SSL -- security solution or security problem?
|
| Author | Content |
|---|---|
| penguinist Sep 01, 2016 11:42 AM EDT |
This article focuses on a problem that businesses face when their internal data is secretly extracted over SSL connections. The fact that the packets are encrypted makes the exploit more difficult to detect and mitigate. I'm not facing that problem, but I am facing a similar one. Recently I have sadly come to the conclusion that my trusty Nokia N9 "Linux phone" had aged to the point where we were ready for an upgrade. The hardware was years out of date, and once Microsoft destroyed Nokia we have no further hope of upgraded Linux phones (sad, sad) from Nokia (how can this be if MS really loves Linux). So I went to a OnePlus 3 phone for some state-of-the-art hardware. OnePlus seems to be quite user oriented in that they provide an unlocked bootloader and even support a "community OS" effort on their forums. While they don't take warranty responsibility if you destroy the software on your phone, they do recognize that many or most of their users will want to have control and they offer friendly tips. Also forum discussions around rooting and alternate OS deployments are supported if not encouraged. More than that I couldn't ask of an Android phone manufacturer. The downside of this, however, is that I'm now back into the Android mess again. Each time I've faced Android I've attempted (days of work) to gain control of the OS in a way similar to the control I enjoy on my Linux desktops/servers/notebooks/IoT systems. For me a key element of control is data monitoring so that I can identify apps which are leaking my private data and either remove them or block them at my firewall. Each time I've attempted to secure Android I've failed, and one of the big reasons for my failure is ironically SSL. When we install an Android app that uses SSL to communicate with it's home server (call it "the Cloud" if you like) my packet monitor is powerless to see what part of my private data is being made available to this provider. That's an unsolved problem for me right now, but I continue to refuse to just throw up my hands like so many other users have and surrender control to Google and the App providers. One bright point in this Android ecosystem is the F-Droid repository. F-Droid holds only FOSS apps. Each app in the F-Droid repository comes with source that can be inspected and with a FOSS license that is clearly identified. Kudos to F-Droid!! Now if I can only figure out a way to decrypt and track those pesky SSL packets coming from the rest of those closed apps (and the OS itself) then I would be happy. |
| dotmatrix Sep 01, 2016 3:18 PM EDT |
Here: http://docs.mitmproxy.org/en/stable/howmitmproxy.html |
| jdixon Sep 01, 2016 4:51 PM EDT |
> http://docs.mitmproxy.org/en/stable/howmitmproxy.html Neat. I suppose I should have known there would be an open source implementation. |
| mbaehrlxer Sep 04, 2016 2:48 AM EDT |
@penguinist: if you succeed in making this work, i'd love to see a writeup of how you achieved it. greetings, eMBee. |
| BernardSwiss Sep 04, 2016 9:22 PM EDT |
Seconded -- with enthusiasm |
Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]
Becoming a member of LXer is easy and free. Join Us!