http://lists.ausnog.net/pipermail/ausnog/2012-June/013833.html and http://www.scmagazine.com.au/News/305928,telstra-says-its-not-spying-on-users.aspx were recently published saying that Telstra NextG users were seeing some interesting things. (Yes, there’s a Whirlpool post too, but since they block requests from Tor I’m not going to link to them)
Basically, on their servers they were seeing HTTP requests to the same URL as they had just visited with their phone, but from an IP address that certainly wasn’t their phone.
I started to investigate.
I put up a simple HTML page on a standard HTTP server and then got a NextG device to query it. I saw a log that came from a TELSTRA owned block of IPs. I didn’t see any suspicious second request though. Sadness.
Turns out you have to request the URL twice to get this other request. It is after this second request that you get a query from a Rackspace/Slicehost IP (cloud provider, so it is unlikely Rackspace itself is involved any more than as a Cloud provider) with the same URL (although via HTTP/1.0 instead of 1.1). On a subsequent request, I didn’t see a corresponding one from this IP. Also, when accessing this URL from a different NextG device, I did not see a request from the Rackspace/Slicehost IP block.
If I change the content of the file and try to fetch again, it doesn’t download it anew. This suggests that there is not inspection of the content of what’s coming back from the HTTP server.
The User Agent pretends to be Firefox running on Windows. I have not yet found out anything specific about it.
What can we learn from this?
- If you think that putting a URL up and only telling 1 person about it is private you are very, very, very much mistaken
- Telstra is quite possibly spying on you, from servers in the USA, which is under a different set of laws than if it was done in Australia.
- Telstra is sending what websites you visit on your NextG connection to the USA. If you are at all involved in anything that may make the US government unhappy (e.g. disagreeing with it) this may have interesting implications. Further research is needed as to what exactly
- Telstra keeps a record of all URLs as otherwise it could not implement “on the second request”
- The iPhone needs Tor more than ever and it needs it on a system level.
Update: I have been pointed to http://v3.mike.tig.as/onionbrowser/ which is an Open Source Web Browser that uses Tor on iOS.