
OPSEC

Good OPSEC is about consistent practices and understanding your actual threat model, not just following checklists blindly.

Check for DNS leak
  • One of the most effective methods to check for a DNS leak is to capture and analyze your network's outgoing traffic using Wireshark.

  • Enter dns into the display filter field and review the captured packets.

  • If your VPN/proxy is configured correctly, or if you're relying on encrypted DNS protocols like DNS over HTTPS (DoH) or DNS over TLS (DoT), you should see no packets matching this filter.

Minimizing Digital Footprints in Hostile Environments

There are four pieces of information that can reveal to your ISP or government which websites, apps, or services you use:

DNS

  • Avoid using plain text DNS as much as you can.

  • Use DNS over HTTPS for security and anonymity.

  • Governments can block well-known servers quickly; you can, however, self-host on a private cloud or use a serverless DNS resolver to get a new DoH endpoint on a newly set up domain.

  • If you use DoH, all they can see is the domain name of the secure DNS server and the IP addresses of the websites you connect to.
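The Wireshark check above and the DNS section together come down to one question: is a readable query name leaving your machine? The following script, an added example and not part of the original page, does offline what the dns display filter does in Wireshark: it walks a list of constructed packet records, decodes the QNAME from any plaintext DNS payload on port 53 (the name an eavesdropper reads), and skips DoT (853) and DoH (443) flows because their payloads are opaque TLS bytes. The packet records and the query builder are constructed here for the demonstration.

```python
"""Offline DNS-leak check: flag plaintext DNS packets the way Wireshark's
`dns` display filter would, and decode the queried name from each one.
Added example, not part of the original page. The packet records below are
constructed by hand; a real run would read them from a capture."""
import struct
from typing import List, Tuple

PLAINTEXT_DNS_PORT = 53   # classic UDP/TCP DNS: readable by anyone on the path
DOT_PORT = 853            # DNS over TLS
DOH_PORT = 443            # DNS over HTTPS (looks like any other HTTPS flow)


def encode_qname(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (header + one A question) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def decode_qname(payload: bytes, offset: int = 12) -> str:
    """Read the QNAME starting at `offset` (12 = right after the DNS header)."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; not valid in a question name
            raise ValueError("unexpected compression pointer in QNAME")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


# A packet record is (transport, dst_port, payload); constructed samples below.
Packet = Tuple[str, int, bytes]


def find_dns_leaks(packets: List[Packet]) -> List[str]:
    """Return the names leaked in plaintext DNS (what an eavesdropper reads).
    DoT (853) and DoH (443) payloads are TLS records, so they are skipped."""
    leaked = []
    for transport, dst_port, payload in packets:
        if dst_port != PLAINTEXT_DNS_PORT or transport not in ("udp", "tcp"):
            continue
        if transport == "tcp":
            payload = payload[2:]  # DNS over TCP prefixes a 2-byte length field
        if len(payload) < 12:
            continue
        qdcount = struct.unpack("!H", payload[4:6])[0]
        if qdcount:
            leaked.append(decode_qname(payload))
    return leaked


# Constructed sample capture: two leaking queries, one DoT flow, one DoH flow.
SAMPLE_PACKETS: List[Packet] = [
    ("udp", 53, build_dns_query("www.example.com")),                 # leak over UDP
    ("tcp", 853, b"\x16\x03\x03\x00\x05hello"),                      # DoT: opaque TLS bytes
    ("tcp", 443, b"\x16\x03\x03\x00\x05hello"),                      # DoH: opaque TLS bytes
    ("tcp", 53, b"\x00\x22" + build_dns_query("mail.example.org")),  # leak over TCP
]

if __name__ == "__main__":
    for name in find_dns_leaks(SAMPLE_PACKETS):
        print("plaintext DNS query seen:", name)
```

A clean result is an empty list: with DoH or DoT (or a VPN tunnelling all traffic) there is no port-53 payload to decode. Note that the DoT/DoH records still reveal the resolver's address, which matches the point above that the secure DNS server's name is the one thing that stays visible.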

Certificate

  • Use TLS v1.3.

  • With TLS v1.3, the certificate part of the HTTPS handshake is encrypted and none of its details are visible to an eavesdropper.

  • TLS v1.2 handshakes do not encrypt the certificate, so its common name, and therefore the website you are visiting, is revealed to the eavesdropper.

URL

  • The full path to a web page or web resource is sent inside the HTTP request, so if the website uses HTTPS, it is all encrypted.

  • When using HTTPS, the path and query string (everything after the TLD and the slash) are encrypted and not available to anybody but the client and server; the response is encrypted as well.

SNI (Server Name Indication, sent in the Client Hello)

  • This is the most important part.

  • If you don't use a proper VPN, the SNI can still reveal the domain and sub-domain of the website you are visiting to the eavesdropper.

  • To secure that, both the browser and the website must support ECH (Encrypted Client Hello), or you must use a proper VPN such as OpenVPN or WireGuard.
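To see concretely what the SNI section means, the script below parses a TLS ClientHello the way an on-path observer would and reports the host name it carries, and whether an ECH extension is present (in which case only the outer cover name is visible and the real name is inside the encrypted part). This is an added example, not code from the original page; the ClientHello bytes are constructed by the build_client_hello helper, and the ECH extension type 0xfe0d is taken from the IETF ECH draft and treated here as an assumption.

```python
"""Parse a TLS ClientHello and report what an on-path observer learns from it:
the SNI host name, and whether an ECH extension is present. Added example,
not from the original page. The ClientHello is constructed by hand; the ECH
extension type 0xfe0d follows the IETF ECH draft (assumption)."""
import struct
from typing import Dict, Optional

EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # encrypted_client_hello (draft-ietf-tls-esni); assumption


def build_client_hello(sni: Optional[str], ech_payload: bytes = b"") -> bytes:
    """Build a minimal TLS 1.3-style ClientHello record with optional SNI/ECH."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    if ech_payload:
        exts += struct.pack("!HH", EXT_ECH, len(ech_payload)) + ech_payload
    body = (
        b"\x03\x03" + bytes(32)                 # legacy_version, random (zeros: constructed)
        + b"\x00"                               # empty legacy_session_id
        + b"\x00\x02\x13\x01"                   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # compression methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_client_hello(record: bytes) -> Dict[str, object]:
    """Walk record -> handshake -> extensions; return the SNI and an ECH flag."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                             # strip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                            # skip handshake header, version, random
    pos += 1 + hs[pos]                          # legacy_session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len                           # cipher suites
    pos += 1 + hs[pos]                          # compression methods
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    result: Dict[str, object] = {"sni": None, "ech": False}
    while pos < end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == EXT_SERVER_NAME:
            # ServerNameList: 2-byte list length, then name_type(1) + len(2) + name
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("ascii")
        elif ext_type == EXT_ECH:
            result["ech"] = True
    return result


def visible_hostname(record: bytes) -> str:
    """Summarize what the eavesdropper learns about the site being visited."""
    info = inspect_client_hello(record)
    if info["ech"]:
        return f"ECH present; only the outer name {info['sni']!r} is visible"
    if info["sni"] is None:
        return "no SNI sent"
    return f"SNI reveals {info['sni']!r}"


# Constructed samples: a plain SNI, and ECH with a public cover name as outer SNI.
PLAIN_HELLO = build_client_hello("secret.example.net")
ECH_HELLO = build_client_hello("cdn.example.com", ech_payload=b"\x00" * 16)

if __name__ == "__main__":
    print(visible_hostname(PLAIN_HELLO))
    print(visible_hostname(ECH_HELLO))
```

The parser only walks the unencrypted ClientHello, which is exactly why SNI leaks even with TLS 1.3: the encryption that hides the certificate starts later in the handshake. With ECH, the outer SNI carries the cover name of the ECH provider, and the real name travels inside the encrypted inner ClientHello, which this observer cannot read. A VPN removes the problem differently, by tunnelling the whole handshake so the ISP only sees traffic to the VPN endpoint.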
