SSL Won't Protect You From ISP Snooping


The US Government has signed into law a change which effectively allows ISPs to sell Americans' internet browsing history or use it for their own ends.

Apart from being a significant privacy risk, there are also security implications. Your password-secured accounts are potentially wide open to abuse. Forget HTTPS as a defence mechanism. Your ISP undoubtedly has the tools to perform a man-in-the-middle attack and extract any information it wants from your emails, social media accounts and instant messaging.

Did you think your SSL-encrypted sessions were secure? Unfortunately not. SSL interception appliances like Blue Coat ProxySG, IBM Datapower or even Microsoft's own Forefront Threat Protection allow an ISP to effectively proxy any secure connection and inspect the packets passing through it.

In corporate environments this is achieved by installing a trusted certificate authority on corporate PCs. For an ISP, creating its own CA and relying on users' ignorance of the certificate warnings works just as well. Alternatively, these devices can block HTTPS from the PC and instead perform the web server certificate exchange from the network device itself, again relying on users not noticing the missing padlock icon in their browser address bar.
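The first mechanism above, an intercepting CA whose certificate the victim is tricked into trusting, can be modelled end to end with the Go standard library. The following is an added example and is not code from the original post or from any of the appliances named; it constructs two CAs in memory (a "genuine" public CA and an "ISP interception CA", both hypothetical), has each issue a certificate for the assumed host name www.example.com, and then shows two checks: the ordinary chain validation a browser performs, which rejects the interception certificate only while the ISP's CA is absent from the root store, and an SPKI pin of the genuine server key, which still rejects it after the user has clicked through the warnings and trusted the rogue CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// certTemplate builds a template for a CA (isCA) or for a server certificate whose host is name.
func certTemplate(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign generates a fresh P-256 key for tmpl and has parent sign it (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// SPKIPin returns the base64 SHA-256 digest of a certificate's SubjectPublicKeyInfo,
// the value a pinning client stores for the genuine server key.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainTrusted reports whether leaf verifies for host against the given root store,
// which is the check a browser performs before showing the padlock.
func ChainTrusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Outcome records what a browser (chain check) and a pinning client (SPKI check) would conclude.
type Outcome struct {
	GenuineAccepted        bool // genuine cert, default root store
	RogueAcceptedDefault   bool // interception cert, default root store
	RogueAcceptedRogueRoot bool // interception cert, after the user trusted the ISP's CA
	RogueMatchesPin        bool // interception cert checked against a pin of the genuine key
}

// RunScenario builds the constructed genuine and interception CAs for host and runs both checks.
func RunScenario(host string) Outcome {
	genuineCA, genuineKey := sign(certTemplate("Genuine Public CA", 1, true), nil, nil)
	rogueCA, rogueKey := sign(certTemplate("ISP Interception CA", 2, true), nil, nil)
	genuineLeaf, _ := sign(certTemplate(host, 100, false), genuineCA, genuineKey)
	rogueLeaf, _ := sign(certTemplate(host, 101, false), rogueCA, rogueKey)

	defaultRoots := x509.NewCertPool() // what ships with the browser: only the genuine CA
	defaultRoots.AddCert(genuineCA)
	rogueRoots := x509.NewCertPool() // the store after the user accepted the ISP's CA
	rogueRoots.AddCert(genuineCA)
	rogueRoots.AddCert(rogueCA)

	pin := SPKIPin(genuineLeaf) // recorded once from a known-good connection
	return Outcome{
		GenuineAccepted:        ChainTrusted(genuineLeaf, defaultRoots, host),
		RogueAcceptedDefault:   ChainTrusted(rogueLeaf, defaultRoots, host),
		RogueAcceptedRogueRoot: ChainTrusted(rogueLeaf, rogueRoots, host),
		RogueMatchesPin:        SPKIPin(rogueLeaf) == pin,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario("www.example.com"))
}
```

Running it prints all four flags: the genuine chain verifies, the interception certificate fails while the ISP's CA is untrusted, it verifies once that CA has been added to the store, and the SPKI pin never matches because the interception device cannot obtain the real server's private key. That last check is the one a defender can rely on: a client that pins the genuine key (or at least alerts when the pin of a familiar site changes) detects the interception regardless of how the root store was tampered with. The downgrade variant described above, where HTTPS is blocked and the user is served plain HTTP, is not modelled here; the corresponding defence is to refuse plain HTTP for the host rather than to inspect a certificate.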

For any browser-based traffic this completely removes the protection that HTTPS might be perceived to offer.

It also gives your ISP the ability to easily mine information and sell it to interested parties.

The only real protection is the use of a private VPN client, but this means a drop-off in performance and reliability, and the introduction of another third party with an interest in selling off your private information.

Right now, for Americans, the only protection is to stick with apps which are encrypted end-to-end and which are much harder to spoof. Anything else on the web is fair game for their ISP.
