[kwlug-disc] "In the new Canada, the web browses you"

unsolicited unsolicited at swiz.ca
Sat Aug 13 16:30:39 EDT 2011



Chris Irwin wrote, On 08/13/2011 2:31 PM:
> On Fri, Aug 12, 2011 at 06:30:27PM -0400, unsolicited wrote:
>> Mind you ... you're right ... with ssl (https) ... isn't listening
>> in at the ISP all but pointless?
> 
> Not really. Most of the difficulty of executing a man-in-the-middle
> attack is getting in the middle, a non-issue for your ISP.

OK, fair enough, I wasn't considering MITM, but I saw nothing in the 
articles discussing that. OTOH, I do wonder if we haven't just stepped 
into a form of digital lock breaking, which then becomes state 
sponsorship of it. Truth stranger than fiction, again.

> There was a presentation at BlackHat 2009 using a MITM attack to rewrite
> "https://..." urls to "http://..." urls, ...

I remember that discussion coming up in the (our) lug.

> Even if you trusted every certificate vendor in your browser (or 
> removed those you don't), can you trust their infrastructure?
> 
>     CA hacked to provide fraudulent certificates.
>     https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https

OK, but, for the purposes of this thread, we largely don't care.

Largely, we only care that the traffic of this conversation not be 
sniffable by the ISP. Getting into the, are we really on the site it 
says it is, is a whole 'nuther thread.

And ... how many of us have turned off the browser warnings about 
mixed un/encrypted pages? So, again, we're not paying as much 
attention as we probably should that the site really is the site, and 
the signer itself is trustable. Score another for marketing and 
VeriSign, I suppose. (I wonder how much budget they put towards just 
maintaining their credibility, proper use of logos on sites, etc.)


>> Thinking of the English riots, talk of BlackBerry sniffing whatever
>> ... just having a sense of the preponderance of data going
>> somewhere, like a facebook site, and the ability to get to that site
>> directly oneself, seems sufficient. No need to crack the data
>> itself, just, where it's going. And if you see bad stuff (facebook),
>> then you're listening for what's headed that way.
> 
> Anybody remember when Blackberry told (I believe) India and UAE that it
> was absolutely impossible to allow snooping on blackberry traffic, and 
> there was a possible risk of blackberries being blacklisted in the 
> country due to that? Now they are willing to co-operate fully. Hmm.

Right, but my expectation was that RIM would open up the ability to 
plain text see the traffic at the BES point. In very specific 
circumstances. Is that how it went down?

Given the Google / China experience, I don't expect RIM had much 
choice, shareholder wise.

I will wonder, however, if that episode will lead to the eventual 
demise of the BB. In essence, they showed their security is not 
absolute in all cases, and with SSL end to end on PDAs (I presume) 
showing that alternate security strategies take you to the same place, 
the BB competitive advantage isn't as strong as it was - making 
i<thing> / Android viable choices even on the security front.

Anyways, the debate point here, for England / riots is ... slippery slope.


