


News
#1 Posted : Friday, October 17, 2014 9:40:20 AM(UTC)
Earlier this year, VPN provider Golden Frog (creators of the VyprVPN service) debuted front and center in the debate over net neutrality. One of their customers, Colin Nederkoorn, published a video showing how switching to VyprVPN increased his network performance by a factor of 10. Full Disclosure: I've run my own tests on VyprVPN, and while I did not see the 10x improvement that Mr. Nederkoorn documented, Netflix streaming speeds to my own system became much less erratic, while throughput doubled over time.

Now, Golden Frog has filed a brief with the FCC, discussing both this incident and another, more troubling problem for security advocates -- the detection of ISPs performing man-in-the-middle attacks against their own customers. According to information cited in the briefing, one wireless provider was caught blocking the use of STARTTLS encryption.

It might seem odd that Golden Frog is taking a position on this point, since ISP blockages and "traffic management" actively help create a need for its own product. As the company notes, however, "the very same Internet access providers... can throttle or block VPNs, proxies, or encryption if the Commission imposes no effective rules." The current proposed rules before Wheeler's commission do not prohibit the blocking of encryption services, leading GF to conclude that "the Netflix throttling may be the problem of today and encryption blocking the problem of tomorrow."

Why Block Email Encryption In The First Place?

STARTTLS is used to encrypt traffic sent over SMTP -- email, in other words. Because an email from Point A to Point Z may travel through a number of unsecured routers to reach its final destination, unencrypted email is intrinsically insecure. STARTTLS was developed to mitigate this problem -- it allows for initial cleartext communication but then requests the server switch to an encrypted mode.

What Golden Frog documented was the interception and modification of multiple requests to begin using STARTTLS into an entirely different set of commands, thereby preventing the encrypted link from ever being established. According to GF, the process bears striking resemblance to a feature inside Cisco's Adaptive Security Appliance. This particular feature can be used to limit the controls and capabilities that a client can access on a server, while suppressing return messages that would indicate certain features are not engaged.

Here's what the encryption sequence should look like:

And here's what's actually happening on this provider:

The problem of overwritten encryption is potentially far more serious than an issue of Netflix throttling, even if the latter tapped consumer discontent more readily. If ISPs are allowed to perform MitM attacks against their own customers for whatever private means they've determined, without consultation or notification of said customers, then any personal attempt to secure data, for any reason, is fundamentally compromised. This could have severe impacts on companies that rely on the Internet for transfer of trade secrets or private communication.
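The EHLO/STARTTLS negotiation described in this post, as an added example that is not part of the original post or of Golden Frog's brief: a small Python simulation of the SMTP capability exchange, with a client that fails closed when the STARTTLS keyword is missing from the server's reply or the upgrade is refused. The two EHLO transcripts, the hostnames and the `FakeServer` stand-in are constructed for illustration; the `ALTERED` token merely represents a keyword overwritten in transit and is not the bytes any real device emits.

```python
"""Simulated SMTP STARTTLS negotiation with a client that fails closed.

Added illustration; not code from the original post or from Golden Frog.
Transcripts, hostnames and the FakeServer stand-in are constructed.
"""
import re

# Constructed EHLO reply from a server that offers STARTTLS.
NORMAL_EHLO = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Constructed EHLO reply in which an on-path device has overwritten the
# STARTTLS keyword with a different token, so the client never sees the offer.
# "ALTERED" is a placeholder, not the real replacement bytes of any device.
STRIPPED_EHLO = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-ALTERED\r\n"
    "250 8BITMIME\r\n"
)

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply):
    """Parse a multi-line EHLO reply into (code, [capability keywords]).

    Every line must carry the same 3-digit code; '-' marks a continuation
    line and ' ' marks the final line (RFC 5321 multi-line reply format).
    The first line is the greeting, not a capability.
    """
    lines = [ln for ln in reply.split("\r\n") if ln]
    code, caps = None, []
    for i, ln in enumerate(lines):
        m = _LINE.match(ln)
        if not m:
            raise ValueError("malformed reply line: %r" % ln)
        this_code, sep, text = m.groups()
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("inconsistent reply code across lines")
        is_last = i == len(lines) - 1
        if (sep == " ") != is_last:
            raise ValueError("continuation marker does not match line position")
        if i > 0:
            caps.append(text.split()[0].upper())
    return code, caps


def starttls_offered(reply):
    """True only if the reply is a 250 and advertises the STARTTLS keyword."""
    code, caps = parse_ehlo(reply)
    return code == "250" and "STARTTLS" in caps


class FakeServer:
    """Constructed stand-in for the far end; answers EHLO and STARTTLS only."""

    def __init__(self, ehlo_reply, starttls_reply="220 2.0.0 Ready to start TLS\r\n"):
        self.ehlo_reply = ehlo_reply
        self.starttls_reply = starttls_reply

    def send(self, command):
        if command.upper().startswith("EHLO "):
            return self.ehlo_reply
        if command.upper() == "STARTTLS":
            return self.starttls_reply
        return "502 5.5.1 command not implemented\r\n"


def negotiate(server, require_tls=True):
    """Decide how the client proceeds after EHLO. Returns one of:

      'tls'                     - server answered STARTTLS with 220; handshake may begin
      'plaintext'               - opportunistic mode only: carry on unencrypted
      'refused:no-starttls'     - capability missing; client fails closed
      'refused:starttls-failed' - capability advertised but the upgrade was rejected
    """
    ehlo = server.send("EHLO client.example.test")
    if not starttls_offered(ehlo):
        return "refused:no-starttls" if require_tls else "plaintext"
    reply = server.send("STARTTLS")
    if not reply.startswith("220"):
        return "refused:starttls-failed" if require_tls else "plaintext"
    return "tls"


if __name__ == "__main__":
    for name, ehlo in (("normal", NORMAL_EHLO), ("stripped", STRIPPED_EHLO)):
        print(name, "->", negotiate(FakeServer(ehlo)))
```

The point of `require_tls=True` is the defensive one: a client configured for opportunistic encryption quietly falls back to plaintext when the keyword is rewritten, which is exactly what makes the interception invisible to the user, whereas a client that requires TLS for the session turns the same rewrite into a visible failure.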
RJeffries
#2 Posted : Friday, October 17, 2014 10:28:55 AM(UTC)
Sprint's network comes to mind! #ijs

mernerion
#3 Posted : Saturday, October 18, 2014 7:57:50 AM(UTC)
Are these providers going to get problems for this?

CliffVincent
#4 Posted : Sunday, October 19, 2014 3:18:06 AM(UTC)
Not like anyone can do anything about it. South Park said it pretty well... they love bumming us out.

basroil3
#5 Posted : Sunday, October 19, 2014 9:46:56 PM(UTC)
This has to be in violation of federal wiretapping laws, and if not it certainly is in violation of DMCA copyright protection if you use STARTTLS to protect photographs, audio, and video you created.
