Phorm cannot intercept our private SSL communications can they?
BadPhormula
Sat Apr 26 2008, 02:34AM

Registered Member #188
Joined: Sun Mar 16 2008, 05:00PM
Posts: 148
Phorm cannot intercept our private SSL (encrypted) communications can they?

Or 'can' they? After all, once you are in the heart of the network anything's possible. Of course Phorm being the trustworthy bastions of our privacy they would never employ this kind of kit would they?



http://www.netronome.com/web/guest/products/ssl_appliance


credit: Flowrebmit CF forum

[ Edited Sat Apr 26 2008, 02:38AM ]
EtherDreams
Sat Apr 26 2008, 05:18AM
Registered Member #185
Joined: Fri Mar 14 2008, 09:27PM
Posts: 100
Doesn't that require the addition of a root certificate in the browser's certificate store?

I'm not real familiar with certificates and this is just a guess... in such cases does the MITM generate the keys/certificate for each target site, and in order for those certificates to be trusted they are signed by the root certificate mentioned above?

I wonder if application software, of the "run this to setup your ISP connection" variety, could add a root certificate without a major security warning popping up?

BadPhormula
Sat Apr 26 2008, 10:10AM

Registered Member #188
Joined: Sun Mar 16 2008, 05:00PM
Posts: 148
EtherDreams wrote ...

Doesn't that require the addition of a root certificate in the browser's certificate store?

I'm not real familiar with certificates and this is just a guess... in such cases does the MITM generate the keys/certificate for each target site, and in order for those certificates to be trusted they are signed by the root certificate mentioned above?

I wonder if application software, of the "run this to setup your ISP connection" variety, could add a root certificate without a major security warning popping up?




Dunno. There is a specification sheet available on the website and if you register they will let you have their transparent SSL proxy whitepaper.

Maybe we should ask Ben Laurie, he's the SSL expert.

http://www.links.org [ LINK to Ben's website ]
PhormalWarning
Sat Apr 26 2008, 10:55AM
Registered Member #242
Joined: Sun Mar 23 2008, 03:59PM
Posts: 30
Yes, this will need you to get a root certificate onto the client's machine. This is of course easy to do inside a company where all PCs are corporately controlled. Many companies deploy their own root CAs anyway for internal use.

Not so easy to get one onto your home PC (unless Microsoft or Dell or someone does a deal with Phorm).

Once an untrusted root CA is on your machine, the box in the middle can spoof being any SSL site without any warnings popping up by faking the site's SSL certificate on the fly and so SSL is completely broken.
davews
Sat Apr 26 2008, 12:21PM
Registered Member #142
Joined: Sun Mar 09 2008, 06:47PM
Posts: 19
Yes, although it has been suggested that the Phorm servers could set themselves up as a man-in-the-middle secure web server, the certificate you ended up with on your own computer would be from Phorm and not from your bank etc. Any decent web browser will alert you to this discrepancy and you would be a fool to proceed (but we all know that many people will just click the accept button).

More significantly, if Phorm were found out to be forging certificates from other people there would be an almighty uproar. Realistically I don't think they ever would do this!!
BadPhormula
Sat Apr 26 2008, 07:56PM

Registered Member #188
Joined: Sun Mar 16 2008, 05:00PM
Posts: 148
I posted a message on Ben Laurie's blog regarding SSL and Phorm. Here is Ben's reply

"Can Phorm Intercept SSL?"
http://www.links.org/?p=321 [ LINK ]
madslug
Sat Apr 26 2008, 10:16PM
Registered Member #266
Joined: Tue Apr 01 2008, 12:11PM
Posts: 143
Ummm - can someone please put Ben Laurie's answer into a language I can understand? I read it as a Yes / No

The way I see this is that search engines are able to cache https pages even though MSN and Yahoo! stay with the http version in their indexes while Google will happily display the https cache too. If someone with the budget of Google can't stop googlebot from looking at and caching https then I have an even lower confidence in any other script.
EtherDreams
Sat Apr 26 2008, 10:22PM
Registered Member #185
Joined: Fri Mar 14 2008, 09:27PM
Posts: 100
Somewhat OT, but has anyone heard of a tool for checking installed certificates against those that ship with IE or Firefox or whatever in order to identify any that aren't shipped by default and thus should be reviewed by the user?

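The check asked about in the post above, sketched as an added example that is not part of the original thread: fingerprint every certificate in the installed root store and flag any that the browser vendor did not ship, which is where a root added for on-the-fly certificate spoofing would show up. It assumes both stores have been exported as PEM bundles; the function names are hypothetical and the sample "certificates" are constructed placeholder bytes, not real certificates.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def fingerprints(pem_bundle):
    """Return the SHA-256 fingerprint of every certificate in a PEM bundle, in order."""
    result = []
    for match in PEM_BLOCK.finditer(pem_bundle):
        der = ssl.PEM_cert_to_DER_cert(match.group(0))  # strip armour, base64-decode
        result.append(hashlib.sha256(der).hexdigest())
    return result


def diff_store(baseline_pem, installed_pem):
    """Compare an installed root store against the vendor-shipped baseline."""
    baseline = set(fingerprints(baseline_pem))
    installed = fingerprints(installed_pem)
    return {
        # Roots present locally but never shipped by the vendor: review these.
        "added": [fp for fp in installed if fp not in baseline],
        # Shipped roots that are gone locally (removed or distrusted by the user).
        "missing": sorted(baseline - set(installed)),
    }


def constructed_cert(label):
    """Constructed sample: arbitrary bytes in PEM armour, NOT a real certificate."""
    return ssl.DER_cert_to_PEM_cert(b"constructed-der:" + label)


# Constructed sample stores: two shipped roots, plus one root added afterwards.
BASELINE = constructed_cert(b"vendor-root-1") + constructed_cert(b"vendor-root-2")
INSTALLED = BASELINE + constructed_cert(b"isp-setup-root")

if __name__ == "__main__":
    report = diff_store(BASELINE, INSTALLED)
    for fp in report["added"]:
        print("not in shipped store, review:", fp)
    for fp in report["missing"]:
        print("shipped root absent locally:", fp)
```

A fingerprint listed under "added" is not proof of interception (corporate and self-installed roots appear there too); it only marks a root that needs a deliberate decision by the user.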
PhormalWarning
Sun Apr 27 2008, 03:27PM
Registered Member #242
Joined: Sun Mar 23 2008, 03:59PM
Posts: 30
madslug wrote ...

I read it as a Yes / No

He puts forward three basic alternatives.

1) Find a way to get a root certificate onto the user's machine as discussed above.

2) Install the Phorm box at the web server end (i.e. every web server) or else get web server operators to deliver their private keys to Phorm. Fairly impractical on a large scale.

3) Phorm becomes a trusted root CA in themselves. Unlikely to be possible.

So basically it's a no with the exception that the user could be confused into installing a new root CA by failing to understand what's going on or by misplacing trust in someone e.g. BT pushes out a software "update" that installs a certificate.

He cites the example of the tax office requiring people to install a root certificate. I'm unsure if this is correct. I know they require you to have a personal certificate, but this is different. That's used to identify you to the web server and is perfectly legitimate.
madslug
Sun Apr 27 2008, 03:36PM
Registered Member #266
Joined: Tue Apr 01 2008, 12:11PM
Posts: 143
Thanks PhormalWarning. Much clearer now. I hope that software updates are not pushed out.

I will stick with an ISP that only requires I enter a username and password into the router. I have never quite understood those ISPs that send a 'little program' that sits on users' computers.