Computer security: Privacy vs security - double dilemma

In this increasingly digitalised world, privacy was initially neglected for some time, but is now gathering speed. The internet was the no-privacy Wild West, with big social media outlets, advertising companies and government agencies trying to gather whatever was legally (and sometimes even illegally) possible. People, however, are becoming more and more aware of the privacy implications of using the internet and, fortunately, tools do exist to improve the privacy of online browsing. With such tools in place, however, it also becomes more and more difficult to protect an organisation like CERN against remote attacks and user blunder.

Privacy is important. The amount of data that online giants have collected about us is staggering. Standard web browsing is, by design, leaving traces (you can check these traces on sites like https://clickclickclick.click/ - best with sound on). Embedded "like" buttons and similar third party content make it possible to gather even more information. And even if you have enabled browser privacy add-ons like "Ghostery", "Privacy Badger", "uBlock", "DuckDuckGo Privacy Essentials", etc., certain of your computer's parameters and features (operating system, time zone, local language, screen size and color depth, fonts, browser plugins, touch support) still provide sufficient entropy to identify your device among millions of others (check out yours at https://coveryourtracks.eff.org). In a particularly frightening example, an activist group was able to reconstruct the life of a volunteer based only on her Google-stored search history and metadata (https://www.madetomeasure.online/en/experience).

In order to protect your privacy, the use of so-called "secured" protocols like HTTPS, SSH and VPN helps shield all your communication from eavesdropping by third parties. In addition, Mozilla, Apple and others have proposed and implemented new and more sophisticated (but also intrusive) measures to stop people spying on your network traffic:

  • Mozilla, in collaboration with Cloudflare, provides a browser option to funnel all your DNS requests, i.e. the task of resolving an IP address to a domain name and vice versa, via HTTPS to their DNS servers ("DNS-over-HTTPS" or, for short, "DoH") instead of using local ones. Google offers the same through their 8.8.8.8 DNS resolver. This prevents third parties (other than Cloudflare or Google, of course) collecting the domain names your device wanted to access.
  • Some other companies have started to randomise so-called MAC addresses, i.e. the normally unique IDs of every device (https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/). These "Private Wi-Fi addresses" (term used by Apple) hinder Wi-Fi infrastructure providers' efforts to trace a device, as the unique identifier is now randomised and varies often.
  • Just recently, Apple introduced "iCloud Private Relay" (https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/), which spawns a Virtual Private Network (VPN) to Apple's servers in order to hide local IP addresses and stop any traffic being exposed to third parties.

Dilemma 1. You face a dilemma, however, as DoH, VPN, and "iCloud Private Relay" might not work when connecting to CERN-internal services, as those measures tunnel to outside CERN. The same applies to "Private Wi-Fi addresses": because they change quickly, they prevent your device from connecting to CERN's Wi-Fi network. The CERN Wi-Fi network requires a permanent, fixed MAC address, so please disable this feature in the Wi-Fi settings for the CERN network ("CERN SSID").
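Why a randomised address clashes with a network that expects fixed, registered MAC addresses can be shown with a short triage script. This is an added example, not CERN's code: the registered list and the observed addresses are constructed, and the labels are hypothetical. It relies on the IEEE 802 convention that addresses not assigned by a manufacturer set the "locally administered" bit (0x02 of the first octet), which randomised private addresses do; virtual interfaces may set it too, so the flag is a hint rather than proof.

```python
import re

# Constructed sample data (assumptions, not a real registration database).
REGISTERED = {"3c:22:fb:10:20:30", "f4:5c:89:aa:bb:cc"}
OBSERVED = ["3C-22-FB-10-20-30", "da:a1:19:0b:4e:7f", "f45c.89aa.bbcc",
            "f4:5c:89:00:00:01", "01:00:5e:00:00:fb", "not-a-mac"]


def normalise(mac):
    """Return the MAC as lower-case colon-separated hex, or None if malformed.

    Accepts colon, hyphen and dotted (aabb.ccdd.eeff) notations.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set."""
    return bool(int(mac[:2], 16) & 0x02)


def classify(mac, registered=REGISTERED):
    """Label one observed address for a network that requires fixed MACs."""
    norm = normalise(mac)
    if norm is None:
        return "malformed"
    if int(norm[:2], 16) & 0x01:
        return "multicast"            # group address, never a device identity
    if norm in registered:
        return "registered"           # known device, fixed address
    if is_locally_administered(norm):
        return "locally-administered"  # likely a randomised private address
    return "unregistered"             # vendor-assigned but not on the list


def triage(observed, registered=REGISTERED):
    """Map each observed address to its label."""
    return {mac: classify(mac, registered) for mac in observed}


if __name__ == "__main__":
    for mac, label in triage(OBSERVED).items():
        print(f"{mac:20} {label}")
```

A device showing up as "locally-administered" is the case the paragraph above describes: its address will not match the registration until the private address feature is disabled for that network.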

Dilemma 2. The CERN Computer Security team faces a dilemma, too. While we value your privacy, all of these privacy measures hinder our efforts to do our job, namely to protect the Organization and to protect your devices against any kind of cyberattack. With secured channels - HTTPS, VPN, DoH - we are less able to detect whether your device is connecting to some malicious domains, being redirected to spooky websites or downloading data with dangerous contents. And being blind conflicts directly with our objective to keep your device, and the Organization, secure.

Hence, while we continue to encourage you to use HTTPS, SSH and VPN (as a client at CERN; see also our Bulletin articles on VPN tunnels, "Tunnel Madness"; https://home.cern/news/news/computing/computer-security-tunnel-madness), please refrain from using DoH and Apple's "iCloud Private Relay" while on the CERN network for the sake of the general protection of the network and its attached devices. If this does not work, we will have to consider blocking these features (but would first need to better understand the collateral damage), and we prefer not to.
