[cryptography] yet another certificate MITM attack

Jon Callas jon at callas.org
Thu Jan 10 18:59:31 EST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Others have said pretty much the same in this thread; this isn't an MITM attack, it's a proxy browsing service.

There are a number of "optimized" browsers around. Opera Mini/Mobile, Amazon Silk for the Kindle Fire, and likely others. Lots of old "WAP" proxies did pretty much the same thing. The Nokia one is essentially Opera.

These optimized browsers take your URL, process it on their server and then send you back an "optimized" page. That can be converted pictures, edits to the HTML proper, and so on.

The security characteristics are a mixed bag. They can send smaller pictures, scan for malware, but obviously they can't process your SSL connections. So they send the URL to the cloud server, make the SSL connection, and then send you the optimized page over SSL.

Some of these browsers let you turn off the "optimizations" for SSL pages. The Amazon Silk browser does. 

You can find information about Opera at:

<http://www.opera.com/mobile/specs/>

Here's articles with various concerns about Silk:

<http://www.zdnet.com/blog/networking/amazons-kindle-fire-silk-browser-has-serious-security-concerns/1516>

<http://www.theinquirer.net/inquirer/news/2203964/amazon-confirms-kindle-fires-silk-browser-tracks-users>

They're not doing certificate hinkiness. They are straightforward cloud services, or perhaps more formally proxy services. Heck, Google Reader is more or less the same thing, itself, albeit as an RSS reader than a web browser.

If one wants to get upset about them, there's plenty to grumble over. There's the explicit security concerns, concerns about tracking, concerns about misrepresentation to the users about what's really going on, and so on. The meta concern that smart people like us are even discussing it is also a security concern.

But they provide services that some people find valuable. I don't use them, but I wouldn't even call them a MITM, myself. When we say "MITM" we're eliding the word "attack." It's not an attack.

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: windows-1252

wj8DBQFQ71XksTedWZOD3gYRAoShAKDyXR3LPirRscaxA1RDTPQFrjl/jgCgpiMF
TMyJCoC77oZ9uaaWWomVuEg=
=f2UH
-----END PGP SIGNATURE-----



More information about the cryptography mailing list