We selected the following articles as some of the more interesting pieces of news on the subject of SSL and network security this week.
Revealed: ISPs Already Violating Net Neutrality To Block Encryption And Make Everyone Less Safe OnlineOn Techdirt, Mike Masnick reports on evidence that not only are broadband ISPs throttling Netflix to their users, but that it looks like some are actively foiling the encryption efforts of their customers. VPN Golden Frog has provided research to the FCC on the topic of net neutrality. In the research they provide compelling evidence about bandwidth throttling and even more worrisome, evidence regarding how ISPs can block encryption. Golden Frog writes, “(This research) shows that a wireless broadband Internet access provider is interfering with its users’ ability to encrypt their SMTP email traffic. This broadband provider is overwriting the content of users’ communications and actively blocking STARTTLS encryption. This is a man-in-the-middle attack that prevents customers from using the applications of their choosing and directly prevents users from protecting their privacy. “
Golden Frog explains that the mobile wireless provider tweaks a server’s “250-STARTTLS” response which would otherwise tell the client about the server’s encryption capability. When the client doesn’t receive the proper STARTTLS acknowledgement, it proceeds without encryption. If the client still attempts to use the STARTTLS command, the wireless ISP intercepts the client’s commands to the server and changes it too, resulting in an error message.
Masnick states, “As Golden Frog points out, this is ‘conceptually similar’ to the way in which Comcast was throttling BitTorrent back in 2007 via packet reset headers, which kicked off much of the last round of net neutrality concerns. The differences here are that this isn't about blocking BitTorrent, but encryption, and it's a mobile internet access provider, rather than a wired one. This last point is important, since even the last net neutrality rules did not apply to wireless broadband, and the FCC is still debating if it should apply any new rules to wireless.” The article concludes by pointing out that weak net neutrality rules could serve to encourage other shenanigans by ISPs that would undermine encryption and online privacy.
'The Snappening' Hack May Leak Up to 200,000 Sensitive Snapchat PhotosTwo third-party SnapChat apps—SnapSave and SnapSaved—are being blamed for a leak of tens of thousands of sensitive SnapChat photos. Paula Mejia of Newsweek reports that “The so-called “Snappening” was first blogged about by social media strategist Kenny Withers on Thursday, who estimated that hundreds of thousands of photos had been hacked by 4chan users. On Monday, The Daily Beast confirmed that a 13.6 GB file containing approximately 90,000 stolen photos and 9,000 videos were posted on a website called viralpop.com over the weekend. The site was quickly deleted, but not before the content was downloaded and widely shared across the internet on sites like 4chan and Reddit. The images were mostly of people from Europe, and many were explicit in nature.” SnapChat released a statement saying that third-party apps that capture the images passing through their app violate the terms of use and SnapChat was not at fault for the stolen images.
Law Enforcement Has Declared War on Encryption It Can’t BreakDan Gillmor of Slate reports on the ongoing debate around Google and Apple’s announcements that they will begin encrypting smartphone data by default. Attorney General Eric Holder and FBI Director James Comey are among the officials who have gone public to decry the new encryption plans. Gillmor opines, “Their goal can't only be to get Apple and Google to roll back this latest move, because as many people have pointed out, almost all of what people keep on their phones is also stored in various corporate cloud computers that law enforcement can pry open in a variety of ways, including a subpoena, secret order in alleged national security cases, or outright hacking. No, the longer-range objective seems plain enough. This is the launch of the latest, and most alarming, attack on the idea of encryption itself—or at least encryption the government can't easily crack. In particular, as the latest push to control crypto makes clear, law enforcement wants so-called back doors into users' devices: technology that users can't thwart, just in case the police want to get in.” Gillmor concludes that allowing the government to mandate backdoors in software will ultimately make everyone less safe because developers have never demonstrated the ability to create foolproof backdoors that can’t be exploited by criminal hackers.
This POODLE Bites: New Vulnerability Found on ServersThis week Google researches discovered the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability in SSL 3.0. See our earlier post to get all the details and learn how to eliminate the threat from your network.