You are telling me that computers with access to Confidential data can be internet-connected and *I* am living in lala-land. Ok.
You actually have some good arguments in your post. This is not one of them. :-D
> Once a crypto tunnel is established there is no reason to rely on urls to transmit information. Most spam/phishing detection software relies heavily on url patterns to catch it
I still cannot parse this. Care to explain?
> ROTFL. The biggest thing that happened Internet-side those past years are smartphones, and if you think ISPs let them connect to the Internet without proxyfication, you're naïve
http proxyfication? maybe. even so, so much of the web is dynamic content these days, I don't think the benefit is as big as you suppose. https proxyfication? I highly doubt it. Just for the kick of it, I will download and check my smartphone's certificates, and get back to you.
Posted Jan 28, 2013 20:26 UTC (Mon) by nim-nim (subscriber, #34454)
>> You're living in lala-land
> You are telling me that computers with access to Confidential data can be internet-connected and *I* am living in lala-land. Ok.
> You actually have some good arguments in your post. This is not one of them. :-D
You continue to be dense. Do you really think people in corporate admin have no access to confidential data? Do you really expect them to work without Internet access? When a lot of them are supposed to interact with the external environment? (and that's just one example)
>> Once a crypto tunnel is established there is no reason to rely on urls to transmit information. Most spam/phishing detection software relies heavily on url patterns to catch it
> I still can not parse this. Care to explain?
After the https handshake there is no obligation to use http at all inside the tunnel
> http proxyfication? maybe. even so, so many in the web is dynamic
> content those days, I don't think the benefit is as big as you suppose.
> https proxyfication? I highly doubt it. Just for the kick of it, I will
> download and check my smartphone's certificates, and get back to you.
media files still weigh more than text. Even if your ISP is not proxyfying https, that does not mean it's not proxyfying http, and when web sites switch from http to https proxies switch too
HTTPS interception in Nokia's mobile browser
Posted Jan 28, 2013 21:38 UTC (Mon) by dlang (✭ supporter ✭, #313)
>>> Once a crypto tunnel is established there is no reason to rely on urls to transmit information. Most spam/phishing detection software relies heavily on url patterns to catch it
>> I still can not parse this. Care to explain?
> After the https handshake there is no obligation to use http at all inside the tunnel
It's worse than that, almost no firewalls even force you to do the https handshake, they just allow anything that's on port 443 through, so you can use any protocol at all.
There are a handful of good firewalls (sidewinder being one) and IDS systems that will still watch port 443 traffic and alert you if they see something that doesn't look like https on that port, but if you go that far, you really do need to go further and have a full https mitm proxy/filter
As for the thought that you don't have confidential information on an Internet connected device, do you really think that executives who have all sorts of confidential information on their systems (including a ton of stuff in their e-mail about financial data of the company, plans for the future, etc) are not going to be connected to the Internet at some point?
There are places for isolated networks, but corporate desktops are not one of them.
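As an added example (not from this thread or from any product named in it), here is the kind of first-packet check a protocol-aware firewall or IDS applies to port 443: classify the opening bytes as a TLS ClientHello, some other TLS record, or not TLS at all, and pull out the SNI host name that an interception proxy would key on. The ClientHello builder and the sample inputs are constructed here for the demonstration.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying an SNI extension (sample input)."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name      # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni                         # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                        # version, random, no session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                        # one cipher suite
            + b"\x01\x00"                                               # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                  # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs            # TLS record header

def classify_port443(data: bytes) -> str:
    """Return 'tls-clienthello', 'tls-other' or 'not-tls' for the first bytes of a stream."""
    if len(data) < 6:
        return "not-tls"
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    # A TLS record starts with content type 0x14..0x17, version 3.x and a sane length.
    if not (0x14 <= rec_type <= 0x17 and major == 3 and minor <= 3 and rec_len <= 0x4800):
        return "not-tls"              # plain HTTP, SSH or a custom protocol riding 443
    return "tls-clienthello" if rec_type == 0x16 and data[5] == 0x01 else "tls-other"

def client_hello_sni(data: bytes):
    """Extract the SNI host name from a ClientHello, or None if absent or malformed."""
    if classify_port443(data) != "tls-clienthello":
        return None
    try:
        p = 9 + 2 + 32                                  # record + handshake headers, version, random
        p += 1 + data[p]                                # session id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]  # cipher suites
        p += 1 + data[p]                                # compression methods
        ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:                         # walk the extension list
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            if etype == 0:                              # server_name: list len, type, name len, name
                nlen = struct.unpack("!H", data[p + 7:p + 9])[0]
                return data[p + 9:p + 9 + nlen].decode("ascii")
            p += 4 + elen
    except (struct.error, IndexError, UnicodeDecodeError):
        return None
    return None

if __name__ == "__main__":
    for sample in (build_client_hello("example.com"), b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"):
        print(classify_port443(sample), client_hello_sni(sample))
```

An alert on "not-tls" is the cheap check the comment describes; full content inspection still requires the MITM proxy it goes on to mention.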
HTTPS interception in Nokia's mobile browser
Posted Jan 28, 2013 21:48 UTC (Mon) by raven667 (subscriber, #5198)
In practice people don't bother to take precautions to protect sensitive data, that doesn't mean it's not a good idea or possible, also there is an implicit assumption of risk that is being taken when executives run around with sensitive data on their laptops that they then lose. I suppose it depends on their assumption of risk and how radioactive/poisonous the data they handle is, between some stock speculator getting an earnings report a day early or a HIPAA violation and public disclosure.
HTTPS interception in Nokia's mobile browser
Posted Feb 1, 2013 11:28 UTC (Fri) by basdebakker (guest, #60977)
Executives with desktops? Are you serious?
Our company has web filters, including HTTPS proxies that do a MITM with a certificate that they install in your browser.
Then our executives take their laptops and connect them to their home network, the airport network, etc. So do I.
HTTPS interception in Nokia's mobile browser
Posted Feb 1, 2013 11:39 UTC (Fri) by hummassa (subscriber, #307)
> Then our executives take their laptops and connect them to their home network, the airport network, etc. So do I.
Meaning a two-bit hacker can compromise any data in those laptops at any time he wants, and all the proxying/MITMing infrastructure is just security theatre...
HTTPS interception in Nokia's mobile browser
Posted Feb 1, 2013 14:33 UTC (Fri) by anselm (subscriber, #2796)
> Meaning a two-bit hacker can compromise any data in those laptops at any time he wants, and all the proxying/MITMing infrastructure is just security theatre...
Not if all the internet access from those machines goes through a VPN back to the company (and the proxying/MITM infrastructure) even if they are in the home or airport network.
HTTPS interception in Nokia's mobile browser
Posted Feb 1, 2013 21:08 UTC (Fri) by khim (subscriber, #9252)
Of course it does not do that! VPNs are often incompatible with weird airport/hotel setups. Sometimes "Internet access" means just "http proxy access" and if stuff does not work in this setting executives become quite angry.
HTTPS interception in Nokia's mobile browser
Posted Feb 1, 2013 21:53 UTC (Fri) by anselm (subscriber, #2796)
> VPNs are often incompatible with weird airport/hotel setups.
Whatever. I travel rather a lot and have yet to find an airport/hotel setup that couldn't be made to work with our VPN. Running OpenVPN on TCP port 443 with the client in http-proxy mode helps. If all else fails then at least in-country there is always 3G which supports OpenVPN just fine, thank you very much.
HTTPS interception in Nokia's mobile browser
Posted Feb 2, 2013 13:38 UTC (Sat) by hummassa (subscriber, #307)
Once you connected to the airport network (usually unencrypted, at least for the handshakes), what makes you think the hacker fifty feet behind you can't see your Facebook cookies, poison one of your apps, or do something that makes him access the juicy bits on your local email folders? And if you think 1% of the executives are careful enough or knowledgeable enough to avoid those kinds of traps, even in a post-Sarbanes-Oxley world, I do have a bridge or two to sell you. Espionage is simple these days; if your data isn't locked, it is not just yours.
HTTPS interception in Nokia's mobile browser
Posted Jan 29, 2013 0:56 UTC (Tue) by hummassa (subscriber, #307)
> You continue to be dense. Do you really think people in corporate admin have no access to confidential data? Do you really expect them to work without Internet access? When a lot of them are supposed to interact with the external environment? (and that's just one example)
From a security standpoint if your data is really sensitive, you put it on a computer without internet access, in a very isolated, preferably physically isolated, network. If you need internet access to work, you do that from another computer on the side.
If your data is mildly sensitive, you can have "logical" "firewall" protections around it. But if you get cracked (and those guys get cracked all the time...) you can only look sad.
> After the https handshake there is no obligation to use http at all inside the tunnel
After the HTTP header there is no obligation, either.
In any case, the Internet routes around the damage, and this means that MITM can be easily detected via client certificates: before logon, server issues a challenge, proxy cannot sign the challenge with valid client certificate, access denied. If MITMing https proxies start becoming the norm, they will be routed around.
HTTPS interception in Nokia's mobile browser
Posted Jan 29, 2013 9:58 UTC (Tue) by nim-nim (subscriber, #34454)
> In any case, the Internet routes around the damage,
On a corporate (or school, or prison, or whatever) network you are not connected to the Internet, you are connected to a private network. All the Internet interconnections are controlled by the network operator. No amount of posturing will change the fact that the one who owns the gateways has ultimate power on the traffic they carry (it can just drop it if people start playing games).
HTTPS interception in Nokia's mobile browser
Posted Jan 29, 2013 11:22 UTC (Tue) by hummassa (subscriber, #307)
> No amount of posturing will change the fact that the one who owns the gateways has ultimate power on the traffic they carry
YES! Tell this to the RIAA so they can go bully AT&T, Comcast, &c. instead of nine-year-old girls. Oh, wait.
> it can just drop it if people start playing games
If it can see that people started playing games. Years pass before this kind of traffic is detected as "suspicious":
POST /index.html?sessionid=alksdjffkdaslfjakldffa
size=x&contents=yyyyyy
<html><body>
<[[CDATA[>packet contents for the reply<]]]>
</body></html>
And, as I said, banks Do Not Want you to MITM their https connections. They *will* start challenging client certificates if it comes to that, because they can't afford the risk otherwise.
HTTPS interception in Nokia's mobile browser
Posted Jan 29, 2013 12:40 UTC (Tue) by nim-nim (subscriber, #34454)
>> No amount of posturing will change the fact that the one who owns the
>> gateways has ultimate power on the traffic they carry
> YES! Tell this to the RIAA so they can go bully AT&T, Comcast, &c. instead
> of nine-year-old girls. Oh, wait
Actually, this is another reason why proxy interception exists on the workplace, as some users are too dumb not to engage in law-breaking activities there. That does not make company lawyers laugh a little bit.
>> it can just drop it if people start playing games
> If it can see that people started playing games.
People will only invest in specific filtering rules if they are worth the bother. Your example is not widespread, therefore it is not worth detecting so far.
> And, as I said, banks Do Not Want you to MITM their https connections.
And as I wrote before, such claims are worthless without any hard data to back them up. Show us a single case involving banks and proxies and we can talk.
HTTPS interception in Nokia's mobile browser
Posted Jan 29, 2013 13:24 UTC (Tue) by khim (subscriber, #9252)
> Show us a single case involving banks and proxies and we can talk.
A few banks I've worked with never supported HTTPS as a means to secure transactions - exactly because they can be hijacked so easily. They either offered their own programs or separate devices to sign the transactions. What's surprising is that these Internet-disconnected devices are making a comeback: I know they were recently reintroduced at least in Raiffeisen.
Does it look like an endorsement of MITM-in-https to you?