December 12, 2007

Fears of ISP "Man in the Middle" Security Attacks

Greetings. If you need demonstrative proof of the low level of esteem to which ISPs seem to have fallen with their customers, you'd need only look at some of the responses to my posting yesterday, "Toward Pervasive Internet Encryption: Unshackling the Self-Signed Certificate."

A number of persons wrote to express concerns that my proposal suggesting the increased use of self-signed certificates for routine Web browsing would be vulnerable to "man in the middle" (MITM) attacks by ISPs via security certificate manipulation and substitution. I had noted the presence of MITM risk issues in a previous posting, but a few more words on this topic are in order.

While such abhorrent behavior by ISPs is certainly technically possible, I believe it would be a mistake to underestimate the gravity of the offense that would be involved with an ISP actually tampering with -- that is, forging or substituting -- security certificates of any kind.

The reason that self-signed certificates could be immediately useful is that we need to start bootstrapping rapidly toward the routine use of encrypted Web communications. Some ISPs are taking the position that unencrypted communications are fair game for them to mine and alter as they see fit.

The use of authority-signed certificates is of course preferable whenever possible. But the use of self-signed certificates for now -- even with their limitations, and until an improved certificate regime is freely available -- would still at least serve to put ISPs on notice that these data streams are encrypted and off-limits.

Any ISP that was caught playing MITM certificate substitution games on encrypted data streams without explicit authorization would certainly be thoroughly pilloried and, to use the vernacular, utterly screwed in the court of public opinion -- and quite possibly be guilty of a criminal offense as well. I doubt that even the potentially lucrative revenue streams that could be generated by inserting themselves into users' Web communications would be enough to entice even the most aggressive ISPs into taking such a risk. But if they did anyway, the negative impacts on their businesses, and perhaps on their officials personally as well, would be, as Darth Vader would say, "Impressive. Most impressive."

--Lauren--

Posted by Lauren at December 12, 2007 10:06 AM