Big Brother on a budget-Enhanced SSL Inspection

Revealing article ! which runs to 4 pages.

Just one of several DPI solutions listed in the above, is this

 

Based on a quick scan, that looks like a decent article and a good share. One of the things that greatly increased my interest in privacy back in the early 90s was a very sharp corporate network admin whose primary interest was such systems. One night we were both working late and got to talking about them and he walked me through what he had setup within our small tech firm. What surprised me was how good the system was at capturing and presenting information in a useful form. You could easily view things at the company level but also zoom in to the individual machine/employee level. There were custom scoring rules to accomplish standard as well as specialized monitoring tasks. Want to see employees ranked by say their history of non work related network activity first thing in the morning... click. Want to see stats for sites visited by Joe this past week, click. Due to storage and processing constraints it was geared towards somewhat coarse statistics, but the potential for finer grained stuff was obviously there. Even back then.

The one thing that I've never been able to shake is the automated scoring. So many times I've heard people dismiss privacy concerns on a "no one cares what you are doing and they don't have time to watch you" type basis. Once the infrastructure is in place, which used to be a major challenge in heavy traffic scenarios, scoring people on whatever rules you can think up is easy. A big problem being that humans make mistakes, accuracy of such scores is questionable, and those who are affected don't have an opportunity to review or challenge their scores.

Edit: Then again, as long as YOU are the one with the toys and not THEM it isn't so bad. I just had to sniff my own SSL connection over my own network and was mighty glad I could do it!

 

Never browse with browser that someone else could have put a cert in.

PD

 

Good Advice. However, wouldn't that in practice reduce to never browse with a browser? Nothing to worry about though...

"Although Trustwave claimed this was a "common practice" within the industry, it is not clear how widespread the practice is among other certificate authorities, and very few CAs are talking. "This is a highly unusual activity," said Mark Bower, vice president of Voltage Security.

A "Hardware Provider" approached Comodo with a "sizeable offer" to issue a subordinate root certificate that could be used for "intercepting" purposes, but the company declined because "it didn't fit our philosophy of end-user protection," Melih Abdulhayoglu, president and CEO of Comodo, wrote in an email."

 

Exactly. Any CA can do what Trustwave did and I would bet my house some of them have already given such "privileges" to U.S. spy agencies.

The only way to be secure with SSL is to use self-signed certificates and then verify the certificate yourself (a la in person).

For instance, let's say Clone Ranger runs a super secret Wilder's subforum. He generates his own self-signed SSL cert for it. Then I go and meet CloneRanger at his home in nowheresville, USA and verify the cert in person. Then I sign Clone's certificate with my own digital certificate (GPG key, etc). Now I can be sure when I return home and visit his site that I am not being MITM'ed.

Then when other people visit Clone's site, they can check the cert and see that I signed it and verified it as legit. I have become sort of a CA. People can choose to trust me or not. This is known as a Web of Trust and is how PGP/GPG operates. The more people that verify Clone's certificate in person, the better.

This is more work than most people want to do, but it's the only way to ensure security. If you rely on CA's to "do the right thing" you are being naive.

 

I agree with you, but the end user can only do what they can do. I trust Mozilla to try to keep these compromised certs out, or the TBB etc. But I'm not a 'cert expert'. I like your self signed model...I use it on my email server. I remember Steve Gibson talking about going through the cert list and deleting the ones like "Hong Kong Post Office", etc... Many people have been saying the cert model is hopelessly 'broken' (Moxie Marlinspike, etc...).

PD