Who is Snooping?
August 7, 2013
Americans have lately become aware that sometimes their phone calls and web data might be looked at by spies and spooks in our government, and this has outraged many. In a companion article, “Wither Privacy?” I explained how monitoring of communications, not just by government, but many individuals, has been the norm throughout history.
One theme I expanded upon therein was my belief that, popular-press-induced panics aside, our personal communications are probably more secure than they have ever been, for a variety of reasons primarily related to advancing technology. Wireless phone calls, for example, are no longer carried in the clear, where neighbors could all too easily eavesdrop.
Where one still feels concern about keeping confidential things confidential, sophisticated tools exist to keep our secrets, and I recommended some of those tools, such as TrueCrypt and others. Between modern technologies in general and the judicious use of tools such as Public Key Cryptography we can keep our data safe. Mostly. A determined snoop, especially one with governmental resources, can probably best any step we take, but not without considerable effort. It would be a determined spook who unlocked a TrueCrypt volume, for example.
Advancing technology has also done a lot to secure our web activities. In the early days of the web, nearly all traffic was carried in the clear. Anyone with even some basic tools could easily intercept web traffic and see what we saw. Spoofing an entire web site was quite possible. It was relatively trivial to make someone think they were on a given web site, when instead they were interacting with a pirate site of the bad guy's own making.
Some years back, there was a news story about some enterprising thief who built an ATM machine. It looked exactly like a bank ATM machine. He placed it in front of the bank and unsuspecting customers would come along, insert their card, enter their PIN, and then be told this machine was out of service and to use another machine. The customer would then dutifully step over to the next machine and complete their transaction, unaware that their account information along with their PIN had just been stolen. With the stolen information, the thief could make a counterfeit ATM card and easily empty the customer's account.
This is EXACTLY what could all too easily happen when web traffic was carried in the clear. The bad guy could reroute your traffic to a bogus site, get you to enter your password, and then redirect you to the real site, having stolen your password. Fortunately, the network designers quickly realized that this was a problem and used the tools of Public Key Cryptography to encrypt connections while the web was still young. Today we are accustomed to looking for the little padlock symbol, and the HTTPS (the S stands for “Secure”) in the URL, when we log in to our bank or another sensitive site.
Connections established by the secure technology are encrypted via something called SSL, for “Secure Sockets Layer”, and yes, it is really quite secure. Intercepting an SSL data stream and decrypting it is, for the most part, impossible. Even the NSA's supercomputers can't really do it.
You can trust an SSL Connection. Or Can You??? Well, the real answer is, mostly, but not completely.
Employers, educational institutions and others have always employed monitoring and filtering systems to watch what the users are doing on the network. Libraries for example, often have Porn filters to keep patrons away from porn sites, and so on. When the traffic was all in the clear, this was easy. The occasional SSL encrypted bank session or such did not concern anyone.
For several years, the computational resources, both on the user's PC and the site's server, required to establish and maintain an SSL connection were fairly significant, so they were used only for data sensitive enough to justify it. Banks and the like used it, but most ordinary web sites did not. But again advancing technology has made this “cost” of employing secure connections less onerous, and more and more web sites are switching to secured, encrypted connections for most, if not all traffic.
Moving more and more Internet traffic to encrypted status is great for Internet users who like their privacy, but a royal pain for those who would monitor such traffic. Network traffic monitoring and filtering is increasingly “blinded” by the use of HTTPS connections. The FBI in particular is frustrated by this, and has a name for what is happening. They refer to it as the “Going Dark Problem” as for them the Internet is effectively “going Dark” all around them as they are able to monitor less and less.
The hole in the process that allows anyone with the resources to monitor encrypted Internet traffic is simple. When a secure connection is established, a signed security certificate is presented by the web site. That certificate is validated by a “Certificate Authority” that your browser already trusts. Inserting a bogus “Certificate Authority” into that list of trusted authorities is all it takes to validate any bogus security certificate.
Here, in non-technical terms, is how it works. First, the snoop arranges to insert their bogus certificate authority into the user's computer. This isn't as hard as you might think, but if the snoop has government resources, perhaps they only need to subvert legitimate certificate authorities.
Second, they re-route your traffic through their monitoring tools, or proxy. This breaks the secure connection between your computer and the web site, but they simply establish a new one. With their proxy in the loop, you have a secure connection between your computer and their proxy. Your lock symbol is locked and you are none the wiser. They then establish a secure connection from the proxy to the web site. The web site sees this as valid, and they are happily secure. The only problem is, the certificate presented to your browser is WRONG, and does not match the certificate issued by the web site. But that is ok, as the Certificate Authority has vouched for the bogus certificate, so no one is aware of the failure.
You are blissfully secure in knowing you are using a secure connection, but IT'S ALL A LIE. You are only securely connected to the monitoring proxy!!
How real is this scenario? VERY! Check out this ZDNET story of how Nokia did exactly this, and got caught!
This sort of attack is called “Man in the Middle” and is used far more than most realize, or would believe. Man in the Middle attacks are easily spotted, IF you check the actual certificate and verify it is from your bank and not some intermediary. But really, who is going to do that?
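As an added example that is not part of the original article, the following Go program (standard library only) builds the situation just described: a trust store holding a legitimate root plus an inserted bogus root, a certificate for the constructed hostname bank.example issued by each, and the two checks that separate them. Ordinary chain validation, which is all the browser does on its own, accepts the proxy's certificate because the bogus root is trusted; comparing the certificate's fingerprint with one recorded beforehand does not. The CA names, the hostname and the pinned value are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert builds a constructed test certificate for cn: a self-signed root CA when parent is nil, otherwise a server certificate for host cn signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root CA: may sign certificates, and signs itself
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	} else { // server certificate for the named host
		tmpl.DNSNames, tmpl.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// ChainValid is the browser's check: does the certificate chain to any trusted root for host?
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
// Fingerprint is the SHA-256 hash of the DER certificate, the value a fingerprint check compares.
func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }
// Scenario reproduces the article's setup and reports: genuine certificate chains? proxy certificate chains? proxy fingerprint matches the pinned one?
func Scenario() (genuineChain, proxyChain, proxyPin bool) {
	legitCA, legitKey := newCert("Legit Root CA", nil, nil)
	bogusCA, bogusKey := newCert("Bogus Root CA", nil, nil) // the snoop's own CA
	roots := x509.NewCertPool()                             // the user's trust store ...
	roots.AddCert(legitCA)
	roots.AddCert(bogusCA) // ... with the bogus root inserted, as the article describes
	const host = "bank.example" // constructed hostname
	genuine, _ := newCert(host, legitCA, legitKey)
	proxy, _ := newCert(host, bogusCA, bogusKey) // what the monitoring proxy presents instead
	pinned := Fingerprint(genuine)               // recorded out-of-band, before any proxy was in the loop
	return ChainValid(genuine, roots, host), ChainValid(proxy, roots, host), Fingerprint(proxy) == pinned
}
```

On a real connection the value to compare against would come from the site's operator or a published fingerprint list rather than from a certificate generated in the same program.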
There is another type of Certificate that addresses this weakness, one that, in effect, “double checks” the certificate's validity for you. It is called an “Extended Validation” or EV Certificate. When your web site uses an EV Certificate, the URL in the address bar turns GREEN to indicate its presence. An EV Certificate cannot be spoofed!
Well, unless, that is, you are using what has long been known as the worst browser on the planet. Internet Explorer does not properly validate and support EV Certificates. Therefore I most strongly recommend that you NEVER use Microsoft's browser for any web transaction that you need to be secure. Friends don't let Friends Use IE.
If you use Chrome, or Firefox, and you have the lock symbol and a green URL, you can trust your web session is secure. If you go to a site known to use EV Certificates (most banks and brokerages do for example) and DO NOT see the green URL, your connection is untrustworthy, and you should NOT use it.
An Extended Validation (EV) certificate, if you are on Firefox or Chrome, can, for the present, be trusted as secure. That may change, as the snoops are always searching for new ways to intercept our information. For now, however, it is as good as it gets. A green URL bar means you are safe.
Security researcher Steve Gibson has an extensive explanation of web security, SSL HTTPS and EV Certificates, and offers tools to test web sites for valid certificates. If you are interested in learning more about this topic, I highly recommend reading his pages at https://www.grc.com/fingerprints.htm
This article is intentionally superficial and non-technical, aimed at the non-technical user. I have intentionally omitted lots of details that are important and interesting to those of us more “into” the technology side of things. For the gory details, Steve has the Nitty that is Gritty. Give his pages a skim at least.