Securing online communications

Ian Batten ukcrypto at chiark.greenend.org.uk
Tue, 23 Dec 2008 21:26:43 +0000


On 23 Dec 2008, at 17:45, Alexander Hanff wrote:

> Hi everyone,
>
> I am hoping to draw on the expertise present on this list to try and
> determine the best real world solution for securing internet
> communications for large user groups.  Obviously this is related to my
> work against Phorm and I am trying to find a solution to encrypt
> communications and render Phorm's profiling equipment useless.
>
> The options as I see them are as follows:
>
> VPN
> SOCKS
> SSH Tunnel

Serious numbers of parallel encryption sessions aren't free: they burn
CPU at a surprising rate.

If your intent is just to render Phorm useless, don't bother with
encryption.  Just rent some server capacity in a data centre you know
isn't Phormed on its Internet connection and run squid on port 3128,
using simple authentication if you want to keep out people other than
your friends.  If Phorm are telling the truth about their product,
it'll blow straight past their inspectors, and if you find evidence
that they aren't (i.e. strange cookies) then you really can go to the
Information Commissioner.

If that's a bit too trusting, use stunnel / SSH / SOCKS / whatever to
make an encrypted link between you and your squid cache (I don't
_think_ squid can handle its input side being encrypted, as its SSL
modes are all for use as an SSL accelerator, but I could be wrong).
But even with care taken to get as much of the encryption kernel side
as possible, you'll find the extra CPU load of the ciphering plus the
extra context switches will require non-trivial CPU in volume.

Or you could change ISP.  That's what I'm in the process of doing.

ian
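The set-up Ian sketches (a squid cache on port 3128 with simple authentication, reached over an SSH link so the proxy is never exposed as an open relay) written out as an added example. This is not code from the thread or from the squid project; the hostname proxy.example, the user alice, the passwd file path and the basic_ncsa_auth helper path are assumptions (the helper's name and location vary between squid versions and distributions).

```shell
#!/bin/sh
# Added example (not from the ukcrypto thread): an authenticated squid
# forward proxy, reached through an SSH local port forward.
# Assumptions: squid 3.x directive names, helper at
# /usr/lib/squid/basic_ncsa_auth, placeholder host "proxy.example".

SQUID_PORT=3128

# Emit a minimal squid.conf. When clients arrive over the SSH tunnel the
# proxy binds to loopback only, so nothing on the data centre's public
# address can use it, and every request must carry Basic credentials.
write_squid_conf() {
    bind_addr="$1"     # 127.0.0.1 for the tunnelled case
    passwd_file="$2"   # create with: htpasswd -c "$passwd_file" alice
    cat <<EOF
http_port ${bind_addr}:${SQUID_PORT}
auth_param basic program /usr/lib/squid/basic_ncsa_auth ${passwd_file}
auth_param basic realm private proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
EOF
}

# Client side: forward local 3128 to squid's loopback port on the remote
# host, so the browser's plaintext HTTP only travels inside the SSH
# session and never crosses the Phormed ISP link in the clear.
ssh_tunnel_cmd() {
    user="$1"; host="$2"
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' \
        "$SQUID_PORT" "$SQUID_PORT" "$user" "$host"
}

# Sanity check on a generated config: authentication is required, the
# default rule denies, and no blanket "allow all" has crept in.
conf_requires_auth() {
    conf="$1"
    printf '%s\n' "$conf" | grep -q '^acl authenticated proxy_auth REQUIRED$' || return 1
    printf '%s\n' "$conf" | grep -q '^http_access deny all$' || return 1
    ! printf '%s\n' "$conf" | grep -q '^http_access allow all$'
}

# Demo: print the server config and the command the client runs.
write_squid_conf 127.0.0.1 /etc/squid/passwd
ssh_tunnel_cmd alice proxy.example
```

Once the tunnel is up, the browser is pointed at http://127.0.0.1:3128 as its HTTP proxy; squid's auth_param prompt keeps the cache private to people holding entries in the passwd file, and binding to 127.0.0.1 means the proxy is unreachable without the SSH hop. The CPU cost Ian warns about lands on the SSH daemon rather than on squid, which is the same trade-off whichever tunnelling tool is chosen.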