
Mobile Data

There is no way to detect tethering by looking at network traffic short of analysing traffic patterns which would be very uncertain. If tethering is blocked, it must be because the network tells the phone not to allow it.

I tend to agree.

The reason is that there are apps you could run on a phone, tablet, laptop, or a PC, which all generate similar data streams. So any tethering detection which involves looking at the data would generate some % of false positives, and if you have sold say 1M phones (on contracts – the usual business) you cannot afford 1k or 10k people complaining.

The other data point is that the networks banned Nokia from including Joikuspot on phones sold in the USA. If they had an easy way to detect tethering, they would not have needed to do that. JS allows tethering which cannot be detected from the network side, except by looking at the data the apps are consuming. Of course hacked phones do allow it to be installed, and those tether fine with the same US carriers!

However it may be that the cheap networks are doing something extra – like Ryanair charge for everything possible, these cheap networks have to do the same, and chip off as much as possible around the edges.

Incidentally I think the networks all allow some amount of data before doing anything, to support devices which chatter back to their maker (iPhones, iPads, Android stuff all do this). These devices would lose some functionality if roaming or tethered data was totally cut off. For example GPS assistance uses a bit of data over wifi, and on an iPhone when you move the iMessage on/off slider it tells Apple you have done it.

I thought they can detect tethering by looking at the screen size in the http header of requests?

Are such requests normal? HTTPS would make all that stuff invisible anyway, and a lot of sites use that for no real reason – it’s just trendy nowadays.

Administrator
Shoreham EGKA, United Kingdom

HTTPS would make all that stuff invisible anyway, and a lot of sites use that for no real reason – it’s just trendy nowadays.

All sites should use it because HTTP is insecure. I could easily post under your name on EuroGA, all I need is to be in a network close to you (next fly-in!) and intercept the traffic. The step to gaining admin privileges shouldn’t require much more effort.

You would have to decrypt WPA; I don’t think there is a publicly known non-exhaustive attack on that (WEP can be cracked with about 1GB of intercepted data). Or, on a wired connection, connect to the telephone line between the house and the exchange. Or, on GSM/3G, have some fancy gear for interception.

And what would you achieve?

I consider a cellular connection pretty good for the intended usage, and any “banking” uses https anyway. I would use a VPN for anything that needs it. WIFI is far less secure than cellular because anybody with access to the wifi router’s ethernet connection can potentially see all the packets, but all that anybody doing that would achieve is reading zillions of boring emails and maybe picking up some email passwords.

HTTPS sites mostly run very slowly. Is compression still available? That makes a huge difference to how fast a site runs but it would need to be done before the encryption.

Administrator
Shoreham EGKA, United Kingdom

I thought they can detect tethering by looking at the screen size in the http header of requests?

I’m no web protocol expert, but it seems to me that there is no http header field giving screen size info? On the other hand there is info about the web browser.

ESKC (Uppsala/Sundbro), Sweden

I am no expert either but one example of a possible false positive would be Safari on the iPhone and Safari on the iPad.

Bad example because the iPhone uses a different APN when tethering, but you get the idea – Firefox on Android?

Maybe one can tell them apart but on Android you can hack the browser agent strings and if this was the whole story everybody would be doing it (there would be apps for it; in fact there would be tablet/laptop browser apps which look like a phone browser). And 6 months from now it will be something else, and there is a massive pool of people out there with old gear, old apps… Also some people don’t www browse and just collect emails…

One telecoms person told me that there are many cases of such ambiguities which make the detection of tethering using app signatures too dodgy. These firms already struggle with using script-monkey-staffed call centres in India which every one of their customers really hates.

Administrator
Shoreham EGKA, United Kingdom

Is compression still available?

Sure, any reasonable cryptography implementation will want to take any redundancy out of the plaintext before encryption. After all, the Germans helped the Brits in decoding enigma a lot by starting every message with “Heil…”

LSZK, Switzerland

Do those techniques mean anything nowadays? Enigma had many silly weaknesses. Compression just gives you other stuff to work on e.g. predictable headers and other structures. Encrypting a ZIP file just gives you a giveaway “PK” at the start of every message – a 65536x reduction in workload. I don’t think a known plaintext attack has any meaning in the context of modern crypto. IMHO the low hanging fruit for somebody wanting to collect low grade (e.g. email account) passwords is hooking into the ethernet link to the WIFI access point (or setting up syslog on the router) and then wading through the GB of garbage. Trivial to do in a cafe with free wifi which every customer will hook into, but what will they get for their effort? Reading thousands of mostly banal emails. Intercepting cellular is much harder, for the casual hacker.

Administrator
Shoreham EGKA, United Kingdom

If everything is TLS encrypted as it should be, then it becomes much much harder for any attacker (government or private) to wade through the “garbage” because it takes a lot of effort to notice what is garbage.

TLS is not slow. Google requires it for every search request and they do not offer anything non TLS encrypted anymore. A bit embarrassing though that SSL v1/2 was completely insecure from day #1…

Do those techniques mean anything nowadays?

Sure they do. Every good compression will leave you with very little structure, otherwise it wouldn’t be good compression. And certainly known plaintext still helps breaking ciphers, even today; the PKZIP stream cipher is susceptible to it. AES apparently not yet, known plaintext only reduces effort by a factor of 4 or so.

LSZK, Switzerland
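The exchange above about compression, the "PK" giveaway and known plaintext, as an added example that is not part of the original thread. One caveat for the earlier question about whether compression is still available with HTTPS: TLS as deployed today does not compress at the TLS layer (that option was dropped after compression-based side channels such as CRIME), but HTTP-level gzip of the body still happens before encryption, so compressed data with predictable headers does get encrypted in practice. The code shows that a ZIP always starts with the local-file-header magic and zlib output with a fixed two-byte header, that such a known prefix XORed with the ciphertext gives the keystream of an XOR stream cipher at those positions, and that this becomes a real break when the same key and nonce are reused for a second message. The stream cipher here is a toy (SHA-256 in counter mode) standing in for any XOR-keystream cipher, not PKZIP's actual cipher; the key, nonce and messages are constructed for the illustration.

```python
"""Added example: predictable compressed-data prefixes as known plaintext
against a stream cipher, and what keystream reuse then gives away."""
import hashlib
import io
import zipfile
import zlib

ZIP_MAGIC = b"PK\x03\x04"           # local file header signature at offset 0 of every ZIP
ZLIB_DEFAULT_HEADER = b"\x78\x9c"   # zlib header emitted at the default compression level


def make_zip(name: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP; its first four bytes are always ZIP_MAGIC."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream generator (hash in counter mode). Not for real use; it only
    exists so that the known-plaintext and keystream-reuse point is concrete."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR stream cipher: ciphertext = plaintext XOR keystream(key, nonce)."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext: C XOR P returns the keystream bytes covering the known prefix.
    Against a plain stream cipher this needs no key at all."""
    return xor(ciphertext[: len(known_plaintext)], known_plaintext)


def attack_with_reused_keystream(c_zip: bytes, c_other: bytes) -> bytes:
    """The attacker knows c_zip carries a ZIP (magic at offset 0) and that the
    sender reused key and nonce for c_other; the keystream learned from the ZIP
    header decrypts the same positions of the other message."""
    ks = recover_keystream(c_zip, ZIP_MAGIC)
    return xor(c_other[: len(ks)], ks)


def demo() -> bytes:
    """Constructed scenario: one encrypted ZIP and one encrypted credential string
    sent under the same key and nonce (the mistake). Returns the leaked prefix."""
    key, nonce = b"constructed-key", b"nonce-1"
    c_zip = encrypt(key, nonce, make_zip("notes.txt", b"nothing secret in here"))
    c_other = encrypt(key, nonce, b"pass=hunter2")
    return attack_with_reused_keystream(c_zip, c_other)


if __name__ == "__main__":
    print("zip prefix     :", make_zip("a.txt", b"x")[:4])
    print("zlib prefix    :", zlib.compress(b"hello hello hello")[:2])
    print("leaked prefix  :", demo())
```

With a fresh nonce per message the recovered four keystream bytes are useless for anything else, which is the design rule that makes known-plaintext harmless for a sound stream cipher; the example fails the attack in that case.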

A few points:

HTTP headers don’t contain information about screen size. Servers can ask a browser to run JavaScript which will report it.

HTTPS isn’t slow these days. There are various reasons to use it, but one is perhaps more compelling than most.

But on the other hand, the only time in over 15 years that our websites have been compromised was because they were using HTTPS.

Capturing someone else’s HTTP traffic is trivial if you can insert a device into the chain between client and server, but it’s pretty hard otherwise. Installing key logging software on the target’s computer is usually easier. That’s why I like two-factor authentication.

Administrator
EGTR / London, United Kingdom
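Two points from the thread, as an added example that is not part of the original posts: the claim that there is no screen-size field in HTTP request headers and that a User-Agent heuristic cannot separate a phone from a laptop with a changed agent string, and the earlier remark that a plain-HTTP session can be taken over by anyone on the path. The three request samples below are constructed for this illustration (the host, cookie value and header names tested for screen size are made up; the User-Agent strings follow the real Firefox formats), and the helper names are mine.

```python
"""Added example: what a network-side observer can and cannot read from
plaintext HTTP requests (constructed samples, not real captures)."""
from typing import Dict, Optional, Tuple

# Constructed sample requests as they would appear on the wire over plain HTTP.
ANDROID_FIREFOX = (
    "GET /forums/ HTTP/1.1\r\n"
    "Host: www.example.net\r\n"
    "User-Agent: Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0\r\n"
    "Cookie: session=c0ffee1234; lang=en\r\n"
    "\r\n"
)
# A laptop browser whose agent string was changed to look like the phone above.
LAPTOP_FIREFOX_SPOOFED = (
    "GET /forums/ HTTP/1.1\r\n"
    "Host: www.example.net\r\n"
    "User-Agent: Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "\r\n"
)
LAPTOP_FIREFOX = (
    "GET /forums/ HTTP/1.1\r\n"
    "Host: www.example.net\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a dict of headers
    (names lower-cased, since header names are case-insensitive)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def screen_size(raw: str) -> Optional[str]:
    """No standard HTTP/1.1 request header carries the display size. The names
    checked here are hypothetical; nothing a stock browser sends matches them."""
    _, headers = parse_request(raw)
    for name in ("screen-size", "viewport", "x-screen-width"):
        if name in headers:
            return headers[name]
    return None


def looks_like_phone(raw: str) -> bool:
    """Naive User-Agent heuristic of the kind a carrier might try: 'Mobile' or
    'Android' in the agent string. It cannot tell a spoofed laptop from a phone."""
    _, headers = parse_request(raw)
    ua = headers.get("user-agent", "")
    return "Mobile" in ua or "Android" in ua


def session_cookie(raw: str) -> Optional[str]:
    """What a passive sniffer on the path gets from plaintext HTTP: the session
    cookie in the clear."""
    _, headers = parse_request(raw)
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def forge_post(stolen_session: str, body: str) -> str:
    """Replay the captured cookie in a new request: on a plain-HTTP site whose
    login state is just a cookie, this is all that posting as the victim takes."""
    return (
        "POST /forums/post HTTP/1.1\r\n"
        "Host: www.example.net\r\n"
        f"Cookie: session={stolen_session}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    )


if __name__ == "__main__":
    for label, req in (("android phone", ANDROID_FIREFOX),
                       ("spoofed laptop", LAPTOP_FIREFOX_SPOOFED),
                       ("plain laptop", LAPTOP_FIREFOX)):
        print(f"{label:15} screen={screen_size(req)} phone?={looks_like_phone(req)} "
              f"session={session_cookie(req)}")
    print(forge_post(session_cookie(ANDROID_FIREFOX) or "", "msg=hello"))
```

Running it shows the first two requests classified identically by the User-Agent heuristic, no screen-size value for any of them, and the session cookie readable from the phone's request; over HTTPS the same observer would see only the TLS handshake and encrypted records.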