TOR project uncovers flaw in mass-surveillance appliance


13 Responses to “TOR project uncovers flaw in mass-surveillance appliance”

  1. Nice, so by snooping, you open the door to other snoops. This is why you use GRE tunneling.

  2. Jeremy Mesiano-Crookston says:

    I can only assume this is what killed Andy Griffith.

  3. Jim Lippard says:

    Cyberoam makes consumer and SMB Unified Threat Management (UTM) appliances which do SSL inspection by generating certificates for remote sites–as do other UTM appliances from vendors like Fortinet, Dell/SonicWALL, and Palo Alto Networks.  There’s no evidence of a “mass-surveillance appliance” implicated here–the original report probably came from somebody working for an organization that is using a Cyberoam as their Internet firewall.

    My home Fortinet device does the same thing, though I reconfigured it to use a subordinate CA from my own CA instead of the default Fortinet CA which is used by all Fortinet devices.

    • dragonfrog says:

      Either way – the fact that most of these devices ship with a default, globally identical, CA cert, is just wrong.  These are companies that specialize in network security, selling to customers who mostly don’t – this is the sort of thing they should have been getting right for a decade or more.

  4. mrmcd says:

    So let me see if I understand this correctly: Cyberoam makes a DPI device, and claims they can even look into SSL connections, although the way they accomplish this is to just generate a fake certificate signed by their own device cert, and then set up an automatic man-in-the-middle attack. The problem is that no browser actually recognizes the Cyberoam cert as a trusted CA, so if you actually enable this feature, it just causes the browser to pop up a bunch of security warnings about an untrusted certificate, unless the user explicitly installs the Cyberoam CA in their browser. Presumably in a corporate environment this would be the designated desktop monkey going around and forcing every browser instance to accept the cert, so then OmegaEvilCorp LLC can spy on employees’ SSL connections without a security warning tipping anyone off.

    Except here some genius at Jordan’s Ministry of Democracy Management and Interweb Obedience (or whatever) tried to use one of these devices against Tor users, but forgot the part where they have to install fake CA certs in every browser in the country. This tipped off Tor and caused them to look a bit deeper at what Cyberoam was doing. The icing on the cake is that the geniuses in India, to whom Cyberoam outsourced the development effort, used the same CA cert for every single device without an intermediate cert. This means that anyone who’s had the poisoned CA cert forced on them (such as employees of OmegaEvilCorp) could have their traffic intercepted and decrypted anywhere on the internet by anyone with access to a Cyberoam device, not just OmegaEvilCorp’s IT department. So not only is it evil, but it’s a pretty incompetent, dangerous form of evil to boot. Lovely!

    I did like this footnote, though:

    [1] In the corporate setting, willing victims are often known as “employees”. Unwilling victims should not, of course, install the CA certificate, nor should they click through certificate warnings.

  5. Max Allan says:

    Surely the whole “Invalid certificate” thing would raise a concern in most people’s browsing. I mean, yes it’s trying to trick you into accepting a fake cert, but not trying very hard.
    There are a number of SSL inspection devices that do the same thing.

    I don’t know how good the Cyberoam boxes are but there are plenty of similar things that are so black-boxed you’ll never get the CA cert out of it without some seriously hard work, and then what have you got? An untrusted cert which you could use to decrypt something if you manage to get yourself a “man in the middle” position on someone who was stupid enough to accept the cert, or if you can steal an old capture file from someone who was snooped on and the metadata about who they are etc…
    I agree it’s not the most secure solution, but it seems pretty unlikely to be exploited. If you’re dealing with an organisation who can get that sort of information then they’ve got better ways of finding your secrets (like rubber truncheons and sodium pentothal).

    • dragonfrog says:

      Surely the whole “Invalid certificate” thing would raise a concern in most people’s browsing.

      You’d hope so, wouldn’t you?  And yet, repeated studies of actual human behaviour show that a vanishingly small proportion of people pay any attention to them (or understand their implication).

      TOR users are probably one of the few user populations where more than a handful of users would think anything of the error.

      • TaymonBeal says:

        Of course, part of the reason for this is that the proportion of certificate errors that aren’t false positives is ridiculously small.

        A well-known report from Microsoft Research (PDF) went so far as to say that “as far as we can determine, there is no evidence of a single user being saved from harm by a certificate error, anywhere, ever.”

      • David Newman says:

        Ah, but in this case the client’s browser won’t complain because this box acts as a proxy and presents a _valid_ certificate to the client.

        Cyberoam has lots of company in doing this. Besides the vendors Jim Lippard names, Check Point, Cisco, Juniper, Barracuda, and probably others also do SSL decryption/inspection.

        Also, characterizing Cyberoam as a US company both is and isn’t right. Cyberoam’s web site notes it has US offices, but that it’s a division of Elitecore Technologies Pvt. Ltd., which is an Indian company. Elitecore’s site, in turn, notes they have VC funding from the US-based Carlyle Group.

        • dragonfrog says:

          Valid, but not trusted by default – that’s how it was discovered.

          The things are designed to be deployed in a setting where the IT admins also control all the computers, so they can distribute or revoke trusted root certs as needed.  The Jordanians got busted because they used it outside that context.
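The mechanism mrmcd lays out above (a device CA minting a certificate per intercepted site) and the distinction the replies draw between "valid" and "trusted by default" can be played through in code. The following Go program is an added example, not part of the thread and not any vendor's code; it uses only the standard library, generates throwaway keys, and the names `Appliance`, `Shared Inspection CA`, `Unrelated Inspection CA` and `mail.example.com` are constructed for the illustration. It checks four cases: a browser with no appliance CA installed, an "employee" browser that has installed device A's CA and sits behind A, that same browser behind a second unit that ships the identical CA key, and that browser behind an unrelated device with its own CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Appliance models one SSL-inspection device: the CA certificate it presents
// as issuer and the private key it signs with (constructed illustration).
type Appliance struct {
	CACert *x509.Certificate
	CAKey  *ecdsa.PrivateKey
}

// mint generates a key pair, signs tmpl with parent/signer (self-signed when
// signer is nil) and returns the parsed certificate plus its private key.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil { // self-signed: the CA signs its own certificate
		signer = key
	}
	limit := new(big.Int).Lsh(big.NewInt(1), 62)
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, limit); err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewAppliance creates a device with its own freshly generated, self-signed CA.
func NewAppliance(caName string) (*Appliance, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: caName},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, key, err := mint(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	return &Appliance{CACert: cert, CAKey: key}, nil
}

// ForgeLeaf is what the appliance does per intercepted connection: issue a
// server certificate for host on the fly, signed by its device CA.
func (a *Appliance) ForgeLeaf(host string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := mint(tmpl, a.CACert, a.CAKey)
	return cert, err
}

// ClientAccepts reports whether a client whose trust store is exactly roots
// would accept leaf for host without a certificate warning.
func ClientAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Scenario plays the thread's cases through: no appliance CA installed; an
// "enrolled" client behind device A; the same client behind a second unit that
// ships A's key; and the same client behind an unrelated device with its own CA.
func Scenario() (noCA, enrolledSame, enrolledShared, enrolledOther bool, err error) {
	const host = "mail.example.com" // constructed name of the intercepted site
	a, err := NewAppliance("Shared Inspection CA")
	if err != nil {
		return
	}
	b := &Appliance{CACert: a.CACert, CAKey: a.CAKey} // second unit, identical key
	c, err := NewAppliance("Unrelated Inspection CA")
	if err != nil {
		return
	}
	var leaf [3]*x509.Certificate
	for i, dev := range []*Appliance{a, b, c} {
		if leaf[i], err = dev.ForgeLeaf(host); err != nil {
			return
		}
	}
	enrolled := x509.NewCertPool() // the "employee" trust store: device A's CA only
	enrolled.AddCert(a.CACert)
	noCA = ClientAccepts(leaf[0], host, x509.NewCertPool())
	enrolledSame = ClientAccepts(leaf[0], host, enrolled)
	enrolledShared = ClientAccepts(leaf[1], host, enrolled)
	enrolledOther = ClientAccepts(leaf[2], host, enrolled)
	return
}

func main() {
	noCA, same, shared, other, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("no CA installed:", noCA, "| enrolled, same device:", same,
		"| enrolled, shared key:", shared, "| enrolled, other CA:", other)
}
```

The first result is the Jordanian case: with no appliance CA in the trust store the forged certificate fails with an unknown-authority error, which is what tipped off the Tor users. The third result is the point dragonfrog and mrmcd make: once a client has installed the shared CA, a certificate from any other unit carrying the same key is accepted just as silently, so a trust decision made for one device is a trust decision for all of them. The per-device or per-organisation subordinate CA that Jim Lippard describes configuring is exactly what makes the fourth case (a device with its own CA being rejected) the normal one.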

  6. For this very reason we created Jumpto.com. We do not need external certificates to validate our security, yes, we have one but it is a small cog in a much bigger machine. Basically, a Jumpto user is given their own private and encrypted cloud. From there they can peek down into the rest of the Internet or execute cloud based applications that we have developed and are slowly releasing. Proxies of all flavors, including TOR are susceptible to intrusions, Jumpto is not. http://www.jumpto.com

  7. Karen says:

    I completely agree with Fred Luchetti. I am a Jumpto user and enjoy completely secured browsing. I’ve tried the others which use antiquated technologies such as VPNs.
