by peteretep 3970 days ago
I would be interested in an easy-to-use local packet sniffer that attempted to give me hints on what I was leaking - what isn't via https from all apps on my machine, for example.

Obviously wireshark would get you 50% of the way there - to add to that then, a pretty UI focussed on scaring users with what information is being leaked - hostnames for SSL sites they're visiting for example.


This is a great project idea. A challenge is in classifying all of the elements of every protocol dissector as interesting or uninteresting. For example, TCP sequence numbers are high-entropy but low-consequence. MAC addresses are high-severity but normally not propagated to an ISP or a remote site operator.

There are also tensions between trying to identify leaks to a network eavesdropper and trying to identify leaks to a remote site (or ad network). In many people's analysis, the network eavesdropper is worse because you didn't mean to communicate with them at all, so any information they derive whatsoever is a pure loss of communications security. But for projects like Tor Browser and Privacy Badger, it counts as a loss of privacy if different sites can recognize you as the same user, even if you intentionally communicated with those sites.

Using HTTPS will prevent a sniffer from recognizing that some tracking cookies or identifiers are being sent, so you simultaneously get a true improvement against the network adversary and a false negative measuring privacy against the ad networks.

Considering that digital electric meters have been compromised, and that the one I studied had dual-band radios including WiFi spectrum, it may be best to assume that there may be unexpected data pathways that could use a MAC address. Note that the WiFi of many routers broadcasts the wired MAC addresses on the LAN as well as the wireless clients.

You're right about false negatives with sniffers. If you read the source on pages you visit, you'll see https analytics data mining, so don't assume that every outgoing https connection is okay. (And some browsers don't use your normal DNS / hosts settings, so sites you think are blocked may not be.)

I've been messing with a little kernel module to do that by logging all new IP connections. Having it there lets you watch all your applications for unwanted traffic. You could layer a policy/reporting/blocking layer in userspace.

Surely there's already something to do this aside from a full sniffer?

Sure, something like LittleSnitch on the Mac is an interactive and easy-to-use firewall. But I'm really after something that is looking for things you could write easy filters for:

- Tell me whenever something that looks like an email address is sent in the clear

- Tell me whenever my name/postcode/other user-specifiable text is sent in the clear

- Tell me when I'm connected to an SSL site but the hostname is leaked

- Keep a list of DNS entries that I'm leaking

The real challenge will not be to capture everything, it'll be trying to show up items of interest.
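A first cut of exactly those four filters, as an added example (not from this thread, and not code from Wireshark or Little Snitch): it takes one captured payload plus its destination port from whatever capture source you already have and returns human-readable hints, flagging DNS question names, the plaintext SNI hostname inside a TLS ClientHello, email addresses, and user-supplied watch strings sent in the clear. The `client_hello` builder only constructs a sample ClientHello so the code runs offline.

```python
import re
import struct
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
def dns_query_name(payload: bytes):
    # First question name of a DNS query (responses are ignored), or None.
    if len(payload) < 12 or payload[2] & 0x80:
        return None
    labels, pos = [], 12
    while pos < len(payload) and not payload[pos] & 0xC0:   # no compression in questions
        n, pos = payload[pos], pos + 1
        if n == 0:
            return ".".join(labels) or None
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return None
def tls_sni(payload: bytes):
    # server_name from a plaintext TLS ClientHello record, or None.
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:  # record header (5) + handshake header (4) + version (2) + random (32) = 43
        pos = 44 + payload[43]                                  # skip session id
        pos += 2 + struct.unpack_from("!H", payload, pos)[0]    # skip cipher suites
        pos += 1 + payload[pos]                                 # skip compression methods
        pos, end = pos + 2, pos + 2 + struct.unpack_from("!H", payload, pos)[0]
        while pos + 4 <= end:                                   # walk the extensions
            etype, elen = struct.unpack_from("!HH", payload, pos)
            if etype == 0:                                      # server_name extension
                n = struct.unpack_from("!H", payload, pos + 7)[0]
                return payload[pos + 9:pos + 9 + n].decode("ascii")
            pos += 4 + elen
    except (struct.error, IndexError, UnicodeDecodeError):
        pass
    return None
def find_leaks(port: int, payload: bytes, watch=()):
    hits = []
    if port == 53 and (name := dns_query_name(payload)):
        hits.append(f"DNS query leaks hostname: {name}")
    if port == 443 and (name := tls_sni(payload)):
        hits.append(f"SNI leaks hostname despite HTTPS: {name}")
    hits += [f"email address in the clear: {m.decode()}" for m in EMAIL_RE.findall(payload)]
    hits += [f"watched text in the clear: {t}" for t in watch if t.encode().lower() in payload.lower()]
    return hits
def client_hello(host: str) -> bytes:
    # Constructed sample input: a minimal ClientHello whose only extension is SNI.
    name = host.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = b"\x03\x03" + bytes(33) + b"\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(ext)) + ext
    return b"\x16\x03\x01" + struct.pack("!H", len(body) + 4) + b"\x01" + len(body).to_bytes(3, "big") + body
```

The watch-string match is a plain case-insensitive substring test, so a value that the browser URL-encodes (a space becoming `+` or `%20`) is a false negative unless the watch list includes that encoding too.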