Strategies for preventing man-in-the-middle attacks

Discussion in 'privacy technology' started by Ulysses_, Mar 9, 2012.

Thread Status:
Not open for further replies.
  1. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Many activists in some countries are having their SSL connections intercepted by their own ISP's, under orders from their governments. I have been a bit of a political activist in the past in one of those countries. So man-in-the-middle attacks on my internet connections are a possibility. Unlikely, but possible.

    One strategy to counter mitm attacks is to tunnel through a free VPN. But in the path from the exit of the tunnel to the site being visited a man-in-the-middle scheme is still possible.

    Is it possible to connect to a site several times simultaneously through different free VPN tunnels, and only trust you are connecting to the right site if all the connections are identical in terms of the certificates they present? That would be a cool firefox addon.
     
    Last edited: Mar 9, 2012
  2. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    When you browse to a site, examine the certificate details before continuing. If the whole certificate chain looks good, and ends on a reputable certificate authority, you should be good.
     
  3. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Any strategies less reliant on personal judgement?

    Also, I have the impression the whole design with certificate authorities is broken, or rather deliberately made such that interception by corrupt governments is possible, and that is why some people recommend other means of certificate sharing that do not involve authorities but trusted friends and contacts.
     
  4. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Hmm interesting question. Well if a certificate authority is hacked to steal their root private key, or the private key of an intermediate CA, then you are really pwnd. Especially if done by a government that can intercept all traffic. The same goes for weak keys that can be broken by govt supercomputers.

    Maybe a group could carefully maintain a list of known authentic website certificates. Once a websites certificate is verified by some manual process it is added to the list. When browsing to that site, the cert presented is compared to the list. If it matches you are good. If a site updates its cert, it would have to be reverified.

    It would be impractical for general browsing, but feasible if you just wanted to be safe for a handful of sites. The challenge then would be distribution of a certificate that authenticates access to the list itself, and protection of the list.
     
  5. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    This thread is just a reminder of how bad we need major changes in security authorization/authentication. Time is ticking.
     
  6. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    So it boils down to how you get the certificates the first time. Maybe this first time can be from an internet cafe or a wifi hotspot or a public library etc instead of your home?

    And since the first time occurs over and over and over because certificates expire... maybe if you could find a way to be present at all those internet access points at the same time?
     
  7. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Yeah the more you think about it, the harder it seems. I don't see how using a public access point would be better than home unless an organization is explicitly targeting you. If a govt wanted to MITM people to watch what is happening, it would put its hooks very high upstream to not let anyone through the cracks. You would have to spread out across different countries.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If your government has MITM certs they can decrypt the information anywhere. The only protection I can think of is to send sensitive files that you encrypt locally as a means to communicate. At that point you can establish a password in person or through some other means.
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Leaving aside the gov't control of all Internet accesses, which really, none of us can over come if it's that powerfully done...

    At a daily use level, there have been people thinking about this issue and developing some alternatives for certificate validation.

    A Firefox add-on called Perspectives has been providing certificate validation through a set of notaries, located in all different places, with different views/paths into websites to try to remove the localized MITM attack potential.

    http://perspectives-project.org/

    If we use Perspectives in Firefox while access this forum via https, we can see the notary report that is available from them.

    Perspectives-notary-response.jpg

    Now, you don't have to just take their word for it. Since they provide one of the certificate's fingerprints, you can view the certificate you get yourself and compare that finger print. If it matches, then you can have a high degree of confidence that you are seeing the same certificate as everyone else.

    If you want to go one step further, do what is mentioned above... get the cert from your local ISP and then from some random/alternate source. Compare them and then compare against Perspectives notaries. If they are all the same, it is extremely likely that no interference has occurred. Well, short of that high level gov't control of the entire Internet access.

    Edit: Oh, in a few days, the nearly 1 year old certificate for this forum will be expiring, so, I'm going to create another self-signed certificate, which Perspectives users will cause to be flagged and monitored by their notaries. (Why self-signed? See this topic for some thoughts on that.)
     
  10. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
  11. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    So it is not too hard for a govt to MITM the entire country, absolutely all SSL connections to be intercepted? I was counting on them not having the resources to do that. What resources are required for such a thing?
     
    Last edited: Mar 10, 2012
  12. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Ok. Would I be counting on the download of the Perspectives addon not having been intercepted, and also the download of firefox from the distro repos not having been intercepted?
     
  13. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    The things you are talking about in these last couple replies are rather extreme cases. Gov'ts actually taking over, altering and filtering the entire Internet, such that nothing ever leaks through that they haven't already modified so people won't notice... as well as them replacing all software, like Firefox, Perspectives and so on, altering any signing certificates for those programs and the posted MD5 or SHA1 checksums... The likelihood of these things happening is so remote as to be almost fiction.

    The issue is that they'd have to alter so much, and do it flawlessly so that no one notices - out of the millions of websites people could visit and the thousands of programs they can download, how could they ever alter everything without a mistake, so you'd never see any visible clues that something was wrong?

    I've never believed in the all powerful gov't agency like they depict in movies like "Enemy of The State" or the "Bourne" movies, where the agencies have absolute tracking and control powers no matter where the people go, and infinite ways to monitor, intercept and also have every video system in the world tied into their control centers, and so on... It's just too much. If the gov'ts really had all these abilities, then nothing could ever be done without them knowing, and frankly, with all that goes wrong, it seems pretty clear that they don't know even a fraction of what's going on.

    Sure there are some limited possibilities, but, I seriously doubt the extreme of them altering everything so flawlessly that you'd never know they were there in every link you click, message you send, proxy server you access, and so on.
     
  14. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Well basically they just need control of all the ISPs in the country. Or they could get higher if there are a few relay hubs that all the ISPs use.
     
  15. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Agreed, but it is feasible to think they could monitor just a handful of sites they care about, or tamper with a handful of the authentication programs you mentioned. But there is just too many to believe they could subvert them all.
     
  16. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Aside from the certainty that governments will get caught eventually if they massively modify downloads therefore they will never do this massively, what about abusing the certificate authority design on a large scale and only for eavesdropping purposes, never modifying data?

    Technically, does it require too much processing power to intercept and eavesdrop all ssl connections going through a national backbone if such a thing exists in a country?
     
    Last edited: Mar 10, 2012
  17. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Well, they could only eavesdrop ssl connections for sites that they have keys for. Or they could be MITMing you. In either case, they wouldn't do it for EVERY site, just the ones they cared about. I honestly have no idea how much processing power they would have/need to do on a national level.
     
  18. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Apologies for the gaps in my understanding of authorization. Returning to select individuals being targeted for MITM through their ISP's, which of the following two is a better defence for such individuals?

    Strategy A:
    Install Perspectives, stay home, believe connection to notaries cannot be intercepted or fake notaries presented, trust the real notaries are telling the truth, watch for any warnings from Perspectives or browser

    Strategy B:
    Install Perspectives, visit HTTPS site from wifi hotspot 1, visit same HTTPS site from wifi hotspot 2, visit same site from home, watch for any warnings from Perspectives or browser
     
    Last edited: Mar 11, 2012
  19. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Personally, I would go stategy A. Maybe do some work up front to make sure your authentication software looks good, and maybe install 1 or 2 others to be sure you didn't get the 1 that the govt did subvert.

    After that you are probably good.

    However if the govt was actually targeting you, you would have to assume your computers were already trojaned.
     
  20. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    All I do is CTRL I in FF, look at the Security tab then view the cert, so what is this cert chain you are talking about?
     
  21. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    One more question. The Perspectives icon sometimes becomes a cross and then selecting "View Notary Results" I get that

    "Perspectives has not seen this certificate consistently"

    Image2.gif

    Does not having seen the certificate consistently mean that this site has been MITM'ed before? If so, how do I know it is not MITM'ed now?
     
  22. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    When you view the cert, there should be a details tab. Click it and it will show you the whole certificate chain. The top is the root, and the bottom is the cert for the site.
     
Loading...
Thread Status:
Not open for further replies.