• Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
  • Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

HMRC can now view your internet history

Collapse
X
  •  
  • Filter
  • Time
  • Show
Clear All
new posts

    #11
    Based on the amount of times my EE provided broadband IP address changes in a week, those doing the tracking are going to have to make sure they don't confuse me, with the other previous owners of that IP address.
    Don't believe it, until you see it!

    Comment


      #12
      Originally posted by darrylmg View Post
      Based on the amount of times my EE provided broadband IP address changes in a week, those doing the tracking are going to have to make sure they don't confuse me, with the other previous owners of that IP address.
      That's the easy part. Big providers already know who had which IP and when. That is already evidence that can be used.
      See You Next Tuesday

      Comment


        #13
        If folks are worried about content sniffing then the lower bar is just to get sites like the one we're on to support TLS. Letsencrypt will hand out a cert for free so there's little excuse.

        Sure, the metadata will still leak as SNI requires you send the base URI and you'll have done an unencrypted DNS request that's all they're gonna get without hitting up the actual websites.

        On that note, are we all really logging in over plain text here anyway?

        Comment


          #14
          But given how there are a large number of household items accessing the internet, will the defence be "my fridge has been looking at pr0n again"
          …Maybe we ain’t that young anymore

          Comment


            #15
            Originally posted by fool View Post
            If folks are worried about content sniffing then the lower bar is just to get sites like the one we're on to support TLS. Letsencrypt will hand out a cert for free so there's little excuse.

            Sure, the metadata will still leak as SNI requires you send the base URI and you'll have done an unencrypted DNS request that's all they're gonna get without hitting up the actual websites.

            On that note, are we all really logging in over plain text here anyway?
            Bit more than that. HMG has effectively allowed for a back door in any new encryption products or services.

            Summary courtesy of El Reg.

            This was the proposed wording in the Code of Practice accompanying the legislation:

            CSPs subject to a technical capacity notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.

            As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops – such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications.

            Don't be surprised if they start including changes to existing services under the scope of "...new products and services...".
            "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.

            Comment


              #16
              Originally posted by fool View Post
              If folks are worried about content sniffing then the lower bar is just to get sites like the one we're on to support TLS. Letsencrypt will hand out a cert for free so there's little excuse.

              Sure, the metadata will still leak as SNI requires you send the base URI and you'll have done an unencrypted DNS request that's all they're gonna get without hitting up the actual websites.
              On that note, are we all really logging in over plain text here anyway?
              That might need some explaining.

              Are you referring to this - https://forums.contractoruk.com/
              Secure Connection Failed

              An error occurred during a connection to forums.contractoruk.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
              I'm here via http://forums.contractoruk.com/

              Comment


                #17
                Originally posted by DaveB View Post
                Bit more than that. HMG has effectively allowed for a back door in any new encryption products or services.

                Summary courtesy of El Reg.



                Don't be surprised if they start including changes to existing services under the scope of "...new products and services...".
                Yep, they want a look into all your communication. But TLS and PGP are still considered safe and it'll be pretty difficult for our Government to really break it without making it obvious.

                Originally posted by Contreras View Post
                That might need some explaining.

                Are you referring to this - https://forums.contractoruk.com/

                I'm here via http://forums.contractoruk.com/
                Yep. It would appear that all communication that we do is on plain text as it's not https://. I've had a browse of the source to see if at least the parts such as the logins were secure, but can't see any evidence for that. So yeah, logging in here seems to suggest you send both your username and password over plain text over the internet. This includes the posts you make and your source IP, which will make you pretty identifiable unless you've already been using a VPN the entire time.

                P.S. Happy to help the mods sort this out. Or you just look at something like https://caddyserver.com/ and it'll just provide certs for free.
                Last edited by fool; 3 December 2016, 13:24.

                Comment


                  #18
                  Originally posted by WTFH View Post
                  But given how there are a large number of household items accessing the internet, will the defence be "my fridge has been looking at pr0n again"
                  I'm sure that'll work just as well as all those car owners who claim that it wasn't them driving when their car was clocked at 90mph.

                  Comment


                    #19
                    Originally posted by Lance View Post
                    If you allow your wife and kids to use your connection are you a provider?
                    What about Starbucks WiFi?
                    I can't get over the feeling that they've not thought this through properly.
                    Starbucks use BT, so I would assume they will already have it covered.

                    I would imagine the days of free wifi will continue, but you will have to provide an email address or the like to confirm before be allowed to access any content
                    Originally posted by Stevie Wonder Boy
                    I can't see any way to do it can you please advise?

                    I want my account deleted and all of my information removed, I want to invoke my right to be forgotten.

                    Comment


                      #20
                      Originally posted by SimonMac View Post
                      Starbucks use BT, so I would assume they will already have it covered.

                      I would imagine the days of free wifi will continue, but you will have to provide an email address or the like to confirm before be allowed to access any content
                      It's a good job nobody can fake an email address then
                      See You Next Tuesday

                      Comment

                      Working...
                      X