Slashdot Mirror


Cyberoam Packet Inspection Devices Open Traffic To Third Parties

New submitter jetcityorange tipped us to a nasty security flaw in Cyberoam packet inspection devices. The devices are used by employers and despotic governments alike to intercept communications; in the case of employers probably for relatively mundane purposes (no torrenting at work). However, the CA key used to issue fake certificates so that the device can intercept SSL traffic is the same on every device, allowing every Cyberoam device to intercept traffic that passed through any other one. But that's not all: "It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or, indeed, to extract the key from the device and import it into other DPI devices, and use those for interception. Perhaps ones from more competent vendors."

7 of 29 comments

  1. Why should they be competent by Coeurderoy · · Score: 3

    after all their clients are either incompetent or evil....

    What would be really interesting would be a simple consumer level tool to detect DPI with crypto interception...
    So at least you know how much your ISP loves you....

    1. Re:Why should they be competent by Coeurderoy · · Score: 4, Funny

      I do apologize, I should have written something real useful like "first post", but it is the first time it happens to me, so I forgot :)

    2. Re:Why should they be competent by Jeremiah+Cornelius · · Score: 4, Interesting

      The most interesting aspect of this story, NOT HIGHLIGHTED IN THE SUMMARY, is that this was discovered by volunteers on the TOR project - and was being used as a compromise of a TOR node.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  2. This is surprising? by houstonbofh · · Score: 4, Insightful

    People are surprised that a device that hacks its way into SSL communication is insecure? Contrary to popular belief, people that specialise in tearing down walls are not the best wall builders.

    1. Re:This is surprising? by houstonbofh · · Score: 3, Informative

      It is part of an egress filter. If you do not accept the cert, you just do not get out...

  3. Derp! by girlintraining · · Score: 4, Insightful

    This just in: End to end encryption which does not form trust via a third party (like a certificate authority) still the best way of securing communications. The certificate authority system has been flawed from day one. IPSEC is still the way to go, along with secure DNS, but as you will note... companies and governments have been dragging their feet on it. A good indication that something is secure is that laws are passed against its use.

    --
    #fuckbeta #iamslashdot #dicemustdie
  4. They have to inject the cert first by Animats · · Score: 3, Informative

    I don't think this is a cert issuer trusted by major browsers. Unless some "toolbar" or a corporate installation has managed to put this cert into your browser (which happens), this attack may be ineffective against browsers.
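
One shape the detection tool wished for in the first comment could take, as an added example that is not part of the original thread: an intercepting device re-signs every site with its own CA, so the same unexpected issuer shows up across unrelated hosts. The host names, issuer strings and baseline below are constructed; the baseline is assumed to have been recorded on a network you trust, and the certificate dicts follow the format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
from collections import defaultdict


def issuer_name(peercert):
    """Flatten the 'issuer' field of a getpeercert() dict to 'O / CN'."""
    fields = {k: v for rdn in peercert.get("issuer", ()) for k, v in rdn}
    return " / ".join(fields.get(k, "?")
                      for k in ("organizationName", "commonName"))


def detect_interception(observed, baseline, min_hosts=2):
    """Return {issuer: [hosts]} for issuers that replaced the baseline
    issuer on at least min_hosts distinct hosts.

    A single changed host is ignored: sites do switch CAs legitimately.
    """
    replaced = defaultdict(list)
    for host, cert in observed.items():
        seen = issuer_name(cert)
        if host in baseline and seen != baseline[host]:
            replaced[seen].append(host)
    return {ca: sorted(hosts) for ca, hosts in replaced.items()
            if len(hosts) >= min_hosts}


def _cert(org, cn):
    """Build a constructed stand-in for a getpeercert() result."""
    return {"issuer": ((("countryName", "XX"),),
                       (("organizationName", org),),
                       (("commonName", cn),))}


# Constructed baseline: issuer seen per host from a trusted network.
BASELINE = {
    "mail.example": "Example Public CA A / Example CA A G1",
    "bank.example": "Example Public CA B / Example CA B R3",
    "wiki.example": "Example Public CA A / Example CA A G1",
}

# Constructed observation from the network under test.
OBSERVED = {
    "mail.example": _cert("Example DPI Vendor", "Example DPI SSL CA"),
    "bank.example": _cert("Example DPI Vendor", "Example DPI SSL CA"),
    "wiki.example": _cert("Example Public CA A", "Example CA A G1"),
}

if __name__ == "__main__":
    for ca, hosts in detect_interception(OBSERVED, BASELINE).items():
        print(f"possible interception CA: {ca} on {', '.join(hosts)}")
```

`getpeercert()` only returns this dict when the certificate was validated, so this check sees the interception CA only if it is already in the local trust store. If it is not, the handshake fails with a verification error, which is itself the signal.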