[kwlug-disc] "In the new Canada, the web browses you"

Bob Jonkman bjonkman at sobac.com
Sun Aug 14 02:12:00 EDT 2011


> Largely, we only care that the traffic of this conversation not be 
> sniffable by the ISP. Getting into the, are we really on the site it 
> says it is, is a whole 'nuther thread. 

OK, but if we can't verify that we're really on the site it says it is, 
how do we know we're not secretly on the ISP's site, who's now sniffing 
all our traffic?

--Bob.

On Sat 13 Aug 2011 04:30:39 PM EDT  unsolicited wrote:
>
>
> Chris Irwin wrote, On 08/13/2011 2:31 PM:
>> On Fri, Aug 12, 2011 at 06:30:27PM -0400, unsolicited wrote:
>>> Mind you ... you're right ... with ssl (https) ... isn't listening
>>> in at the ISP all but pointless?
>>
>> Not really. Most of the difficulty of executing a man-in-the-middle
>> attack is getting in the middle, a non-issue for your ISP.
>
> OK, fair enough, I wasn't considering MITM, but I saw nothing in the 
> articles discussing that. OTOH, I do wonder if we haven't just stepped 
> into a form of digital lock breaking, which then becomes state 
> sponsorship of it. Truth stranger than fiction, again.
>
>> There was a presentation a BlackHat 2009 using a MITM attack to rewrite
>> 'https://..." urls to "http://..." urls, ...
>
> I remember that discussion coming up in the (our) lug.
>
>> Even if you trusted every certificate vendor in your browser (or 
>> removed those you don't), can you trust their infrastructure?
>>
>>     CA hacked to provide fraudulent certificates.
>>     
>> https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https
>
> OK, but, for the purposes of this thread, we largely don't care.
>
> Largely, we only care that the traffic of this conversation not be 
> sniffable by the ISP. Getting into the, are we really on the site it 
> says it is, is a whole 'nuther thread.
>
> And ... how many of us have turned off the browser warnings about 
> mixed un/encrypted pages. So, again, we're not paying as much 
> attention as we probably should that the site really is the site, and 
> the signer itself is trustable. Score another for marketing and 
> VeriSign, I suppose. (I wonder how much budget they put towards just 
> maintaining their credibility, proper use of logos on sites, etc.)
>
>
>>> Thinking of the English riots, talk of BlackBerry sniffing whatever
>>> ... just having a sense of the preponderance of data going
>>> somewhere, like a facebook site, and the ability to get to that site
>>> directly oneself, seems sufficient. No need to crack the data
>>> itself, just, where it's going. And if you see bad stuff (facebook),
>>> then you're listening for what's headed that way.
>>
>> Anybody remember when Blackberry told (I believe) India and UAE that it
>> was absolutely impossible to allow snooping on blackberry traffic, 
>> and there was a possible risk of blackberries being blacklisted in 
>> the country due to that? Now they are willing to co-operate fully. Hmm.
>
> Right, but my expectation was that RIM would open up the ability to 
> plain text see the traffic at the BES point. In very specific 
> circumstances. Is that how it went down?
>
> Given the Google / China experience, I don't expect RIM had much 
> choice, shareholder wise.
>
> I will wonder, however, if that episode will lead to the eventual 
> demise of the BB. In essence, they showed their security is not 
> absolute in all cases, and with SSL end to end on PDA's (I presume) 
> showing that alternate security strategies take you to the same place, 
> the BB competitive advantage isn't as strong as it was - making 
> i<thing> / Android viable choices even on the security front.
>
> Anyways, the debate point here, for England / riots is ... slippery 
> slope.
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org



More information about the kwlug-disc mailing list