Freedom of the Press releases an automated, self-updating report card grading news sites on HTTPS


#1

Originally published at: http://boingboing.net/2016/12/15/freedom-of-the-press-releases.html


#2

Before anyone asks:

Yes, we absolutely want to go HTTPS-by-default. I’d love to turn it on today if I could. But the advertising landscape (you know, the stuff that pays for us to be here in the first place) does not yet allow for such a thing. Yet.

Best I can offer you, for now, is to browse https://boingboing.net/ at your leisure. As soon as we can flip the switch and have everyone there by default, we will.
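The distinction this post draws (a site that is reachable over HTTPS but does not send visitors there by default) is exactly what an HTTPS report card has to score. Below is an added example, not code from this thread or from the report card project itself, of a small grader with an assumed rubric: valid HTTPS, redirect to HTTPS by default, and the strength of the HSTS policy. The probe results are constructed, not fetched.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ONE_YEAR = 31536000  # seconds; assumed threshold for a "strong" HSTS policy

@dataclass
class Probe:
    # What a scanner would learn about one site; values below are constructed, not fetched
    site: str
    https_ok: bool                 # TLS handshake succeeded with a valid certificate
    http_redirects_to_https: bool  # plain http:// request was redirected to https://
    hsts_header: Optional[str]     # raw Strict-Transport-Security value, if any

def parse_hsts(value: str) -> Tuple[Optional[int], bool, bool]:
    """Parse an HSTS header value into (max_age, includeSubDomains, preload)."""
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            number = directive[len("max-age="):].strip().strip('"')
            max_age = int(number) if number.isdigit() else None  # malformed -> no policy
        elif directive == "includesubdomains":
            include_subdomains = True
        elif directive == "preload":
            preload = True
    return max_age, include_subdomains, preload

def grade(p: Probe) -> Tuple[str, str]:
    """Return (letter grade, reason) under the assumed rubric."""
    if not p.https_ok:
        return "F", "no valid HTTPS"
    if not p.http_redirects_to_https:
        return "D", "HTTPS available but not the default"
    if not p.hsts_header:
        return "C", "defaults to HTTPS but sends no HSTS"
    max_age, subs, preload = parse_hsts(p.hsts_header)
    if not max_age:
        return "C", "HSTS header present but max-age missing, zero or malformed"
    if max_age >= ONE_YEAR and subs and preload:
        return "A", "HSTS for a year or more, covering subdomains, preload-ready"
    return "B", "HSTS present but short-lived or not preload-ready"

# Constructed sample results (not real scan data)
SAMPLE = [
    Probe("available-only.example", True, False, None),
    Probe("hsts-short.example", True, True, "max-age=86400"),
    Probe("hsts-strong.example", True, True, "max-age=31536000; includeSubDomains; preload"),
    Probe("plain-http.example", False, False, None),
]
```

The first sample is the situation described in this post: HTTPS works, but a plain http:// visit is not redirected, so it scores below a site that redirects and pins the policy with HSTS.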


#3

Perhaps adding a grade or component that indicates if the network connection is vulnerable to snooping and spoofing would also be helpful.

Your SSL/HTTPS traffic is not as private, nor as secure, as you think it is. It is increasingly common for corporate IT security overlords and private network providers (your place of work, your public library, the local coffee shop with blazing fast WiFi) to use MITM (man-in-the-middle) attacks for what they label “deep packet inspection” or “data loss prevention” (a.k.a. DLP) and other SSL or HTTPS “visibility” and similarly named security warm-fuzzy new-speak misnomers for initiatives to break and capture all your HTTPS traffic, decrypt it and store it for them to inspect at their leisure, then re-encrypt it and send it on.

This includes your access and passwords to banking, private e-mail, social media and all other servers you access. If it traverses their devices or network, they’re probably capturing it.

This is done by forcing you to accept the corporate certificate(s) as valid - you’ll often see an error the first time you try to visit an SSL site (good primers can be found by searching for SSL spoofing, MITM, DLP, deep packet inspection, etc.) and then spoofing to have the corporate snoop and logging server / router accepted by both the client browser and the “secure” web server.

This is the man-in-the-middle, equivalent to your post delivery person reading all your inbound and outbound mail, then re-sealing it and sending it on as if nothing had been done.

Good example here: https://it.slashdot.org/story/14/03/05/1724237/
The organization “performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. [The] assumption is that the [organization] logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees.”

There are myriad vendors who sell this as an appliance to connect to your network, a plug-in for existing router/proxy/server/logging/firewall hardware, or increasingly as cloud-based services.

While I laud this effort to protect web traffic and make news and other important sites transparent and accountable for providing good encryption (we do need more of it, and should support it and demand good secure connections to servers we trust for information), we also need everyone to be aware that if they’re using a device or a network owned by someone else, the network and/or device owner is very likely to be capturing, decrypting, storing and using all your internet traffic (and is completely technically capable of doing so), even when it is SSL/HTTPS encrypted.

The real security community has known for at least 10 years that this was both possible and undesirably dangerous, because by weakening the client/browser-to-server encryption chain they make the entire network, and all involved devices, software and traffic that traverse it, vulnerable to that same attack and far less secure (in the name of making it seem more secure: “security theatre”, anyone?).

There are protections from this, like third-party trusted proxy VPN services and implementations of SSL/HTTPS that will not accept or honor forged or spoofed certificates, but they are the minority, and many DLP and similar appliances and services are implemented to block traffic that can’t be intercepted and decrypted.

The U.S. Department of Homeland Security (DHS) had required all U.S. government agencies to implement this technology to monitor and inspect all traffic to and from all agencies, departments and bureaus. While this might seem reasonable, there are two problems with this:

First, many federal workers are not informed that when they use a government computer or network - even on their break or lunch time or after hours, which is authorized in many government agencies with rural and remote office sites - to access banking, pay bills, check private e-mail or read the news, all their traffic, even SSL/HTTPS traffic - including usernames/passwords - is captured, decrypted, inspected and stored.

Second, for the same reasons this trick works, it makes those same networks more vulnerable to malicious attackers who can also break the encryption chain by compromising any node and its certificates or which certificates it trusts.

Most employers and private networks that connect to the internet do the same.

When using a corporate device or network, there is often a “splash banner” with either a notice or a link to a notice that informs you that all your activities can and will be monitored and by using the device and/or network, you consent to this monitoring. This also includes having traffic you may have considered “secure” decrypted and inspected by both automated tools and the network security staff of the network owner.

So, be aware that though HTTPS is good and a step in the right direction, it doesn’t guarantee privacy. And it’s not as “safe” or “for your own good” as the vendors and organizations and the real people behind the decisions to do this would have you believe.

Forewarned is forearmed. Knowledge is power. Know.


#4

Also use the EFF’s HTTPS Everywhere add-on.


#5

I’ve been asked to do this from time to time. If you control the DNS, and you have the ability to execute code on desktop PCs (this is typically the case in big corporate networks) it’s not real hard. It takes a fair bit of compute power, and then you get into the problem of what data to collect and where to store it and how to index and report on it… but once you can insert bogus certificate authorities into the users’ browsers, you can just generate certs as you need them.


#6

Works great, absolutely seamless, and I haven’t found any sites that aren’t compatible.


#7

I used to notice many sites dropping HTTPS once you were within their walls, so it’s great for preventing that, I find. Some domains are somewhat broken with HTTPS though, but it’s easy to disable the ones you don’t want.

