Interesting People mailing list archives
Re: Gmail 'hacking' - some perspective
From: "Dave Farber" <dave () farber net>
Date: Fri, 10 Aug 2007 05:43:53 +0900
-----Original Message-----
From: Strata R Chalup [mailto:strata () virtual net]
Sent: Friday, August 10, 2007 5:37 AM
To: Dave Farber
Subject: Fwd: [IP] Gmail 'hacking' - some perspective

Hi Dave,

Roelof Temmingh brings up some excellent points about the security issues, and about SSL.

An issue that doesn't get much press regarding SSL 'security' is that one's network (wireless or non) could be doing transparent proxying of SSL. Folks get a false sense of security from having 'secure' web connections and little shiny "is this the right picture?" front ends to sites like banks and credit card companies. So they log into the free wireless at the local coffeeshop, public park, piggyback off a neighbor's network, etc., thinking they're not at risk. Surprise! Their 'gateway' could in fact be a transparent proxy that is phishing them up the wazoo.

Read Jon Udell's April 2007 article about enhancing corporate security with an SSL proxy (Webwasher), and now imagine that your local wireless provider, or the neighbor whose open WLAN you're using, has an SSL proxy. They have your goodies, when you think you're doing SSL straight through. If they're proxying everything via an altered SOCKS or similar setup, they can catch the certificate authority lookups, the whole nine yards. Control the gateway and you control reality.

If there is anybody out there in security who thinks 'oh, that is not going to happen, it is not worth the trouble', well, that's what they thought about logging for SYN/ACK pairs and the first 40 characters too.

I think there's a real market opportunity there for an 800-pound gorilla like Google to do something about it. There's also a market space out there for folks willing to run point-of-origin-based encryption proxies for a niche market. I'd go do it myself if I wanted to go play ISP/ASP, but 24x7 support is a young man's game.
best regards,
Strata

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
* Artist, Gardener, Engineer, Slacker, Bodhisattva *
* Strategic IT Consulting | strata () virtual net *
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
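The interception scenario Strata describes, in which a gateway terminates SSL and presents its own certificate, is what certificate pinning is meant to catch: even if the proxy's CA is trusted on the client, the fingerprint of the certificate it presents will not match the one the real site is known to use. The following is an added example, not code from the original post; the DER byte strings are constructed stand-ins rather than real certificates, and `mail.example` is a placeholder host.

```python
"""Certificate pinning check: detect a TLS-intercepting gateway.

Added example, not from the original post. A transparent SSL proxy must
present its own leaf certificate for the site. Ordinary chain validation
can still pass if the proxy's CA is trusted on the machine, but the
SHA-256 fingerprint of that certificate will not match the pinned one.
"""
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """Lowercase hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_pins) -> bool:
    """True if the presented certificate matches one of the pinned fingerprints.

    compare_digest keeps the comparison constant-time. Keep at least one
    backup pin in the list so a planned certificate rotation does not
    look like an attack.
    """
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin.lower()) for pin in expected_pins)


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Connect with normal chain validation and return the leaf cert as DER bytes."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_host_pin(host: str, expected_pins) -> bool:
    """Report whether the certificate a live host presents is the pinned one."""
    return pin_matches(fetch_peer_cert(host), expected_pins)


# Constructed stand-ins for DER certificate bytes (not real certificates):
# what the genuine site presents versus what an intercepting gateway would.
GENUINE_CERT = b"constructed-der-bytes-for-mail.example"
PROXY_CERT = b"constructed-der-bytes-from-intercepting-gateway"
PINS = [cert_fingerprint(GENUINE_CERT)]  # recorded on a trusted network

if __name__ == "__main__":
    print("genuine cert accepted:", pin_matches(GENUINE_CERT, PINS))  # True
    print("proxy cert accepted:  ", pin_matches(PROXY_CERT, PINS))    # False
```

A mismatch from `verify_host_pin` on a network you do not control is the signal to stop and not enter credentials, rather than something to click through.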