LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-04-2016, 06:36 PM   #1
General
Member
 
Registered: Aug 2005
Distribution: Debian 7
Posts: 526

Rep: Reputation: 31
Does too many people on one network cause https connections to fail?


My new apartment complex recently went from just a few residents to thousands of people. About a month after this influx, the local ISP said that they will change new arrivals to use some new way to connect using "iNodes". But a lot of people are still using the old way. My connection, which still uses the older service, has had frequent problems with https.

Pretty much any computer using the older Internet service gets frequent warnings that "A secure connection could not be made." Sites with http are fast. Sites with lots of https use, break often.

The ISP tells me they can't understand what is happening, see I'm running Linux and say it is my computers fault, so they won't do anything to fix it. I checked with my neighbors, and they have the same issue on Windows computers, but they don't use https much, so they aren't backing me up in complaining.

Could some problem with "iNodes" or otherwise, too many people on a limited network of wires in the building, explain this https problem?
 
Old 03-05-2016, 01:37 AM   #2
Michael Uplawski
Senior Member
 
Registered: Dec 2015
Posts: 1,624
Blog Entries: 40

Rep: Reputation: Disabled
In the way I understood stream-cypher on crypted communication-channels, once established, the connection should be as fast as the others. In consequence, https should deliver content just as fast as http, once the partners have come to an agreement and certificates had been exchanged.

If not, we are both learning something new today.
 
Old 03-05-2016, 02:05 AM   #3
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,275

Rep: Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342
Is it by any chance using a proxy server with imperfect HTTPs support? That's the only guess I can come up with.

Googling for "ISP" and "inode" got me this. Is this what you're talking about?

http://www.inode.gr/

Last edited by dugan; 03-05-2016 at 02:07 AM.
 
Old 03-05-2016, 09:30 AM   #4
General
Member
 
Registered: Aug 2005
Distribution: Debian 7
Posts: 526

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by dugan View Post
Is it by any chance using a proxy server with imperfect HTTPs support? That's the only guess I can come up with.http://www.inode.gr/
Is there any way, such as through traceroute, that I can determine if that is how the Internet is setup?

I noticed in several occasions that advertisements were being added to all pages, the same ad appearing on every unrelated site I visit, even with a fresh install of Debian, with no add-ons, so it does appear someone occasionally likes to modify the pages before they reach me. Is that evidence that a proxy server is used?

An IT students told me that the neighborhood is setup on a single IP address, so that results in some problems. Is that a possibility?

Is it possible that hacker has setup a proxy server for stealing people's information?
 
Old 03-05-2016, 09:36 AM   #5
General
Member
 
Registered: Aug 2005
Distribution: Debian 7
Posts: 526

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by Michael Uplawski View Post
In the way I understood stream-cypher on crypted communication-channels, once established, the connection should be as fast as the others.
The problem isn't really that https is slower than http. Https sites either work fine and quickly, like other sites, or they refuse the connection entirely. I can use an https site for 10 minutes fine, then suddenly it just stops working.

Last edited by General; 03-05-2016 at 09:40 AM.
 
Old 03-06-2016, 12:34 AM   #6
General
Member
 
Registered: Aug 2005
Distribution: Debian 7
Posts: 526

Original Poster
Rep: Reputation: 31
A computer science student told me that the whole neighborhood, are on the same IP address. That could be 5,000-10,000 people. Today, I have confirmed this to be true. I traveled around and checked at different places, finding that when you go to a "What's my IP site", the same IP is listed, at least for people who use that same ISP.

Is that at all normal? Could this explain the https problem?

When I try using wget on https sites, I get

Code:
ERROR: The certificate of `www.url.com' is not trusted.
ERROR: The certificate of `www.url.com' hasn't got a known issuer.
Or

Code:
GnuTLS: A TLS packet with unexpected length was received.
Unable to establish SSL connection.
 
Old 03-06-2016, 01:09 AM   #7
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,279
Blog Entries: 24

Rep: Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226
Quote:
Originally Posted by General View Post
A computer science student told me that the whole neighborhood, are on the same IP address. That could be 5,000-10,000 people. Today, I have confirmed this to be true. I traveled around and checked at different places, finding that when you go to a "What's my IP site", the same IP is listed, at least for people who use that same ISP.

Is that at all normal? Could this explain the https problem?

When I try using wget on https sites, I get

Code:
ERROR: The certificate of `www.url.com' is not trusted.
ERROR: The certificate of `www.url.com' hasn't got a known issuer.
Or

Code:
GnuTLS: A TLS packet with unexpected length was received.
Unable to establish SSL connection.
No that is not at all normal!

And that could definitely explain the https problem! HTTPS is slower if it has been decrypted and re-encrypted with a substituted cert twice in each direction!

The same IP, the addition of ads and the bad TLS packets - on the surface sound like a gigantic man-in-the-middle scenario. I would NOT use that connection - at all!

Who and where is this "ISP"?

What does whois return for the shared IP address?

Last edited by astrogeek; 03-06-2016 at 01:27 AM.
 
Old 03-06-2016, 01:59 AM   #8
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,275

Rep: Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342Reputation: 5342
Quote:
Originally Posted by astrogeek View Post
Who and where is this "ISP"?
And check if there's a forum for them on dslreports.com. You'd probably want to escalate from here to there.
 
Old 03-06-2016, 04:52 AM   #9
General
Member
 
Registered: Aug 2005
Distribution: Debian 7
Posts: 526

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by astrogeek View Post
No that is not at all normal!
Are there no places at all that normally operate on a single IP address? Would an office building or skyscraper ever use such a setup? I did many Web searches, but came up with nothing. Everything says that computers each have their own IP address, unless using a Wifi router. Might this have been done to save money? Or because IPv4 is running out?

Last edited by General; 03-06-2016 at 08:01 AM.
 
Old 03-07-2016, 01:34 AM   #10
Michael Uplawski
Senior Member
 
Registered: Dec 2015
Posts: 1,624
Blog Entries: 40

Rep: Reputation: Disabled
Quote:
Originally Posted by General View Post
Are there no places at all that normally operate on a single IP address? Would an office building or skyscraper ever use such a setup? I did many Web searches, but came up with nothing. Everything says that computers each have their own IP address, unless using a Wifi router. Might this have been done to save money? Or because IPv4 is running out?
Not knowing the kind of IP-address that we are discussing, here, I try to keep out of trouble by focusing on the Wifi router example. You can say “Gateway” instead of “Wifi Router” or “Router”, which facilitates the explication and maybe hint that I am able to give. For the people on one side of the Gateway, there is only the address of the Gateway (1 address) which connects them to the Internet (or network) on the other side of the Gateway. Not more is needed. You cannot say, though, that everyone uses the “same address”. The computers all have a specific private address (usually something 192.168.... but others are possible).

Such a configuration is completely normal even on a bigger scale.
I somehow doubt that all computers have the same external IP-address, and the discussion has in my opinion not yet produced evidence to back this assumption.., but have to admit that I have never had opportunity to test such a scenario. Would that not necessitate that the IP-stack be ignored and packages are “handed over” from the Ethernet (mac) level directly to the TCP-layers... I do not get it.

Last edited by Michael Uplawski; 03-07-2016 at 01:37 AM.
 
Old 03-07-2016, 02:30 AM   #11
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,279
Blog Entries: 24

Rep: Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226Reputation: 4226
Quote:
Originally Posted by General View Post
Are there no places at all that normally operate on a single IP address? Would an office building or skyscraper ever use such a setup? I did many Web searches, but came up with nothing. Everything says that computers each have their own IP address, unless using a Wifi router. Might this have been done to save money? Or because IPv4 is running out?
I have thought about this through the day, and done a bit of searching.

I do not want to pretend to know more about this than I actually do, so I'll qualify it by saying of all that follows, "in my own experience and knowledge"...

So, in my own experience and knowledge, I have never seen anything called an ISP operate this way. An "office building" (very vague) might have a case for it, but I have never seen it and I have supported a lot of data centers in office buildings. A skyscraper (again vague), I would think less so than a smaller office building, but there may be a lot of different use cases for a skyscraper.

You said that your whole "neighborhood" was using the same IP - vague again. I imagined multiple buildings, users, businesses and residential users as a neighborhood, but perhaps I should ask for what you defined it to be.

In any case, what you are describing is essentially a proxy, but one which modifies packet content (inserts ads) and decrypts/reencrypts or at least mangles encrypted traffic (broken TLS packets). I would consider that totally unacceptable behavior for an ISP, and have never encountered it myself.

But before we begin burning people at the stake, it would be very helpful if you could provide a much more precise description of your relationship to this ISP, the nature of their business (public ISP or local private entity), the scope and nature of "the neighborhood", etc. Also, would you mind posting the whois info returned for the shared IP address, without showing the address itself.
 
Old 03-07-2016, 05:36 AM   #12
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,806

Rep: Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777
Request for Comment

I cannot understand how so many people would not have encountered this and not known exactly what was going on with the single IP address.
Your entire extended private network, most of the building from what you describe, is configured as private network and presented to the internet via NAT. It MAY be going through a proxy, but more likely through a web cache server. Designed to speed up web browsing, these servers can bork or perform badly when encryption is involved. It may be that they are selling add space access to their clients, and this is why the adds. That might make the service cheaper, but I REALLY hate it! It also adds a factor to make encrypted traffic can perform poorly.
This is pretty old-school stuff. Is this ISP a small local operation that may be techno-backwards? (If so, kudos for them in going to a newer or different system, but shame on them for not doing so sooner AND for not understanding what their legacy server is doing to client traffic!.)

After some thought, all of the factors that would explain the evidence you provided would be explained by ancient equipment and considering every client and piece of equipment as a revenue stream opportunity instead of a service improvement. Such a focus (paradoxically perhaps) results in decisions that reduce service, reduce performance, and send clients and income to the competition, and reduce revenue. Does this ISP have no effective competition?

Last edited by wpeckham; 03-07-2016 at 05:38 AM.
 
Old 03-10-2016, 09:42 PM   #13
General
Member
 
Registered: Aug 2005
Distribution: Debian 7
Posts: 526

Original Poster
Rep: Reputation: 31
I have no other choice of ISP, because this is faculty housing. The ISP is a major company, but I'm starting to think the ISP isn't at fault, but probably the campus network.

I called the IT staff again. They had previously told me I must have setup my firewall wrong, insisting they could not think of anything wrong beyond that. I told them nearly all https sites were broken, but they wanted me to give a specific list of sites to check. They checked on their computers and found the same problem on their own machines! I think they would notice that too, because it isn't just one or two sites, but if I randomly search the Internet for https sites, most I try are not working.

They told me the reason for https having problems is that the Internet is just slow. Is 4 MB/s slow enough to interfer with https? If the servers are on the other side of the world? I thought this Internet is quick. And I tried sites with https and http versions to choose from, and the http versions were quick.

Anyway, the IT people said they would fix the sites I listed, but told me they couldn't possibly fix every https site on the whole WWW, there were just too many.

So, checking the Internet now, the first Web site on the list is fixed, working just as fast as any other Web site. But the rest of https sites are still broken, as before.

How it is that they are able to fix one site and it suddenly works great? That is some ability that an ISP has? What is going on here?

Last edited by General; 03-11-2016 at 06:40 AM.
 
Old 03-11-2016, 07:08 PM   #14
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,806

Rep: Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777
I think we have it nailed down now. The problem is NOT with the ISP, but the administration of the local (campus) network. They have some solution in place for tracking, accountability, security, or multiple functions that is causing the behavior you noticed. They can add some finite number of exceptions, but it becomes a policy and political issue.

If you make enough noise, they may either decide your cause is worth fighting for (unlikely), or that they will be better off stonewalling you until you give up.

If there is a strong enough campus tech community, you may be able to push for updating, improving, and fixing the local network: IF you have the on-hand experts!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Why are connections to https failing? General Linux - Networking 14 02-04-2016 11:46 PM
[Apache2] Connections via https questions... HellSinker Linux - Server 1 04-29-2014 11:52 AM
Some https connections time out. Likosin Linux - Networking 0 04-26-2005 07:48 PM
Squid problem with https connections thermoponch Linux - Networking 0 11-03-2004 04:41 AM
password rejected on https connections JCQ78 Linux - Networking 1 09-07-2003 05:36 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 10:51 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration