
Finally VPNs will soon be illegal (in the UK, maybe)

Page 2 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.
I am entirely unsure why people are upset about this.

Party stores like 7-11 are not allowed to display pornographic magazines in plain sight, and cannot sell them to the underaged.

Why, exactly, should the internet pornography industry be any different?

In fact, it's far easier for children to turn on the computer than it is for them to walk down to the local liquor store.
 
I am entirely unsure why people are upset about this.

Party stores like 7-11 are not allowed to display pornographic magazines in plain sight, and cannot sell them to the underaged.

Why, exactly, should the internet pornography industry be any different?

In fact, it's far easier for children to turn on the computer than it is for them to walk down to the local liquor store.

Because VPNs are privacy tools, not pornography websites?

Until they pull a China and start throttling all SSL in and out of the country, the SSTP and OpenVPN based services are safe.
 
I am entirely unsure why people are upset about this.

Because it's not lawmakers' jobs to be parents. If parents don't want their kids viewing porn there are numerous ways to secure THEIR computers. Why should people of legal age have to jump through hoops to protect somebody else's kids if the parents are unwilling to do it? Your kids, your responsibility. Period.
 
Even barring that, SSL is easy to man-in-the-middle. All the country has to do is mandate that their own root certificate is installed in all browsers and operating systems, and then they can inspect your SSL traffic without you being the wiser (no browser warnings indicating the cert isn't trusted, etc.) At that point, they'll be able to see your VPN that's encapsulated inside SSL. The way this works is that a device between your computer and the server intercepts the SSL traffic, decrypts it, and then reencrypts it with its own certificate. If its own certificate is trusted by your system, you will not receive a warning. Companies do this all the time, and it's fairly trivial to set up.

So, no, it's not difficult to get around.

Your "man in the middle" process is wrong. It assumes that they can decrypt the data and read it because they use a root CA they distributed. The data would not be encrypted using their root CA, it would be encrypted using the CA of the VPN service, which is unknown.

Much like the NSA, they could intercept the data, store it, and retransmit it without either party knowing, but if it is properly encrypted, it cannot be read.

Source: I run 16 VPN servers.
 
Because it's not lawmakers' jobs to be parents. If parents don't want their kids viewing porn there are numerous ways to secure THEIR computers. Why should people of legal age have to jump through hoops to protect somebody else's kids if the parents are unwilling to do it? Your kids, your responsibility. Period.

Jump through hoops?

Sign up for Internet, tick "do not enable filters" box.
 
Your "man in the middle" process is wrong. It assumes that they can decrypt the data and read it because they use a root CA they distributed. The data would not be encrypted using their root CA, it would be encrypted using the CA of the VPN service, which is unknown.

Much like the NSA, they could intercept the data, store it, and retransmit it without either party knowing, but if it is properly encrypted, it cannot be read.

Source: I run 16 VPN servers.

For SSL/TLS, the public key/private key infrastructure is trivial to place a man in the middle. All you need is a device capable of inspecting the initial handshake and bam, you're done.

Several firewall vendors (for instance, Palo Alto) already have devices that can do it at line speed.

The point of the root cert is for the benefit of the client and has nothing to do with decrypting the data from the server.
 
For SSL/TLS, the public key/private key infrastructure is trivial to place a man in the middle. All you need is a device capable of inspecting the initial handshake and bam, you're done.

Several firewall vendors (for instance, Palo Alto) already have devices that can do it at line speed.

The point of the root cert is for the benefit of the client and has nothing to do with decrypting the data from the server.

So you are suggesting that DH, RSA, and ECDH handshakes can be trivially broken? Because it takes supercomputers months to break a 512-bit key... let alone a full 2048 bit.

Or are we just talking about X509 signed certificates?
 
So you are suggesting that DH, RSA, and ECDH handshakes can be trivially broken? Because it takes supercomputers months to break a 512-bit key... let alone a full 2048 bit.

Or are we just talking about X509 signed certificates?


the firewall acts as a full proxy and makes the outside connection on behalf of the computer. the computer is presented with a "trusted" cert from the fw and doesn't give half of a fsck where it came from if the company has installed a cert that the computer is told to 'trust'.
 
the firewall acts as a full proxy and makes the outside connection on behalf of the computer. the computer is presented with a "trusted" cert from the fw and doesn't give half of a fsck where it came from if the company has installed a cert that the computer is told to 'trust'.

if the company has installed a cert that the computer is told to 'trust'.
 
Your "man in the middle" process is wrong. It assumes that they can decrypt the data and read it because they use a root CA they distributed. The data would not be encrypted using their root CA, it would be encrypted using the CA of the VPN service, which is unknown.

No, he's correct. The process works like this:

1) You attempt to connect to a.com
2) Attacker intercepts your connection and prevents it from reaching a.com
3) Attacker pretends to be a.com by creating a fake a.com certificate
4) Since the attacker is a trusted CA on your computer, the certificate appears to be valid
5) Attacker makes his own connection to a.com
6) You think you're talking directly to a.com, but you're actually talking to the attacker, who then forwards the data to a.com after inspecting it

You could still detect this by checking the certificate chain, but most people wouldn't know how. And if this were implemented by a law, it would be public knowledge anyway.
 
No, he's correct. The process works like this:

1) You attempt to connect to a.com
2) Attacker intercepts your connection and prevents it from reaching a.com
3) Attacker pretends to be a.com by creating a fake a.com certificate
4) Since the attacker is a trusted CA on your computer, the certificate appears to be valid
5) Attacker makes his own connection to a.com
6) You think you're talking directly to a.com, but you're actually talking to the attacker, who then forwards the data to a.com after inspecting it

You could still detect this by checking the certificate chain, but most people wouldn't know how. And if this were implemented by a law, it would be public knowledge anyway.

Where does the attacker get the fake signed certificate? You're also assuming the client is not using a secure DNS or the attacker is on a LAN with the client (or resides at the ISP itself) to be able to intercept the traffic. The client may not be using DNS at all, but a direct IP; to get around that you would need ARP poisoning, which is essentially LAN access. Not to mention with OpenVPN you have the HMAC firewall to deal with.

It is not nearly as simple as "you just hack em, lol"

You guys are pulling an underpants gnomes list here.
 
As I said, it creates it. Can you elaborate on your confusion about this?

This isn't some unsubstantiated theory. Plenty of routers and parental control products (e.g. Net Nanny) filter HTTPS traffic this way.

This means the certificate is already installed on the client.... It isn't creating a new trusted certificate pretending to be a website because it doesn't have access to that website's root CA.

All your process is doing is installing software on the client that accepts CAs created by the "net nanny"; it is not generating a certificate that impersonates another site.

I think where we are diverging is assuming that the attacker's CA is installed on the client.
 
As I said, it creates it. Can you elaborate on your confusion about this?

I'm more interested in you elaborating on how they "create it".

Unless the attacker has somehow compromised a trusted CA or the target computer, I don't see how "create it" is going to work.
 
I'm more interested in you elaborating on how they "create it".

Unless the attacker has somehow compromised a trusted CA or the target computer, I don't see how "create it" is going to work.

The conversation has assumed from the beginning that the attacker (the government) has installed a trusted certificate authority on the client computer.

From the first post about the topic: "All the country has to do is mandate that their own root certificate is installed in all browsers and operating systems"

From my previous post: "Since the attacker is a trusted CA on your computer"
 
Alright, it seems that we just had a fundamental misunderstanding on what we were talking about.

I was specifically referring to VPNs, and the MITM attack that involves actually compromising a cert to impersonate a server or a website.

The example you gave works if the attacker has a trusted CA on the client. I misunderstood what you were saying, and was referring specifically to the context of VPNs because that was what the OP was about.

However, getting a trusted CA on the client is the hard part. Even if the government mandates it, there will be open-source browsers and patches to simply remove / block / install other software to go around it.

If there was a foolproof way around X509, China would be all over it.
 
No doubt sites, browsers, and browser add-ons would find a way to verify the cert and alert the user if the fingerprint doesn't match. This could be as simple as storing the fingerprint in a file at the site's root, or in the header of every HTML page, and the browser/add-on would verify the cert against it.
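
The fingerprint check suggested in the post above, as an added example that is not part of the original thread: it compares the SHA-256 fingerprint of the certificate a client was actually handed against a pinned value, which catches a proxy-minted certificate even when chain validation passes. The function names, the `a.com` pin set and the byte strings standing in for DER certificates are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def normalize(pin):
    """Accept pins written as 'AA:BB:...' or as plain hex."""
    return pin.replace(":", "").replace(" ", "").lower()

def check_pin(presented_der, pins):
    """True only if the presented leaf matches one of the pinned fingerprints."""
    got = fingerprint(presented_der)
    return any(hmac.compare_digest(got, normalize(p)) for p in pins)

def fetch_leaf_der(host, port=443, timeout=5.0):
    """Leaf certificate from a normally validated TLS connection.

    Validation alone passes behind an intercepting proxy whose CA is in the
    local trust store, which is why the pin comparison is a separate step.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def audit(host, presented_der, pins):
    """One-line verdict for a host, suitable for logging."""
    if check_pin(presented_der, pins):
        return f"{host}: pin match"
    return f"{host}: PIN MISMATCH, presented {fingerprint(presented_der)[:16]}..."

# Constructed stand-ins for DER certificates (not real certificates).
GENUINE_DER = b"constructed: a.com certificate issued by its real CA"
PROXY_DER = b"constructed: a.com certificate minted by the interception CA"

# Pin recorded out of band, written in the colon-separated form browsers show.
_hex = fingerprint(GENUINE_DER).upper()
PINS = {":".join(_hex[i:i + 2] for i in range(0, len(_hex), 2))}

if __name__ == "__main__":
    print(audit("a.com", GENUINE_DER, PINS))
    print(audit("a.com", PROXY_DER, PINS))
```

The pin has to reach the client over a channel the interceptor does not control; a fingerprint fetched from the site over the same intercepted connection can be rewritten by the proxy along with the rest of the page.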
 
Alright, it seems that we just had a fundamental misunderstanding on what we were talking about.

I was specifically referring to VPNs, and the MITM attack that involves actually compromising a cert to impersonate a server or a website.

The example you gave works if the attacker has a trusted CA on the client. I misunderstood what you were saying, and was referring specifically to the context of VPNs because that was what the OP was about.

However, getting a trusted CA on the client is the hard part. Even if the government mandates it, there will be open-source browsers and patches to simply remove / block / install other software to go around it.

If there was a foolproof way around X509, China would be all over it.

Yep, that clears things up.

I agree on the huge caveats of mandating something like that. I could only see it sort-of working if it were paired with total surveillance of all data and severe criminal penalties for noncompliance. Even then, there are a ton of workarounds for truly committed people.
 
Why the fuck do I care about UK laws? Everyone knows they don't have freedom of speech so they can censor whatever they want. This won't happen, fortunately, in the US.

Why do you assume that anyone cares whether you care about UK laws or not?
 
Wow, I could see this happen in the US, but sad to see the UK is becoming like the US when it comes to this stuff.

I like how they use porn as a "for the children" excuse, but we all know it's because they don't like the fact that VPNs make it harder to spy on people.
 
Why do you assume that anyone cares whether you care about UK laws or not?

Why do you assume anyone cares about whether you care about whether I care about UK laws or not?

Oh, that's right, it's a forum. No one has to care. Jeez Louise.
 
The UK had free speech once, my parents told me about it. Now we can't protest without a licence, they even arrest groups discussing protests before they go out and do it. The press is fleeced at the airport and hard drives of journalists destroyed for telling us about illegal actions by our government against the populace. This problem is small biscuit compared to the overriding rights violations occurring in this once democratic country.

Less than 50% of people even vote now, we all mostly know it's a scam (elections, voting, protesting, talking to our representatives) but some still hold out a dream the UK might one day again in the future become a democracy. Alas this might be my last message, they do after all monitor all communication and I might just be detained and tortured under terrorist laws. Frankly child porn and internet filtering aren't high on my list of atrocities a police state is enacting!
 