[LINK] Filter to cause World Wide Wait

Richard Chirgwin rchirgwin at ozemail.com.au
Thu Oct 30 16:23:32 AEDT 2008 

<evil grin>
Wasn't I just being told something about encryption and the Internet and
security of votes and ... (just joking)
</evil grin>

OK ... speaking now from the journalist point of view, there are two
problems.
- Vendors routinely make claims like this, sometimes honestly (ie,
within the business network), at other time dishonestly (we know it's
true but the journalist won't), and at other times ignorantly (do you
expect the Vice President Corporate Communications to have all the fine
details of the technology? Last week he was working at a wireless access
point vendor...)

- Unless the journalist is paying very close attention, there's no real
"red flag" to suggest that detail needed checking (ie, "exactly how can
the filters read secure traffic?")

- And then where do you go to check it? The vendor which is already on
the record claiming that the filter breaks HTTPS traffic?

In too many places and cases, a journalist has *not a hope* of piercing
the veil of spin, because it's so hard to work out who you can ask and
get a solid, reliable answer ...

RC

Stephen Wilson wrote:
> There's an odd line about breaking open security that I don't understand 
> in this report ...
>
> Bernard Robertson-Dunn wrote:
>   
>> Filter to cause World Wide Wait
>> Jennifer Dudley-Nicholson
>> October 30, 2008
>> The Australian
>> http://www.australianit.news.com.au/story/0,24897,24575125-15306,00.html
>>     
>
> <snip>
>
>   
>> Electronic Frontiers Australia board member Colin Jacobs warned the web 
>> filter could also unwittingly make the internet unsafe for financial 
>> transactions by breaking the secure encryption used by banks online.
>>
>> Five of the six web filters tested by the Australian Media and 
>> Communications Authority this year were able to filter websites using 
>> the secure protocol HTTPS, which would leave financial details exposed 
>> to the internet service provider in charge of operating the filter.
>>
>> "If they sit in the middle and get between your web browser and the 
>> bank's server it really breaks open the security and leaves the details 
>> open to attack," he said.
>>     
>
> But the filter cannot break into the HTTPS stream without knowing the 
> session key.  That would require an extra arrangement for keys to be 
> relayed to the filter from the *server*.  Yikes!?  Not even the ISPs 
> would have these keys would they?
>
> What the ACMA report actually says is that "five of the six products are 
> capable of filtering HTTPS traffic" which to me sounds like they were 
> reading from a product spec, rather than reporting an actual test 
> result.  That is, the ACMA test didn't seem to actually run any filters 
> in a mode where they really filtered HTTPS content.
>
> Does anyone know of a set-up where filters are getting HTTPS keys from 
> somewhere?  Or is it just a cute theoretical capability in these 
> products' brochures, never actually put into practice?
>
> Cheers,
>
> Steve Wilson
>
> Lockstep
> www.lockstep.com.au.
>
>
>
>
>
>
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
>
>

More information about the Link mailing list