Thread: Deep Packet Inspection of SSL-Encrypted Traffic

  1. #1 Renk

    Deep Packet Inspection of SSL-Encrypted Traffic

    This document seems worrying:

    Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWALL’s Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic.

    The SSL traffic is decrypted transparently, scanned for threats and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

    http://www.sonicwall.com/downloads/S...ure_Module.pdf

    Although not entirely clear, it looks like a kind of Man in the middle attack is performed in order to "inspect" SSL encrypted traffic:

    After the appliance performs DPI-SSL inspection, it re-writes the certificate sent by the remote server and signs this newly generated certificate with the certificate specified in the Client DPI-SSL configuration.
    By default, this is the SonicWALL certificate authority (CA) certificate, or a different certificate can be specified.


    I wonder if VPNs, e.g. OpenVPN, are threatened by this technology.

    (Probably not if the certificates are shared by postal service or by some means other than an Internet connection.)
  3. #2 Renk
    Things are actually worse than I originally thought. Investigating the man-in-the-middle attack risk, I found this article on Wired, and this one from the EFF, revealing that governments are probably faking SSL certificates.

    This article refers to the following more technical document:
    http://files.cloudprivacy.net/ssl-mitm.pdf

    Although it can be supposed that these techniques are for the moment mainly used for national security purposes only, I think governments around the world are trying to closely monitor the Internet and the behaviour of citizens. So I can imagine that in the near future DPI over SSL could be implemented on a much larger scale.

    One of the "DPI over SSL" techniques consists of performing a MITM attack, as I wrote in my first post. There are some tools that allow detecting/preventing this kind of attack. For example, the following FF addons:

    Certificate Patrol
    https://addons.mozilla.org/en-US/firefox/addon/6415/
    This addon basically monitors all SSL connections and checks, during activation, if the exchanged certificate has changed.

    Perspectives
    Perspectives : Firefox Extension
    This addon checks on the credibility of a certificate. The downside being that you have to reveal who you communicate with to an external service.

    SSLGuard
    https://addons.mozilla.org/en-US/firefox/addon/14916/
    (protects from some MITM attacks).
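The mechanism described in the first two posts (the appliance re-issues the server's certificate under its own CA, and add-ons such as Certificate Patrol notice that the certificate a host presents has changed) can be illustrated with a small first-seen certificate watch. This is an added example, not code from this thread, from SonicWALL, or from any of the add-ons named above. It uses only the Python standard library; the DER helpers are a deliberately minimal subset of ASN.1 (commonName only), the sample certificates are constructed with placeholder keys and signatures, and the host and CA names are made up for the demonstration.

```python
"""First-seen certificate watch, in the spirit of the Certificate Patrol add-on.

Added example: a DPI-SSL appliance re-issues the server certificate under its
own CA, so the fingerprint and the issuer change together. This script records
what each host presented and classifies later observations. DER helpers are a
minimal constructed subset (commonName only), not a full X.509 implementation."""
import hashlib

# --- minimal DER encoder, used only to construct sample certificates offline ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value

def der_name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; OID 2.5.4.3 is commonName
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))

SHA256_RSA = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))

def make_cert(subject_cn, issuer_cn, serial):
    """Constructed X.509 v3 certificate; key and signature are zero placeholders."""
    version = der(0xA0, der(0x02, b"\x02"))
    validity = der(0x30, der(0x17, b"231201000000Z") + der(0x17, b"241201000000Z"))
    spki = der(0x30, SHA256_RSA + der(0x03, b"\x00" * 17))
    tbs = der(0x30, version + der(0x02, bytes([serial])) + SHA256_RSA
              + der_name(issuer_cn) + validity + der_name(subject_cn) + spki)
    return der(0x30, tbs + SHA256_RSA + der(0x03, b"\x00" * 33))

# --- minimal DER reader, enough to pull issuer and subject CN out of a certificate ---
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    pos, out = 0, []
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        out.append((tag, value))
    return out

def _name_cn(name_der):
    for _, rdn in _children(name_der):             # each RDN is a SET
        for _, atv in _children(rdn):              # AttributeTypeAndValue SEQUENCE
            (_, oid), (_, value) = _children(atv)
            if oid == b"\x55\x04\x03":
                return value.decode()
    return None

def parse_cert(der_bytes):
    """Return (subject_cn, issuer_cn, sha256_fingerprint) for a DER certificate."""
    (_, cert), = _children(der_bytes)
    fields = _children(_children(cert)[0][1])      # tbsCertificate
    if fields[0][0] == 0xA0:                       # skip optional [0] version
        fields = fields[1:]
    # fields: serial, signature alg, issuer, validity, subject, spki, ...
    return _name_cn(fields[4][1]), _name_cn(fields[2][1]), hashlib.sha256(der_bytes).hexdigest()

class CertWatch:
    """First-seen pinning: remember what each host presented, report what changed."""

    def __init__(self):
        self.seen = {}   # host -> (subject_cn, issuer_cn, fingerprint)

    def observe(self, host, der_bytes):
        subject, issuer, fp = parse_cert(der_bytes)
        prev = self.seen.get(host)
        self.seen[host] = (subject, issuer, fp)
        if prev is None:
            return "first-seen"
        if prev[2] == fp:
            return "unchanged"
        if prev[1] == issuer:
            return "rotated"          # same CA re-issued: routine renewal is the usual cause
        return "issuer-changed"       # a different CA now vouches for the host: the re-sign pattern

if __name__ == "__main__":
    watch = CertWatch()
    host = "www.example.test"                      # constructed hostname
    for label, cert in [("first visit", make_cert(host, "Example Public CA", 1)),
                        ("renewal", make_cert(host, "Example Public CA", 2)),
                        ("re-signed", make_cert(host, "Constructed DPI Appliance CA", 3))]:
        print(f"{label:12s} -> {watch.observe(host, cert)}")
```

For a live check, the DER bytes a server presents can be obtained with `ssl.SSLSocket.getpeercert(binary_form=True)` and passed to `observe`. Note the limit of first-seen pinning: it only tells you that something changed relative to the first observation, so if the first observation was already made through the inspecting appliance, the re-signed certificate becomes the baseline and later visits report "unchanged". The fingerprint therefore has to be recorded, or compared, over a path the appliance does not sit on, which is why the add-ons listed above either store history locally or consult an outside notary.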

  4. #3
    This is very interesting. Nevertheless, I guess that this will be VERY hard to implement and will most likely require a huge infrastructure (which is exactly what ISPs don't invest in).
    Besides, legislation for digital information will make it even more complicated.
    In any case, it is the governments and Pro-Copyright entities that we have to fear.

  5. #4 anon (Moderator)
    Quote Originally Posted by desodorante
    This is very interesting. Nevertheless, I guess that this will be VERY hard to implement and will most likely require a huge infrastructure (which is exactly what ISPs don't invest in).
    Right - shape just about any kind of large-scale traffic instead of buying equipment that can handle the load. Sadly, that's the increasing mentality of many ISPs.

    Mind you, by design, your provider sees just about all the Internet traffic that goes from and to your computer. As long as that remains true, they can always do some sort of middleman attack, if they want - and that will always hold true, unless you find a way to do the initial SSL negotiation outside of the Internet.
    "I just remembered something that happened a long time ago."

  6. #5 Renk
    Quote Originally Posted by desodorante
    This is very interesting. Nevertheless, I guess that this will be VERY hard to implement and will most likely require a huge infrastructure (which is exactly what ISPs don't invest in).
    Besides, legislation for digital information will make it even more complicated.
    One may think so.

    Or, more precisely, one may hope so.

    But sophisticated and easy-to-use DPI technologies for large-scale usage are being studied, and have even been successfully tested, e.g. last year in Berlin, in the EANTC laboratories, by the firm Vedicis and some French rights holders. You can look at the slides here.

    And here is a much more technical paper, by French/Italian authors.

    Some other countries are very interested in this kind of technology, such as Australia, New Zealand...

    And there is bad news from Canada. On Michael Geist's blog (Geist is a professor at Ottawa University and is well known for his analysis of ACTA):

    The so-called lawful access initiatives stalled in recent years, but my weekly technology law column (Toronto Star version, homepage version) notes that earlier this month the government tabled its latest proposal with three bills (C-50, C-51, C-52) that received only limited attention despite their potential to fundamentally reshape the Internet in Canada. (...)

    The first prong mandates the disclosure of Internet provider customer information without court oversight. (...)

    The second prong requires Internet providers to dramatically re-work their networks to allow for real-time surveillance. (...)

    Moreover, the bill establishes a comprehensive regulatory structure for Internet providers that would mandate their assistance with testing their surveillance capabilities and disclosing the names of all employees who may be involved in interceptions (and who may then be subject to RCMP background checks).

    The bill also establishes numerous reporting requirements including mandating that all Internet providers disclose their technical surveillance capabilities within six months of the law taking effect.
    Michael Geist - Lawful Access Bills Would Reshape Internet in Canada

    DPI is a big threat because most people will not be aware of it, because it is entirely invisible. If the postal service delivers to you a letter which has been opened by someone, you can physically see that an opening took place, and you surely will protest. But if your email or your Internet traffic is "opened", you are not aware of that. Many people will be indifferent to DPI because they will not be able to simply detect it when it happens.
    Last edited by Renk; 23.11.10 at 20:12.

  7. #6
    Quote Originally Posted by anon
    Mind you, by design, your provider sees just about all the Internet traffic that goes from and to your computer. As long as that remains true, they can always do some sort of middleman attack, if they want - and that will always hold true, unless you find a way to do the initial SSL negotiation outside of the Internet.
    Snail mail would be possible :)

  8. #7 anon (Moderator)
    Quote Originally Posted by hontoCorti
    Snail mail would be possible :)
    Sure, and you can always switch to IPoAC protocol if you don't want the packets to go through the Internet, also!