Re: [perpass] A reminder, the Network is the Enemy...

Ted Lemon <mellon@fugue.com> Wed, 20 November 2013 20:57 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 003F11AE13E for <perpass@ietfa.amsl.com>; Wed, 20 Nov 2013 12:57:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.426
X-Spam-Level:
X-Spam-Status: No, score=-2.426 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2IF_V2JuRaUI for <perpass@ietfa.amsl.com>; Wed, 20 Nov 2013 12:57:52 -0800 (PST)
Received: from toccata.fugue.com (toccata.fugue.com [204.152.186.142]) by ietfa.amsl.com (Postfix) with ESMTP id CF3311AE159 for <perpass@ietf.org>; Wed, 20 Nov 2013 12:57:52 -0800 (PST)
Received: from [10.0.10.40] (c-174-62-147-182.hsd1.nh.comcast.net [174.62.147.182]) by toccata.fugue.com (Postfix) with ESMTPSA id 378462380CB4; Wed, 20 Nov 2013 15:57:44 -0500 (EST)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <9B79CCC3-853E-42F4-8390-ED0EE019C275@icsi.berkeley.edu>
Date: Wed, 20 Nov 2013 15:57:43 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <B4A3135B-1391-4794-BE23-D823962C294C@fugue.com>
References: <9B79CCC3-853E-42F4-8390-ED0EE019C275@icsi.berkeley.edu>
To: Nicholas Weaver <nweaver@icsi.berkeley.edu>
X-Mailer: Apple Mail (2.1822)
Cc: perpass <perpass@ietf.org>
Subject: Re: [perpass] A reminder, the Network is the Enemy...
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2013 20:57:55 -0000

On Nov 20, 2013, at 3:42 PM, Nicholas Weaver <nweaver@icsi.berkeley.edu> wrote:
> We need to consider the network transporting our data as an active attacker, not just one which can observe/wiretap, but one that is both outside our control and willing to serve as a vehicle for attacking the end systems.  It's always been this way, but the recent behavior of the NSA/GCHQ has ensured that the pleasant fiction of the network's lack of hostility is no longer acceptable.

The thing that hit me from this article that I really just hadn't fully understood previously is that any web site that displays personalized information per user that can be easily parsed now serves as a way to do a targeted attack on an individual or on individuals who work for an organization.

So if you read slashdot or tumblr, for example, both of which display personally identifying information on their home pages if you are logged in, then an MITM attacker can listen on the link the server is connected to and trigger on HTTP responses to you, and then attack you specifically, without revealing the attack to anyone else.

So this starts as a pervasive passive attack, essentially, and then turns into an active attack only for the targeted user or users.

This can be mitigated in several ways—obviously https-everywhere will address the problem, but also if the web site simply doesn't display personally identifying information in their outgoing traffic, then the passive attack isn't possible.

Of course, if the attacker knows your IP address, then they don't need to scrape the HTTP response, but attackers don't necessarily have that information, particularly if what they are doing is illegal in the country you live in.  So there's real value in being aware of this threat model and trying to mitigate it.

Specifically, maybe the IETF (or someone) should be recommending that web sites not display personally identifying information about logged-in users except over TLS connections.  Certainly we should document this threat model and try to raise awareness about it.
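The mitigation Ted proposes (personalized content only over TLS) can be enforced at the application boundary rather than left to each page template. The following is an added illustration, not code from the thread or from any of the sites named in it: a small WSGI middleware that redirects every plaintext request to HTTPS before the application runs, so no per-user data is ever written to an unencrypted socket, and adds an HSTS header to TLS responses so browsers stay on HTTPS afterwards. The home page, the session store, the cookie value, the host name `www.example.test` and the "trusted TLS-terminating proxy" option are all constructed for the example.

```python
"""Added example: serve personalized (logged-in) content only over TLS.

Everything here (the home page, the session table, the host name) is
constructed for illustration; it is not the code of any real site.
"""
from http.cookies import SimpleCookie
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"

# Constructed session store: cookie value -> display name shown on the home page.
SESSIONS = {"s3ss10n-alice": "Alice Example"}


def current_user(environ):
    """Resolve the logged-in user from the 'session' cookie (constructed store)."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("session")
    return SESSIONS.get(morsel.value) if morsel else None


def home_page(environ, start_response):
    """Hypothetical home page that greets logged-in users by name (the PII)."""
    user = current_user(environ)
    greeting = f"Welcome back, {user}!" if user else "Welcome, guest."
    body = greeting.encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


def request_is_tls(environ, trust_forwarded_proto=False):
    """True when the client connection is TLS.

    wsgi.url_scheme describes this server's own listener.  X-Forwarded-Proto is
    honoured only when the deployer asserts that a trusted TLS-terminating proxy
    sits in front of the app and sets it (assumption; an untrusted client could
    otherwise forge the header).
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_forwarded_proto:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


class PersonalizedOnlyOverTLS:
    """Middleware: plaintext requests get a redirect and nothing else; TLS
    responses get Strict-Transport-Security so the browser keeps using HTTPS."""

    def __init__(self, app, canonical_host, trust_forwarded_proto=False):
        self.app = app
        self.canonical_host = canonical_host
        self.trust_forwarded_proto = trust_forwarded_proto

    def __call__(self, environ, start_response):
        if not request_is_tls(environ, self.trust_forwarded_proto):
            # The wrapped app is never invoked here, so no per-user content
            # reaches the plaintext link for a passive observer to key on.
            target = "https://" + self.canonical_host + quote(environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            body = b"Redirecting to HTTPS"
            start_response("301 Moved Permanently",
                           [("Location", target),
                            ("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]

        def start_response_with_hsts(status, headers, exc_info=None):
            return start_response(status, list(headers) + [("Strict-Transport-Security", HSTS_VALUE)], exc_info)

        return self.app(environ, start_response_with_hsts)


def run(app, environ):
    """Invoke a WSGI app directly (no server) and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def make_environ(scheme, path="/", cookie="", forwarded_proto=None):
    """Build a minimal WSGI environ for a constructed request."""
    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path, "QUERY_STRING": "",
               "REQUEST_METHOD": "GET", "HTTP_COOKIE": cookie}
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


def demo():
    """Same logged-in session requested over plaintext HTTP and over TLS."""
    site = PersonalizedOnlyOverTLS(home_page, "www.example.test")
    over_http = run(site, make_environ("http", cookie="session=s3ss10n-alice"))
    over_tls = run(site, make_environ("https", cookie="session=s3ss10n-alice"))
    return over_http, over_tls


if __name__ == "__main__":
    for status, headers, body in demo():
        print(status, headers.get("Location", ""), body)
```

The plaintext request never reaches `home_page`, so the only bytes on the unencrypted link are a generic redirect; the name appears only inside the TLS response. The middleware does not by itself stop a session cookie from being sent over HTTP on the first request (that needs the cookie's `Secure` attribute), so the two measures belong together.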