https://torrentfreak.com/italy-approves-piracy-shield-vpn-dns-proposal-risk-of-prison-for-isps-intact-241001/

As title. Italy is decided to pass a law that basically creates a chinese-type firewall in the country. The question is simple: even if I’m not doing anything illegal, my VPN provider will have to know what am I doing to report it in case it’s illegal, or face jail.

So how could my traffic remain private in this scenario?

Can a VPN provider with no logs policy be held accountable of anything? Can it actually know what I’m doing?

    • slazer2au@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      don’t have to break TLS to know what site you are accessing. The SNI of the cert does that.

      The specific url however is protected by TLS.

      • ShortN0te@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        They see what sites you are visiting yes but they do not see what you are doing on them. They do not see the content of the traffic. Huge difference.

    • shortwavesurfer@lemmy.zip
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      HTTPS doesn’t stop them from knowing what you visited. It just stops them from knowing what you did while you were there. VVPN provider can still see that you visited Google, but they cannot see what you asked for Google to do for you.

      • ShortN0te@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        Yes. Not claimed otherwise. OC claimed that they see what you are doing which is wrong.

    • delirious_owl@discuss.online
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      You can read more about this learning about X.509.

      Its the PKI thats broken, namely the root stores. Has been unreliable for many, many years. This is why packages are signed.

      • ShortN0te@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        You can read more about this learning about X.509.

        Its the PKI thats broken, namely the root stores. Has been unreliable for many, many years. This is why packages are signed.

        So you are basically saying that root CAs are unreliable or compromised?

        The great thing is, that you can decide on your own which CAs you trust. Also please proof that those are actively malicious.

        And no. That is not the reason that packages are signed, i am guessing you mean packages like on linux, packages contained in the installation repository. The reason is, that you build another chain of trust. Why would i trust a CA which issues certificates for domains with code distribution. That’s not their job.

        • mox@lemmy.sdf.org
          link
          fedilink
          arrow-up
          0
          ·
          edit-2
          2 months ago

          So you are basically saying that root CAs are unreliable or compromised?

          Not exactly. They are pointing out that HTTPS assumes all is well if it sees a certificate from any “trusted” certificate authority. Browsers typically trust dozens of CAs (nearly 80 for Firefox) from jurisdictions all over the world. Anyone with sufficient access to any of them can forge a certificate. That access might come from a hack, a rogue employee, government pressure, a bug, improperly handled backups, or various other means. It can happen, has happened, and will happen again.

          HTTPS is kind of mostly good enough for general use, since exploits are not so common as to make it useless, but if a government sees it as an obstacle, all bets are off. It is not comparable to a trustworthy VPN hosted outside of the government’s reach.

          Also, HTTPS doesn’t cover all traffic like a properly configured VPN does. Even where it is used and not compromised, it’s not difficult for a well positioned snooper (like an internet provider that has to answer to government) to follow your traffic on the net and deduce what you’re doing.

          • ShortN0te@lemmy.ml
            link
            fedilink
            arrow-up
            0
            ·
            2 months ago

            Not exactly. They are pointing out that HTTPS assumes all is well if it sees a certificate from any “trusted” certificate authority. Browsers typically trust dozens of CAs (nearly 80 for Firefox) from jurisdictions all over the world. Anyone with sufficient access to any of them can forge a certificate.

            Great thing, that you can remove them and only trust those you trust.

            Also, HTTPS doesn’t cover all traffic like a properly configured VPN does.

            Pls explain what https is not covered? The SNI on tbe first visit? A VPN just moves the “exit point” of your traffic. Now the Datacentef and VPN provider sees what you ISP saw.

            it’s not difficult for a well positioned snooper (like an internet provider that has to answer to government) to follow your traffic on the net and deduce what you’re doing.

            No. I never said otherwise. But they cannot spy on the traffic. And since the SNI is not encrypted anyway they do not even nerd to “follow the traffic”. But what sites you are visiting and what you are doing on them are 2 different things.

            • delirious_owl@discuss.online
              link
              fedilink
              arrow-up
              0
              ·
              edit-2
              2 months ago

              Lol OK. Every US company has to legally provide their private keys (or a subordinate CA) to the US government if asked, due to NSL laws. We have examples of the US doing this historically, only because some companies broke the law and spoke out publicly.

              So go ahead and remove all CAs issued from US companies. Verisign, cloudflare, akamai, Microsoft, Amazon, etc.

              Now 80% of the Internet is broke.

        • delirious_owl@discuss.online
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          Yes, there is countless examples of root CAs containing compromised CAs. Also the private keys live on the server, hot. That’s why we sign with release keys that are not stored on the publishing infr