I don’t like smart-phones at all. I do not like how people use them in bars and restaurants. I also don’t like that the phone is always online, especially since all kinds of “apps” and background processes are constantly leaking information about me. Call me a fool, but I’m worried about my privacy. Since my friends nowadays refuse to send me SMS (they rely solely on WhatsApp) I was getting socially isolated (showing up at canceled events and so on). That is why I recently gave up my stubbornness and decided to buy a smartphone as well. Still, every day I wonder what (and how) my smartphone is communicating over the Internet. To get an answer to this question I decided to investigate.
I had the above Sitecom (WL-113) USB wifi dongle lying around that could serve as an access point for my phone, so that I could peek into the communication on my PC using the excellent open source Wireshark software. This is a diagram of the infrastructure:
I am running Xubuntu 14.04 and I connected my USB dongle.
First I ran “lsusb” to confirm the adapter was identified.
maurits@nuc:~$ lsusb
...
Bus 002 Device 024: ID 0df6:9071 Sitecom Europe B.V. WL-113 rev 1 Wireless Network USB Adapter
And yes, it was. Great! Now to see what the system says about it when I connect it. Running “dmesg” showed me the driver that was loaded:
maurits@nuc:~$ dmesg
...
[20068.576242] usb 2-1.4: new high-speed USB device number 24 using ehci-pci
[20068.669492] usb 2-1.4: New USB device found, idVendor=0df6, idProduct=9071
[20068.669498] usb 2-1.4: New USB device strings: Mfr=16, Product=32, SerialNumber=0
[20068.669501] usb 2-1.4: Product: USB2.0 WLAN
[20068.669504] usb 2-1.4: Manufacturer: Sitecom
[20068.744236] usb 2-1.4: reset high-speed USB device number 24 using ehci-pci
[20068.837283] ieee80211 phy12: Selected rate control algorithm 'minstrel_ht'
[20068.837521] zd1211rw 2-1.4:1.0: phy12
[20068.855382] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
To see whether the adapter was really there I ran “ifconfig -a”, and yes, it was there and it was named “wlan0”:
maurits@nuc:~$ ifconfig -a
...
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:5387 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5387 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:634228 (634.2 KB)  TX bytes:634228 (634.2 KB)

wlan0     Link encap:Ethernet  HWaddr 00:00:de:ad:be:ef
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
I did get a little curious about what the dongle would look like on the inside, so I Googled for “zydas wl-113”. I found the following image on Wireless-Forum.ch:
I also found a guy who had a Sitecom WL-113 with a different chip inside (probably not a “rev 1” model). But I am pretty sure mine has a ZyDAS 1211 as in the above picture (but I did not open it up). Before we can do “nice” things with it we need to see whether it supports “master mode”. This means that the dongle goes into a mode in which it behaves as an access point. Ubuntu has a tool called “iw” (install it with “sudo apt-get install iw”) that allows you to list the supported modes (amongst many other things) like this:
maurits@nuc:~$ iw list
Wiphy phy12
...
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * monitor
		 * mesh point
Bingo! Our dongle supports “AP” mode (many devices do not). You may want to try to put the adapter in master mode with the following command:
maurits@nuc:~$ iwconfig wlan0 mode master
Error for wireless request "Set Mode" (8B06) :
    SET failed on device wlan0 ; Operation not permitted.
But that fails. After reading around on the web a little I found that this does not mean that the dongle does not support it.
Installing “hostapd” the host access point daemon
You just need to install the “hostapd” program using “sudo apt-get install hostapd”. Before you can start the hostapd application you need to take a few steps. First I had to create the “/etc/hostapd/hostapd.conf” file with the following contents:
interface=wlan0
bridge=br0
driver=nl80211
ssid=MyNetwork
hw_mode=g
channel=7
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=YourPassPhrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
Now edit the file “/etc/default/hostapd” and uncomment the “DAEMON_CONF” line and make it:
If we want the PC to temporarily act like a router we need to enable IPv4 forwarding:
sudo sysctl -w net.ipv4.ip_forward=1
Now you can start the “hostapd” access point software with:
sudo hostapd /etc/hostapd/hostapd.conf
If all goes well it should show:
maurits@nuc:~$ sudo hostapd /etc/hostapd/hostapd.conf
Configuration file: /etc/hostapd/hostapd.conf
Using interface wlan0 with hwaddr 00:00:de:ad:be:ef and ssid "MyNetwork"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
If it does not work you may want to run the following:
sudo nmcli nm wifi off
sudo rfkill unblock wlan
This is because network manager has detected the wlan interface and grabbed it. If you need debug output you may run:
sudo hostapd -d /etc/hostapd/hostapd.conf
If you need even more debug output you may run:
sudo hostapd -dd /etc/hostapd/hostapd.conf
If this fails with the following message:
hostapd_free_hapd_data: Interface wlan0 wasn't started
then stop the hostapd service first with:
sudo service hostapd stop
If it says it started (using “sudo hostapd”), but you actually don’t see the Wifi network on your smartphone, then reconnecting the dongle and starting all over again may help. Note that the “hostapd” service will automatically be started on the next boot.
Bridging to get Internet access
Now you may want to configure a bridge between eth0 (your Internet connection) and wlan0 (your dongle access point). First we remove the IP address from eth0. Then we add eth0 to bridge br0 (which already contains wlan0). After that we bring the bridge up and let it do DHCP, which also adds a default route to the gateway:
sudo ifconfig eth0 inet 0.0.0.0
sudo brctl addif br0 eth0
sudo ifconfig br0 up
sudo dhclient br0
Now you should still be able to surf the Internet while you also have a software access point running on your computer. If you want to undo the bridge configuration you may run:
sudo ifconfig br0 down
sudo brctl delif br0 wlan0
sudo brctl delif br0 eth0
sudo ifconfig br0 down
sudo dhclient eth0
Permanent configuration (persist on reboot)
The IPv4 forwarding setting can be made permanent by uncommenting the following line in “/etc/sysctl.conf”:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
If you want to make the bridge configuration permanent you can add the following to “/etc/network/interfaces”:
iface wlan0 inet manual
iface eth0 inet manual
auto br0
iface br0 inet dhcp
    bridge_ports eth0
Note that this won't work since the network manager will still grab wlan0 and execute “rfkill”. To avoid this you can turn off the network manager completely (and permanently) with:
sudo service network-manager stop
echo "manual" | sudo tee /etc/init/network-manager.override
To re-enable the network manager simply do the opposite:
sudo rm /etc/init/network-manager.override
sudo service network-manager start
Capturing Wifi traffic with Wireshark
Now we can start Wireshark on the wlan0 interface using:
sudo wireshark -i wlan0 -k
And we get nice output:
Using this tool I can record and analyze the communication of the apps I installed on my smartphone.
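The first thing to look at in such a capture is which host names the phone resolves. The following added example (my own code, not part of the original post) is a minimal parser that pulls every DNS query out of an Ethernet pcap, such as one saved from Wireshark on wlan0; the pcap it runs on is constructed inline with made-up names and addresses so it works offline.

```python
import struct

def encode_qname(name):
    """Encode a dotted name in DNS label format (used only to build the sample)."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def decode_qname(data, off):
    """Decode an uncompressed DNS name starting at offset 'off'."""
    labels = []
    while data[off] != 0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)

def dns_query_frame(src_ip, name):
    """Constructed sample: Ethernet/IPv4/UDP frame carrying one DNS query for 'name'."""
    dns = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + encode_qname(name) + b"\x00\x01\x00\x01"
    udp = struct.pack(">HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([192, 168, 1, 1])) + udp
    return b"\x00\x00\xde\xad\xbe\xef" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip

def pcap_file(frames):
    """Constructed sample: a little-endian pcap (link type 1 = Ethernet) holding 'frames'."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1400000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def dns_queries(pcap):
    """Return [(source IP, queried name)] for every UDP/53 query in an Ethernet pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic number gives byte order
    off, found = 24, []
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                   # keep only IPv4 + UDP
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:]
        dport = struct.unpack(">H", udp[2:4])[0]
        flags = struct.unpack(">H", udp[10:12])[0]
        if dport == 53 and not flags & 0x8000:         # port 53 and QR bit clear: a query
            src = ".".join(str(b) for b in frame[26:30])
            found.append((src, decode_qname(udp, 20)))  # 8 bytes UDP + 12 bytes DNS header
    return found

SAMPLE = pcap_file([dns_query_frame("192.168.1.10", "chat.example.com"),
                    dns_query_frame("192.168.1.10", "tracker.example.net")])

if __name__ == "__main__":
    for src, name in dns_queries(SAMPLE):
        print(f"{src} asked for {name}")
```

Replace SAMPLE with the bytes of a real capture file (Wireshark's "Save As" pcap format) to list what the phone actually looked up.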
Figuring all the above out was not possible without the following websites:
Firefox, a browser built by the Mozilla Foundation, is in my opinion the best browser on the web. It is available on all major operating systems, including Linux and Android. Unfortunately Firefox is not available for iOS. Firefox is “Committed to you, your privacy and an open Web” and on the Mozilla website they tell us that Firefox is:
- Trusted: Designed to protect your privacy
- Flexible: Designed to be redesigned
- Fast: Faster than ever
On the Firefox privacy page Mozilla says:
We build Firefox with a mission to put you first, above all else.
We do it to keep you in control. We do it so you can browse without worry.
And we do it because no one else will. – Mozilla
I think it is widely accepted (and true) that your privacy is very much at risk when you are surfing the Internet. Firefox will protect your privacy (to some extent) if you tell it to, but you do have to tell it to do so. You can do this by clicking the menu button and then “Preferences”. This screen has a privacy tab, and I strongly recommend that you make the settings as strict as shown in the screenshot below:
Pay extra attention to the “Accept third-party cookies” and “Tell sites that I do not want to be tracked” options. Unfortunately this last feature just informs any third party of your preference; it does not actually block the tracking. This is where AdBlock Plus comes into play.
Download Adblock Plus here. After installing, you can configure the AdBlock Plus icon (red stop sign) to be present in the toolbar (or not) by clicking the menu icon, clicking “Add-ons”, then the “Extensions” tab on the left and then the “Preferences” button of AdBlock Plus. At the bottom there is a list of checkboxes, one of which is “Show in toolbar”.
It is very convenient to have the AdBlock Plus icon in the toolbar (to the left of the menu icon) so that you can quickly disable it if that is needed. It may for instance happen that a site no longer shows you Facebook “Like” buttons and you are very desperate to “Like” something.
For the best experience I would disable “Show tabs on Flash and Java” and disable “Count filter hits”. In the filter preferences I have added three subscriptions and unchecked “Allow some non-intrusive advertising”, like this:
Most people install only “EasyList”, which is easy to find and mainly blocks advertisers. I also recommend the “Adblock Warning Removal List” to avoid any warnings that may appear due to the usage of AdBlock Plus. The other subscription you should have is “Fanboy’s Annoyance List”, which sounds unimportant but actually blocks all Google and Facebook tracking (and many other “annoying” things). These subscriptions may not be available from the user interface, but this should not stop you. You can find them at the following link:
AdBlock Plus blocks the loading of elements that match the rules defined in the subscriptions. These elements can be visible or invisible (scripts or transparent tracking pixels). This does not only improve your privacy online, but also makes websites load faster. It actually matters a lot, as you can see from a quick experiment I did using Firebug. I executed a full page refresh on several websites with and without AdBlock Plus enabled. Below is a graph showing the loading time of each website with AdBlock Plus enabled relative to the loading time without AdBlock Plus. You can see that all sites load faster with AdBlock Plus enabled (<100%), since the browser has to load fewer elements from the website:
This is the data I collected in my (single) run along some popular websites, which is used to draw the above graph (times in seconds, the last two columns are the ratio with ABP over without ABP):

| website | total | onload | total with ABP | onload with ABP | total ratio | onload ratio |
|---|---|---|---|---|---|---|
| washingtonpost.com | 12.06 | 6.98 | 5.12 | 4.72 | 42% | 68% |
| nytimes.com | 11.35 | 5.72 | 6.84 | 4.28 | 60% | 75% |
| nu.nl | 5.17 | 4.07 | 2.29 | 1.63 | 44% | 40% |
| microsoft.com | 3.41 | 2.85 | 2.69 | 2.15 | 79% | 75% |
| mail.google.com | 10.19 | 1.15 | 8.47 | 1.12 | 83% | 97% |
| google.com | 1.58 | 1.06 | 0.89 | 0.84 | 56% | 79% |
| cnn.com | 9.48 | 5.45 | 3.09 | 2.17 | 33% | 40% |
| bbc.com | 3.42 | 3.05 | 2.09 | 1.82 | 61% | 60% |

So the bottom line is this: by protecting your privacy better, surfing the Internet will go faster. This is a well-kept secret that I share with you “because no one else will.”
About privacy and the ethics of blocking ads
Here is a screenshot of my Google Webmaster Tools search statistics for the past 3 months (sorry for the Dutch dates and text):
It seems that LeaseWeb Labs was affected by an update of Google’s ranking algorithm named “Panda”. Every now and then Google adjusts the ranking of websites to avoid search engine spam.
Google launched Panda 4.1 on September 25, 2014 and told us it would be a “slow rollout” that would go into the following week. No one really expected the rollout to continue into this week but it has and the fluctuations and ranking changes you are seeing are likely related to that. – searchengineland.com
As you can see in the above graph we have lost 10-20% of our search traffic from Google. We believe that update 27 (version 4.1) of the Panda ranking algorithm is to blame. Although Google may be optimizing their algorithm continuously, updates with high impact do not occur often. It is believed that on Friday 8 August 2011 7% of the queries were affected by an update. Until the May update this year there was never such a big impact from any update. In September we have seen another update and although the impact is said to be smaller, it seems bigger on our site. Below is an overview of this year's algorithm updates (source):

| Update | Name | Date | Queries affected |
|---|---|---|---|
| 26 | Panda 4.0 | 2014-05-20 | 8% |
| 27 | Panda 4.1 | 2014-09-25 | 4% |

So is this really bad? No, not at all! Google needs to fight search engine spam and every honest site benefits from that, so this is also good for us. And we are not completely dependent on Google search traffic. It is estimated that about 40-50% of the total visitors of this site come from Google, so this small loss of organic traffic is hardly visible in our total traffic graph (from the “Count-Per-Day” WordPress plugin), as you can see below:
Did we learn any lesson from this? No, not really. We will just continue to make good (unique) content and trust that Google will keep rewarding us with lots of visitors.
You may be at risk! A man-in-the-middle attack may be effective between you and any site that runs on HTTPS. This was explained two days ago by Google in their publication about the POODLE attack. It explains that SSLv3 has a vulnerability and that negotiation of this protocol can be forced by a man-in-the-middle. That man-in-the-middle is then able to read (part of) the plaintext of your secure communication with the server. You can click the above image (which links to https://www.poodletest.com/) and if you are vulnerable you will see a poodle.
Fixing the vulnerability is also very easy. If you run a server you may want to check out my post on fixing the POODLE issue in Nginx and Apache. Even transfers from browsers that are not fixed can then no longer be intercepted and decoded by a man-in-the-middle.
But you should also fix this issue in your browser right now! In Firefox you simply type “about:config” in the address bar and then “tls” in the search bar. Change the value of “security.tls.version.min” from “0” to “1”, as the above screenshot illustrates:
Mozilla says that it is making Firefox 34 safe from POODLE by disabling SSLv3 by default. – betanews.com
This change is so easy (only costs a few seconds and requires a browser restart) that I would not wait for Mozilla to release Firefox 34. If you run another browser, and you are looking for a guide, you may want to check out tomsguide.com.
Are you running an HTTPS website on Ubuntu (or any other Linux) with Nginx or Apache? You may be at risk! A man-in-the-middle attack may be effective. This was explained yesterday by Google in their publication about the POODLE attack. POODLE is an acronym for “Padding Oracle On Downgraded Legacy Encryption”. The attack uses a fall-back to the 18-year-old “SSLv3” protocol. The security researchers propose that the easiest “fix” is to disable this legacy SSL variant. Fortunately only a small part of your visitors will be impacted:
All modern browsers and API clients will support TLSv1 and later. Disabling SSLv3 will inconvenience WindowsXP users who browse using Internet Explorer 6 – nginx blog
The attack is registered as CVE-2014-3566. Now let’s quickly look at the commands we need to execute:
Disable SSLv3 on Apache
1) We need to edit the file that holds the Apache SSL configuration:
sudo nano /etc/apache2/mods-enabled/ssl.conf
2) Find the following line:
SSLProtocol all -SSLv2
3) Add the option “-SSLv3” so that the line will look like this:
SSLProtocol all -SSLv2 -SSLv3
4) Now restart Apache to make the change effective:
sudo service apache2 restart
Disable SSLv3 on Nginx
1) We need to search all virtualhost configuration files for the use of the “ssl_protocols” directive:
maurits@nuc:~$ grep -R ssl_protocols /etc/nginx/sites-*
/etc/nginx/sites-available/default:	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
2) We need to edit each file that holds the “ssl_protocols” directive:
sudo nano /etc/nginx/sites-available/default
3) Find the following line:
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
4) Remove the option “SSLv3” so that the line will look like this:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
5) Now reload Nginx to make the change effective:
sudo service nginx reload
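The two directives have different semantics, which is easy to get wrong when checking many hosts: Apache's “all” silently includes SSLv3 unless it is explicitly subtracted, while Nginx only enables what is listed. The following added example (my own code, not from the original post) audits both forms and prints the corrected line; the “all” set is assumed from the Apache 2.4 documentation and the sample config text is constructed from the lines shown in the post.

```python
# Apache 2.4's "all" keyword expands to this set (SSLv2 is not part of it); assumed from the docs.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def fix_directive(line):
    """Return (sslv3_enabled, fixed_line) for one Apache 'SSLProtocol' or
    Nginx 'ssl_protocols' line; any other line comes back unchanged."""
    indent = line[:len(line) - len(line.lstrip())]
    parts = line.strip().rstrip(";").split()
    if not parts:
        return False, line
    name, args = parts[0], parts[1:]
    if name == "SSLProtocol":
        # Apache semantics: "all" enables the whole set, then "+X"/"-X" add or remove.
        enabled = set()
        for tok in args:
            if tok.lower() == "all":
                enabled |= APACHE_ALL
            elif tok.startswith("-"):
                enabled.discard(tok[1:])
            else:
                enabled.add(tok.lstrip("+"))
        if "SSLv3" not in enabled:
            return False, line
        return True, f"{indent}SSLProtocol {' '.join(args)} -SSLv3"
    if name == "ssl_protocols":
        # Nginx semantics: the list is explicit, so SSLv3 is only on if it is named.
        if "SSLv3" not in args:
            return False, line
        kept = [a for a in args if a != "SSLv3"]
        return True, f"{indent}ssl_protocols {' '.join(kept)};"
    return False, line

def audit(config_text):
    """Scan a config file's text; return [(line number, original, fixed)] for lines enabling SSLv3."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        hit, fixed = fix_directive(line)
        if hit:
            findings.append((no, line, fixed))
    return findings

# Constructed samples built from the two lines the post shows.
SAMPLE_APACHE = "SSLEngine on\nSSLProtocol all -SSLv2\n"
SAMPLE_NGINX = "server {\n    listen 443 ssl;\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"

if __name__ == "__main__":
    for path, text in (("ssl.conf", SAMPLE_APACHE), ("default", SAMPLE_NGINX)):
        for no, orig, fixed in audit(text):
            print(f"{path}:{no}: {orig.strip()}  ->  {fixed.strip()}")
```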
Bonus: Disable SSLv3 on HAProxy
1) Edit the “/etc/haproxy.cfg” file and find your “bind” line. Append “no-sslv3”. For example:
bind :443 ssl crt <crt> ciphers <ciphers> no-sslv3
2) Now reload HAProxy to make the change effective:
sudo service haproxy reload
You should disable SSLv3 on all applications you run, so also on your IMAP/POP3/SMTP daemons. Think about Courier-imap, Dovecot, Sendmail and Postfix. For more information read this post on AskUbuntu.
Testing your server
A server that does not support SSLv3 will give the following output when trying to force an SSLv3 connection:
maurits@nuc:~$ openssl s_client -connect www.nginx.com:443 -ssl3 < /dev/null 2>&1 | grep New
New, (NONE), Cipher is (NONE)
A server that is still supporting SSLv3 (and may thus be vulnerable) will give the following output:
maurits@nuc:~$ openssl s_client -connect www.google.com:443 -ssl3 < /dev/null 2>&1 | grep New
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
NB: You can also test other services with this command, but then you need to change 443 to the appropriate port number.
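Newer OpenSSL builds are often compiled without SSLv3, so the “-ssl3” option above may no longer be available on the machine you test from. The following added example (my own code, not from the original post) does the same check without relying on the OpenSSL client: it builds a raw SSL 3.0 ClientHello, sends it to the host and port you name, and classifies the first record that comes back; the two sample replies are constructed so the classifier can be exercised offline.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# A few SSLv3-era suites to offer: AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA.
CIPHERS = (0x002F, 0x0035, 0x000A, 0x0005)

def build_sslv3_client_hello():
    """ClientHello record that offers only SSL 3.0 (SSLv3 has no extensions)."""
    suites = b"".join(struct.pack(">H", c) for c in CIPHERS)
    body = (SSLV3 + os.urandom(32) + b"\x00"                  # version, random, empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                                     # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = client_hello
    return b"\x16" + SSLV3 + struct.pack(">H", len(handshake)) + handshake

def classify_response(data):
    """Classify the first record a server sent back. 'sslv3-accepted' means it
    negotiated SSL 3.0, so it is still exposed to POODLE; anything else refused."""
    if len(data) < 5:
        return "no-response"             # closed or reset before any record: refused
    ctype, version = data[0], data[1:3]
    if ctype == 0x15:
        return "alert"                   # e.g. handshake_failure or protocol_version
    if ctype == 0x16 and len(data) > 5 and data[5] == 0x02 and version == SSLV3:
        return "sslv3-accepted"          # ServerHello at record version 3.0
    return "other"

def probe(host, port=443, timeout=5.0):
    """Send the SSLv3 ClientHello to a live server and classify its reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "no-response"

# Constructed replies for offline use: a ServerHello record and a fatal handshake_failure alert.
SAMPLE_SERVER_HELLO = b"\x16\x03\x00\x00\x2a\x02" + b"\x00" * 41
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"   # placeholder host
    print(host, probe(host))
```

As with the openssl command, change the port to test IMAP, POP3 or SMTP-over-TLS daemons.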