that mean? I assume and admit that my router can see ALL traffic coming out of and into my laptop (example). However, that traffic is 100% highly encrypted so the payload being transmitted can be had by the whole world for all I care. The payload cannot be interpreted or decrypted, meaning it's useless to all holders of the data EXCEPT the entity holding the decryption key. For incoming payloads it's possible (easy in fact) to define via firewalls that only a specific tunnel entrance is allowed to be admitted. All other attempted pings or penetrations are summarily ignored by the device in question. Such a configuration, while easy to deploy, also means not even other devices on LAN have any access to the protected device. Now LAN smart TVs, other computers, etc..... cannot present a risk to the protected device. And even more obvious is that any internet outside of LAN doesn't have a prayer. Super easy, it lets me do my due diligence on retail routers, but without consequence at all if something gets through a backdoor because "they" designed it that way.
     
  14. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    That's a good point. Thanks for mentioning it.
    Thanks for that link.
    The last part is absolutely a total no brainer. Configuration and isolation is what I'm interested in. Modem and router configs are probably the things I know least about.
    Yes probably so thanks for the clarification!
    Mmmm, even a retail? Interesting to know. I was hoping it wasn't going to be pointless asking you guys which is the best router? So ..... everyone who values their privacy is basically dependent on ALL net activity being highly encrypted and that would mean at least using a (reputable) VPN right? Or are you ALSO talking about additional encryption such as locally encrypted files sent/received?

    VPNs are on my to do list and all this makes that decision more pressing now. My setup is VERY basic and my needs are simple. No smart devices (phones TVs IoTs smartmeters etc). No interest in joining FB and the like. Just one computer accessing the internet. I also work on the principle if it's not there to start with it can't be pwnd. Having no desire or need to share certain details makes that decision easy. None of this means my views on privacy are less. If I don't like physical onlookers over the shoulder I sure don't like obscured ones online no matter what I do.
     
  15. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    If you have a browser extension from your vpn and it connects to the vpn ssl, what can an isp see traffic-wise?
     
  16. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    It is only a matter of time before there is no true end to end encryption. The British Government is already making noises about legislating ISPs but no one seems to have figured out what they mean by that. I think I have though.
    You make an HTTPS request to site.com.
    ISP receives your request.
    ISP sends its own HTTPS request to site.com.
    etc.... we all know how MITM works.
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    That would only work if your system or application trusts the certificate which the ISP uses to reencrypt the traffic. Most app developers that provide end-to-end encryption probably won't allow this to happen. Well at least I hope so.
     
  18. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    If it were legislated that ISPs must do that, the user would be required to run the ISP's setup before they can use it. The setup would install the ISP root cert. I had to think twice before posting about this; I didn't want to give those government sociopaths ideas but I'm sure if I can think of it so can they.
     
  19. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    App developers are usually one step ahead; they could provide a key to you some other way to avoid standard online key exchange for now, or create their own key exchange protocol to run after the initial HTTPS.
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Yes, IMO if it comes to this, we will only see another cat and mouse game.
     
  21. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    They need to hardcode their public key into the app if they don't already.
     