[kwlug-disc] "In the new Canada, the web browses you"
unsolicited
unsolicited at swiz.ca
Sat Aug 13 16:30:39 EDT 2011
Chris Irwin wrote, On 08/13/2011 2:31 PM:
> On Fri, Aug 12, 2011 at 06:30:27PM -0400, unsolicited wrote:
>> Mind you ... you're right ... with ssl (https) ... isn't listening
>> in at the ISP all but pointless?
>
> Not really. Most of the difficulty of executing a man-in-the-middle
> attack is getting in the middle, a non-issue for your ISP.
OK, fair enough, I wasn't considering MITM, but I saw nothing in the
articles discussing that. OTOH, I do wonder if we haven't just stepped
into a form of digital lock breaking, which then becomes state
sponsorship of it. Truth stranger than fiction, again.
> There was a presentation at BlackHat 2009 using a MITM attack to rewrite
> "https://..." urls to "http://..." urls, ...
I remember that discussion coming up in the (our) lug.
> Even if you trusted every certificate vendor in your browser (or
> removed those you don't), can you trust their infrastructure?
>
> CA hacked to provide fraudulent certificates.
> https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https
OK, but, for the purposes of this thread, we largely don't care.
Largely, we only care that the traffic of this conversation not be
sniffable by the ISP. Getting into the, are we really on the site it
says it is, is a whole 'nuther thread.
And ... how many of us have turned off the browser warnings about
mixed un/encrypted pages? So, again, we're not paying as much
attention as we probably should that the site really is the site, and
the signer itself is trustable. Score another for marketing and
VeriSign, I suppose. (I wonder how much budget they put towards just
maintaining their credibility, proper use of logos on sites, etc.)
>> Thinking of the English riots, talk of BlackBerry sniffing whatever
>> ... just having a sense of the preponderance of data going
>> somewhere, like a facebook site, and the ability to get to that site
>> directly oneself, seems sufficient. No need to crack the data
>> itself, just, where it's going. And if you see bad stuff (facebook),
>> then you're listening for what's headed that way.
>
> Anybody remember when Blackberry told (I believe) India and UAE that it
> was absolutely impossible to allow snooping on blackberry traffic, and
> there was a possible risk of blackberries being blacklisted in the
> country due to that? Now they are willing to co-operate fully. Hmm.
Right, but my expectation was that RIM would open up the ability to
plain text see the traffic at the BES point. In very specific
circumstances. Is that how it went down?
Given the Google / China experience, I don't expect RIM had much
choice, shareholder wise.
I will wonder, however, if that episode will lead to the eventual
demise of the BB. In essence, they showed their security is not
absolute in all cases, and with SSL end to end on PDAs (I presume)
showing that alternate security strategies take you to the same place,
the BB competitive advantage isn't as strong as it was - making
i<thing> / Android viable choices even on the security front.
Anyways, the debate point here, for England / riots is ... slippery slope.