Man in the middle, then and now

When the internet started, a long long time ago, things were a bit more trusting. This isn’t all that surprising as the internet actually started as ARPANET which was a research network created with funding from the US department of defense.

The network of networks experiment, that later became the internet, was in its infancy and the level of trust was actually relatively high. In the intervening years we still see from time to time references about some technology along with the inevitable quote that this bit of technology springs from a more trusting time.

One important example of this is the DNS service. This service is the address book of the internet and an important piece of infrastructure. Why isn’t that service more secure? Well that is because of the origins of the internet.

It was this level of trust that has caused more than one security problem over the last 40 or so years. I cannot find the actual researcher who first came up with the theoretical possibility of the man-in-the-middle attack.

It isn’t really that complicated to understand. In a man in the middle attack, someone secretly relays and possibly alters your communications with another party.

Over the years this process has become so simple that you can use this technique to view what your victim is viewing with just a 5 minute tutorial on youtube.

The problem was known fairly early on and nobody really wanted to other people to view what they were doing so came the introduction of HTTPS.

It is still possible to see where people are going but with this new level of encryption it is not possible to see what exactly is being communicated. It is necessary that the web site has a signed certificate to verify its authenticity. Thus is it possible to verify that you are communicating directly with the person or site that you think you are. This is a good solution unless somebody comes up with a way to circumvent this.

Uh oh

Anything that can be done can be worked around. If you install another certificate for the man in the middle it would allow that person or organization to decrypt the users HTTPS traffic, examine it and then encrypt it again with this certificate. This would completely undo the security of using HTTPS. If this were in place it would no longer be possible to trust a web page or email had not been altered or read.

Nobody in their right mind would volunteer to be part of such a technical solution. Would they?

Small time experiment

Such a solution would work if there were a “small” coordinated effort from the local ISP’s forwarding all traffic to a central point.

This situation is no longer a piece of fiction due to the actions of the Kazakhstan government. Just a few days ago, July 17 2019, came a change that required the local ISP’s to install the government certificate and the government has begun to intercept all HTTPS traffic.

https://www.zdnet.com/article/kazakhstan-government-is-now-intercepting-all-https-traffic/

It is undoubtedly an experiment that is being closely monitored by other governments around the world. It is not too far of a leap to governments or security apparatus petitioning their local politicians that such efforts are necessary due to terrorism concerns. It is unclear if such a change would cause an uproar but there have been a lot of other changes that have been done in the name of security.

USA

  • Patriot act and domestic spying
  • Dept of Homeland security
  • Military Tibunals and Guantanamo bay

Flights

  • Liquids ban
  • TSA locks
  • Millimeter wave full body scanners
  • Removing shoes and belts
  • Terrorist watchlist
  • Extra scanning of phones, tablet and laptops

Other

  • Increased surveillance via CCTV

This is not an extensive list but even so some of these changes have even been analyzed and the results have not proven that these security results to be effective.

https://www.aclu-wa.org/blog/pull-plug-patriot-act

We can only hope that full-time surveillance of the internet will be too expensive and opposed by democratic thinkers.

This entry was posted in security. Bookmark the permalink.