A simple SSL tweak could protect you from GCHQ/NSA snooping

Discussion in 'privacy technology' started by Dermot7, Jun 26, 2013.

Thread Status:
Not open for further replies.
  1. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://www.theregister.co.uk/2013/06/26/ssl_forward_secrecy/
     
  2. skp14

    skp14 Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    56
  3. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    FWIW, in Wireshark you can:

    1) Right click on a column, select Column Preferences, then add a custom column with properties: title Ciphersuite, field type custom, field name ssl.handshake.ciphersuite. Then make that column visible.

    2) Create and apply a display filter: (ip.dst == YourIPAddress) && ssl.handshake.ciphersuite

    Then using which ever browser, email client, etc you want, initiate SSL traffic and observe the ciphersuite selected by the various servers that are contacted. This approach has some limitations, such as the Source field often won't exactly match the host in the URL due to the DNS situation, and if you are doing SSL over non-standard ports you'll want to use the "Decode as..." feature to inform Wireshark of which protocols are being used. Yet, it is one way to survey things in a non-piecemeal fashion.

    You can, if you wish, use File->Export Packet Dissections->As CSV to export those packets to a csv file, then in the csv file remove rows with duplicate Source fields, then sort things to get a boiled down list of the servers your machine contacted and the Ciphersuites that were used. Or look into cmdline/script approaches for a more elegant solution to deduping, sorting, etc.
     
  4. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    I suppose server operators trying to keep their load down might not like such ideas, but...

    What about an addon/feature that allows you to specify, on a per-server basis, a reduced set of ciphersuites (known to be supported by the server through prior investigation)... thereby forcing the server to pick a stronger one than it would if the client offered the default set?

    Perhaps this could even be automated, such that the client first offers a small set of strongest ciphersuites and if the server doesn't support one of those than the client offers its default set. I don't know if the SSL/TLS protocol supports that on the fly or whether it would require a full restart.
     
  6. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    167
    Location:
    Sweden
    The article subjects: "A simple SSL tweak could protect you from GCHQ/NSA snooping" and "Perfect Forward Secrecy can block the NSA from secure web pages" is pretty misleading, what they fail to mention in both articles is that Perfect Forward Secrecy does not protect the website from a man-the-middle attack (using a CA-cert), it's only protecting against passive wiretapping.
     
Loading...
Thread Status:
Not open for further replies.