Relevant to this thread, but OT to the charter of this list.

On Sat, Jan 12, 2013 at 5:46 AM, Jeffrey Walton <[email protected]> wrote:
> On Sat, Jan 12, 2013 at 4:27 AM, ianG <[email protected]> wrote:
>> On 11/01/13 02:59 AM, Jon Callas wrote:
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Others have said pretty much the same in this thread; this isn't an MITM
>>> attack, it's a proxy browsing service.
>>>
>>> There are a number of "optimized" browsers around. Opera Mini/Mobile,
>>> Amazon Silk for the Kindle Fire, and likely others. Lots of old "WAP"
>>> proxies did pretty much the same thing. The Nokia one is essentially Opera.
>>>
>>> These optimized browsers take your URL, process it on their server and
>>> then send you back an "optimized" page.
>>
>> Oh, I see. So basically they are breaking the implied promise of the https
>> component of the URL.
>>
>> In words, if one sticks https at the front of the URL, we are instructing
>> the browser as our agent to connect securely with the server using SSL, and
>> to check the certs are in sync.
>>
>> The browser is deciding it has a better idea, and is redirecting that URL to
>> a cloud server somewhere.
>>
>> (I'm still just trying to understand the model. Yes, I'm surprised, I had
>> never previously heard of this.)
>
> It's right up there with the PenTesters using BurpSuite to destroy
> a secure channel. I look at the PenTest reports and shake my head in
> disbelief that no one took exception to what the PenTesters did....
Whoa...hold on there Jeff. I'm hoping that I'm misunderstanding your last statement about what the pen testers did to "destroy a secure channel". Are you implying that _authorized_ PenTesters using software such as BurpSuite (or Fiddler2 or Paros Proxy, or any other software that leverages the browser's _forward_ proxy ability) is a violation of some law or morals? If so, I would wholeheartedly disagree. They are not capturing arbitrary HTTPS traffic of others, but only that originating from their own browser. How is that any different from doing it from a browser plug-in, such as Tamper Data in Firefox?

[Note: I'm not debating if some arbitrary person tries to pen test their bank or some other application that they have not been properly authorized to do. That is a different story entirely and is a violation of the law, but probably NOT because it is "destroying a secure channel"...DMCA notwithstanding.]

There is a big difference in forward proxies and reverse proxies. A forward proxy is (generally) under your control. When it is not under the user's control, which appears to be the case here, that is completely different. It matters little (to me at least) that Nokia has probably buried this under the fine print legalese of their TOS. But IMHO, that's a far cry from a pen tester configuring their browser's forward proxy capability to use BurpSuite or Fiddler2, or some other proxy.

Keep in mind that it's not only pen testers who do this, but many web application developers use these tools as well to aid them in debugging their web applications.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We *cause* accidents." -- Nathaniel Borenstein

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
