[cryptography] yet another certificate MITM attack

Kevin W. Wall kevin.w.wall at gmail.com
Sat Jan 12 14:35:34 EST 2013


Relevant to this thread, but OT to the charter of this list.

On Sat, Jan 12, 2013 at 5:46 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Sat, Jan 12, 2013 at 4:27 AM, ianG <iang at iang.org> wrote:
>> On 11/01/13 02:59 AM, Jon Callas wrote:
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Others have said pretty much the same in this thread; this isn't an MITM
>>> attack, it's a proxy browsing service.
>>>
>>> There are a number of "optimized" browsers around. Opera Mini/Mobile,
>>> Amazon Silk for the Kindle Fire, and likely others. Lots of old "WAP"
>>> proxies did pretty much the same thing. The Nokia one is essentially Opera.
>>>
>>> These optimized browsers take your URL, process it on their server and
>>> then send you back an "optimized" page.
>>
>> Oh, I see.  So basically they are breaking the implied promise of the https
>> component of the URL.
>>
>> In words, if one sticks https at the front of the URL, we are instructing
>> the browser as our agent to connect securely with the server using SSL, and
>> to check the certs are in sync.
>>
>> The browser is deciding it has a better idea, and is redirecting that URL to
>> a cloud server somewhere.
>>
>> (I'm still just trying to understand the model.  Yes, I'm surprised, I had
>> never previously heard of this.)
> It's right up there with the PenTesters using BurpSuite to to destroy
> a secure channel. I look at the PenTest reports and shake my head in
> disbelief that no one took exception to what the PenTesters did....

Whoa...hold on there Jeff. I'm hoping that I'm misunderstanding your
last statement about what the pen testers did to "destroy a secure
channel".

Are you implying that _authorized_ PenTesters using software such as
BurpSuite (or Fiddler2 or Paros Proxy, or any other software that
leverages the browser's _forward_ proxy ability is violation of some
law or morals? If so, I would wholeheartedly disagree. They are not
capturing arbitrary HTTPS traffic of others, but only that originating
from their
own browser. How is that any different from doing it from a brower
plug-in, such as Tamper Data in Firefox? [Note: I'm not debating if
some arbitrary person tries to pen test their bank or some other
application that the have not been properly authorized to do. That
is a different store entirely and is a violation of the law, but probably
NOT because is is "destroying a secure channel"...DMCA not
withstanding.]

There is a big difference in forward proxies and reverse proxies. A forward
proxy is (generally) under your control. When it is not under the user's
control which appears the case here, that is completely different. It matters
little (to me at least) that Nokia has probably buried this under the fine
print legalese of their TOS.  But IMHO, that's a far cry from a pen tester
configuring their browser's forward proxy capability to use BurpSuite or
Fiddler2, or some other proxy. Keep in mind that it's not only pen testers
who do this, but many web application developers use these tools as well
to aid them in debugging their web applications.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein



More information about the cryptography mailing list