Re: Application Throttling/Management
 

Is it the same IPs though or do VM essentially allocate shadow IPs or proxy it so they can differentiate and limit the service as defined in the contract between the 2. (Assuming that VM customers don't get the same access and retention on Easynews as Easynews customers)

Re: Application Throttling/Management
 

Thousands of customers would just up and leave not go to some company vm has connections too.
Really bad show and the final nail in vm's casket if this dpi stuff goes ahead said it a long time ago when this stuff was first mentioned this is no different to what the advertising malarkey were upto, isp's could filter anything (affecting traffic now and creeping to whatever surfaces as the next p2p) they want out with the kit leading in the end to a distrust of the isp using the kit and a 2 tier system and a more encrypted internet.

This could also be used covertly for isp discrimination to certain services or products that the isp's see fit for use (they WILL say they wont but will they?)

Re: Application Throttling/Management
 

I am stuck with them well unless I quit and move house

Re: Application Throttling/Management
 

Deep Packet Inspection/Interception of a UK/EU/US consumers Unique datastream IS NOT legal, UNLESS they have been given written full and informed consent by the owner of that data stream, I.E YOU as the owner and maker of that unique datastream.

You as the owner and maker of that data can remove any of the rights you may have given them at any time with a simple "official notice" in writing to the data controller of the company involved removing that right.

(as the phorm/NebuAd cases are showing and educating the worlds Broadband masses today).

---------- Post added at 18:25 ---------- Previous post was at 18:05 ----------

this is so true, thats why theres such a massive potential for some Uk 3rd party Co-location site to set up a basic free tunneling service to their servers and charge a reasonable price for higher data packages.

if only someone would provide this simple free basic service ASAP (google Uk infrastructure perhaps?) for your average users that dont know how to get or setup their own SSL tunneled Co-location Virtual web servers and related apps for personal remote use.

that way you tunnel from your VM/BT master home machine pluged into your desk BB modem directly to the free 3rd party virtual web server, and run your real datatreams end point from that 3rd party location,and hence VM/BT etc cant easly see these unencypted data end point requests, lets see VM/BT justify STMing that single SSL data pipe to a 3rd party in court.

OC as time moves on, its looking far more viable to look into direct WiMax and wireless gigE to the Co-Location sites around the country and bypass the ISPs invasive snooping all together.

as the Wimax/GigE hardware prices fall through the floor for this old/new wireless kit, all it takes today is a few mates or a small village to club together and run their own cheap Meshed wifi and a single server housed somewere handy to all of them with this wireless WiMax/GigE connection pointing to your friendy Co-Location site and you can do that today, never mind the url story below that will make it even easyer and cheaper later.

http://www.dailywireless.org/2008/09/04/gigabit-wi-fi/

http://www.dailywireless.org/2008/08...most-as-cheap/

Re: Application Throttling/Management
 

The problem is though that it just ends up with any traffic being throttled unless it can be identified as being a 'wanted' protocol, and while that may not be liked it's a perfectly legitimate thing for VM to do. :(

And yes it's not hard to shape things, you don't have to shape based on protocol, you can shape based on destination, number of TCP connections, source, TCP port, whatever you want.

Not sure if the quote was aimed at me or if you were just pointing out the things I mentioned above regarding behavioural shaping and SSL CA chains / self signing / SSL proxying and putting them in a somewhat better way :)

Re: Application Throttling/Management
 

they already did, they "asking ISPs to sign up for a Code of Practice" ... "It's a voluntary code that will be tested using 'mystery shoppers,' " ..."Ofcom is also going to investigate real broadband speeds around the country" with a survey.

"One thing not mentioned is throttling. For example, an ISP could give an accurate speed estimate then deliver a lower speed due to contention or deliberate speed throttling in response to file sharing. The fact that your DSL2 connection can do 7Mbps doesn't mean you're going to get that speed all day every day"

it just fills you with real confidence that Ofcom are really looking after your legal consumer rights doesnt it :rolleyes:

http://blogs.guardian.co.uk/technolo...tish_isps.html

getting yourself a few D1 forms and fact sheets an passing them around your friends will be far more effective in the long term OC.

Re: Application Throttling/Management
 

its not been the case for a long time now, at least for any and all plain text inside the ssl tunnel datastreams and the right kit, but you seem to already understand this point yet skip over it!? but no matter,its still interesting to other readers of the thread later perhaps.

this is a so called "Man In The Middle attack" built directly into industrial ISP grade hardware that business and well funded criminal oufits can purchase off the shelf today and pay an ISP tech to plug in for instance.

Ohh, it seems that later in the thread you concentrate on full decyption of the tunnel, wereas for the purposes of this thread and the reality of why VM and the DPI vendors are doing this is to get just enough information from your encypted datastream to use it in whatever mannor they chose to increase their profit margins at the end users expense...and without regard to the legal or political implications that might bring in the future from their actions.

and by "to close the security loophole that SSL creates" they obviously mean that without this kit they couldnt see much if any of your unique datastream property to profit from its processing...

http://www.intelcommsalliance.com/ks...04daf53086f015
"
Netronome SSL Inspector Transparent SSL Proxy


[img]Download Failed (1)[/img][img]Download Failed (1)[/img][img]Download Failed (1)[/img][img]Download Failed (1)[/img][img]Download Failed (1)[/img]
No ratings yet

Resources

Product Web Page
Datasheet

Categories

Application Software
Other


The Netronome SSL Inspector, the industry's highest-performance transparent SSL proxy, enables network security applications to access the clear text in SSL-encrypted connections and has been designed for security and network appliance manufacturers, enterprise IT organizations and system integrators. Without compromising any aspect of enterprise- or government-regulated compliance, the SSL Inspector allows network appliances to be deployed with the highest levels of flow analysis while still maintaining multi-gigabit line-rate network performance.

The SSL Inspector's unique combination of capabilities removes the risks arising from the lack of visibility into SSL traffic while simultaneously increasing the performance of security and network appliances.

The SSL Inspector Appliance provides existing sniffing (IDS) and filtering (IPS) security appliances with access to the decrypted plaintext of SSL flows. This equips network appliance manufacturers with a mechanism to provide their security applications with visibility into both SSL and non-SSL network traffic, increase their application performance and avoid becoming the source of reduced network throughput. This also allows end-users to add SSL Inspection capabilities to their network security architecture immediately to close the security loophole that SSL creates.

The SSL Inspector is also available in a standard development kit that provides the industry's only open application programming interface.


..."

Re: Application Throttling/Management
 

Popper, those rely on having the proxy configured as a CA on the browsers so that they can create phony certificates to present to the browsers.

They can work on layer 2 however they terminate the SSL tunnel from client to server and server to client. To do this they require the browser to trust them to sign certificates. This can be done in an Enterprise environment where you have control over the security policies on browsers, however in an ISP environment it's not feasible.

EDIT: The other alternative is to get certified as a CA properly so that you get installed into browsers, however use of CA in this manner is not valid and any company doing this will soon find their CA disappears.

Remember how SSL works - in order to properly set up the session you need to have a certified, signed public/private key pair from the server. While it is possible to impersonate the client and decrypt the flow initially it is not possible to impersonate the server unless you have a signed public/private key pair the client trusts through appropriate certification.

Having set up SSL offload appliances all, without exception, require the transferral of the key pair from the server to the appliance or generation of a new key pair which has been appropriately signed and certified on a per server basis. I would suggest the same goes for trying to SSL 'offload' within the ISP network as well.

Re: Application Throttling/Management
 

So you are admitting it is possible? even though you said to me it is impossible? and my point was it wasn't impossible just very hard? no i am not bring this up again just curious to your thoughts.

Re: Application Throttling/Management
 

See my post here: http://www.cableforum.co.uk/board/34632497-post274.html

That's the mechanism by which these appliances work. It's not breaking SSL it's attempting to impersonate each side to the other. It's not difficult at all and open source implementations are available, but will show up on a browser when you go to www.barclays.co.uk and the SSL certificate the server provides is signed by Virgin Media and can't be verified.

It isn't a break of SSL though, is easily detectable, and requires browsers to be set up specifically to accomodate it as in an enterprise environment, so no I'm not admitting anything :)

---------- Post added at 13:17 ---------- Previous post was at 13:14 ----------

Ah forgot to respond to this. I'm well aware of DPI being used with partial decrypts, I've worked on DPI kit with regards to detecting encrypted Bittorrent. As you rightly said only enough 'decryption' was needed to detect what the underlying protocol was. In the case of encrypted BT the encryption was rather weak and although it took a few months researchers did indeed break it to the point where it could be positively identified.

Re: Application Throttling/Management
 

So if I use Giganews with 256bit SSL - can they just take a peak and see what I'm leeching?

I was under the impression that they'd need DPI to do this.

Re: Application Throttling/Management
 

DPI alone will not allow them to see the contents of SSL-encrypted traffic. The would need to use a man in the middle attack, as described earlier in this thread, to decrypt the stream analyse it and reencrypt it before delivering to you. This is not "breaking" SSL and can be detected from the client end.

Ed.

Re: Application Throttling/Management
 

If VM continues to do this there will be no point in having anything above 4mb.

Mind you having seen this:

"I would note there is ALSO a seperate trial going on while controls ports speciifcally for games (Wow etc) which affect the pings for said games."

Which is obviously a lie, it wouldn't surprise me if the rest was.

Re: Application Throttling/Management
 

I'm on 4mb and it's crawling between 25-40k and the most i've seen it at tonight has been about 250k, my signals are good too.

It's been like this a few times over the last 2 or 3 weeks. I wouldn't be surprised if the *******s are up to something in this area.

Re: Application Throttling/Management
 

There's many different factors you have to look at i.e congestion, wireless router, not just VM are throttling your speeds plus are your speeds from torrents,newsgroups,p2p?