This will be my final post on this, any other discussions on this topic need to be taken elsewhere.  Because of the breadth of this discussion, I'm pulling examples into place.

In the United States, which is my jurisdiction, there is legal precedent in the courts that states that, in summary, "There is zero expectation of privacy for any activities on any network you do not control."  This comes up regularly in the courts where people are fired or punished under their workplace policies for sending an email from work email or using work resources (network, etc.) for personal uses and it in turn results in some kind of punishment - either at the workplace or legal repercussions or otherwise.  In every such case, the law and legal precedent states that you have zero expectation of privacy on any network you connect to.

Case in point.  I have a network at my home that is enterprise-grade with how I've set it up.  Controls on content, access to the Internet and resources, etc.  I have a section of my network for guests to connect to that is isolated from my core network, and allows access to (limited) bandwidth for Internet access.  However, because I run the network, the expectation is that if you or someone else is connected to my network that the users of my network understand - whether explicitly told or otherwise - that "Thomas controls this network, my use of this network is at his leisure, and he has a right to monitor the activity going on in the network in order to prevent behaviors or activity that they do not permit."  Therefore, I have a right to monitor my network for activity, connection of devices, etc. and prohibit activities on my network.  Additionally, since my home network is provided by Comcast and Verizon (I have dual ISP links for failover, etc.), both Comcast and Verizon have the right to monitor the activity traversing their corresponding network links (Verizon can't monitor Comcast's traffic and vice versa, but I can monitor the activity on the network links on my network for both).

Another case.  I won't name specifics, but at my employer's network, I am the IT Security guy.  The network is locked down to prohibit connection to certain types of content by filtration, and we prohibit certain activities on our network.  We additionally monitor all attempts to access things that are NOT permitted for various network segments, and in turn audit that data to determine if there are breaches, employees trying to do corporate espionage, etc.  Additionally, we use an IDS/IPS solution that checks traffic as well to identify whether it falls into certain categories of threats and in turn blocks those threats from being used on the network.  This includes VPN providers outside our network, because we do not permit people inside our network to use external VPN services.  Because users of our network are bound by contract to the terms of use and by using our network implicitly agree to all terms of network use, they implicitly accept that their activity may be monitored.  We detected a user on our network doing personal research on corporate resources in a way that violated the network use policies that all employees and guests abide by in our environment.  That user was denied access to the network, and later was fired because they were an employee abusing resources.

Let's look at a Cloud Service provider.  I had a VPS at a VPS provider.  It was discovered by them that there was malicious activity going on due to a breached site that was on one of those VPSes.  They locked down the VPS after receiving abuse reports and correlated the reported abuse with network activity logs on their end, and because they run the network even though the VPS was mine, their terms of contract and service indicate they have the right to monitor activity for abuse of service.

Your ISP is the same way, like I briefly mentioned above.  When you sign up for Internet service from an ISP (home, business, mobile, etc.), the provider must disclose acceptable use policies.  ISPs have rules against running malware, phishing sites, etc. in a lot of cases and some proactively scan and monitor the network activity for clear signs of abuse.  The ISP reserves the right as your provider of network services to monitor your activity in accordance with their published terms of service and use.  All of those Terms of Service indicate they may monitor your activity.  Because your home network is actually provided by the ISP, the ISP has the right to monitor your traffic for TOS violations.

Even VPN providers, etc. are not exempt from this.  VPN providers have terms of use as well, and while VPN providers typically aren't monitoring your traffic on the provider, they reserve the right to if they truly believe you're causing trouble on the network.  ANY provider of network services is entitled to monitor traffic on their respective links.

As such, there is no expectation of privacy on any given network you connect to.


Thomas


On 10/21/23 01:22, Jason Long wrote:
Hello,
Thanks again.
You said "Unless you yourself manage/control the network you're connected to, there is ZERO expectation of privacy on the connection you're using.  Even if you use your home network, there's no expectation that the ISP *won't* observe your traffic." Can you tell me more?

On Saturday, October 21, 2023 at 08:43:11 AM GMT+3:30, Thomas Ward <teward@thomas-ward.net> wrote: 

I reiterate my original statements:

Stunnel is not a VPN, so no it can't "hide your browsing".  Hiding your browsing needs more than just stunnel because of how DNS and other components for browsing work.
So no, Stunnel will not help you.

Tor is not a guarantee of a solution.  Nor is a VPN.

UNFORTUNATELY, though "how to hide browsing" is beyond the scope of this list.

And I'm sorry to say, but as an IT Security professional myself, I must disclose to you this little nugget of knowledge: There is no such thing as "illegally looking at users' traffic" when using someone else's network.  Whether they're harvesting credentials or not, it is NOT illegal for the network management people to look at the traffic of those who use their network - it's an implicit "You're at the provider's whims and choices".

Even in a corporate environment, there is no implication of security and privacy.  Case in point: I am the primary sysadmin of my employer's network and security operations.  Our firewall and other content filtration components decode traffic at the border BEFORE sending out to the Internet for requests.  Theoretically, between the point of decryption and reencryption to go out the door, I could have nastiness in the firewall or other systems to harvest passwords, sniff activity, etc.  The workplace has policies such as "Acceptable Use" and also the "You are consenting to activity on the work network being monitored." because, well, corporate security is a thing.

Unless you yourself manage/control the network you're connected to, there is ZERO expectation of privacy on the connection you're using.  Even if you use your home network, there's no expectation that the ISP *won't* observe your traffic.

Thomas

On 10/21/23 01:07, Jason Long wrote:


Hello,
Thank you so much for replies.
First of all, I don't want to do anything illegal. I feel that the person who is in charge of managing the Fortinet and FortiGate devices is illegally looking at the users' traffic, and because I don't have access to the device, I can't prove it. If I use a VPN or Tor, can he/she still look at my traffic? Can Stunnel help me?

On Friday, October 20, 2023 at 10:52:22 PM GMT+3:30, Eberhard <flash@vicsmba.com> wrote: 

Exactly!  If people could get around the Forti products that easily they would not have the reputation they have!  Eric
 
 
 
VICS, LLC
Eric S Eberhard
2933 W Middle Verde Rd
Camp Verde, AZ  86322
 
928-567-3727            (land line)
928-301-7537            (cell phone)
 
http://www.vicsmba.com
https://www.facebook.com/groups/286143052248115
 
 
From: Thomas Ward via stunnel-users <stunnel-users@stunnel.org> 
Sent: Friday, October 20, 2023 6:11 AM
To: Jason Long <hack3rcon@yahoo.com>; Stewart Anderson via Stunnel-users <stunnel-users@stunnel.org>
Subject: [stunnel-users] Re: How do I hide my browsing?
 
Stunnel is not a VPN, so no it can't "hide your browsing".  Hiding your browsing needs more than just stunnel because of how DNS and other components for browsing work.
 
Question 2 is beyond the scope of stunnel's list to answer.
 
This said: If you have to ask how to hide your browsing that means you're violating your network's use policies, and with Fortinet and Fortigate in line it sounds like you're on a workplace network.  Just don't use your workplace network for whatever shady stuff you're concerned about them finding you doing.
 
 
 
Sent from my Galaxy
 
 
 
-------- Original message --------
From: Jason Long via stunnel-users <stunnel-users@stunnel.org> 
Date: 10/20/23 09:05 (GMT-05:00) 
To: Stewart Anderson via Stunnel-users <stunnel-users@stunnel.org> 
Subject: [stunnel-users] How do I hide my browsing? 
 
Hello,
In an internal network, they monitor web browsing through firewalls (Fortinet and FortiGate). I have two questions:
 
1- Can I use Stunnel to hide my browsing?
 
2- Can they capture usernames and passwords for email and other websites?
 
Thank you.