Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google's Obfuscated TCP

Posted by kdawson on from the shake-hands-when-you-say-that dept.

agl42 writes "Obfuscated TCP attempts to provide a cheap opportunistic encryption scheme for HTTP. Though SSL has been around for years, most sites still don't use it by default. By providing a less secure, but computationally and administratively cheaper, method of encryption, we might be able to increase the depressingly small fraction of encrypted traffic on the Internet. There's an introduction video explaining it."

6 of 392 comments (clear)

  1. Trusts DNS instead of CA signature by mikenap · · Score: 5, Insightful

    So, basically we have the same concept as SSL, except instead of trusting the CA signature on the certificate, we trust DNS.

    Forging a CA signature on a certificate would be a BIG DEAL.
    Forging a DNS entry, especially with ISP cooperation(read government snooping), is DEAD SIMPLE.

    So we replace real security with, well, a CPU hog that's only a smidge better than running everything in the clear. It only keeps out the MOST casual, lazy, and uninterested snooper.

  2. Re:Firefox isn't helping by QuasiEvil · · Score: 5, Insightful

    SSL without a trusted certificate provides NO additional security over communicating in the clear. AT ALL.

    Bzzzt, wrong, thanks for playing.

    Yes, the man in the middle attack is very real. However, it takes a great deal more work to set up than a simple sniffer, because you have to either capture/block/proxy/rewrite packets so that each side thinks it's speaking with the other, or spoof the DNS somehow.

    On the other hand, a simple network sniffer can capture almost everything send in the clear, no special network tricks needed.

    Authentication requires encryption. Encryption does not require authentication, but should then be considered somewhere between truly secure and just wide open. Call it a nice-to-have that prevents casual sniffers from picking up passwords to your home server, reading your webmail, and the like.

    Your assertion assumes that there are no casual crackers/script kiddies out there who won't immediately escalate to some invasive and rather difficult MITM attack, or that sniffing is not a real danger. I'd argue that 90% of the insidious activity comes from just sniffing cleartext off the wire, and that more sophisticated attacks are significantly rarer. Encrypting the over the wire traffic is a way of mitigating a significant portion of that risk.

  3. Re:Firefox isn't helping by Free+the+Cowards · · Score: 5, Insightful

    So stop displaying the lock symbol! Nothing requires you to treat "real" SSL and self-signed SSL identically. It should be obvious that the current standard approach of making them look exactly the same except for a scary warning that appears the first time you hit a self-signed site is broken. But nobody cares about doing better because it's the "standard".

    --
    If you mod me Overrated, you are admitting that you have no penis.
  4. Re:Firefox isn't helping by vux984 · · Score: 5, Insightful

    Most users are too dumb to check for SSL, good luck getting them to discern insecure, 'insecure but can't be eavesdropped', and secure.

    Fair enough. So don't put the secure green lock up for self signed SSL. Put up a totally different icon in some neutral color like blue. If they click on it it says, the connection is encrypted and can't be eavesdropped but there is no gaurantee you are talking to who you think you are.

    Hell, most users would be shocked to find out you can eavesdrop on their traffic in the first place.

    Good point! Maybe firefox 3 should pop up a huge error screen every time you try to connect to a site with plain http. It could say something like:

    The server you are connecting to is insecure. Maybe there is a configuration error on the server. Or maybe someone is trying to impersonate it. Oh, and by the way, not only that, but any communication with them maybe trivially intercepted by any 3rd party...

    Are you sure you want to communicate with them?

    Then it could have friendly buttons like:

    "Hell no get me out of here." or "Ok, I don't mind getting pnwed!"

  5. Re:Firefox isn't helping by KermodeBear · · Score: 5, Insightful

    I dunno. I just click "Okay" until the windows go away and I can see the website.

    --
    Love sees no species.
  6. Arrgghh! No more videos! by Anonymous Coward · · Score: 5, Insightful

    If you watch the "video"

    If you watch the video, your brain will leak out through your ears. It's terrible. Why produce a video which seems to be a black screen with a dark blue line wiggling when the person talks? Why pick a person with a crappy British accent and a speech impediment? Who's going to understand? Why flash up a couple of words here and there like "SSL" and "HTTP"? Why produce such a steaming pile of crap and call it an "introductory video"?

    Instead, whoever is the video star in this could have written down their ideas in plain text. That would allow for easy reading and comprehension by people all over the world. Maybe I can read quickly. Maybe I don't want to sit around waiting for you to lisp and stammer through your presentation. Maybe I'd understand it better if I read it than if I heard it on a crappy video. Maybe I don't want to waste my bandwidth downloading several megabytes of video, where the same information in plain text might be a few kilobytes.