User: Password:
|
|
Subscribe / Log in / New account

HTTPS interception in Nokia's mobile browser

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 18:01 UTC (Mon) by nim-nim (subscriber, #34454)
In reply to: HTTPS interception in Nokia's mobile browser by hummassa
Parent article: HTTPS interception in Nokia's mobile browser

I didn't wrote you could not manage certificates. I wrote that due to various pas mis-decisions, the proxy has to spoof https web sites certificates behind the user and the browser's backs to work, instead of having a clear proxy certificate chain they are aware of, and can choose to trust (or not, one could implement pretty complex trust policies in browser extensions if needed).

As for the "don't touch https connexions" that's an increasingly unrealistic request, given that:

1. entities *do* have confidential informations they don't trust their users not to leak (and with good reason, some will post anything on any public web site without thinking of the consequences, especially when they've reached an organisational level where they feel immune to IT policies)

2. big web sites have started to crypt everything, killing cache performances if you ignore https (and they profile you anyway, so don't be duped – https is not improving your privacy there, killing proxies is also a way to protect their data gathering from anonymising intermediaries. Direct user access is best, especially when the user is IT-illiterate)

3. all the junkware vendors have started tunnelling every kind of dubious traffic on port 443, since they've discovered that was way easier than answering their customers' questions when their customers' security teams discovers said junkware is trying to breach the firewall via a forbidden port. (see also, websockets)

4. I'm quite sure spammers and phishers will make good use of crypto to hide their tracks as soon as there are enough https nodes to exploit

In other words, "don't touch https" means giving up on any firewall-like defence perimeter, trusting users will behave when they have no IT security culture, trusting no software installed on your system is going to leak data or even backdoor you via network accesses masquerading as https, trusting no web site you access is going to grossly abuse bandwidth and latency by serving badly-optimised content, etc

Does this level of trust seem compatible with the world we live in?


(Log in to post comments)

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 19:06 UTC (Mon) by hummassa (subscriber, #307) [Link]

1. (users having confidential information the org does not want to leak) computers with access to such information should not be internet-connected; keep on reading...

2. yes, caching proxies are pretty much dead.

3. blocking ports does not work; one can always put one tunnel inside another (some years ago, a coworker had a simple http-80-GET/POST tunnel installed connecting his machine to his home machine, and from there, he was free). And THAT is why I said in #1 above that computers with confidential information should not be internet-connected.

4. I didn't understand what you meant with this; what can phishers and spammers do with https that they can't do with http? And MITM proxies just HELP phishers and spammers because your browser cannot veto the original certificate and more: you introdute a SPOF because if one pwns the proxy, you have the entire organization open to phishing and spoofing addresses (*).

> In other words, "don't touch https" means giving up on any firewall-like defence perimeter, trusting users will behave when they have no IT security culture, trusting no software installed on your system is going to leak data or even backdoor you via network accesses masquerading as https, trusting no web site you access is going to grossly abuse bandwidth and latency by serving badly-optimised content, etc

Repeating: firewall-like defence perimeter via proxy does not work, introduces a SPOF and your confidential data is never safe if it is in an internet-connected computer. You open yourself and your organization to millions of dollars in liability by MITMing https because you can be inadvertently opening a backdoor to secure, money-transacting websites.

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 19:24 UTC (Mon) by nim-nim (subscriber, #34454) [Link]

> 1. (users having confidential information the org does not want to leak)
> computers with access to such information should not be internet-
> connected; keep on reading...

You're living in lala-land

> 2. yes, caching proxies are pretty much dead.

ROTFL. The biggest thing that happened Internet-side those past years are smartphones, and if you think ISPs let them connect to the Internet without proxyfication, you're naïve

> 3. blocking ports does not work; one can always put one tunnel inside
> another (some years ago, a coworker had a simple http-80-GET/POST tunnel
> installed connecting his machine to his home machine, and from there, he
> was free). And THAT is why I said in #1 above that computers with
> confidential information should not be internet-connected.

It worked well-enough for years. Perfect security does not exist. This is no reason to give up on security (and if not: live by your ideals and post you CC number and passcode everywhere since CC processor security is not perfect)

> 4. I didn't understand what you meant with this; what can phishers and
> spammers do with https that they can't do with http?

Once a crypto tunnel is established there is no reason to rely on urls to transmit information. Most spam/phishing detection software relies heavily on url patterns to catch it

> you introdute a SPOF because if one pwns the proxy, you have the entire
> organization open to phishing and spoofing addresses (*).

Why do you assume proxy operators can not operate compute farms like everyone else?

Besides: mail already works hop-to-hop. I don't see the defenders of https purity complain smtps and imaps are unsecure

> You open yourself and your organization to millions of dollars in
> liability by MITMing https because you can be inadvertently opening a
> backdoor to secure, money-transacting websites.

Straw-man argument. Find us a single case when that happened. Leaks by naïve users, or infection via network accesses, OTOH, are to common to be even reported anymore.

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 19:33 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

> ROTFL. The biggest thing that happened Internet-side those past years are smartphones, and if you think ISPs let them connect to the Internet without proxyfication
Actually, they do. TCP/HTTP proxies used to be all the rage about 5 years ago, but now almost nobody uses them. And I worked as a network engineer in a telecom company (a while ago). Proxying breaks too much stuff for too little benefit and besides the limit right now is the air interface, not the backbone networks.

> Besides: mail already works hop-to-hop. I don't see the defenders of https purity complain smtps and imaps are unsecure
Transparently doing smtps proxying would be.

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 20:20 UTC (Mon) by nim-nim (subscriber, #34454) [Link]

> Actually, they do. TCP/HTTP proxies used to be all the rage about 5 years
> ago, but now almost nobody uses them. And I worked as a network engineer
> in a telecom company (a while ago). Proxying breaks too much stuff for
> too little benefit and besides the limit right now is the air interface, > not the backbone networks.

The air interface also benefits from more compact traffic (see why Nokia or Opera set up their system, see why Google is working on SPDY now)> Besides: mail already works hop-to-hop.

>> I don't see the defenders of https purity complain smtps and imaps are
>> unsecure
> Transparently doing smtps proxying would be.

No one legitimate would do https proxying transparently if there was another choice. People condemning transparent https proxying also refuse to give another choice (because that would be 'unsecure') even while the other choice works everyday with smtps (an smtp relay is just a mail proxy under another name)

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 21:54 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

>The air interface also benefits from more compact traffic (see why Nokia or Opera set up their system, see why Google is working on SPDY now)
Yup, and provider-level proxying doesn't do a squat in these cases.

>Besides: mail already works hop-to-hop.
And interhop transport is definitely not proxied.

>No one legitimate would do https proxying transparently if there was another choice.
There is another choice - secure your damn endpoints and stop pretending that an edge-level firewall can protect against anything more trivial than an employee browsing Facebook.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 9:41 UTC (Tue) by nim-nim (subscriber, #34454) [Link]

>> The air interface also benefits from more compact traffic (see why Nokia
>> or Opera set up their system, see why Google is working on SPDY now)
> Yup, and provider-level proxying doesn't do a squat in these cases.

Please explain why. Because there is zip technical differences between

website (badly optimized traffic)→ Akamai → smartphone and
website (badly optimized traffic)→ proxy → smartphone

> There is another choice - secure your damn endpoints

Anyone who pretends he is able to secure thousands of endpoints (especially end-user endpoints where the user will actively work against any securing to get the latest shiny stuff) is a damn liar. The best you can do is to try to secure them, and that includes securing their network accesses too (which is infinitely easier as there are less nodes to take care of, they don't have en-users connecting locally)

>> Besides: mail already works hop-to-hop.
> And interhop transport is definitely not proxied.

Do you realise how meaningless your sentence is? You can't have an intermediary without another hop

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 17:21 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

>Please explain why. Because there is zip technical differences between
Then perhaps you should study networking? Nokia's browser (and Opera Mini) decompress traffic using specifically modified client. They do NOT need (or want) proxies on the provider level.

> Anyone who pretends he is able to secure thousands of endpoints (especially end-user endpoints where the user will actively work against any securing to get the latest shiny stuff) is a damn liar.
And anyone who presents an edge firewall as something except a window dressing is a fraudster.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 18:42 UTC (Tue) by nim-nim (subscriber, #34454) [Link]

The 'specially modified client' just plugs into a proxy that compresses the traffic before hitting the air interface. As do all the spdy-capable proxies which are starting to hit the market. So what is your point exacly?

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 22:44 UTC (Mon) by anselm (subscriber, #2796) [Link]

People condemning transparent https proxying also refuse to give another choice (because that would be 'unsecure') even while the other choice works everyday with smtps (an smtp relay is just a mail proxy under another name)

If you want mail that is end-to-end secure you need something along the lines of PGP or S/MIME, which happens in the MUA and amounts to HTTPS. The hop-by-hop »proxying« that SMTP servers do does nothing for message security because, even with SMTP-over-TLS (SMTPS is no longer a thing), while the traffic between the various servers may be encrypted the messages are processed and queued on the servers themselves in clear text.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 9:48 UTC (Tue) by nim-nim (subscriber, #34454) [Link]

The point is, there is zero technical reason https could not follow the same security model as e-mail. That would make proxy MITM-ing un-necessary.

You send your traffic to the relay, it can inspect and modify it, if the relay operator wants to inspect it and you send a crypted message, it can refuse to carry it, the rest is negociation between the operator and you, no need for SSL breaking like on HTTPS.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 13:16 UTC (Tue) by khim (subscriber, #9252) [Link]

The point is, there is zero technical reason https could not follow the same security model as e-mail.

Sure. That's why it works in exactly the same way: HTTPS does not care about intermediate steps. But if text is not signed by a correct key then it refuses to work. The same way as PGP and S/MIME always worked.

The only difference is that mail is send-and-forget thus it's harder to enforce S/MIME and/or PGP (if you refuse to read unencrypted mail then you often lose the important info). But still a lot of confidential docs where I work are sent encrypted so what's the difference between mail and HTTPS?

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 13:43 UTC (Tue) by nim-nim (subscriber, #34454) [Link]

It does not work exactly the same way.

With mail you can say 'you are on a restricted network, use smtp server foo as relay, everything else will be blocked' (and then the user can choose to use the relay or not, and the relay can choose to relay or not depending on its settings)

With http you have to MITM to get the same result.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 13:49 UTC (Tue) by khim (subscriber, #9252) [Link]

With http you have to MITM to get the same result.

If you don't want to open encrypted message then simple routing rule will be enough and there are proxy autodiscovery mechanisms, if you do want to open encrypted message then you must somehow convince me to replace key in my PGP or S/MIME client - the same as with HTTPS.

So I can not see the difference. Well, except for one: you need to specify relay for the mail, while proxy can be autodiscovered. I don't think it such a big difference.

HTTPS interception in Nokia's mobile browser

Posted Feb 7, 2013 19:44 UTC (Thu) by Jandar (subscriber, #85683) [Link]

> The air interface also benefits from more compact traffic (see why Nokia or Opera set up their system, see why Google is working on SPDY now)> Besides: mail already works hop-to-hop.

Altering any data without consent is a criminal act in my country.

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 19:59 UTC (Mon) by hummassa (subscriber, #307) [Link]

> You're living in lala-land

You are telling me that computers with access to Confidential data can be internet-connected and *I* am living in lala-land. Ok.

You actually have some good arguments in your post. This is not one of them. :-D

> Once a crypto tunnel is established there is no reason to rely on urls to transmit information. Most spam/phishing detection software relies heavily on url patterns to catch it

I still can not parse this. Care to explain?

> ROTFL. The biggest thing that happened Internet-side those past years are smartphones, and if you think ISPs let them connect to the Internet without proxyfication, you're naïve

http proxyfication? maybe. even so, so many in the web is dynamic content those days, I don't think the benefit is as big as you suppose. https proxyfication? I highly doubt it. Just for the kick of it, I will download and check my smartphone's certificates, and get back to you.

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 20:26 UTC (Mon) by nim-nim (subscriber, #34454) [Link]

>> You're living in lala-land

>You are telling me that computers with access to Confidential data can be >internet-connected and *I* am living in lala-land. Ok.

>You actually have some good arguments in your post. This is not one of >them. :-D

You continue to be dense. Do you really think people in corporate admin have no access to confidential data? Do you really expect them to work without Internet access? When a lot of them are supposed to interact with the external environment? (and that's just one example)

>> Once a crypto tunnel is established there is no reason to rely on urls >> to transmit information. Most spam/phishing detection software relies >> heavily on url patterns to catch it

> I still can not parse this. Care to explain?

After the https handshake there is no obligation to use http at all inside the tunnel

> http proxyfication? maybe. even so, so many in the web is dynamic
> content those days, I don't think the benefit is as big as you suppose.
> https proxyfication? I highly doubt it. Just for the kick of it, I will
> download and check my smartphone's certificates, and get back to you.

media files still weight more than text. Even if your isp is not proxyfying https, that does not mean it's not proxyfing http, and when web sites switch from http to https proxies switch too

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 21:38 UTC (Mon) by dlang (subscriber, #313) [Link]

>>> Once a crypto tunnel is established there is no reason to rely on urls to transmit information. Most spam/phishing detection software relies heavily on url patterns to catch it

>> I still can not parse this. Care to explain?

> After the https handshake there is no obligation to use http at all inside the tunnel

It's worse than that, almost no firewalls even force you to do the https handshake, they just allow anything that's on port 443 through, so you can use any protocol at all.

There are a handful of good firewalls (sidewinder being one) and IDS systems that will still watch port 443 traffic and alert you if they see something that doesn't look like https on that port, but if you go that far, you really do need to go further and have a full https mitm proxy/filter

As for the thought that you don't have confidential information on a Internet connected device, do you really think that executives who have all sorts of confidential information on their systems (including a ton of stuff in their e-mail about financial data of the company, plans for the future, etc) are not going to be connected to the Internet at some point?

There are places for isolated networks, but corporate desktops are not one of them.

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 21:48 UTC (Mon) by raven667 (subscriber, #5198) [Link]

In practice people don't bother to take precautions to protect sensitive data, that doesn't mean its not a good idea or possible, also there is an implicit assumption of risk that is being taken when executives run around with sensitive data on their laptops that they then lose. I suppose it depends on their assumption of risk and how radioactive/poisonous the data they handle is, between some stock speculator getting an earnings report a day early or a HIPPA violation and public disclosure.

HTTPS interception in Nokia's mobile browser

Posted Feb 1, 2013 11:28 UTC (Fri) by basdebakker (guest, #60977) [Link]

Executives with desktops? Are you serious?

Our company has web filters, including HTTPS proxies that do a MITM with a certificate that they install in your browser.

Then our executives take their laptops and connect them to their home network, the airport network, etc. So do I.

HTTPS interception in Nokia's mobile browser

Posted Feb 1, 2013 11:39 UTC (Fri) by hummassa (subscriber, #307) [Link]

> Then our executives take their laptops and connect them to their home network, the airport network, etc. So do I.

Meaning a two-bit hacker can compromise any data in those laptops at any time he wants, and all the proxying/MITMing infrastructure is just security theatre...

HTTPS interception in Nokia's mobile browser

Posted Feb 1, 2013 14:33 UTC (Fri) by anselm (subscriber, #2796) [Link]

Meaning a two-bit hacker can compromise any data in those laptops at any time he wants, and all the proxying/MITMing infrastructure is just security theatre...

Not if all the internet access from those machines goes through a VPN back to the company (and the proxying/MITM infrastructure) even if they are in the home or airport network.

HTTPS interception in Nokia's mobile browser

Posted Feb 1, 2013 21:08 UTC (Fri) by khim (subscriber, #9252) [Link]

Of course it does not do that! VPNs are often incompatible with weird airport/hotel setups. Sometimes "Internet access" means just "http proxy access" and if stuff does not work in this setting executives become quite angry.

HTTPS interception in Nokia's mobile browser

Posted Feb 1, 2013 21:53 UTC (Fri) by anselm (subscriber, #2796) [Link]

VPNs are often incompatible with weird airport/hotel setups.

Whatever. I travel rather a lot and have yet to find an airport/hotel setup that couldn't be made to work with our VPN. Running OpenVPN on TCP port 443 with the client in http-proxy mode helps. If all else fails then at least in-country there is always 3G which supports OpenVPN just fine, thank you very much.

HTTPS interception in Nokia's mobile browser

Posted Feb 2, 2013 13:38 UTC (Sat) by hummassa (subscriber, #307) [Link]

Once you connected to the airport network (usually unencrypted, at least for the handshakes), what makes you think he hacker fifty feet behind you can't see your Facebook cookies, poison one of your apps, or do something that makes him access the juicy bits on your local email folders? And if you think 1% of the executives is careful enough or knowledgeable enough to avoid those kinds of traps, even in post-SabOx world, I do have a bridge or two to sell you. Espionage is simple these days; if your data isn't locked, it is not just yours.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 0:56 UTC (Tue) by hummassa (subscriber, #307) [Link]

> You continue to be dense. Do you really think people in corporate admin have no access to confidential data? Do you really expect them to work without Internet access? When a lot of them are supposed to interact with the external environment? (and that's just one example)

From a security standpoint if your data is really sensitive, you put it on a computer without internet access, in a very isolated, preferably physically isolated, network. If you need internet access to work, you do that from another computer on the side.

If your data is mildly sensitive, you can have "logical" "firewall" protections around it. But if you get cracked (and those guys get cracked all the time...) you can only look sad.

> After the https handshake there is no obligation to use http at all inside the tunnel

after http header there is no obligation, too.

In any case, the Internet routes around the damage, and this means that MITM can be easily detected via client certificates: before logon, server issues a challenge, proxy cannot sign the challenge with valid client certificate, access denied. If MITMing https proxies start becoming the norm, they will be routed around.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 9:58 UTC (Tue) by nim-nim (subscriber, #34454) [Link]

> In any case, the Internet routes around the damage,

On a corporate (or school, or prison, or whatever) network you are not connected to the Internet, you are connected to a private network. All the Internet interconnections are controlled by the network operator. No amount of posturing will change the fact that the one who owns the gateways has ultimate power on the traffic they carry (it can just drop it if people start playing games).

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 11:22 UTC (Tue) by hummassa (subscriber, #307) [Link]

> No amount of posturing will change the fact that the one who owns the gateways has ultimate power on the traffic they carry

YES! Tell this to the RIAA so they can go bully AT&T, Comcast, &c. instead of nine-year-old girls. Oh, wait.

> it can just drop it if people start playing games

If it can see that people started playing games. Years pass before this kind of traffic is detected as "suspicious":

POST /index.html?sessionid=alksdjffkdaslfjakldffa
size=x&contents=yyyyyy

<html><body>
<[[CDATA[>packet contents for the reply<]]]>
</body></html>

And, as I said, banks Do Not Want you to MITM their https connections. They *will* start challenging client certificates if it comes to that, because they can't afford the risk otherwise.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 12:40 UTC (Tue) by nim-nim (subscriber, #34454) [Link]

>> No amount of posturing will change the fact that the one who owns the
>> gateways has ultimate power on the traffic they carry

> YES! Tell this to the RIAA so they can go bully AT&T, Comcast, &c. instead
> of nine-year-old girls. Oh, wait

Actually, this is another reason why proxy interception exists on the workplace, as some users are too dumb not to engage in law-breaking activities there. That does not make company lawyers laugh a little bit.

>> it can just drop it if people start playing games
> If it can see that people started playing games.

People will only invest in specific filtering rules is they are worth the bother. Your example is not widespread, therefore it is not worth detecting so far.

> And, as I said, banks Do Not Want you to MITM their https connections.

And as I wrote before, such claims are worthless without any hard data to back them up. Show us a single case involving banks and proxies and we can talk.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 13:24 UTC (Tue) by khim (subscriber, #9252) [Link]

Show us a single case involving banks and proxies and we can talk.

A few banks I've worked with never supported HTTPS as a means to secure transactions - exactly because they can be hijacked so easily. They either offered their own programs or separate devices to sign the transactions. What's surprising is that these Internet-disconnected devices are making a comeback: I know they were receinly reintroduced at least in Raiffeisen.

Does it look like endorcement of MITM-in-https to you?

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 21:19 UTC (Mon) by raven667 (subscriber, #5198) [Link]

>> 1. (users having confidential information the org does not want to leak)
>> computers with access to such information should not be internet-
>> connected; keep on reading...
>You're living in lala-land

Separating out your sensitive data processing from your general internet access is a highly sensible precaution when you don't want your sensitive data to be exfiltrated The fact that many organizations allow email and web on their sensitive machines is what makes spear phishing so easy (see RSA). Sensitive information is much easier to protect if its kept in a controlled environment and you use remote desktop technology to access it.

The only way you could say this is lala-land is just to point out that most organizations take nearly zero precautions for protecting their data and then just stand around looking sad when something bad happens.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds