Re: [perpass] perens-perpass-appropriate-response-01

[Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>]

On Dec 6, 2013, at 11:48 AM, Bruce Perens <bruce@perens.com> wrote:

> Then make the default whatever your preference is.

The default MUST BE "ALWAYS HTTPS, ALWAYS".  Period.  Anything less is abdicating user safety.


>> Especially for "javascripts and CSS" which you seem so happy to pass in the clear: You let an attacker see a SINGLE ONE of your cleartext JavaScript or CSS fetches and you are FUBAR. Game over, you're p0wned, have a nice day. 
>> 
> See your fetches? I understand MITM, etc., but see them?


Yes, SEE just one of these "inconsequential" fetches is sufficient.  If the attacker can see your fetches he can execute a man-on-the-side attack through packet injection.  A wiretap is only passive if the wiretapper doesn't want to bother spending the couple of hours of from-scratch code to turn it into an active attacker.



Lets take a concrete example.  

You, Bruce, have nothing to fear from the US government.  But hey, you're doing stuff of some economic significance, and economic significance = valid tagret.  Therefore, in this brave new world, you're a valid target to say, well, France. [1]  And France's wiretap infrastructure knows the IP you commonly use (there are several tricks to possibly find this out).

All the wiretap has to do is wait for that single inconsequential Javascript fetch from your computer to pass by the wiretap, say, as part of a completely innocent and unrelated Air France ad campaign that happened to be on a web page you happened to visit.

When it sees the TCP packet containing the HTTP GET, it spoofs an injected reply packet back to you.  If your browser gets the spoofed reply first (and it will, the spoofed reply has a head start in the race), it acts on the spoofed reply.

This spoofed reply contains a small piece of Javascript which creates a little, tiny 1x1 hidden iFrame that opens onto France's exploit server [2], which now runs a full suite of code in your browser to p0wn you.  

Actually doing packet injection is downright trivial:  I've written up a TCP packet injector in a few hours on a lark, and several years ago it was a staple of Defcon WiFi pranks, say, by turning every large image into goat.se. Off the shelf tools and a little glue are pretty much sufficient for any country to do this [3]. 

In the past, it was only the purvue of pranksters and censorship (the Great Firewall).  And, it turns out the NSA.  Thanks to the NSA, now the future of packet injection is not, well, bright, but readily available to a whole UN worth of attackers.

So yes, a single fetch seen by the adversary is sufficient if the adversary wants to attack you.  If you are lucky, your adversary is all countries your traffic traverses except your own.




[1] I selected Country B, err, France for a reason in this.  http://www.foreignpolicy.com/articles/2013/07/01/espionage_moi_france

But pick your country.  

[2] The NSA's software suite for this is called FOXACID.  Everybody else just uses Metasploit's Browser Autopwn, its the same thing. 

[3] For those without the exploit expertise, please contact your local FinFly, Hacking Team, and Vupen sales representatives.  They'd be happy to help provide malcode and exploits to tie into your Metasploit autopwn system. The packet injector itself?  Just have an undergrad write it.  Its a good lab exercise for a networking class.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver@icsi.berkeley.edu                full of sound and fury,
510-666-2903                                 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc