SilverXpress (Teacher, 18 Messages)

Sunday, June 30th, 2019 3:20 PM

AT&T Uverse Broadband Fiber network degrades SSL Encryptions

For the past two weeks, I have been experiencing a serious degradation of HTTPS communications into our AT&T Business Fiber network.

After several tech visits to:

1) Replace the modem,
2) Hardwire a fiber line to the modem (use the ONT port),
3) Upgrade to symmetric speeds (25/25),
4) Enable ping in the firewall.

While the performance is better (no page timeouts), there are still visible delays in page completions. This is only with HTTPS (encrypted, secured) connectivity, not with HTTP connections, which are snappy and fast. No delays.


I have concluded that AT&T Uverse Broadband Fiber network degrades SSL Encryptions due to the increased packet monitoring and packet sniffing with DPI (Deep Packet Inspection) done in Atlanta. Our SSL packets are encrypted using modern settings, TLS v1.3 and ECDHE ciphers, which yield an A+ grading at SSL Labs, https://www.ssllabs.com/ssltest/

 

I serve the PCI market, and an A+ security rating for web servers is a basic requirement for many of the customers.

It is my opinion that the increased encryption security which is now required by most major browsers and PCI auditors is causing significant delays with AT&T network services, which are now also monitoring customer networks to provide their own "Services." Perhaps they added too many boundary-violating Level 3 applications and proxies to sniff packets at level 1?

I don't know for sure, but it all points this way. I've had a T1 since 1998. In 2016, when AT&T finally added Business Fiber into the office building to serve the bank, I was able to "piggyback" off it and I replaced the T1 with a 50/10 profile. For nearly 2 years, there were absolutely no HTTPS connectivity issues, but in the last two weeks, my customers from Australia, UK, California, Florida, Texas, etc., and even myself from my home office 2 miles away began to see and report major HTTPS connection issues. But not HTTP. You might be able to see the difference here:

Non-encrypted unsecured page:  http://santronics.com
secured page: https://secure.santronics.com

Both domains go to the same IP. The only difference is the HTTP and HTTPS protocol. While right now it is operating OK, enough to continue operating, customers can get in, there are still some delays. But imagine that until this past Wednesday, when I was finally able to talk with a Level 1 network engineer, there were browser timeouts and retransmissions of packets (as seen with Wireshark), a complete HTTPS breakdown to access the system from the outside only. From within the LAN, inside the office, no problem. Only from the WAN.

So I am posting to get some insight and discussion into this problem. Higher encryption is now the standard. The industry is now enforcing it, whether it's the browsers, the security auditors, SSL Labs, the IETF, the APIs like OpenSSL, or the implementers and developers like myself; these HTTPS packets are heavy duty now and the DPI and NSA snooping is going to be harder to decrypt. So how are they dealing with this? Feeding the packets to some DEEP AI engine? AT&T is also adding overhead with service monitoring. I'm already starting to get the emails about the sniffing it does on my network, telling me what ports are open, etc. With Deep AI in the picture, more sniffing proxies are surely going to be added to learn about our customer communications, borderline unethical, another bridge to cross. All because of the perceived idea that HIGHER bandwidths can make all this additional network provider overhead more feasible to do, with little or no delays added to the customer.

The problem is, there are issues with HTTPS overhead delays and I am seeing it in my network.

The suggestion by the Level 1 engineer was to switch to a Dedicated (trunk) line. Well, more money; why do I have to pay $300-$500 more to get a reliable channel? Is it going to resolve the HTTPS delays? I doubt it. It is probably above his pay grade to understand that concept. But this illustrates how the loss of Net Neutrality has put the small business at a disadvantage. Why am I paying Business Tier rates but getting Home Tier service? I never had a business problem with HTTPS until 2 weeks ago, after 25 years, when a decision was apparently made within AT&T to begin to accept HTTPS performance degradation and use it to convince customers to pay a higher cost to use HTTPS.

Go figure. It's a problem now and AT&T should own this problem and address it. I will not pay more money to fix this problem. I would rather switch to another provider. The problem there is that it is still an AT&T network! I cannot afford to switch to find out they will have the same problems!!!

I am sending this to the OpenSSL Committee folks to make them aware that a major network provider, AT&T, is causing problems with high grade HTTPS encrypted packets due to their HTTPS packet processing along the end-point routes. In other words, OpenSSL may no longer work reliably under Broadband connectivity due to network provider overhead to process HTTPS packets.

I also plan to contact local, state and federal officials, anyone who will listen and has some interest in addressing the lack of Net Neutrality and the concerns it has brought to end-users and small business with higher cost and less reliability.

In fact, I will suggest this makes the network more insecure by encouraging the smaller operations to not use HTTPS communications.  Stay with HTTP.  That would not be good.

Thanks for listening. If you can do anything about this, you should. It's a real problem and it can get worse if not addressed. By the end of the year, OpenSSL v1.0 will be End Of Life. No longer supported. That means web servers and encrypted channels must begin to switch to the higher overhead encryption levels using OpenSSL v1.1. I made this switch early this year. Didn't see an issue until 2+ weeks ago.

Hector Santos, CTO/CEO
Santronics Software, Inc.
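A defender-side way to localize the delay the post describes, added here as an example (not code from the post, the poster or AT&T): it times TCP connect, TLS handshake and time to first byte for the two URLs the poster gave and compares the HTTP and HTTPS breakdowns; the three-RTT handshake budget and the verdict labels are assumptions.

```python
import socket
import ssl
import time
from urllib.parse import urlsplit

def time_phases(url, timeout=10.0):
    """GET one URL and return seconds spent in TCP connect, TLS handshake and
    waiting for the first response byte (TTFB). Needs network access."""
    u = urlsplit(url)
    tls = u.scheme == "https"
    port = u.port or (443 if tls else 80)
    t0 = time.perf_counter()
    sock = socket.create_connection((u.hostname, port), timeout=timeout)
    connect = time.perf_counter() - t0
    handshake = 0.0
    if tls:
        ctx = ssl.create_default_context()  # system CA store, TLS 1.2/1.3
        t1 = time.perf_counter()
        sock = ctx.wrap_socket(sock, server_hostname=u.hostname)  # SNI: one IP serves both names
        handshake = time.perf_counter() - t1
    req = f"GET {u.path or '/'} HTTP/1.1\r\nHost: {u.hostname}\r\nConnection: close\r\n\r\n"
    t2 = time.perf_counter()
    sock.sendall(req.encode())
    sock.recv(1)  # first byte of the status line
    ttfb = time.perf_counter() - t2
    sock.close()
    return {"connect": connect, "tls": handshake, "ttfb": ttfb}

def diagnose(http, https, max_handshake_rtts=3.0):
    """Compare the two breakdowns. TCP connect time approximates one RTT; a
    TLS 1.3 handshake costs 1 RTT and TLS 1.2 costs 2, so max_handshake_rtts
    (an assumed budget) leaves slack. Returns the verdict and its numbers."""
    rtt = max(http["connect"], 0.001)
    budget = max_handshake_rtts * rtt
    extra_ttfb = https["ttfb"] - http["ttfb"]
    if https["tls"] > budget:
        verdict = "handshake"  # stalls inside the handshake: look at retransmissions / path MTU
    elif extra_ttfb > rtt:
        verdict = "server"  # handshake fine; the response itself is slower over TLS
    else:
        verdict = "normal"  # HTTPS cost is within the expected handshake RTTs
    return {"rtt": rtt, "handshake_budget": budget,
            "extra_ttfb": extra_ttfb, "verdict": verdict}

if __name__ == "__main__":
    # the two URLs named in the post; run once from the LAN and once from the WAN
    h = time_phases("http://santronics.com/")
    s = time_phases("https://secure.santronics.com/")
    print(h, s, diagnose(h, s))
```

A handshake that takes far more than a few RTTs while plain HTTP to the same IP is fast is the pattern to take to a packet capture: the server's certificate-bearing flight is much larger than an HTTP response header and is the first thing to break on a path with a reduced MTU. Running it from inside the LAN and from outside, as the poster did, shows whether the extra time appears only on the WAN path.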

Community Support (231.3K Messages), 5 years ago

Hey @SilverXpress,

Let us see if we can help!

So that we can get your feedback/request to the appropriate team, we will need your account information. We'll have to continue this conversation in a Private Message (PM). Check your forums inbox by clicking the envelope at the top of the page, look for a message from ATTCARES, and respond with the requested information.

We look forward to assisting further!

Rury, AT&T Community Specialist
