kaila join:2000-10-11 Lincolnshire, IL
to DataRiker
Re: Simple solution
Not sure about this, but couldn't SSL still be vulnerable to man-in-the-middle type attacks if ISPs are proxying the traffic?
No.
SSL uses endpoint mutual authentication.
to kaila
Yes, if ISPs are inserted into the SSL certificate chain. Most ISPs don't do this but censored countries and many corporate networks, for example, do this. When in the certificate chain they can proxy SSL traffic silently and eavesdrop on the traffic going through the connection.
"Steve explains why and how world governments are able to legally compel their national SSL Certificate Authorities to issue Intermediate CA certificates which allow agencies of those governments to surreptitiously intercept, decrypt, and monitor secured SSL connections of any and all kinds."
» www.grc.com/sn/sn-243.htm
There is a solution though. It's called TOR and it allows encrypted traffic to proxy servers through which you can browse the regular internet. I'm not aware of any exploit against TOR at this time that would allow man-in-the-middle as it doesn't use the SSL chain of trust. Though there is speculation that if a government provided a proxy node they could potentially identify some users. The probability is extremely low that this would succeed due to the onion routing, though it is technically possible. The only issue to deal with is that TOR is slow (because of the onion routing). TOR has been a documented resource in allowing people in oppressive totalitarian regimes to bypass the censorship regimes and provide real information flow.
The beauty of TOR over generalized proxies is that the traffic is routed through multiple proxies between source and destination, thus shielding both sides from oppressive government (or ISP in this case) action.
Matt3 (All noise, no signal.) Premium Member join:2003-07-20 Jamestown, NC
2011-Aug-5 2:44 pm
said by rahvin112: There is a solution though. It's called TOR and it allows encrypted traffic to proxy servers through which you can browse the regular internet. I'm not aware of any exploit against TOR at this time that would allow man-in-the-middle as it doesn't use the SSL chain of trust.
Tor is no solution, asshat torrenters and child pornographers have ruined the network. As far as exploits, why, a simple Google search shows there is in fact an easy way to perform a man-in-the-middle attack, even of SSL-encrypted traffic.
said by article: He then mentioned all the passwords, and credit card numbers that SSLstrip was able to pull from Tor users and save in plain text (You don't shop using Tor, do you?).
» www.google.com/search?rl ··· e-middle
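The SSLstrip technique Matt3 points at does not break SSL; it keeps the victim on plain http by rewriting links, which is why the later reply says https is the real protection. The defence browsers ship for this is HSTS (RFC 6797): once a host has been seen over HTTPS with a Strict-Transport-Security header, or is on the built-in preload list, the browser upgrades any http:// URL for that host before sending the request, so a stripped link never leaves the machine. The following Python is an added example, not code from any poster here; it models that cache with constructed host names and a constructed preload set, and shows the one case where the upgrade cannot help: a host the browser has never seen over HTTPS.

```python
"""Minimal model of a browser's HSTS cache (added example, constructed data).
Covers: max-age and includeSubDomains parsing, expiry, max-age=0 removal, a
preload set, and the http -> https rewrite rules of RFC 6797 section 8.3."""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when there is no valid max-age directive, which RFC 6797 requires."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    def __init__(self, preload=()):
        self.preload = {h.lower() for h in preload}   # hosts shipped with the browser
        self.entries = {}                              # host -> (expires_at, include_subdomains)

    def observe(self, host, header, now):
        """Record a header.  Call this only for responses received over HTTPS; a
        header seen over plain HTTP must be ignored, or an interposer could poison the cache."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)               # site asked to be forgotten
        else:
            self.entries[host] = (now + max_age, include_sub)

    def is_known(self, host, now):
        """True if host, or a parent domain covering subdomains, is an unexpired HSTS host."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:              # preload entries cover subdomains
                return True
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// for a known host; otherwise return it unchanged.
        An explicit port 80 becomes 443; any other explicit port is preserved (RFC 6797 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname, now):
            return url
        if parts.port == 80:
            netloc = f"{parts.hostname}:443"
        elif parts.port is None:
            netloc = parts.hostname
        else:
            netloc = parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache(preload=["preloaded.example"])
    # Constructed history: the user visited bank.example over HTTPS at t=1000.
    cache.observe("bank.example", "max-age=31536000; includeSubDomains", now=1000)
    for link in ("http://bank.example/login", "http://www.bank.example/login?x=1",
                 "http://shop.example/checkout", "http://sub.preloaded.example/"):
        print(f"{link:40s} -> {cache.rewrite(link, now=2000)}")
```

shop.example is the SSLstrip case: it was never seen over HTTPS and is not preloaded, so the stripped link is followed as given. Everything else is rescued before any packet is sent, which is what makes the attack fail regardless of what sits in the path.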
MxxCon join:1999-11-19 Brooklyn, NY
to rahvin112
Tor is not a solution, it's a workaround. Using Tor you'd bypass your ISP's hijacking, but you have no idea if the exit node you picked has a similar hijacking ISP. The only way to protect against this kind of hijacking is https or perhaps IP-level authentication that I think IPv6 can provide.
to Matt3
If one uses their browser in default setting as intended, a Man in the Middle attack is not transparent and will fail.
Your browser will issue a warning saying the Cert does not match.
All the rest is FUD.
ctceo Premium Member join:2001-04-26 South Bend, IN
to kaila
ISPs are in the perfect position to use MitM paralleling. You've already given them permission to snoop. You only need a piece of widely used publicly available software to do the trick.
to InfinityDev
said by InfinityDev: Yes, if ISPs are inserted into the SSL certificate chain. Most ISPs don't do this but censored countries and many corporate networks, for example, do this. When in the certificate chain they can proxy SSL traffic silently and eavesdrop on the traffic going through the connection.
"Steve explains why and how world governments are able to legally compel their national SSL Certificate Authorities to issue Intermediate CA certificates which allow agencies of those governments to surreptitiously intercept, decrypt, and monitor secured SSL connections of any and all kinds."
» www.grc.com/sn/sn-243.htm
In the real world the ISP can trick you into installing their root cert the same way they can trick you into installing a key logger or advertising malware. This is realistically the only capability they will see. Any covert LEA capability to sign fake certs is sure as hell not going to be pissed away in pursuit of extracting a few dollars from advertising campaigns. The days of the MD5-only signatures used previously to generate fake intermediates with PS3 clusters are over. As of a few months ago some browsers have stopped accepting them.
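Three posts above describe the same trust decision from different angles: InfinityDev's point that a CA inserted into the chain lets a proxy read traffic silently, the reply that a stock browser warns when the certificate does not match, and this post's point that the practical route is getting a root certificate installed on the user's machine. The Python below is an added example, not code from any poster or from any browser; it models the checks with constructed CA and host names and follows only subject/issuer links (no signatures are verified), which is enough to show exactly which check fails in each case and why a client that pins its expected issuer still rejects the proxy chain after the ISP root has been installed.

```python
"""Toy model of a browser's chain validation plus an issuer pin (added example,
constructed data; subject/issuer links only, no cryptographic verification)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False
    sans: tuple = ()          # DNS names the certificate is valid for


def build_path(leaf, chain, trust_store):
    """Follow issuer links from the leaf through the supplied intermediates until
    an issuer is found in the trust store; return [leaf, ..., root] or None."""
    by_subject = {c.subject: c for c in chain}
    roots = {r.subject: r for r in trust_store}
    path, current = [leaf], leaf
    for _ in range(len(chain) + 1):       # bounded walk: a cyclic chain cannot loop forever
        if current.issuer in roots:
            return path + [roots[current.issuer]]
        nxt = by_subject.get(current.issuer)
        if nxt is None or not nxt.is_ca:  # missing link, or a non-CA used as an issuer
            return None
        path.append(nxt)
        current = nxt
    return None


def validate(host, leaf, chain, trust_store, pinned_issuers=None):
    """Return (accepted, reason).  The first two checks are what a stock browser does;
    the pin is the extra check a site-specific client can add on top."""
    path = build_path(leaf, chain, trust_store)
    if path is None:
        return False, "untrusted root: chain does not end at a CA in the trust store"
    if host not in leaf.sans:
        return False, f"name mismatch: {host} not in {leaf.sans}"
    if pinned_issuers is not None and not any(c.subject in pinned_issuers for c in path[1:]):
        return False, "pin failure: none of the expected CAs appears in the chain"
    return True, "ok"


# Constructed data: the site's real chain, and the chain an interposing ISP proxy presents.
LEGIT_ROOT = Cert("Example Trust Root CA", "Example Trust Root CA", is_ca=True)
LEGIT_INT = Cert("Example Trust Intermediate CA", "Example Trust Root CA", is_ca=True)
LEGIT_LEAF = Cert("bank.example", "Example Trust Intermediate CA",
                  sans=("bank.example", "www.bank.example"))

ISP_ROOT = Cert("ISP Proxy Root CA", "ISP Proxy Root CA", is_ca=True)
ISP_INT = Cert("ISP Proxy Intermediate CA", "ISP Proxy Root CA", is_ca=True)
ISP_LEAF = Cert("bank.example", "ISP Proxy Intermediate CA", sans=("bank.example",))

DEFAULT_STORE = [LEGIT_ROOT]                     # what the browser ships with
PINNED = {"Example Trust Intermediate CA"}       # what a pinning client expects to see


def scenarios():
    """Run the situations discussed in the thread and return each outcome."""
    return {
        "real chain, stock browser":
            validate("bank.example", LEGIT_LEAF, [LEGIT_INT], DEFAULT_STORE),
        "proxy chain, stock browser":
            validate("bank.example", ISP_LEAF, [ISP_INT], DEFAULT_STORE),
        "proxy chain, ISP root installed":
            validate("bank.example", ISP_LEAF, [ISP_INT], DEFAULT_STORE + [ISP_ROOT]),
        "proxy chain, ISP root installed, pinned client":
            validate("bank.example", ISP_LEAF, [ISP_INT], DEFAULT_STORE + [ISP_ROOT],
                     pinned_issuers=PINNED),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:48s} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The second scenario is the browser warning: the proxy's chain ends at a root the trust store has never heard of. The third is the silent interception case, and the trust store is the only thing that changed; that is why an installed root is worth more to an interposer than any amount of traffic-level trickery, and why auditing the local root store (and pinning where the client can) is the check that actually matters.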