Interesting People mailing list archives

Re: Gmail 'hacking' - some perspective


From: "Dave Farber" <dave () farber net>
Date: Fri, 10 Aug 2007 05:43:53 +0900



-----Original Message-----
From: Strata R Chalup [mailto:strata () virtual net] 
Sent: Friday, August 10, 2007 5:37 AM
To: Dave Farber
Subject: Fwd: [IP] Gmail 'hacking' - some perspective

Hi Dave,

Roelof Temmingh brings up some excellent points about the security issues,
and about SSL.  An issue that doesn't get much press regarding SSL
'security' is that one's network (wireless or non) could be doing
transparent proxying of SSL.

Folks get a false sense of security from having 'secure' web connections and
little shiny "is this the right picture?" front ends to sites like banks and
credit card companies.  So they log into the free wireless at the local
coffee shop, public park, piggyback off a neighbor's network, etc., thinking
they're not at risk.  Surprise!  Their 'gateway' could in fact be a
transparent proxy that is phishing them up the wazoo.

Read Jon Udell's April 2007 article about enhancing corporate security with
an SSL proxy (Webwasher), and now imagine that your local wireless provider,
or the neighbor whose open WLAN you're using, has an SSL proxy.  They have
your goodies, when you think you're doing SSL straight through.   If they're
proxying everything via an altered SOCKS or similar setup, they can catch
the certificate authority lookups, the whole nine yards.  Control the
gateway and you control reality.  

If there is anybody out there in security who thinks 'oh, that is not going
to happen, it is not worth the trouble', well, that's what they thought
about logging for SYN/ACK pairs and the first 40 characters too.  I think
there's a real market opportunity there for an 800-pound gorilla like Google
to do something about it.  There's also a market space out there for folks
willing to run point-of-origin-based encryption proxies for a niche market.
I'd go do it myself if I wanted to go play ISP/ASP, but 24x7 support is a
young man's game.

best regards,
Strata
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
* Artist, Gardener, Engineer, Slacker, Bodhisattva  *
* Strategic IT Consulting   |  strata () virtual net *
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*


-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com