HTTPS is effective only when fully and properly implemented. For this to
happen, the client (and the user) must be aware of how HTTPS works, and how
things are supposed to behave when everything is as it should.

I can, in practice, see three obvious weaknesses, and therefore three ways
to defeat HTTPS as a method of securing a connection to a web service.
There are others, both more effective and less so, but these are the most
obvious ones:

1. A MITM attack with a self-signed certificate. This will generate a
security alert in the user's browser, but many users are ignorant and will
ignore this. This is the least effective and most conspicuous attack, but
it is cheap and easy.

2. A MITM attack with no certificate at all. Let me elaborate on this. When
a user wants to go to e.g. Twitter, she usually types "twitter.com" into
the address field. Due to the mechanics of intelligent autocompletion
(which I detest, by the way, due to issues like these), this will, in
normal cases, take her to an HTTP page, which will redirect her to the
HTTPS page. If an MITM attack is performed, the attacker could simply skip
the redirection step and manufacture a passable replica of the Twitter
login page which goes over HTTP. No certificate security warning will be
shown, because there is no secure connection to begin with. On some
browsers this will generate a "you are sending form data unencrypted over
the Internet, you moron" warning, but in most browsers this dialog has been
disabled. This is as easy as attack 1, but should have a higher rate of
success. This will, of course, not be effective at all if the user
explicitly requests an HTTPS connection. Not many do, though. Sadly, most
people expect technology to do their thinking for them.

3. A MITM attack with a perfectly valid certificate from a compromised
certificate authority. Compromising a CA is tricky business, but it is
certainly not unheard of. The point here is that *any* recognised
Certificate Authority can issue a valid certificate for, say, twitter.com.
If *one* CA is compromised, and there are loads of CAs based in shady
countries with patchy legal protection from the state, the entire chain of
trust is broken until that CA has had its root certificate revoked and that
revocation has been pushed to all clients. This is a fundamental weakness
of the CA web-of-trust system in place now, and there is little one can do
about it. Luckily, when DNSsec and DANE are finally implemented, we'll be
rid of central CAs entirely, the actual validation going through DNS
instead. This means two things: a) The above-mentioned weakness will be
eliminated, and b) Certificates will be completely free to implement for
domain name owners, as the process of setting one up will be a routine DNS
procedure. When that time comes, there will be no valid excuses whatsoever
not to implement connection encryption.

Not that there are any valid excuses for that now, mind. Not implementing
TLS ("HTTPS") is despicable.
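
The usual client-side defence against attack 2 is HSTS (RFC 6797): once a site has been seen over HTTPS with a Strict-Transport-Security header, the browser rewrites later http:// requests to https:// before anything is sent, so there is no plaintext request left for a MITM to answer. As an added illustration (not code from the original mail), here is a minimal model of that cache in Python; the header values and timestamps are constructed, and twitter.com appears only because the mail above uses it.

```python
from urllib.parse import urlsplit, urlunsplit

# Added illustration: a minimal model of a browser's HSTS cache (RFC 6797).
# Constructed inputs only; "twitter.com" is taken from the mail above.

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None for a malformed or max-age-less header, which clients ignore."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsCache:
    def __init__(self):
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, scheme, host, header, now):
        # Only honour the header on a secure connection: over plain HTTP a
        # MITM could inject (or strip) it, so the browser must not trust it.
        if scheme != "https":
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 means "forget this host"
        else:
            self.hosts[host] = (now + max_age, include_sub)

    def is_known(self, host, now):
        # Walk from the full name up to its parents; a parent entry only
        # covers this host if it was stored with includeSubDomains.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// if the host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or "", now):
            return urlunsplit(("https",) + parts[1:])
        return url
```

The first visit is still unprotected (the header has not been seen yet), which is why browsers ship a preload list and why the mail's advice to type https:// explicitly still matters. Explicit ports (an http URL on :80 should become :443) are left out of this model.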
On 8 Jun 2013 10:42, "Kyle Spencer" <[email protected]> wrote:

> Well, let's think about this:
>
> 1) I highly doubt Facebook, Google, Twitter et al will give the Ugandan
> government backdoor access to their systems.
>
> 2) Most major social networking services default to HTTPS (i.e. your
> traffic to/from these platforms is encrypted) thus the content of your
> messages cannot easily be intercepted at the ISP/network level.
>
> In light of the above, it would appear that this team would be limited to:
>
> 1) Looking at publicly available content (e.g. Twitter posts, Facebook
> posts marked public, etc).
>
> 2) Cracking user account passwords or otherwise breaking into user
> accounts.
>
> 3) Tricking you into accepting them as a 'friend' on Facebook et al so
> that they can see your private posts.
>
> Anyone else have any thoughts on this?
> On Jun 8, 2013 11:31 AM, "Jake Markhus" <[email protected]> wrote:
>
>> From what I gather, this is political control extended to cyberspace.
>>
>> Sincerely
>>
>> James Makumbi
>> Billable Ltd
>> 0790834364 / 0712780817
>> http://www.coderbits.com/jmakumbi
>> http//:ug.LinkedIn.com/in/jmakumbi
>> On Jun 8, 2013 9:36 AM, "Kyle Spencer" <[email protected]> wrote:
>>
>>> I'd like to learn more about the methods they intend to use.
>>>
>>> Anyone with a clue here?
>>> On Jun 8, 2013 8:22 AM, "Jake Markhus" <[email protected]> wrote:
>>>
>>>> WHY SOCIAL MEDIA SURVEILLANCE? Just participate and contribute. The
>>>> "big brother is watching" bs bores me. Just a bunch of navel gazing people
>>>> paid to do nothing.
>>>> I would rather they set up standards and best practices for development
>>>> of government websites. I would rather they tested Uganda's service
>>>> providers and not only CERTified them but periodically checked them for
>>>> compliance. They should EMPHASIZE the use of local hosting as a first
>>>> option with failover to Switzerland. If they want a white Nordic guy, let
>>>> them host with Reinier (hi Reinier:-)).
>>>> Everybody dreams of being James Bond when all we need is a decent gate
>>>> watchman.
>>>>
>>>> Sincerely
>>>>
>>>> James Makumbi
>>>> Billable Ltd
>>>> 0790834364 / 0712780817
>>>> http://www.coderbits.com/jmakumbi
>>>> http//:ug.LinkedIn.com/in/jmakumbi
>>>> On Jun 8, 2013 8:06 AM, "Neil Blazevic" <[email protected]> wrote:
>>>>
>>>>> Techpost has a story on the launch today, including a link to the
>>>>> website, http://www.ug-cert.ug/
>>>>>
>>>>>
>>>>> http://www.techpost.ug/3263/uganda-launches-cyberspace-security-programme/
>>>>>
>>>>> Worth noting their social media surveillance plans which seems to be a
>>>>> part of it.
>>>>>
>>>>> Neil
>>>>> On Jun 8, 2013 2:37 AM, "joachim Gwoke" <[email protected]> wrote:
>>>>>
>>>>>> > Message: 5
>>>>>> > Date: Thu, 6 Jun 2013 18:58:57 +0300
>>>>>> > From: Mike Barnard <[email protected]>
>>>>>> > To: Uganda Linux User Group <[email protected]>
>>>>>> > Subject: [LUG] CERT was [NITA site hacked!]
>>>>>> > Message-ID:
>>>>>> >     <
>>>>>> cadhh34rfdcwr7unb-srfjsgb_4hjevlmhnlp9tgojmm6aw7...@mail.gmail.com>
>>>>>> > Content-Type: text/plain; charset="iso-8859-1"
>>>>>> >
>>>>>> > Any one know any details about this CERT team that was
>>>>>> > created.
>>>>>> >
>>>>>> > On 29 May 2013 21:38, joachim Gwoke <[email protected]>
>>>>>> > wrote:
>>>>>> >
>>>>>> > > People,
>>>>>> > > Uganda created a CERT last year (I am not joking),
>>>>>>
>>>>>>
>>>>>>
>>>>>> I recall an event last year with the Prime Minister and NITA talking
>>>>>> of the creation of CERT. My assumption was that considering what we are
>>>>>> going through this body was already created/launched by now.
>>>>>>
>>>>>> regards
>>>>>> Joachim
>>>>>> _______________________________________________
>>>>>> The Uganda Linux User Group: http://linux.or.ug
>>>>>>
>>>>>> Send messages to this mailing list by addressing e-mails to:
>>>>>> [email protected]
>>>>>> Mailing list archives: http://www.mail-archive.com/[email protected]/
>>>>>> Mailing list settings: http://kym.net/mailman/listinfo/lug
>>>>>> To unsubscribe: http://kym.net/mailman/options/lug
>>>>>>
>>>>>> The Uganda LUG mailing list is generously hosted by INFOCOM:
>>>>>> http://www.infocom.co.ug/
>>>>>>
>>>>>> The above comments and data are owned by whoever posted them
>>>>>> (including attachments if any). The mailing list host is not responsible
>>>>>> for them in any way.
>>>>>>
>>>>>
>>>>
>>>
>>
>