Didn't want to clutter up the main thread, so moved my response here:

Originally Posted by nokiabot:
We should be focusing more on user data privacy, not GSM data, as GSM is always compromised; it's meant to be, whatever you do, as you can't be sure, if you type google.com and see a secure Google page, since the operator can always have a fake DNS server which filters and extracts the data before it's even sent to the actual google.com.
The operator or ISP can certainly man-in-the-middle your DNS queries (most of the time you're using their DNS servers) and deliver whatever IP address they feel like for any name you request. Some do exactly that for non-existent domain names, for instance, instead of an NXDOMAIN record. There's a high level of trust you have to have in your DNS servers.

But with a secure site (HTTPS), there are a couple of mechanisms that should tip the user off if someone is trying to spoof a site, and also several layers of trust.

1. Your browser is going to check that the certificate matches the DNS name of the server you are requesting a session with.

2. The browser is going to verify that the certificate is trusted by your browser (i.e. it is signed by one of the trusted CAs). These Certificate Authorities are trusted not to sign fraudulent certificates, nor to provide certificates to people who do not own those domains. (Once in a while this trust level breaks down, due to these CAs being hacked, and then the CA's certificate gets revoked.)

If those checks don't succeed, you should get a message from the browser that something is wrong with the certificate, and if you continue, you're taking a risk.

There are really only a couple of ways that I'm aware of that a secure site can be successfully spoofed:

- A trusted CA is hacked into, a certificate is signed for whichever domain name the attacker is trying to spoof, and then this certificate is used in the attack.

- Somehow the attacker gets their own CA certificate into your trusted CA list on your computer/browser. This is how SSL sessions can be monitored by corporate proxies in corporate environments. If you own all the endpoints, you can install your own trusted CA certificates and the browser is quite happy with that.

Of course, if you are the US gov, and you have forced google.com to just hand over their SSL private keys, you can just decrypt any SSL sessions for which you have packet captures. (Also another tool that corporate IT security departments use to protect their own web servers; SSL decryption and inspection at wire speeds.)
 

The Following 3 Users Say Thank You to shawnjefferson For This Useful Post:
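The two browser checks and the two spoofing routes described in the post above, as an added example that is not part of the original thread. It uses only the Go standard library (crypto/x509) and builds a throwaway PKI in memory: a "Trusted Root CA" standing in for a browser root, an "Attacker CA" the attacker made themselves, and server certificates for the hypothetical names google.com and mail.example.com (nothing here contacts the real sites). BrowserCheck is check 1 (name match) plus check 2 (chain to a trusted root); RunScenarios then shows a legitimate certificate passing, the same certificate failing when presented for a different host, the attacker's certificate failing while their CA is untrusted, and the same attacker certificate passing once their CA has been added to the trust store, which is the second spoofing route in the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical host names for the example; no real site is involved.
const site, otherSite = "google.com", "mail.example.com"

var serial int64 // incremented so every certificate gets a distinct serial

func template(cn string) x509.Certificate {
	serial++
	return x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCA makes a self-signed CA: a stand-in for a root in the browser's trust
// store, or for the CA an attacker generates on their own machine.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has a CA sign a server certificate for dnsName. The server's own
// private key is discarded: only the certificate matters for the checks below.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := template(dnsName)
	tmpl.DNSNames = []string{dnsName}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, ca, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BrowserCheck is the post's two checks: the certificate must carry the host the
// user asked for, and its chain must end at a CA in the trust store.
func BrowserCheck(leaf *x509.Certificate, trustStore []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, ca := range trustStore {
		roots.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Classify says which check failed, in the terms the post uses.
func Classify(err error) string {
	var hn x509.HostnameError
	var ua x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hn):
		return "name mismatch"
	case errors.As(err, &ua):
		return "untrusted issuer"
	default:
		return "other: " + err.Error()
	}
}

// Result holds one verification outcome per scenario (nil means the browser is happy).
type Result struct {
	Legit, WrongName, RogueUntrusted, RogueTrusted error
}

func RunScenarios() (Result, error) {
	var r Result
	realCA, realKey, err := newCA("Trusted Root CA")
	if err != nil {
		return r, err
	}
	rogueCA, rogueKey, err := newCA("Attacker CA")
	if err != nil {
		return r, err
	}
	realLeaf, err := issueLeaf(realCA, realKey, site)
	if err != nil {
		return r, err
	}
	rogueLeaf, err := issueLeaf(rogueCA, rogueKey, site) // attacker's own cert for the site
	if err != nil {
		return r, err
	}
	trusted := []*x509.Certificate{realCA}
	r.Legit = BrowserCheck(realLeaf, trusted, site)
	r.WrongName = BrowserCheck(realLeaf, trusted, otherSite)
	r.RogueUntrusted = BrowserCheck(rogueLeaf, trusted, site)
	r.RogueTrusted = BrowserCheck(rogueLeaf, append(trusted, rogueCA), site)
	return r, nil
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("legit cert, right host:      ", Classify(r.Legit))
	fmt.Println("legit cert, wrong host:      ", Classify(r.WrongName))
	fmt.Println("attacker CA not trusted:     ", Classify(r.RogueUntrusted))
	fmt.Println("attacker CA installed:       ", Classify(r.RogueTrusted))
}
```

The first spoofing route in the post (a trusted CA is compromised and signs a certificate for the target name) needs no separate scenario: a certificate issued by realCA to the attacker would take exactly the Legit path, which is why the post says the only remedy there is revoking the CA's certificate.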