Stuff like this is almost enough to make me wish I wasn’t The Government.
This is crazy… just because somebody posts about [The remainder of this post has been redacted for national security reasons]
My government is actually capable of intercepting this post?
Who knew?
…why doesn’t this BBS have HTTPS, anyway? Paging @codinghorror, or whoever…?
Don’t you know that certs issued by [redacted] have wildcard equivalents held by [redacted], [redacted], and [THIS IS YOUR FINAL WARNING]. Makes MITM’ing TLS trivial.
Wait, what the hell is that outside my window!?
It’s still an active attack and can be detected if you are looking.
By pushing more communication into the active-attack-necessary realm, the adversary will become way less undetectable.
And then the so-far-somewhat-exotic state-tracking (and possibly p2p-cooperating) certificate- and IP-checking methods will become adopted in browsers, first as extensions, then in the core.
And for bonus points my method of using detached PGP signatures as a supplementary authentication mechanism can be deployed in parallel.
If I coerce Verisign to either hand over their root keys or compromise their HSMs, even with cert pinning you’d never know. Only if you compared the fingerprint every time, but fingerprints change legitimately as well.
Certs change legitimately, that’s true. However, the problem is then just reformulated as determining if the change is legitimate or hostile. That can be done with vendor cooperation, publishing a signed signature by another channel (the PGP one with a web-of-trust is a possibility), or P2P network monitoring, which tells you if it is changed only for you (you’re under a targeted MITM) or for everybody (legitimate change, or a wide-scale MITM), and if the IP address is changed (possible DNS shenanigans, or a legitimate server moving, or load balancing) or not.
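The comparison described in the post above, as an added example that is not part of the thread: a check that compares a stored fingerprint with what this machine and several other vantage points see now. The function name, the verdict strings, the quorum value and all sample fingerprints and addresses are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    fingerprint: str  # certificate fingerprint seen from one vantage point
    ip: str           # address the hostname resolved to from that vantage point


def classify_change(pinned, local, peers, quorum=0.75):
    """Return (cert_verdict, ip_verdict) for one hostname.

    pinned: Observation stored from an earlier visit
    local:  Observation made now from this machine
    peers:  Observations reported now by other network vantage points
    quorum: assumed share of peers needed to call a view "everybody's"
    """
    # An address change alone is ambiguous: DNS tampering, a server move
    # or load balancing all look the same, so it is reported separately.
    ip_verdict = "ip-unchanged" if local.ip == pinned.ip else "ip-changed"
    if local.fingerprint == pinned.fingerprint:
        return "cert-unchanged", ip_verdict
    if not peers:
        return "cert-changed-unverified", ip_verdict
    counts = Counter(p.fingerprint for p in peers)
    agree = counts[local.fingerprint] / len(peers)
    if agree >= quorum:
        # Everybody sees the new cert: legitimate change or wide-scale MITM.
        return "cert-changed-for-everybody", ip_verdict
    if agree <= 1 - quorum:
        # Almost nobody else sees it: consistent with a targeted MITM.
        return "cert-changed-only-for-you", ip_verdict
    return "cert-changed-inconclusive", ip_verdict


# Constructed sample data (documentation address ranges, made-up fingerprints).
OLD, NEW, ODD = "aa:11", "bb:22", "cc:33"
PINNED = Observation(OLD, "192.0.2.10")
PEERS_ROTATED = [Observation(NEW, "192.0.2.10")] * 4
PEERS_STABLE = [Observation(OLD, "192.0.2.10")] * 4
PEERS_SPLIT = [Observation(NEW, "192.0.2.10")] * 2 + [Observation(OLD, "192.0.2.10")] * 2

if __name__ == "__main__":
    print(classify_change(PINNED, Observation(NEW, "192.0.2.10"), PEERS_ROTATED))
    print(classify_change(PINNED, Observation(ODD, "198.51.100.7"), PEERS_STABLE))
```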
Publishing fingerprints via something like a blockchain would be interesting. But there are still non-theoretical attacks that, lure, p2p, and pgp webs of trust.
Ideas like these would make a great set of DEF CON talks though.
The existing infrastructure cannot be changed. We can however add external services that can be used by a subset of the users; if there are enough of the users, the attackers will have more work to do. Then there is the strategic factor of them knowing they may be being watched, and the probability of them being seen doing their work - and losing the advantage of not being known about. That itself can serve as a powerful discouragement of anything not-highly-targeted.
Totes, but when you set up new defenses you have to keep in mind where you may shift the attacks. It’s the old, “I don’t have to outrun the bear, just the other guy” problem. And I think the security community, to its detriment, has used that strategy for too long.
So I guess what I am saying is thoughtfulness and the expectation of unintended consequences should always be baked into thought experiments like these.
Of course the attacks will be changed by changes in the defense terrain!
The direction should always be in increasing the attack cost. Security is economics; with fixed resources, the adversary can afford to do blanket surveillance of many soft targets or a targeted approach to a few. If we make the low-cost approach prohibitively costly, the landscape shifts to the second strategy, spending more resources on fewer targets. Which, assuming we aren’t high-value targets, is good for all of us.
My pizza recipes are the highest value targets >:)
Then you are a perfect reference network node with low probability of being MITMed.
I’m only commenting to ensure I am a part of this exciting event. ‘Hello, government!’
I suspec