This and similar issues have been an ongoing issue with Spectrum going back to before Congress felt the need to call them (along with the other telcos) out for failing to secure their networks. I've noticed handshake issues at one time or another with webpages, DoH and dnscrypt, and VPN with TLS over UDP on a non-stand port.
During one particularly annoying episode where it effectively became a DOS I had my router log all dropped packets and then rebooted it. Immediately after reconnecting it drops a few incoming martians and invalid packets as if they were still expecting an active connection where there shouldn't have been any. The IPs were mostly upstream endpoints or gateways but at least once it was from a residential IP instead.
Between the weird arbitrary nature of the SSL/TLS handshake issues and the possible spoofing from upstream gateways I get the impression this is much more than just a bug.
They are also probably collecting DNS records from millions of customers too or inspecting SNI on TLS handshakes to know what sites each customer is visiting.
Not sure what TFA means with this, reads like ECH doesn't help
Coincidentally, this article's webpage breaks copy & paste in its tables for presumed reasons of being "cutesy" with table click behavior. Can people please stop doing idiotic shit like this?
They most certainly are. Large ISPs use Nokia Deepfield or Kentik for network monitoring, observability and user metrics. Both work due to volumes of metadata from net flows and DNS.
My gut tells me the broken intercept is a Nokia product.
This and similar issues have been an ongoing issue with Spectrum going back to before Congress felt the need to call them (along with the other telcos) out for failing to secure their networks. I've noticed handshake issues at one time or another with webpages, DoH and dnscrypt, and VPN with TLS over UDP on a non-stand port.
During one particularly annoying episode where it effectively became a DOS I had my router log all dropped packets and then rebooted it. Immediately after reconnecting it drops a few incoming martians and invalid packets as if they were still expecting an active connection where there shouldn't have been any. The IPs were mostly upstream endpoints or gateways but at least once it was from a residential IP instead.
Between the weird arbitrary nature of the SSL/TLS handshake issues and the possible spoofing from upstream gateways I get the impression this is much more than just a bug.
Is it naive of me to ask why it is being just casually accepted that a major ISP is mitm'ing TLS traffic?
They are also probably collecting DNS records from millions of customers too or inspecting SNI on TLS handshakes to know what sites each customer is visiting.
ECH and DOH people!
None of that requires messing with the connection though. You can't draw just passively observe and get the same info.
> "Encrypted Client Hello (ECH) - Enabled, limited effect"
Not sure what TFA means with this, reads like ECH doesn't help
Coincidentally, this article's webpage breaks copy & paste in its tables for presumed reasons of being "cutesy" with table click behavior. Can people please stop doing idiotic shit like this?
They most certainly are. Large ISPs use Nokia Deepfield or Kentik for network monitoring, observability and user metrics. Both work due to volumes of metadata from net flows and DNS.
My gut tells me the broken intercept is a Nokia product.
This is correct, it's even open source: https://github.com/deepfield/dnsflow.
OT: Letter-spacing horrible. Backslash: SSL\TLS.