kaila to DataRiker

Re: Simple solution

Not sure about this, but couldn't SSL still be vulnerable to man-in-the-middle type attacks if ISPs are proxying the traffic?

DataRiker

No.

SSL uses endpoint mutual authentication.

InfinityDev to kaila

Yes, if ISPs are inserted into the SSL certificate chain. Most ISPs don't do this but censored countries and many corporate networks, for example, do this. When in the certificate chain they can proxy SSL traffic silently and eavesdrop on the traffic going through the connection.

"Steve explains why and how world governments are able to legally compel their national SSL Certificate Authorities to issue Intermediate CA certificates which allow agencies of those governments to surreptitiously intercept, decrypt, and monitor secured SSL connections of any and all kinds."

»www.grc.com/sn/sn-243.htm

rahvin112

There is a solution though. It's called Tor and it allows encrypted traffic to proxy servers through which you can browse the regular internet. I'm not aware of any exploit against Tor at this time that would allow man-in-the-middle as it doesn't use the SSL chain of trust. Though there is speculation that if a government provided a proxy node they could potentially identify some users. The probability is extremely low that this would succeed due to the onion routing, though it is technically possible. The only issue to deal with is that Tor is slow (because of the onion routing). Tor has been a documented resource in allowing people in oppressive totalitarian regimes to bypass the censorship regimes and provide real information flow.

The beauty of Tor over generalized proxies is that the traffic is routed through multiple proxies between source and destination, thus shielding both sides from oppressive government (or ISP in this case) action.

Matt3

said by rahvin112:

There is a solution though. It's called Tor and it allows encrypted traffic to proxy servers through which you can browse the regular internet. I'm not aware of any exploit against Tor at this time that would allow man-in-the-middle as it doesn't use the SSL chain of trust.

Tor is no solution, asshat torrenters and child pornographers have ruined the network.

As far as exploits, why, a simple Google search shows there is in fact an easy way to perform a man-in-the-middle attack, even of SSL-encrypted traffic.
said by article:

He then mentioned all the passwords, and credit card numbers that SSLstrip was able to pull from Tor users and save in plain text (You don't shop using Tor do you?).

»www.google.com/search?rl ··· e-middle

MxxCon to rahvin112

Tor is not a solution, it's a workaround. Using Tor you'd bypass your ISP's hijacking, but you have no idea if the exit node you picked has a similar hijacking ISP.
The only way to protect against this kind of hijacking is https or perhaps IP-level authentication that I think IPv6 can provide.
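The layered encryption rahvin112 describes, and the exit-node caveat MxxCon and Matt3 raise, can be shown in code. The Go program below is an added example written for this page, not code from the thread or from the Tor project: it builds a three-hop onion with AES-256-GCM, has each simulated relay peel one layer, and shows that a relay learns only its next hop while the exit relay is left holding exactly what the client sent, in the clear unless that payload is itself TLS. The relay names, the destination, the sample login request and the directly generated per-hop keys (real Tor negotiates its keys in a handshake) are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"io"
)

// relayKey is the symmetric key the client shares with one relay. Tor negotiates
// these during circuit setup; the example generates them directly (an assumption).
type relayKey []byte

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// newGCM wraps a 32-byte relay key; with the length fixed, neither call can fail.
func newGCM(key relayKey) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal encrypts one layer with AES-256-GCM and prefixes the random nonce.
func seal(key relayKey, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// layer is all a relay learns after stripping its own encryption: where to
// forward the cell, and an opaque blob it has no key for.
type layer struct {
	Next    string `json:"next"`
	Payload []byte `json:"payload"`
}

// peel strips one layer; the wrong key yields an authentication error, not garbage.
func peel(key relayKey, blob []byte) (layer, error) {
	gcm := newGCM(key)
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return layer{}, fmt.Errorf("cell too short")
	}
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return layer{}, err
	}
	var l layer
	err = json.Unmarshal(pt, &l)
	return l, err
}

// wrap builds the onion from the inside out: only the exit relay's layer holds
// the real destination and the cleartext payload; outer layers name the next hop.
func wrap(hops []string, keys []relayKey, destination string, payload []byte) []byte {
	last := len(hops) - 1
	inner, _ := json.Marshal(layer{Next: destination, Payload: payload})
	blob := seal(keys[last], inner)
	for i := last - 1; i >= 0; i-- {
		outer, _ := json.Marshal(layer{Next: hops[i+1], Payload: blob})
		blob = seal(keys[i], outer)
	}
	return blob
}

// route simulates the circuit: each relay peels its layer, records the one thing
// it learned (its next hop) and forwards the rest. The exit ends up with cleartext.
func route(hops []string, keys []relayKey, onion []byte) ([]string, []byte, error) {
	var seen []string
	blob := onion
	for i, hop := range hops {
		l, err := peel(keys[i], blob)
		if err != nil {
			return seen, nil, fmt.Errorf("%s: %w", hop, err)
		}
		seen = append(seen, hop+" -> "+l.Next)
		blob = l.Payload
	}
	return seen, blob, nil
}

func main() {
	hops := []string{"guard", "middle", "exit"}
	keys := []relayKey{randomBytes(32), randomBytes(32), randomBytes(32)}
	// Constructed sample: a plain-HTTP login, i.e. no TLS inside the circuit.
	req := []byte("POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=bob&pw=hunter2")
	onion := wrap(hops, keys, "shop.example:80", req)
	seen, out, err := route(hops, keys, onion)
	fmt.Println(seen, err)
	fmt.Printf("exit relay forwards in the clear: %q\n", out)
}
```

The guard sees only "middle", the middle relay only "exit", and neither can open a layer it holds no key for, which is the shielding rahvin112 is describing. The exit relay, however, must decrypt the last layer to forward the request at all, so a hostile exit sees the password above in full. That is MxxCon's point and what SSLstrip exploits in Matt3's link: Tor protects the path, not the payload, and only end-to-end TLS to the destination protects the payload from the exit.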

DataRiker to Matt3

If one uses their browser in its default settings as intended, a man-in-the-middle attack is not transparent and will fail.

Your browser will issue a warning saying the cert does not match.

All the rest is FUD.

ctceo to kaila

ISPs are in the perfect position to use MitM paralleling. You've already given them permission to snoop. You only need a piece of widely used publicly available software to do the trick.

dslcreature to InfinityDev

said by InfinityDev:

Yes, if ISPs are inserted into the SSL certificate chain. Most ISPs don't do this but censored countries and many corporate networks, for example, do this. When in the certificate chain they can proxy SSL traffic silently and eavesdrop on the traffic going through the connection.

"Steve explains why and how world governments are able to legally compel their national SSL Certificate Authorities to issue Intermediate CA certificates which allow agencies of those governments to surreptitiously intercept, decrypt, and monitor secured SSL connections of any and all kinds."

»www.grc.com/sn/sn-243.htm

In the real world the ISP can trick you into installing their root cert the same way they can trick you into installing a key logger or advertising malware. This is realistically the only capability they will see.

Any covert LEA capability to sign fake certs is sure as hell not going to be pissed away in pursuit of extracting a few dollars from advertising campaigns.

The days of the MD5-only signatures used previously to generate fake intermediates with PS3 clusters are over. As of a few months ago some browsers have stopped accepting them.