Does too many people on one network cause https connections to fail?
My new apartment complex recently went from just a few residents to thousands of people. About a month after this influx, the local ISP said that they will change new arrivals to use some new way to connect using "iNodes". But a lot of people are still using the old way. My connection, which still uses the older service, has had frequent problems with https.
Pretty much any computer using the older Internet service gets frequent warnings that "A secure connection could not be made." Sites with http are fast. Sites with lots of https use, break often.
The ISP tells me they can't understand what is happening, see I'm running Linux and say it is my computer's fault, so they won't do anything to fix it. I checked with my neighbors, and they have the same issue on Windows computers, but they don't use https much, so they aren't backing me up in complaining.
Could some problem with "iNodes" or otherwise, too many people on a limited network of wires in the building, explain this https problem?
In the way I understood stream ciphers on encrypted communication channels, once established, the connection should be as fast as the others. In consequence, https should deliver content just as fast as http, once the partners have come to an agreement and certificates have been exchanged.
Is it by any chance using a proxy server with imperfect HTTPS support? That's the only guess I can come up with.
http://www.inode.gr/
Is there any way, such as through traceroute, that I can determine if that is how the Internet is setup?
I noticed on several occasions that advertisements were being added to all pages, the same ad appearing on every unrelated site I visit, even with a fresh install of Debian, with no add-ons, so it does appear someone occasionally likes to modify the pages before they reach me. Is that evidence that a proxy server is used?
An IT student told me that the neighborhood is set up on a single IP address, so that results in some problems. Is that a possibility?
Is it possible that a hacker has set up a proxy server for stealing people's information?
In the way I understood stream ciphers on encrypted communication channels, once established, the connection should be as fast as the others.
The problem isn't really that https is slower than http. Https sites either work fine and quickly, like other sites, or they refuse the connection entirely. I can use an https site for 10 minutes fine, then suddenly it just stops working.
A computer science student told me that the whole neighborhood is on the same IP address. That could be 5,000-10,000 people. Today, I have confirmed this to be true. I traveled around and checked at different places, finding that when you go to a "What's my IP" site, the same IP is listed, at least for people who use that same ISP.
Is that at all normal? Could this explain the https problem?
When I try using wget on https sites, I get
Code:
ERROR: The certificate of `www.url.com' is not trusted.
ERROR: The certificate of `www.url.com' hasn't got a known issuer.
Or
Code:
GnuTLS: A TLS packet with unexpected length was received.
Unable to establish SSL connection.
No, that is not at all normal!
And that could definitely explain the https problem! HTTPS is slower if it has been decrypted and re-encrypted with a substituted cert twice in each direction!
The same IP, the addition of ads and the bad TLS packets - on the surface sound like a gigantic man-in-the-middle scenario. I would NOT use that connection - at all!
Are there no places at all that normally operate on a single IP address? Would an office building or skyscraper ever use such a setup? I did many Web searches, but came up with nothing. Everything says that computers each have their own IP address, unless using a Wifi router. Might this have been done to save money? Or because IPv4 is running out?
Not knowing the kind of IP address that we are discussing here, I try to keep out of trouble by focusing on the Wifi router example. You can say “Gateway” instead of “Wifi Router” or “Router”, which facilitates the explanation and maybe the hint that I am able to give. For the people on one side of the Gateway, there is only the address of the Gateway (1 address) which connects them to the Internet (or network) on the other side of the Gateway. Not more is needed. You cannot say, though, that everyone uses the “same address”. The computers all have a specific private address (usually something in 192.168..., but others are possible).
Such a configuration is completely normal even on a bigger scale.
I somehow doubt that all computers have the same external IP address, and the discussion has in my opinion not yet produced evidence to back this assumption... but I have to admit that I have never had the opportunity to test such a scenario. Would that not necessitate that the IP stack be ignored and packets are “handed over” from the Ethernet (MAC) level directly to the TCP layers... I do not get it.
Last edited by Michael Uplawski; 03-07-2016 at 01:37 AM.
I have thought about this through the day, and done a bit of searching.
I do not want to pretend to know more about this than I actually do, so I'll qualify it by saying of all that follows, "in my own experience and knowledge"...
So, in my own experience and knowledge, I have never seen anything called an ISP operate this way. An "office building" (very vague) might have a case for it, but I have never seen it and I have supported a lot of data centers in office buildings. A skyscraper (again vague), I would think less so than a smaller office building, but there may be a lot of different use cases for a skyscraper.
You said that your whole "neighborhood" was using the same IP - vague again. I imagined multiple buildings, users, businesses and residential users as a neighborhood, but perhaps I should ask for what you defined it to be.
In any case, what you are describing is essentially a proxy, but one which modifies packet content (inserts ads) and decrypts/reencrypts or at least mangles encrypted traffic (broken TLS packets). I would consider that totally unacceptable behavior for an ISP, and have never encountered it myself.
But before we begin burning people at the stake, it would be very helpful if you could provide a much more precise description of your relationship to this ISP, the nature of their business (public ISP or local private entity), the scope and nature of "the neighborhood", etc. Also, would you mind posting the whois info returned for the shared IP address, without showing the address itself?
I cannot understand how so many people would not have encountered this and not known exactly what was going on with the single IP address.
Your entire extended private network, most of the building from what you describe, is configured as a private network and presented to the Internet via NAT. It MAY be going through a proxy, but more likely through a web cache server. Designed to speed up web browsing, these servers can bork or perform badly when encryption is involved. It may be that they are selling ad space access to their clients, and this is why the ads. That might make the service cheaper, but I REALLY hate it! It also adds a factor that can make encrypted traffic perform poorly.
This is pretty old-school stuff. Is this ISP a small local operation that may be techno-backwards? (If so, kudos to them for going to a newer or different system, but shame on them for not doing so sooner AND for not understanding what their legacy server is doing to client traffic!)
After some thought, all of the factors that would explain the evidence you provided would be explained by ancient equipment and considering every client and piece of equipment as a revenue stream opportunity instead of a service improvement. Such a focus (paradoxically perhaps) results in decisions that reduce service, reduce performance, and send clients and income to the competition, and reduce revenue. Does this ISP have no effective competition?
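The man-in-the-middle suspicion raised earlier in the thread (same public IP, injected ads, bad TLS packets) and the proxy or web-cache explanation in the last two replies can both be checked from the client side. The script below is an added example, not code posted by anyone in this thread. It gives one check for each symptom the original poster reported: a classifier for the first bytes that come back on port 443 (a non-TLS reply or a stream cut short is a common cause of the "unexpected length" class of error), and a fingerprint/issuer comparison of the leaf certificate against a copy recorded on a trusted network, since an intercepting proxy has to substitute its own certificate. All byte samples, host names and certificate data in it are constructed for illustration; only probe() touches the network.

```python
"""Client-side checks for TLS interception on a shared network.

Added example, not code from the thread. Sample bytes and certificate data
below are constructed for illustration; probe() is the only live function.
"""
import hashlib
import socket
import ssl

# TLS record header: content type (1 byte), protocol version (2), fragment length (2).
_TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                      22: "handshake", 23: "application_data"}
_MAX_RECORD_LEN = 2 ** 14 + 2048      # TLSCiphertext length limit, RFC 5246 6.2.3


def classify_first_bytes(data: bytes) -> str:
    """Say what the first bytes received on a TLS port actually are."""
    if data.startswith(b"HTTP/"):
        return "plaintext_http"       # something in the path answered HTTP on port 443
    if len(data) < 5:
        return "truncated"            # not even a record header: stream cut short
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if ctype not in _TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return "not_tls"
    if length == 0 or length > _MAX_RECORD_LEN:
        return "bad_record_length"    # a TLS library reports this as an unexpected length
    if len(data) - 5 < length:
        return "truncated_record"     # header promises more bytes than arrived
    return "tls_" + _TLS_CONTENT_TYPES[ctype]


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated as openssl prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def issuer_cn(cert: dict) -> str:
    """Issuer commonName from a dict in the layout ssl.SSLSocket.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def compare_with_reference(seen_der: bytes, seen_issuer: str,
                           reference_der: bytes, reference_issuer: str) -> list:
    """Findings that point at a substituted certificate; an empty list means it matches."""
    findings = []
    if cert_fingerprint(seen_der) != cert_fingerprint(reference_der):
        findings.append("leaf certificate differs from the reference copy")
    if seen_issuer != reference_issuer:
        findings.append("issuer changed: %r -> %r" % (reference_issuer, seen_issuer))
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (needs network): fetch the leaf certificate and whether it validates.

    Connect with normal verification first, so a substituted chain surfaces as the
    same kind of error wget shows; if that fails, reconnect without verification
    purely to read the certificate that was actually served.
    """
    result = {"verified": False, "error": "", "fingerprint": "", "issuer_cn": ""}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["verified"] = True
                result["fingerprint"] = cert_fingerprint(tls.getpeercert(binary_form=True))
                result["issuer_cn"] = issuer_cn(tls.getpeercert())
                return result
    except ssl.SSLError as exc:
        result["error"] = str(exc)
    unverified = ssl.create_default_context()
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE      # we want to *see* the substituted cert
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with unverified.wrap_socket(sock, server_hostname=host) as tls:
                result["fingerprint"] = cert_fingerprint(tls.getpeercert(binary_form=True))
    except ssl.SSLError:
        pass                                    # keep the first, more telling error
    return result


# Constructed samples: a TLS handshake record, a plaintext reply on port 443, and two
# fake DER blobs standing in for a genuine and a substituted leaf certificate.
SAMPLE_HANDSHAKE = b"\x16\x03\x03\x00\x2a" + b"\x02" * 42
SAMPLE_PLAINTEXT = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
REFERENCE_DER = b"\x30\x82\x02\x00" + b"A" * 32     # not real ASN.1, constructed
PROXY_DER = b"\x30\x82\x02\x00" + b"B" * 32         # not real ASN.1, constructed
REFERENCE_CERT = {"subject": ((("commonName", "www.example.com"),),),
                  "issuer": ((("organizationName", "Example CA Ltd"),),
                             (("commonName", "Example Root CA"),))}

if __name__ == "__main__":
    print(classify_first_bytes(SAMPLE_HANDSHAKE), classify_first_bytes(SAMPLE_PLAINTEXT))
    print(compare_with_reference(PROXY_DER, "Campus Proxy CA",
                                 REFERENCE_DER, issuer_cn(REFERENCE_CERT)))
    # On a live link: run probe("www.example.com") at home and on campus, then compare.
```

To use the live part, run probe() for the same handful of sites once from a connection you trust (a phone tether, for instance) and once from the campus link, and diff the fingerprints and issuer names; a site whose fingerprint changes with the network, or whose issuer becomes a name you have never heard of, is being terminated by something in the path. The "sites they fixed" in the original poster's later report would be expected to show a matching fingerprint on both networks, the rest not.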
I have no other choice of ISP, because this is faculty housing. The ISP is a major company, but I'm starting to think the ISP isn't at fault, but probably the campus network.
I called the IT staff again. They had previously told me I must have set up my firewall wrong, insisting they could not think of anything wrong beyond that. I told them nearly all https sites were broken, but they wanted me to give a specific list of sites to check. They checked on their computers and found the same problem on their own machines! I think they would notice that too, because it isn't just one or two sites, but if I randomly search the Internet for https sites, most I try are not working.
They told me the reason for https having problems is that the Internet is just slow. Is 4 MB/s slow enough to interfere with https? If the servers are on the other side of the world? I thought this Internet is quick. And I tried sites with https and http versions to choose from, and the http versions were quick.
Anyway, the IT people said they would fix the sites I listed, but told me they couldn't possibly fix every https site on the whole WWW, there were just too many.
So, checking the Internet now, the first Web site on the list is fixed, working just as fast as any other Web site. But the rest of https sites are still broken, as before.
How is it that they are able to fix one site and it suddenly works great? Is that some ability that an ISP has? What is going on here?
I think we have it nailed down now. The problem is NOT with the ISP, but the administration of the local (campus) network. They have some solution in place for tracking, accountability, security, or multiple functions that is causing the behavior you noticed. They can add some finite number of exceptions, but it becomes a policy and political issue.
If you make enough noise, they may either decide your cause is worth fighting for (unlikely), or that they will be better off stonewalling you until you give up.
If there is a strong enough campus tech community, you may be able to push for updating, improving, and fixing the local network: IF you have the on-hand experts!