On 20 Nov 2013, at 12:24, Martijn Grooten <dcglug@xxxxxxxxxxxxxxxxxx> wrote:

> On Wed, 20 Nov 2013, Simon Waters wrote:
>>> Another good reason to use HTTPS.
>> HTTPS will stop the average 12 year old doing this.
> Not so sure. I know a lot of HTTPS is broken, but not to the point where an 
> adversary controlling the cables can inject packets in real time.
> That's the whole thing: simply because traffic between Belgacom and LinkedIn and 
> Slashdot goes via Cornwall, GCHQ can just sit there and inject packets when it 
> wants to. At least that's what I understand to have happened.
> You can of course do things with forged certificates and routing traffic through 
> your servers, but that is a lot more difficult to do and easier to detect.

Granted, it is slightly harder, but if you have the influence to get certificates 
signed as needed, it isn't orders of magnitude harder. It still boils down to reading and 
rewriting packets on the wire; desktop AV software already does it on old PCs.

Sure it can be spotted - hands up all of you who use certificate pinning or some 
sort of certificate notary explicitly (Chrome does some by default I believe, and 
Claws mail client)?

In practice, where it has happened on quite a broad scale it isn't always spotted 
quickly, especially if it is done well, e.g. the only difference is the inner 
details of the certificate, so you have to fingerprint both to spot the difference.

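The pinning and notary checks mentioned above, as an added illustration that is not part of the thread: a small store that holds static pins for hosts known in advance and falls back to trust-on-first-use for the rest, flagging a certificate whose visible subject is unchanged but whose fingerprint differs. The host names and certificate stand-ins are constructed, not real X.509 data.

```python
import hashlib
import hmac

def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 over the certificate's DER bytes: any change to the inner
    details (key, serial, issuer, extensions) changes this value."""
    return hashlib.sha256(cert_der).hexdigest()

class CertNotary:
    """Two checks in one store: static pins (like a browser's built-in list)
    for hosts we know in advance, and trust-on-first-use for everything else."""

    def __init__(self, static_pins=None):
        self.static_pins = static_pins or {}   # host -> set of fingerprints
        self.seen = {}                          # host -> first fingerprint seen

    def observe(self, host: str, cert_der: bytes) -> str:
        fp = cert_fingerprint(cert_der)
        pins = self.static_pins.get(host)
        if pins is not None:
            # constant-time compare against each pin; order is irrelevant
            ok = any(hmac.compare_digest(fp, p) for p in pins)
            return "pinned-match" if ok else "pin-violation"
        known = self.seen.get(host)
        if known is None:
            self.seen[host] = fp
            return "first-seen"
        return "match" if hmac.compare_digest(known, fp) else "changed"

# Constructed stand-ins for DER certificates (not real X.509 encodings): the
# visible subject is identical, only the key bytes differ.
LEGIT_CERT = b"subject=CN=mail.example.org;key=" + bytes(range(32))
SWAPPED_CERT = b"subject=CN=mail.example.org;key=" + bytes(range(32, 64))

def demo():
    notary = CertNotary(static_pins={"www.example.org": {cert_fingerprint(LEGIT_CERT)}})
    return [
        notary.observe("mail.example.org", LEGIT_CERT),    # first-seen
        notary.observe("mail.example.org", LEGIT_CERT),    # match
        notary.observe("mail.example.org", SWAPPED_CERT),  # changed
        notary.observe("www.example.org", LEGIT_CERT),     # pinned-match
        notary.observe("www.example.org", SWAPPED_CERT),   # pin-violation
    ]
```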