From Sophos Naked Security:
Gogo forges YouTube SSL certificate to throttle high-bandwidth usage on flights
I will explain the seriousness of this to less technical readers. In many environments, proxy servers are deployed at various points in the network. One of the main functions of a proxy server is to control access to the internet.
When a proxy is used to control internet access, it can also decrypt SSL/TLS communications. This is done by installing a "decryption certificate" on the proxy, which the clients (your laptop/desktop, mobile device, tablet ...) are configured to trust. The proxy is then seen by the client as a trusted device, and when configured this way it is able to decrypt SSL/TLS encrypted data.
If you haven't figured it out already, this is essentially a man-in-the-middle (MITM) attack. Since the proxy sees the unencrypted traffic, it is able to see usernames, passwords, PINs and all other data that goes through it. Some organizations do this for legitimate purposes. The main reason this design is used in organizations is to detect malware that uses encrypted data streams to communicate with its command and control server(s).
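As an added illustration (not part of the original post or the Sophos article), the Go program below builds, entirely offline, a constructed public root CA, a constructed proxy "decryption CA", and a certificate for the same hostname from each, then shows what a client sees once the proxy's CA has been installed as trusted: the forged certificate passes ordinary chain validation, and only a public-key pin recorded on an earlier clean connection reveals the interception. The CA names, the keys and the hostname passed to Scenario are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a key pair and certificate for cn signed by parent (a self-signed root when parent is nil); everything is constructed locally.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = t, key
	} else { // server leaf: bound to the hostname the client will connect to
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// check mimics a pinning-aware client: validate the chain, then compare the leaf's SPKI hash to the pin.
func check(leaf *x509.Certificate, roots *x509.CertPool, host string, pin [32]byte) (chainOK, pinOK bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil, sha256.Sum256(leaf.RawSubjectPublicKeyInfo) == pin
}

// Scenario replays the post's setup: the proxy's "decryption certificate" is installed as a trusted
// root, so its forged certificate for host passes chain validation and only the recorded pin catches it.
func Scenario(host string) (genuineChain, genuinePin, forgedChain, forgedPin bool) {
	publicRoot, publicKey := issue("Public Root CA (constructed)", nil, nil)
	proxyRoot, proxyKey := issue("Proxy Decryption CA (constructed)", nil, nil)
	realLeaf, _ := issue(host, publicRoot, publicKey)
	forgedLeaf, _ := issue(host, proxyRoot, proxyKey)
	pin := sha256.Sum256(realLeaf.RawSubjectPublicKeyInfo) // pin recorded on an earlier, clean connection
	roots := x509.NewCertPool()
	roots.AddCert(publicRoot)
	roots.AddCert(proxyRoot) // the client has been told to trust the proxy's CA
	genuineChain, genuinePin = check(realLeaf, roots, host, pin)
	forgedChain, forgedPin = check(forgedLeaf, roots, host, pin)
	return
}
```

Because the client trusts the proxy's CA, chain validation alone cannot tell the forged certificate from the genuine one; the pin comparison is what exposes the proxy.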
The problem lies in what is done with the unencrypted data on the proxy and who has access to it. If the decrypted data is only stored long enough for analysis, or only a select few individuals are allowed to access the server, this is not too much of a concern. (Note: many privacy advocates will disagree with me on this and will have valid arguments. For the purposes of this blog I am only discussing the technical aspects of this technology. If you wish to discuss the privacy implications, please do so in the Comments section.) If, on the other hand, the unencrypted data is stored for a long period of time, or a large number of admins/analysts/engineers have access to the proxy server, this can be problematic. The IT staff with access can easily get at the data stored on the proxy, which may include the username/password combinations discussed earlier.