Weekly Edition
Return to the Security page
| |||||||||||||
HTTPS interception in Nokia's mobile browserWhen using encrypted communication, users are at the mercy of the software that implements the cryptography. That generally works out reasonably well; users are only exposed to inadvertent bugs present in the code. But a recent report shows that sometimes using encryption may not actually result in more secure communication—such security depends on having tools that are actually trying to do what is expected of them. When a user visits an HTTPS site, they expect their browser to use an encrypted connection between it and the web site. Truthfully, many users are not technically sophisticated enough to understand that, but they have been (hopefully) trained to trust in the "lock" icon or other user interface elements that indicate a secure connection. Whether the user knows that means "encryption" or not depends on their level of technical savvy, but they almost certainly don't expect their secure data to be sent to a third-party server. But that's evidently what Nokia's Xpress mobile browser has been doing. HTTPS traffic is encrypted using keys that get exchanged between the destination server and client browser. A public key is contained in a server certificate that is signed by someone—typically a certificate authority (CA). The signature asserts that the key belongs to that server name. The public key is then used to encrypt and exchange session keys that are subsequently used to encrypt the session. The CA is integral to the web browser trust model; keys that don't validate under that model (e.g. keys signed by unknown or untrusted CAs, server names that do not match, etc.) are expected to cause some kind of alert from the browser. So it came as something of a surprise to security researcher Guarang Pandya that both regular HTTP and encrypted HTTPS traffic were being re-routed when using the Xpress browser. Worse yet, the certificate presented for any site visited was not that of the site in question, it was, instead, an ovi.com certificate. Ovi is Nokia's "brand" for its internet services. From some angles, this looks like a classic "man-in-the-middle" attack, but because the browser is complicit, Steve Schultze of the "Freedom to Tinker" blog calls it a "man-in-the-client". The man in the client is accepting a certificate for a Nokia proxy server instead of the site the user wanted to connect to, without notifying the user. Meanwhile, the man in the middle lives at the Nokia proxy server, which is making a connection to the desired destination. The proxy is used to speed up mobile browsing by using compression. It is similar to what is done by the Opera Mini browser, which Pandya also noted in his first report. But, Nokia was also using the proxy for HTTPS traffic, which meant that it was decrypting the incoming stream at the proxy and re-encrypting it, using the real destination's key, before sending it onward. Decrypting the HTTPS traffic from the mobile browser was not necessarily required, depending on how Nokia implemented things. It could have just relayed the traffic between the two endpoints by tunneling the traffic inside a client-to-proxy session. That would not have required decrypting the traffic, but it also would not have allowed the proxy to do its compression on the data, obviating the need for the proxy. Nokia, however, admitted that it decrypted the traffic in a comment by Mark Durrant on Pandya's post:
Importantly, the proxy servers do not store the content of web pages
visited by our users or any information they enter into them. When
temporary decryption of HTTPS connections is required on our proxy servers,
to transform and deliver users' content, it is done in a secure manner.
The "secure manner" phrase does not completely reassure, but this does not really look like an attempt to (knowingly) invade users' privacy. Durrant noted that Nokia has "implemented appropriate organizational and technical measures to prevent access to private information". It seems quite likely that this was simply a misstep by the company—one that could lead to a loss of privacy for Xpress users. That interpretation seems to be borne out by changes that Nokia made to the Xpress browser after Pandya's report. After a browser update, Pandya noted that HTTPS sessions were not being handled in the same way. The HTTPS traffic is now tunneled over an HTTP connection to Nokia's servers, and the certificate being used (at least as reported by the browser) is the proper one for the destination. So, only the destination endpoint should be able to decrypt the data. Given that, though, it's not clear why the proxy is not just bypassed for HTTPS traffic. The "welcome" notice that comes when installing the Xpress browser does make note of HTTPS decryption, though Schultze wonders how long that's been true, but certainly doesn't fully describe what's going on. Many users are likely to gloss over that statement—or not understand it at all. While web compression is a helpful feature for some users, it shouldn't come at the expense of reasonable security and privacy expectations. As more of our traffic moves into "the cloud", we will be seeing more of these kinds of problems. Investigations like Pandya's will be needed to ensure that we at least know this type of network manipulation is occurring. Open source mobile operating systems (or even just open source browsers on proprietary systems) make it easier to find and eliminate this kind of mistake, but vigilance is needed there as well. Reviewing the code and ensuring that the "app" corresponds to the code reviewed are still required. With open source, though, we can peek inside the black box, which should make things easier—though not foolproof. (Log in to post comments)
HTTPS interception in Nokia's mobile browser Posted Jan 24, 2013 11:28 UTC (Thu) by nim-nim (subscriber, #34454) [Link]
Such interception is widespread on corporate networks, since there is no way to properly proxy https traffic otherwise (and before you argue users are "entitled" to full network access without corporate supervision, access to physical corporate sites is protected by human guards, that, on a secure place, can ask you to show what's in your bags and check your are not leaving with sensitive material, so why the hell do all those "security" researchers expect people to be allowed to open a crypto tunnel freely and outsource the very same documents outside without any check?)
It is a great failure of the IT security community to have refused to acknowledge such basic needs, making it impossible to configure browsers so users are aware of the kind of checks they may be subjected to (that they may agree with or not, they could choose not to connect on corporate premises if they refuse the inspection on a properly designed system). So, instead, everyone is silently MITM-ing connexions by injecting its own root certificates behind the user's back (and please note it is *not* possible to restrict what those certificates can do in most browsers, so instead of authorising a certificate to connect to the known proxy only you're authorising it to do anything. The idiotic end-to-end no-compromise crypto mantra only produced systematic crypto breakage behind user's backs).
And that's just one kind of institution, various places (schools, prisons, etc) also require some filtering of what's going in and out.
Prisons excepted people can do whatever they want with their private smartphone, just not on a computer that does not belong to them.
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 11:40 UTC (Mon) by meuh (subscriber, #22042) [Link]
And when the corporate human guards ask you for your passwords, credit card numbers and such, you give them and say thanks ? Later, you discovered the corporate human guards were not part of the corporate staff (thus not tied to the corporate rules about ethics and such), since the job were outsourced to an another company from a foreign country. Oh, I'd like to have some Dilbert strip about this situation.
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 16:22 UTC (Mon) by nim-nim (subscriber, #34454) [Link]
Your analogy is very bad, because that is exactly the situation we have today, where the security community refused to handle https proxyfication, and as a result the only way to proxify traffic is to inject MITM certificates in the browser.
There is no way for the user to tell its browser "I allow this proxy to read my traffic, except for bigbank.com, and only if it presents certificate xxx, don't accept xxx for anything else". Instead you get complete MITM without any user control.
On a physical site when corporate human guards go beyond acceptable bonds you can escalate, refuse, protest, etc. But https "security" is not like this at all. Your bags are searched behind your back without any notification or limits, like in a bad spy movie. Since https designers refused to acknowledge the need for basic policing, organisations went directly to the stasi stage as a workaround.
Also note that the organisations complaining loudest about https interception (Google, Facebook, etc) are busy pushing the limits of existing laws when profiling their users, so no one is snow-white here.
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 17:08 UTC (Mon) by hummassa (subscriber, #307) [Link]
Well, actually... You CAN manage all the certificates on your browser (yes, a corporate logon or cron script can undo your job, but you can also re-do it afterwards, or just before entering the browser, etc.)
You can also check it manually (take a printout of the certificate in your house and compare it to the certificate you get on the company) and just Do Not Logon on the site if they mismatch.
Most sysadmins I know take the nice CYA stance that "I don't touch HTTPS connections (besides denying them to some blacklist) because both the company and I could be held liable if some wrongful bank transaction is done from our proxy's IP address."
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 18:01 UTC (Mon) by nim-nim (subscriber, #34454) [Link]
I didn't wrote you could not manage certificates. I wrote that due to various pas mis-decisions, the proxy has to spoof https web sites certificates behind the user and the browser's backs to work, instead of having a clear proxy certificate chain they are aware of, and can choose to trust (or not, one could implement pretty complex trust policies in browser extensions if needed).
As for the "don't touch https connexions" that's an increasingly unrealistic request, given that:
1. entities *do* have confidential informations they don't trust their users not to leak (and with good reason, some will post anything on any public web site without thinking of the consequences, especially when they've reached an organisational level where they feel immune to IT policies)
2. big web sites have started to crypt everything, killing cache performances if you ignore https (and they profile you anyway, so don't be duped – https is not improving your privacy there, killing proxies is also a way to protect their data gathering from anonymising intermediaries. Direct user access is best, especially when the user is IT-illiterate)
3. all the junkware vendors have started tunnelling every kind of dubious traffic on port 443, since they've discovered that was way easier than answering their customers' questions when their customers' security teams discovers said junkware is trying to breach the firewall via a forbidden port. (see also, websockets)
4. I'm quite sure spammers and phishers will make good use of crypto to hide their tracks as soon as there are enough https nodes to exploit
In other words, "don't touch https" means giving up on any firewall-like defence perimeter, trusting users will behave when they have no IT security culture, trusting no software installed on your system is going to leak data or even backdoor you via network accesses masquerading as https, trusting no web site you access is going to grossly abuse bandwidth and latency by serving badly-optimised content, etc
Does this level of trust seem compatible with the world we live in?
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 19:06 UTC (Mon) by hummassa (subscriber, #307) [Link]
1. (users having confidential information the org does not want to leak) computers with access to such information should not be internet-connected; keep on reading...
2. yes, caching proxies are pretty much dead.
3. blocking ports does not work; one can always put one tunnel inside another (some years ago, a coworker had a simple http-80-GET/POST tunnel installed connecting his machine to his home machine, and from there, he was free). And THAT is why I said in #1 above that computers with confidential information should not be internet-connected.
4. I didn't understand what you meant with this; what can phishers and spammers do with https that they can't do with http? And MITM proxies just HELP phishers and spammers because your browser cannot veto the original certificate and more: you introdute a SPOF because if one pwns the proxy, you have the entire organization open to phishing and spoofing addresses (*).
> In other words, "don't touch https" means giving up on any firewall-like defence perimeter, trusting users will behave when they have no IT security culture, trusting no software installed on your system is going to leak data or even backdoor you via network accesses masquerading as https, trusting no web site you access is going to grossly abuse bandwidth and latency by serving badly-optimised content, etc
Repeating: firewall-like defence perimeter via proxy does not work, introduces a SPOF and your confidential data is never safe if it is in an internet-connected computer. You open yourself and your organization to millions of dollars in liability by MITMing https because you can be inadvertently opening a backdoor to secure, money-transacting websites.
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 19:24 UTC (Mon) by nim-nim (subscriber, #34454) [Link]
> 1. (users having confidential information the org does not want to leak)
> computers with access to such information should not be internet- > connected; keep on reading...
You're living in lala-land
> 2. yes, caching proxies are pretty much dead.
ROTFL. The biggest thing that happened Internet-side those past years are smartphones, and if you think ISPs let them connect to the Internet without proxyfication, you're naïve
> 3. blocking ports does not work; one can always put one tunnel inside
It worked well-enough for years. Perfect security does not exist. This is no reason to give up on security (and if not: live by your ideals and post you CC number and passcode everywhere since CC processor security is not perfect)
> 4. I didn't understand what you meant with this; what can phishers and
Once a crypto tunnel is established there is no reason to rely on urls to transmit information. Most spam/phishing detection software relies heavily on url patterns to catch it
> you introdute a SPOF because if one pwns the proxy, you have the entire
Why do you assume proxy operators can not operate compute farms like everyone else?
Besides: mail already works hop-to-hop. I don't see the defenders of https purity complain smtps and imaps are unsecure
> You open yourself and your organization to millions of dollars in
Straw-man argument. Find us a single case when that happened. Leaks by naïve users, or infection via network accesses, OTOH, are to common to be even reported anymore.
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 19:33 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]
> ROTFL. The biggest thing that happened Internet-side those past years are smartphones, and if you think ISPs let them connect to the Internet without proxyfication
Actually, they do. TCP/HTTP proxies used to be all the rage about 5 years ago, but now almost nobody uses them. And I worked as a network engineer in a telecom company (a while ago). Proxying breaks too much stuff for too little benefit and besides the limit right now is the air interface, not the backbone networks.
> Besides: mail already works hop-to-hop. I don't see the defenders of https purity complain smtps and imaps are unsecure
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 20:20 UTC (Mon) by nim-nim (subscriber, #34454) [Link]
> Actually, they do. TCP/HTTP proxies used to be all the rage about 5 years
> ago, but now almost nobody uses them. And I worked as a network engineer > in a telecom company (a while ago). Proxying breaks too much stuff for > too little benefit and besides the limit right now is the air interface, > not the backbone networks.
The air interface also benefits from more compact traffic (see why Nokia or Opera set up their system, see why Google is working on SPDY now)> Besides: mail already works hop-to-hop.
>> I don't see the defenders of https purity complain smtps and imaps are
No one legitimate would do https proxying transparently if there was another choice. People condemning transparent https proxying also refuse to give another choice (because that would be 'unsecure') even while the other choice works everyday with smtps (an smtp relay is just a mail proxy under another name)
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 21:54 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]
>The air interface also benefits from more compact traffic (see why Nokia or Opera set up their system, see why Google is working on SPDY now)
Yup, and provider-level proxying doesn't do a squat in these cases.
>Besides: mail already works hop-to-hop.
>No one legitimate would do https proxying transparently if there was another choice.
HTTPS interception in Nokia's mobile browser Posted Jan 29, 2013 9:41 UTC (Tue) by nim-nim (subscriber, #34454) [Link]
>> The air interface also benefits from more compact traffic (see why Nokia
>> or Opera set up their system, see why Google is working on SPDY now) > Yup, and provider-level proxying doesn't do a squat in these cases.
Please explain why. Because there is zip technical differences between
website (badly optimized traffic)→ Akamai → smartphone and
> There is another choice - secure your damn endpoints
Anyone who pretends he is able to secure thousands of endpoints (especially end-user endpoints where the user will actively work against any securing to get the latest shiny stuff) is a damn liar. The best you can do is to try to secure them, and that includes securing their network accesses too (which is infinitely easier as there are less nodes to take care of, they don't have en-users connecting locally)
>> Besides: mail already works hop-to-hop.
Do you realise how meaningless your sentence is? You can't have an intermediary without another hop
HTTPS interception in Nokia's mobile browser Posted Jan 29, 2013 17:21 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]
>Please explain why. Because there is zip technical differences between
Then perhaps you should study networking? Nokia's browser (and Opera Mini) decompress traffic using specifically modified client. They do NOT need (or want) proxies on the provider level.
> Anyone who pretends he is able to secure thousands of endpoints (especially end-user endpoints where the user will actively work against any securing to get the latest shiny stuff) is a damn liar.
HTTPS interception in Nokia's mobile browser Posted Jan 29, 2013 18:42 UTC (Tue) by nim-nim (subscriber, #34454) [Link]
The 'specially modified client' just plugs into a proxy that compresses the traffic before hitting the air interface. As do all the spdy-capable proxies which are starting to hit the market. So what is your point exacly?
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 22:44 UTC (Mon) by anselm (subscriber, #2796) [Link] People condemning transparent https proxying also refuse to give another choice (because that would be 'unsecure') even while the other choice works everyday with smtps (an smtp relay is just a mail proxy under another name) If you want mail that is end-to-end secure you need something along the lines of PGP or S/MIME, which happens in the MUA and amounts to HTTPS. The hop-by-hop »proxying« that SMTP servers do does nothing for message security because, even with SMTP-over-TLS (SMTPS is no longer a thing), while the traffic between the various servers may be encrypted the messages are processed and queued on the servers themselves in clear text.
HTTPS interception in Nokia's mobile browser Posted Jan 29, 2013 9:48 UTC (Tue) by nim-nim (subscriber, #34454) [Link]
The point is, there is zero technical reason https could not follow the same security model as e-mail. That would make proxy MITM-ing un-necessary.
You send your traffic to the relay, it can inspect and modify it, if the relay operator wants to inspect it and you send a crypted message, it can refuse to carry it, the rest is negociation between the operator and you, no need for SSL breaking like on HTTPS.
HTTPS interception in Nokia's mobile browser Posted Jan 29, 2013 13:16 UTC (Tue) by khim (subscriber, #9252) [Link] The point is, there is zero technical reason https could not follow the same security model as e-mail. Sure. That's why it works in exactly the same way: HTTPS does not care about intermediate steps. But if text is not signed by a correct key then it refuses to work. The same way as PGP and S/MIME always worked. The only difference is that mail is send-and-forget thus it's harder to enforce S/MIME and/or PGP (if you refuse to read unencrypted mail then you often lose the important info). But still a lot of confidential docs where I work are sent encrypted so what's the difference between mail and HTTPS?
HTTPS interception in Nokia's mobile browser Posted Jan 29, 2013 13:43 UTC (Tue) by nim-nim (subscriber, #34454) [Link]
It does not work exactly the same way.
With mail you can say 'you are on a restricted network, use smtp server foo as relay, everything else will be blocked' (and then the user can choose to use the relay or not, and the relay can choose to relay or not depending on its settings)
With http you have to MITM to get the same result.
HTTPS interception in Nokia's mobile browser Posted Jan 29, 2013 13:49 UTC (Tue) by khim (subscriber, #9252) [Link] With http you have to MITM to get the same result. If you don't want to open encrypted message then simple routing rule will be enough and there are proxy autodiscovery mechanisms, if you do want to open encrypted message then you must somehow convince me to replace key in my PGP or S/MIME client - the same as with HTTPS. So I can not see the difference. Well, except for one: you need to specify relay for the mail, while proxy can be autodiscovered. I don't think it such a big difference.
HTTPS interception in Nokia's mobile browser Posted Feb 7, 2013 19:44 UTC (Thu) by Jandar (subscriber, #85683) [Link]
> The air interface also benefits from more compact traffic (see why Nokia or Opera set up their system, see why Google is working on SPDY now)> Besides: mail already works hop-to-hop.
Altering any data without consent is a criminal act in my country.
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 19:59 UTC (Mon) by hummassa (subscriber, #307) [Link]
> You're living in lala-land
You are telling me that computers with access to Confidential data can be internet-connected and *I* am living in lala-land. Ok.
You actually have some good arguments in your post. This is not one of them. :-D
> Once a crypto tunnel is established there is no reason to rely on urls to transmit information. Most spam/phishing detection software relies heavily on url patterns to catch it
I still can not parse this. Care to explain?
> ROTFL. The biggest thing that happened Internet-side those past years are smartphones, and if you think ISPs let them connect to the Internet without proxyfication, you're naïve
http proxyfication? maybe. even so, so many in the web is dynamic content those days, I don't think the benefit is as big as you suppose. https proxyfication? I highly doubt it. Just for the kick of it, I will download and check my smartphone's certificates, and get back to you.
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 20:26 UTC (Mon) by nim-nim (subscriber, #34454) [Link]
>> You're living in lala-land
>You are telling me that computers with access to Confidential data can be >internet-connected and *I* am living in lala-land. Ok.
>You actually have some good arguments in your post. This is not one of >them. :-D
You continue to be dense. Do you really think people in corporate admin have no access to confidential data? Do you really expect them to work without Internet access? When a lot of them are supposed to interact with the external environment? (and that's just one example)
>> Once a crypto tunnel is established there is no reason to rely on urls >> to transmit information. Most spam/phishing detection software relies >> heavily on url patterns to catch it
> I still can not parse this. Care to explain?
After the https handshake there is no obligation to use http at all inside the tunnel
> http proxyfication? maybe. even so, so many in the web is dynamic
media files still weight more than text. Even if your isp is not proxyfying https, that does not mean it's not proxyfing http, and when web sites switch from http to https proxies switch too
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 21:38 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]
>>> Once a crypto tunnel is established there is no reason to rely on urls to transmit information. Most spam/phishing detection software relies heavily on url patterns to catch it
>> I still can not parse this. Care to explain?
> After the https handshake there is no obligation to use http at all inside the tunnel
It's worse than that, almost no firewalls even force you to do the https handshake, they just allow anything that's on port 443 through, so you can use any protocol at all.
There are a handful of good firewalls (sidewinder being one) and IDS systems that will still watch port 443 traffic and alert you if they see something that doesn't look like https on that port, but if you go that far, you really do need to go further and have a full https mitm proxy/filter
As for the thought that you don't have confidential information on a Internet connected device, do you really think that executives who have all sorts of confidential information on their systems (including a ton of stuff in their e-mail about financial data of the company, plans for the future, etc) are not going to be connected to the Internet at some point?
There are places for isolated networks, but corporate desktops are not one of them.
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 21:48 UTC (Mon) by raven667 (subscriber, #5198) [Link]
In practice people don't bother to take precautions to protect sensitive data, that doesn't mean its not a good idea or possible, also there is an implicit assumption of risk that is being taken when executives run around with sensitive data on their laptops that they then lose. I suppose it depends on their assumption of risk and how radioactive/poisonous the data they handle is, between some stock speculator getting an earnings report a day early or a HIPPA violation and public disclosure.
HTTPS interception in Nokia's mobile browser Posted Feb 1, 2013 11:28 UTC (Fri) by basdebakker (guest, #60977) [Link]
Executives with desktops? Are you serious?
Our company has web filters, including HTTPS proxies that do a MITM with a certificate that they install in your browser.
Then our executives take their laptops and connect them to their home network, the airport network, etc. So do I.
HTTPS interception in Nokia's mobile browser Posted Feb 1, 2013 11:39 UTC (Fri) by hummassa (subscriber, #307) [Link]
> Then our executives take their laptops and connect them to their home network, the airport network, etc. So do I.
Meaning a two-bit hacker can compromise any data in those laptops at any time he wants, and all the proxying/MITMing infrastructure is just security theatre...
HTTPS interception in Nokia's mobile browser Posted Feb 1, 2013 14:33 UTC (Fri) by anselm (subscriber, #2796) [Link] Meaning a two-bit hacker can compromise any data in those laptops at any time he wants, and all the proxying/MITMing infrastructure is just security theatre... Not if all the internet access from those machines goes through a VPN back to the company (and the proxying/MITM infrastructure) even if they are in the home or airport network.
HTTPS interception in Nokia's mobile browser Posted Feb 1, 2013 21:08 UTC (Fri) by khim (subscriber, #9252) [Link] Of course it does not do that! VPNs are often incompatible with weird airport/hotel setups. Sometimes "Internet access" means just "http proxy access" and if stuff does not work in this setting executives become quite angry.
HTTPS interception in Nokia's mobile browser Posted Feb 1, 2013 21:53 UTC (Fri) by anselm (subscriber, #2796) [Link] VPNs are often incompatible with weird airport/hotel setups. Whatever. I travel rather a lot and have yet to find an airport/hotel setup that couldn't be made to work with our VPN. Running OpenVPN on TCP port 443 with the client in http-proxy mode helps. If all else fails then at least in-country there is always 3G which supports OpenVPN just fine, thank you very much.
HTTPS interception in Nokia's mobile browser Posted Feb 2, 2013 13:38 UTC (Sat) by hummassa (subscriber, #307) [Link]
Once you connected to the airport network (usually unencrypted, at least for the handshakes), what makes you think he hacker fifty feet behind you can't see your Facebook cookies, poison one of your apps, or do something that makes him access the juicy bits on your local email folders? And if you think 1% of the executives is careful enough or knowledgeable enough to avoid those kinds of traps, even in post-SabOx world, I do have a bridge or two to sell you. Espionage is simple these days; if your data isn't locked, it is not just yours.
HTTPS interception in Nokia's mobile browser Posted Jan 29, 2013 0:56 UTC (Tue) by hummassa (subscriber, #307) [Link]
> You continue to be dense. Do you really think people in corporate admin have no access to confidential data? Do you really expect them to work without Internet access? When a lot of them are supposed to interact with the external environment? (and that's just one example)
From a security standpoint if your data is really sensitive, you put it on a computer without internet access, in a very isolated, preferably physically isolated, network. If you need internet access to work, you do that from another computer on the side.
If your data is mildly sensitive, you can have "logical" "firewall" protections around it. But if you get cracked (and those guys get cracked all the time...) you can only look sad.
> After the https handshake there is no obligation to use http at all inside the tunnel
after http header there is no obligation, too.
In any case, the Internet routes around the damage, and this means that MITM can be easily detected via client certificates: before logon, server issues a challenge, proxy cannot sign the challenge with valid client certificate, access denied. If MITMing https proxies start becoming the norm, they will be routed around.
HTTPS interception in Nokia's mobile browser Posted Jan 29, 2013 9:58 UTC (Tue) by nim-nim (subscriber, #34454) [Link]
> In any case, the Internet routes around the damage,
On a corporate (or school, or prison, or whatever) network you are not connected to the Internet, you are connected to a private network. All the Internet interconnections are controlled by the network operator. No amount of posturing will change the fact that the one who owns the gateways has ultimate power on the traffic they carry (it can just drop it if people start playing games).
HTTPS interception in Nokia's mobile browser Posted Jan 29, 2013 11:22 UTC (Tue) by hummassa (subscriber, #307) [Link]
> No amount of posturing will change the fact that the one who owns the gateways has ultimate power on the traffic they carry
YES! Tell this to the RIAA so they can go bully AT&T, Comcast, &c. instead of nine-year-old girls. Oh, wait.
> it can just drop it if people start playing games
If it can see that people started playing games. Years pass before this kind of traffic is detected as "suspicious":
POST /index.html?sessionid=alksdjffkdaslfjakldffa
<html><body>
And, as I said, banks Do Not Want you to MITM their https connections. They *will* start challenging client certificates if it comes to that, because they can't afford the risk otherwise.
HTTPS interception in Nokia's mobile browser Posted Jan 29, 2013 12:40 UTC (Tue) by nim-nim (subscriber, #34454) [Link]
>> No amount of posturing will change the fact that the one who owns the
>> gateways has ultimate power on the traffic they carry
> YES! Tell this to the RIAA so they can go bully AT&T, Comcast, &c. instead
Actually, this is another reason why proxy interception exists on the workplace, as some users are too dumb not to engage in law-breaking activities there. That does not make company lawyers laugh a little bit.
>> it can just drop it if people start playing games
People will only invest in specific filtering rules is they are worth the bother. Your example is not widespread, therefore it is not worth detecting so far.
> And, as I said, banks Do Not Want you to MITM their https connections.
And as I wrote before, such claims are worthless without any hard data to back them up. Show us a single case involving banks and proxies and we can talk.
HTTPS interception in Nokia's mobile browser Posted Jan 29, 2013 13:24 UTC (Tue) by khim (subscriber, #9252) [Link] Show us a single case involving banks and proxies and we can talk. A few banks I've worked with never supported HTTPS as a means to secure transactions - exactly because they can be hijacked so easily. They either offered their own programs or separate devices to sign the transactions. What's surprising is that these Internet-disconnected devices are making a comeback: I know they were receinly reintroduced at least in Raiffeisen. Does it look like endorcement of MITM-in-https to you?
HTTPS interception in Nokia's mobile browser Posted Jan 28, 2013 21:19 UTC (Mon) by raven667 (subscriber, #5198) [Link]
>> 1. (users having confidential information the org does not want to leak)
>> computers with access to such information should not be internet- >> connected; keep on reading... >You're living in lala-land
Separating out your sensitive data processing from your general internet access is a highly sensible precaution when you don't want your sensitive data to be exfiltrated The fact that many organizations allow email and web on their sensitive machines is what makes spear phishing so easy (see RSA). Sensitive information is much easier to protect if its kept in a controlled environment and you use remote desktop technology to access it.
The only way you could say this is lala-land is just to point out that most organizations take nearly zero precautions for protecting their data and then just stand around looking sad when something bad happens.
HTTPS interception in Nokia's mobile browser Posted Jan 25, 2013 12:27 UTC (Fri) by osma (subscriber, #6912) [Link] The proxy is used to speed up mobile browsing by using compression. It is similar to what is done by the Opera Mini browser, which Pandya also noted in his first report. But, Nokia was also using the proxy for HTTPS traffic, which meant that it was decrypting the incoming stream at the proxy and re-encrypting it, using the real destination's key, before sending it onward. This gives the impression that Opera Mini would not have done the same trick with decryption, compression and reencryption in its proxy server. But it does, mainly because the Opera Mini client is not a full web browser at all and doesn't work without the proxy part. The only difference is that Opera has been a little bit more open about what it's doing, and the reasons for that. Technically both browsers did the same thing, sacrificing some security and privacy in the name of efficiency (less data to transfer over mobile networks, faster rendering on a resource-constrained device etc.).
|
|||||||||||||