Ask HN: Am I allowed to reverse engineer an Internet service and blog about it?
I've been working lately with a reverse proxy to pen test our own app and I actually see some very interesting network traffic on both my laptop and my phone. I would like to investigate services I use and blog about how they work. I find it being very instructive but fear potential legal consequences.
Examples of such services are iCloud, Dropbox, Facebook, etc..
7 comments
[ 0.22 ms ] story [ 34.1 ms ] threadPossibly and in some cases, however this might run afoul of the laws that prohibit defeating computer security schemes.
My point is that the answer is not simple, and a behavior that may be completely acceptable for case A might be a felony in case B.
Source: http://www.law.cornell.edu/uscode/text/18/2701
Quote: "(a) Offense.— Except as provided in subsection (c) of this section whoever—
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section."
You can reverse engineer protocols for the purposes of interoperability in Europe. However there are various fine print details that matter and changes in the last few years. The wikipedia page has a summary and references to the legislation http://en.wikipedia.org/wiki/Reverse_engineering#European_Un...
However if those services have been written correctly they will be using SSL and you shouldn't be able to see what is going on with network sniffers (other than DNS names and traffic analysis).
That means reverse engineering the software which is hard and time consuming (eg you need to know assembly and using debuggers at that level). Some like Skype use anti-reverse engineering techniques. Tools like IDA help as a starting point.
However chances are that all that software you downloaded had some sort of click agreement that you agreed to saying you won't reverse engineer the software. That adds another layer of legal issues you need to address.
SSL is not obfuscation, it is about maintaining a chain of trust.
(1) For a test I used my bank which had all sorts of RSA checked and similar logos all over the "secured" pages. Needless to say those logos remained even though I was going through a man in the middle.