This will be my final post on this, any other discussions on this
topic need to be taken elsewhere. Because of the breadth of this
discussion, I'm pulling examples into place.
In the United States, which is my jurisdiction, there is legal precedent in the courts that states that, in summary, "There is zero expectation of privacy for any activities on any network you do not control." This comes up regularly in the courts where people are fired or punished under their workplace policies for sending an email from work email or using work resources (network, etc.) for personal uses, and it in turn results in some kind of punishment - either at the workplace or legal repercussions or otherwise. In every such case, the law and legal precedent states that you have zero expectation of privacy on any network you connect to.
Case in point. I have a network at my home that is
enterprise-grade with how I've set it up. Controls on content,
access to the Internet and resources, etc. I have a section of my
network for guests to connect to that is isolated from my core
network, and allows access to (limited) bandwidth for Internet
access. However, because I run the network, the
expectation is that if you or someone else is connected to my
network that the users of my network understand - whether
explicitly told or otherwise - that "Thomas controls this network,
my use of this network is at his leisure, and he has a right to
monitor the activity going on in the network in order to prevent
behaviors or activity that they do not permit." Therefore, I have
a right to monitor my network for activity, connection of devices,
etc. and prohibit activities on my network. Additionally, since
my home network is provided by Comcast and Verizon (I have dual
ISP links for failover, etc.), both Comcast and Verizon have the
right to monitor the activity traversing their corresponding
network links (Verizon can't monitor Comcast's traffic and vice
versa, but I can monitor the activity on the network links on my
network for both).
Another case. I won't name specifics, but at my employer's
network, I am the IT Security guy. The network is locked down to
prohibit connection to certain types of content by filtration, and
we prohibit certain activities on our network. We additionally
monitor all attempts to access things that are NOT
permitted for various network segments, and in turn audit that
data to determine if there are breaches, employees trying to do
corporate espionage, etc. Additionally, we use an IDS/IPS
solution that checks traffic as well to identify whether it falls
into certain categories of threats and in turn blocks those
threats from being used on the network. This includes VPN
providers outside our network, because we do not permit people
inside our network to use external VPN services. Because
users of our network are bound by contract to the terms of use
and by using our network implicitly agree to all terms of
network use, they implicitly accept that their activity may be
monitored. We detected a user on our network doing personal
research on corporate resources in a way that violated the network
use policies that all employees and guests abide by in our
environment. That user was denied access to the network, and
later was fired because they were an employee abusing resources.
Let's look at a Cloud Service provider. I had a VPS at a VPS provider. It was discovered by them that there was malicious activity going on due to a breached site that was on one of those VPSes. They locked down the VPS after receiving abuse reports and correlated the reported abuse with network activity logs on their end, and because they run the network even though the VPS was mine, their terms of contract and service indicate they have the right to monitor activity for abuse of service.
Your ISP is the same way, like I briefly mentioned above. When you sign up for Internet service from an ISP (home, business, mobile, etc.), the provider must disclose acceptable use policies. ISPs have rules against running malware, phishing sites, etc. in a lot of cases and some proactively scan and monitor the network activity for clear signs of abuse. The ISP reserves the right as your provider of network services to monitor your activity in accordance with their published terms of service and use. All of those Terms of Service indicate they may monitor your activity. Because your home network is actually provided by the ISP, the ISP has the right to monitor your traffic for TOS violations.
Even VPN providers, etc. are not exempt from this. VPN providers have terms of use as well, and while VPN providers typically aren't monitoring your traffic on the provider, they reserve the right to if they truly believe you're causing trouble on the network. ANY provider of network services is entitled to monitor traffic on their respective links.
As such, there is no expectation of privacy on any given network you connect to.
Thomas
Hello,

Thanks again. You said "Unless you yourself manage/control the network you're connected to, there is ZERO expectation of privacy on the connection you're using. Even if you use your home network, there's no expectation that the ISP *won't* observe your traffic." Can you tell me more?

On Saturday, October 21, 2023 at 08:43:11 AM GMT+3:30, Thomas Ward <teward@thomas-ward.net> wrote:

I reiterate my original statements:

Stunnel is not a VPN, so no it can't "hide your browsing". Hiding your browsing needs more than just stunnel because of how DNS and other components for browsing work.

So no, Stunnel will not help you. Tor is not a guarantee of a solution. Nor is a VPN.

UNFORTUNATELY, though "how to hide browsing" is beyond the scope of this list.

And I'm sorry to say, but as an IT Security professional myself, I must disclose to you this little nugget of knowledge: There is no such thing as "illegally looking at users' traffic" when using someone else's network. Whether they're harvesting credentials or not, it is NOT illegal for the network management people to look at the traffic of those who use their network - it's an implicit "You're at the provider's whims and choices". Even in a corporate environment, there is no implication of security and privacy.

Case in point: I am the primary sysadmin of my employer's network and security operations. Our firewall and other content filtration components decode traffic at the border BEFORE sending out to the Internet for requests. Theoretically, between the point of decryption and reencryption to go out the door, I could have nastiness in the firewall or other systems to harvest passwords, sniff activity, etc. The workplace has policies such as "Acceptable Use" and also the "You are consenting to activity on the work network being monitored." because, well, corporate security is a thing.

Unless you yourself manage/control the network you're connected to, there is ZERO expectation of privacy on the connection you're using. Even if you use your home network, there's no expectation that the ISP *won't* observe your traffic.

Thomas

On 10/21/23 01:07, Jason Long wrote:

Hello,

Thank you so much for replies. First of all, I don't want to do anything illegal. I feel that the person who is in charge of managing the Fortinet and FortiGate devices is illegally looking at the users' traffic, and because I don't have access to the device, I can't prove it. If I use a VPN or Tor, can he/she still look at my traffic? Can Stunnel help me?

On Friday, October 20, 2023 at 10:52:22 PM GMT+3:30, Eberhard <flash@vicsmba.com> wrote:

Exactly! If people could get around the Forti products that easily they would not have the reputation they have!

Eric

VICS, LLC
Eric S Eberhard
2933 W Middle Verde Rd
Camp Verde, AZ 86322
928-567-3727 (land line)
928-301-7537 (cell phone)
http://www.vicsmba.com
https://www.facebook.com/groups/286143052248115

From: Thomas Ward via stunnel-users <stunnel-users@stunnel.org>
Sent: Friday, October 20, 2023 6:11 AM
To: Jason Long <hack3rcon@yahoo.com>; Stewart Anderson via Stunnel-users <stunnel-users@stunnel.org>
Subject: [stunnel-users] Re: How do I hide my browsing?

Stunnel is not a VPN, so no it can't "hide your browsing". Hiding your browsing needs more than just stunnel because of how DNS and other components for browsing work.

Question 2 is beyond the scope of stunnel's list to answer.

This said: If you have to ask how to hide your browsing that means you're violating your network's use policies, and with Fortinet and Fortigate in line it sounds like you're on a workplace network. Just don't use your workplace network for whatever shady stuff you're concerned about them finding you doing.

Sent from my Galaxy

-------- Original message --------
From: Jason Long via stunnel-users <stunnel-users@stunnel.org>
Date: 10/20/23 09:05 (GMT-05:00)
To: Stewart Anderson via Stunnel-users <stunnel-users@stunnel.org>
Subject: [stunnel-users] How do I hide my browsing?

Hello,

In an internal network, they monitor web browsing through firewalls (Fortinet and FortiGate). I have two questions:

1- Can I use Stunnel to hide my browsing?
2- Can they capture usernames and passwords for email and other websites?

Thank you.