
HTTPS interception in Nokia's mobile browser

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 0:56 UTC (Tue) by hummassa (subscriber, #307)
In reply to: HTTPS interception in Nokia's mobile browser by nim-nim
Parent article: HTTPS interception in Nokia's mobile browser

> You continue to be dense. Do you really think people in corporate admin have no access to confidential data? Do you really expect them to work without Internet access? When a lot of them are supposed to interact with the external environment? (and that's just one example)

From a security standpoint if your data is really sensitive, you put it on a computer without internet access, in a very isolated, preferably physically isolated, network. If you need internet access to work, you do that from another computer on the side.

If your data is mildly sensitive, you can have "logical" "firewall" protections around it. But if you get cracked (and those guys get cracked all the time...) you can only look sad.

> After the https handshake there is no obligation to use http at all inside the tunnel

After the http header there is no obligation, too.

In any case, the Internet routes around the damage, and this means that MITM can be easily detected via client certificates: before logon, server issues a challenge, proxy cannot sign the challenge with valid client certificate, access denied. If MITMing https proxies start becoming the norm, they will be routed around.
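The challenge/response the comment above sketches, as an added illustration that is not part of the original thread (the server, user name and key handling are constructed for the example): the server keeps the public key from each enrolled client certificate, issues a fresh nonce at logon, and accepts only a signature over that nonce. An intercepting proxy that re-terminates TLS has its own key, not the client's, so its answer fails verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server holds the public keys of enrolled client certificates, indexed by
// user (constructed for the example: a real server would keep the whole
// certificate chain and check it against its CA).
type Server struct {
	enrolled map[string]*ecdsa.PublicKey
}

func NewServer() *Server {
	return &Server{enrolled: make(map[string]*ecdsa.PublicKey)}
}

// Enroll records the client's public key at account setup time.
func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.enrolled[user] = pub }

// Challenge issues a fresh 32-byte nonce, one per logon attempt, so a
// captured signature cannot be replayed later.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify accepts only an ECDSA signature over SHA-256(nonce) that checks
// out under the key enrolled for user.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s.enrolled[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Sign answers a challenge; only the holder of priv can produce this.
func Sign(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Simulate enrols one client, then answers the same challenge twice: once
// with the enrolled client key and once with a key an intercepting proxy
// generated for itself. It returns (clientAccepted, proxyAccepted, err).
func Simulate() (bool, bool, error) {
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	proxyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	srv := NewServer()
	srv.Enroll("alice", &clientKey.PublicKey)

	nonce, err := srv.Challenge()
	if err != nil {
		return false, false, err
	}
	clientSig, err := Sign(clientKey, nonce)
	if err != nil {
		return false, false, err
	}
	proxySig, err := Sign(proxyKey, nonce) // the proxy has no copy of clientKey
	if err != nil {
		return false, false, err
	}
	return srv.Verify("alice", nonce, clientSig), srv.Verify("alice", nonce, proxySig), nil
}

func main() {
	ok, bad, err := Simulate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("enrolled client accepted: %v\nintercepting proxy accepted: %v\n", ok, bad)
}
```

In real TLS client authentication the same idea is built into the handshake: the client's CertificateVerify signature covers the handshake transcript, so a proxy that has replaced the server certificate cannot reuse the client's signature on its own, separate connection to the real server.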



HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 9:58 UTC (Tue) by nim-nim (subscriber, #34454)

> In any case, the Internet routes around the damage,

On a corporate (or school, or prison, or whatever) network you are not connected to the Internet, you are connected to a private network. All the Internet interconnections are controlled by the network operator. No amount of posturing will change the fact that the one who owns the gateways has ultimate power on the traffic they carry (it can just drop it if people start playing games).

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 11:22 UTC (Tue) by hummassa (subscriber, #307)

> No amount of posturing will change the fact that the one who owns the gateways has ultimate power on the traffic they carry

YES! Tell this to the RIAA so they can go bully AT&T, Comcast, &c. instead of nine-year-old girls. Oh, wait.

> it can just drop it if people start playing games

If it can see that people started playing games. Years pass before this kind of traffic is detected as "suspicious":

POST /index.html?sessionid=alksdjffkdaslfjakldffa
size=x&contents=yyyyyy

<html><body>
<[[CDATA[>packet contents for the reply<]]]>
</body></html>

And, as I said, banks Do Not Want you to MITM their https connections. They *will* start challenging client certificates if it comes to that, because they can't afford the risk otherwise.
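The traffic pattern shown in the comment above (repeated POSTs to a static page, with a query value that changes on every request) is detectable from ordinary proxy logs. The following is an added example, not code from the thread: a small rule-based detector over a constructed log format of the form "client method url bytes". It flags a client that POSTs to a static-looking resource at least minPosts times with a query string that never repeats. The log lines, hosts and thresholds are all constructed for the example.

```go
package main

import (
	"fmt"
	"path"
	"strconv"
	"strings"
)

// Request is one proxy log entry in the constructed format
// "client method url bytes".
type Request struct {
	Client string
	Method string
	Path   string
	Query  string
	Bytes  int
}

// ParseLine parses one log line; ok is false for malformed lines so the
// caller can skip them instead of aborting the run.
func ParseLine(line string) (Request, bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Request{}, false
	}
	n, err := strconv.Atoi(f[3])
	if err != nil {
		return Request{}, false
	}
	p, q := f[2], ""
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p, q = p[:i], p[i+1:]
	}
	return Request{Client: f[0], Method: f[1], Path: p, Query: q, Bytes: n}, true
}

// staticExt reports whether a path looks like a static resource, which is
// normally fetched with GET and has no reason to receive POSTs.
func staticExt(p string) bool {
	switch strings.ToLower(path.Ext(p)) {
	case ".html", ".htm", ".css", ".js", ".png", ".jpg", ".gif", ".ico":
		return true
	}
	return false
}

// Finding describes one (client, path) pair flagged by the rules.
type Finding struct {
	Client string
	Path   string
	Posts  int
	Reason string
}

// Detect applies two rules per (client, path): the request is a POST to a
// static-looking resource carrying a query string, and there are at least
// minPosts of them whose query value never repeats, i.e. the "session id"
// is really a per-request data channel.
func Detect(lines []string, minPosts int) []Finding {
	type key struct{ client, path string }
	posts := map[key]int{}
	queries := map[key]map[string]bool{}
	var order []key
	for _, ln := range lines {
		r, ok := ParseLine(ln)
		if !ok || r.Method != "POST" || !staticExt(r.Path) || r.Query == "" {
			continue
		}
		k := key{r.Client, r.Path}
		if _, seen := posts[k]; !seen {
			order = append(order, k)
			queries[k] = map[string]bool{}
		}
		posts[k]++
		queries[k][r.Query] = true
	}
	var out []Finding
	for _, k := range order {
		n := posts[k]
		if n >= minPosts && len(queries[k]) == n {
			out = append(out, Finding{k.client, k.path, n,
				"repeated POSTs with a never-repeating query to a static resource"})
		}
	}
	return out
}

// sampleLog is constructed for this example; it is not real proxy output.
var sampleLog = []string{
	"10.0.0.5 POST /index.html?sessionid=alksdjffkdaslfjakldffa 1400",
	"10.0.0.5 POST /index.html?sessionid=qpwoeirutyalskdjfhgzmx 1400",
	"10.0.0.5 POST /index.html?sessionid=mnbvcxzlkjhgfdsapoiuyt 1400",
	"10.0.0.5 POST /index.html?sessionid=zxcvbnmasdfghjklqwerty 1400",
	"10.0.0.5 POST /index.html?sessionid=plokijuhygtfrdeswaqzxc 1400",
	"10.0.0.7 GET /index.html 512",
	"10.0.0.7 POST /login?next=home 300",
	"10.0.0.7 POST /index.html?sessionid=abc123 200", // one POST is not enough on its own
	"garbage line",
}

func main() {
	for _, f := range Detect(sampleLog, 5) {
		fmt.Printf("%s -> %s: %d POSTs (%s)\n", f.Client, f.Path, f.Posts, f.Reason)
	}
}
```

The threshold is deliberately a parameter: a single rule like this produces false positives on badly written web applications, so in practice it is tuned per site and combined with the size regularity of the requests before anyone acts on it.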

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 12:40 UTC (Tue) by nim-nim (subscriber, #34454)

>> No amount of posturing will change the fact that the one who owns the
>> gateways has ultimate power on the traffic they carry

> YES! Tell this to the RIAA so they can go bully AT&T, Comcast, &c. instead
> of nine-year-old girls. Oh, wait

Actually, this is another reason why proxy interception exists in the workplace, as some users are too dumb not to engage in law-breaking activities there. That does not make company lawyers laugh a little bit.

>> it can just drop it if people start playing games
> If it can see that people started playing games.

People will only invest in specific filtering rules if they are worth the bother. Your example is not widespread, therefore it is not worth detecting so far.

> And, as I said, banks Do Not Want you to MITM their https connections.

And as I wrote before, such claims are worthless without any hard data to back them up. Show us a single case involving banks and proxies and we can talk.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 13:24 UTC (Tue) by khim (subscriber, #9252)

> Show us a single case involving banks and proxies and we can talk.

A few banks I've worked with never supported HTTPS as a means to secure transactions - exactly because they can be hijacked so easily. They either offered their own programs or separate devices to sign the transactions. What's surprising is that these Internet-disconnected devices are making a comeback: I know they were recently reintroduced at least in Raiffeisen.

Does it look like endorsement of MITM-in-https to you?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds