Re: Comcast man-in-the-middle attack

[jon schatz <jon () divisionbyzero com>]

On Thu, 2002-02-07 at 20:33, J Edgar Hoover wrote:
> This allows them to not only log all http requests, but to also log the
> response. Apparently they aren't using it to maximize bandwidth, because it's not
> configured to serve cached data.

How do you know that it's not configured to serve up cached content?

> And yes, they have purchased a lot of the specific, unique hardware that
> is required to do all this logging.

Once again, where's your inside knowledge of this?

> If a comcast victim/customer sends a packet to port 80 at any IP address,
> it is intercepted by the Inktomi Traffic-Server, the contents of the
> packet are examined for the GET url and the "Host:" field. The Inktomi
> Traffic-Server then sends the http request on to your destination from
> it's address with modified content and headers. It then caches the
> returned data, changes both the header and the content, and sends the
> packet to your machine with the spoofed IP of the server you had
> requested.

This is standard behavior for a transparent web proxy. Nothing new here.
These have been around for a while, and Inktomi is not the only company
to deploy one. Hell, you can do this with squid and ipchains:

http://www.linuxpowered.com/archive/mini/TransparentProxy.html#toc5

> This allows them to monitor and change (or insert ads into) what
> you read.

It most certainly does. How do you know that they aren't already? They
probably aren't though, because as of 6 months ago, none of the major
players had the ability to insert content into requests. (more on this
later). 

> Interestingly, regardless of what IP you address the packet to, the
> Inktomi Traffic-Server reads the Host: field to determine where to send
> the packet. 

Once again, standard behavior for a proxy request. Most (if not all)
proxies are dependant on a partial HTTP/1.1. implementation, and without
the host header, all would be lost...

> US Code TITLE 18, PART I, CHAPTER 119, Sec. 2511. (2) (a) (i)
> "...a provider of wire communication service to the public shall not
> utilize service observing or random monitoring except for mechanical or
> service quality control checks."

AFAIK, this isn't snooping. I don't see the big deal. Most dialup users
are surfing transparently through a cache; the next big thing is
supposedly edge appliances that do this as a feature. 

Disclaimer: I do have inside knowledge. Not of Inktomi, but of a former
employer who manufactured a multi protocol transparent proxy capable of
real-time modification of content. It was pretty sweet technology.

> Does federal law only apply when a little guy snoops on a big  
> corporation? Where are the feds now?

They're monitoring this whole exchange through the carnivore they
installed at mae-[east|central|west] :-)

-jon

-- 
jon () divisionbyzero com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."

Attachment: signature.asc
Description: This is a digitally signed message part