Vulnerability Development mailing list archives
Re: Comcast man-in-the-middle attack
From: jon schatz <jon () divisionbyzero com>
Date: 08 Feb 2002 10:42:23 -0800
On Thu, 2002-02-07 at 20:33, J Edgar Hoover wrote:
This allows them to not only log all http requests, but to also log the response. Apparently they aren't using it to maximize bandwidth, because it's not configured to serve cached data.
How do you know that it's not configured to serve up cached content?
And yes, they have purchased a lot of the specific, unique hardware that is required to do all this logging.
Once again, where's your inside knowledge of this?
If a comcast victim/customer sends a packet to port 80 at any IP address, it is intercepted by the Inktomi Traffic-Server, the contents of the packet are examined for the GET url and the "Host:" field. The Inktomi Traffic-Server then sends the http request on to your destination from it's address with modified content and headers. It then caches the returned data, changes both the header and the content, and sends the packet to your machine with the spoofed IP of the server you had requested.
This is standard behavior for a transparent web proxy. Nothing new here. These have been around for a while, and Inktomi is not the only company to deploy one. Hell, you can do this with squid and ipchains: http://www.linuxpowered.com/archive/mini/TransparentProxy.html#toc5
This allows them to monitor and change (or insert ads into) what you read.
It most certainly does. How do you know that they aren't already? They probably aren't though, because as of 6 months ago, none of the major players had the ability to insert content into requests. (more on this later).
Interestingly, regardless of what IP you address the packet to, the Inktomi Traffic-Server reads the Host: field to determine where to send the packet.
Once again, standard behavior for a proxy request. Most (if not all) proxies are dependant on a partial HTTP/1.1. implementation, and without the host header, all would be lost...
US Code TITLE 18, PART I, CHAPTER 119, Sec. 2511. (2) (a) (i) "...a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks."
AFAIK, this isn't snooping. I don't see the big deal. Most dialup users are surfing transparently through a cache; the next big thing is supposedly edge appliances that do this as a feature. Disclaimer: I do have inside knowledge. Not of Inktomi, but of a former employer who manufactured a multi protocol transparent proxy capable of real-time modification of content. It was pretty sweet technology.
Does federal law only apply when a little guy snoops on a big corporation? Where are the feds now?
They're monitoring this whole exchange through the carnivore they installed at mae-[east|central|west] :-) -jon -- jon () divisionbyzero com || www.divisionbyzero.com gpg key: www.divisionbyzero.com/pubkey.asc think i have a virus?: www.divisionbyzero.com/pgp.html "You are in a twisty little maze of Sendmail rules, all confusing."
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Comcast man-in-the-middle attack J Edgar Hoover (Feb 07)
- Re: Comcast man-in-the-middle attack jon schatz (Feb 08)
- Re: Comcast man-in-the-middle attack J Edgar Hoover (Feb 08)
- Re: Comcast man-in-the-middle attack jon schatz (Feb 08)
- Re: Comcast man-in-the-middle attack J Edgar Hoover (Feb 08)
- Re: Comcast man-in-the-middle attack jon schatz (Feb 08)
- Re: Comcast man-in-the-middle attack Crist J. Clark (Feb 09)
- Re: Comcast man-in-the-middle attack Alen Capalik (Feb 09)
- Re: Comcast man-in-the-middle attack - tech J Edgar Hoover (Feb 09)
- Re: Comcast man-in-the-middle attack - ethics J Edgar Hoover (Feb 09)
- Re: Comcast man-in-the-middle attack - ethics Blue Boar (Feb 09)
- Re: Comcast man-in-the-middle attack - ethics John Hall (Feb 10)
- Re: Comcast man-in-the-middle attack J Edgar Hoover (Feb 08)
- Re: Comcast man-in-the-middle attack jon schatz (Feb 08)