funchords
Hello
Premium,MVM
join:2001-03-11
Washington, DC
 ·Verizon Online DSL
 ·Skype
2 edits | reply to GOLFnSUN
Re: Past BBR stories established Nebuad only monitoring
said by GOLFnSUN  :said by jimness000 :It sounds as though this technology could be used to gain access to proprietary info which is assumed to be secure (via HTTPS connections).Am I wrong? Yes. I think you are. The Nebuad device has no decrypting capabilities and can't see inside encrypted packets. They could tell the end points of the conversation but not see the data. The device is inserted in the middle, so it can see the entire transaction, including the cryptographic key exchange. **
That said, I have no evidence that it decrypts https, and I personally believe that it would use precious CPU time in a middlebox where processing speed must be an issue.
We also have NebuAd's word that they won't try it, FWIW.
[Edit: I'm not sure this really means anything, SSL is not my strong point. It includes client sending of a code that can only be decrypted by a server's private key, but also includes several flavors of encryption of various strengths. In a cytological attack, my understanding is that the MITM can affect which get negotiated. All the more reason that we SHOULD be able to trust our ISPs and their vendors.]
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon
HTTP is the new Bandwidth Hog...
|
|
ctgreybeard
Old dogs can learn new tricks
Premium
join:2001-11-13
Bethel, CT
clubs: 
·AT&T Yahoo
| I believe that even if it can view the key exchange it still cannot decrypt the conversation unless it actually performs a "man in the middle" attack which would require it to spoof the certificates of BOTH ends of the conversation. This would be especially BAD, hopefully illegal, and DEFINITELY underhanded!
--
Old dogs can learn new tricks! |
|
espaeth
Digital Plumber
Premium,MVM
join:2001-04-21
Minneapolis, MN
·voip.ms
·Vitelity VOIP
·Callcentric
·VoiceStick
·ViaTalk
 ·Comcast
·Embarq
| reply to funchords
said by funchords :The device is inserted in the middle, so it can see the entire transaction, including the cryptographic key exchange. That said, I have no evidence that it decrypts https, and I personally believe that it would use precious CPU time in a middlebox where processing speed must be an issue. To be able to decrypt the conversation you need the private key (stored only on the hosting server/load balancer) that matches up with the public key served up in the https negotiation process.
The SSL cert also needs to match up as being issued by one of the default Certificate Authorities that had their authentication keys distributed with the web browser software.
Corporate SSL decoding solutions like that provided by Bluecoat work by having a "special" CA key installed on each of the client machines so that the appliance can spoof the https negotiation of valid Internet sources and have the public SSL key authenticate with the "special" CA that gets installed to the web browser so that the user never sees a pop-up to clue them in to the practice. Where you can notice this is if you look at the SSL cert details itself in the browser you will see that sites like Yahoo would be certified by some mystery CA instead of Verisign/Equifax/GeoTrust/Thawte/etc. The scary thing is that in a corporate environment this key can be distributed very easily/silently through Active Directory.
To be honest, the whole thing creeps me out and I'm usually pretty liberal in my view on acceptable practices in networking. |
|
knightmb
Everybody Lies
join:2003-12-01
Franklin, TN
·AT&T DSL Service
| reply to funchords
said by funchords :The device is inserted in the middle, so it can see the entire transaction, including the cryptographic key exchange. That said, I have no evidence that it decrypts https, and I personally believe that it would use precious CPU time in a middlebox where processing speed must be an issue. We also have NebuAd's word that they won't try it, FWIW. I have to agree, they wouldn't need to waste CPU time to do this. That would actually give it a dual purpose perhaps. Serve ads and secret wiretaps. Either way, we might not be able to do anything about the secret wiretap, but at least we can make the regular stuff all look like garbage. As usual in this type of stories, I chime in the link in my signature. 
--
Fight NebuAD and the like:
Click Here to pollute their data |
|
GOLFnSUN
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
 ·Sprint Mobile Broa..
·Comcast
| said by knightmb :said by funchords :The device is inserted in the middle, so it can see the entire transaction, including the cryptographic key exchange. That said, I have no evidence that it decrypts https, and I personally believe that it would use precious CPU time in a middlebox where processing speed must be an issue. We also have NebuAd's word that they won't try it, FWIW. I have to agree, they wouldn't need to waste CPU time to do this. That would actually give it a dual purpose perhaps. Serve ads and secret wiretaps. Either way, we might not be able to do anything about the secret wiretap, but at least we can make the regular stuff all look like garbage. As usual in this type of stories, I chime in the link in my signature. I think espaeth already answered the HTTPS issue here:
»Re: Past BBR stories established Nebuad only monitoring
--
My BLOG .. .. Internet News .. .. My Web Page |
|
