this post was submitted on 27 Jun 2024
256 points (98.5% liked)

Technology

59377 readers
4666 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] tal@lemmy.today 6 points 4 months ago* (last edited 4 months ago) (1 children)

If ISP routers are anything like the west that means they control the DNS servers and the ones on router cannot be changed, and likely it blocks 1.1.1.1 and 8.8.8.8 and so on, as Virgin Media does (along with blocking secure DNS) in the UK for example, which definitely opens up a massive attack vector for an ISP to spin up its own website with a verified cert and malware and have the DNS resolve to that when users try to access it to either download the software needed to access this Grid System or if it’s a web portal - the portal itself.

Browser page integrity -- if you're using https -- doesn't rely on DNS responses.

If I go to "foobar.com", there has to be a valid cert for "foobar.com". My ISP can't get a valid cert for foobar.com unless it has a way to insert its own CA into my browser's list of trusted CAs (which is what some business IT departments do so that they cans snoop on traffic, but an ISP probably won't be able to do, since they don't have access to your computer) or has access to a trusted CA's key, as per above.

They can make your browser go to the wrong IP address, but they can't make that IP address present information over https that your browser believes to belong to a valid site.

[–] LainTrain@lemmy.dbzer0.com 2 points 4 months ago* (last edited 4 months ago) (1 children)

or has access to a trusted CA's key, as per above.

I don't see why they wouldn't, or couldn't do this if they wanted to if they were also willing to straight up resort to spreading malware, which idk about SK but that's illegal anywhere in the west under very broad laws.

EDIT: They could also do a redirect to a different URL with a valid cert I guess, though I'm sure browsers block that too. Well I'm out of ideas then, I feel bad for cybercriminals these days.

EDIT2: Wait a sec, how does government censorship work then? Like e.g. https://ttrpg.network/post/7634428 How is the government able to MITM this person? The website is HTTPS and they're using a VPN, but presumably locked to the DNS of the ISP. How are they able to block websites at all in this case with anything other than a termination of a connection (i.e. displaying a banner)?

Even without a VPN by your logic if the ISP can't present a foobar.com cert then they couldn't block it via just DNS. How do FBI takedown notices work? Shouldn't all of these throw up SSL errors and "back to safety" prompts?

[–] tal@lemmy.today 2 points 4 months ago* (last edited 4 months ago) (1 children)

I don’t see why they wouldn’t, or couldn’t do this

There are only 52 organizations that Firefox trusts to act as CAs. An ISP isn't normally going to be on there.

https://wiki.mozilla.org/CA/Included_Certificates

https://ccadb.my.salesforce-sites.com/mozilla/CACertificatesInFirefoxReport

If whatever cert is presented by a remote website doesn't have a certificate signed by one of those 52 organizations, your browser is going to throw up a warning page instead of showing content. KT Corporation, the ISP in question, isn't one of those organizations.

They can go create a CA if they want, but it doesn't do them any good unless it's trusted by Firefox (or whatever browser people use, but I'm using Firefox, and I expect that basically the same CAs will be trusted by any browser, so...)

[–] LainTrain@lemmy.dbzer0.com 2 points 4 months ago* (last edited 4 months ago) (1 children)

Thanks for the explainer, but that's not what I meant.

For example: If I, an ISP in Beijing went to BEIJING CERTIFICATE AUTHORITY Co., Ltd. which is on the list, and had my cert issued by them for foobar.com that listed them as the root trust, wouldn't that work? Because the service operating there currently is illegal and I need to take it down, i don't see how or why they could refuse. If they can't do this for ISPs, then certainly law enforcement should be able to force them to comply, I would assume.

If I then went to abuse that cert and spread malware on my fake cloned site, then what are the affected users going to do, call the cops and tell them the illegal seedbox is down?

This is the only way I can see governments being able to display blocked website notices, takedown notices and other MITM insertions demonstrably happening in all sorts of countries without triggering a "back to safety" warning in most browsers.

This has to be possible, because otherwise the observable results don't make any sense.

I'm not necessarily saying they did the attack this way instead of just simply spreading malicious torrents which is far easier, but I don't see why they wouldn't be able to do this.

[–] Zeoic@lemmy.world 1 points 4 months ago (1 children)

Well for one, ISPs are not the government, and two, if any CA was caught doing this, browsers like firefox would drop them. Hopefully google would too, but who knows. Thats an aweful lot of risk on their part.

[–] LainTrain@lemmy.dbzer0.com 1 points 4 months ago (1 children)

ISPs are not the government - yes, so they have to actually follow laws. And CAs caught doing what exactly, complying with the regulations of their country?

[–] Zeoic@lemmy.world 0 points 4 months ago (1 children)

Exactly, and with ISPs not being the government, they can not force CAs to do anything. And yes, if a CA complys with an insane law that allows anyone to skirt around security and privacy (their ENTIRE purpose), they will lose the faith of the public, and people will drop them. Whether it was legal or not doesn't matter much for public sentiment.

[–] LainTrain@lemmy.dbzer0.com 0 points 4 months ago (1 children)

What? That's absurd. There is no ISP that can simply not comply with the law, it doesn't matter about any faith or public because all other options have to comply with the same law so people do not have any options. This is just true in every country.

[–] Zeoic@lemmy.world 1 points 4 months ago (1 children)

Thats hilarious 😂 I can name over half a dozen of them that do it on a regular basis.

[–] LainTrain@lemmy.dbzer0.com 0 points 4 months ago (1 children)

Name one ISP that straight up breaks the law?

[–] Zeoic@lemmy.world 1 points 4 months ago (1 children)

In canada, Shaw is one that glaringly and repeatedly violates Canadian Personal Privacy laws, in fact, nearly every ISP does so with only a few exceptions. Nothing usually happens to them, and if it does its just a small slap on the wrist. Its cost of doing business to them.

In canada at the very least, an order like that from the government to a CA wouldn't even be lawful. Just have to hope the CA has decent lawyers..

[–] LainTrain@lemmy.dbzer0.com 0 points 4 months ago (1 children)

That sounds like some bs personal protection law meant to appease the proles. We're talking actual criminal law, federal crime stuff, stuff governments care about like IP violations, tax evasion or theft/murder at scale.

If an ISP or a CA protected guilty criminals in this manner such as by not issuing a cert to the FBI when they want one, it would be considered an accomplice and get stormed by the police.

[–] Zeoic@lemmy.world 1 points 4 months ago* (last edited 4 months ago) (1 children)

I think you may have gotten confused at some point in this comment chain.. That is not what we were talking about at all.

The OP was about an ISP (not a Government) trying to get a CA to give them a copy of a cert so they could setup a fake version of a website to deploy malware. In no point of this comment chain are we talking about any government agencies forcing a CA to give them a cert.

If an ISP, with no legal backing (because they are not the government) get a CA to give them a cert, and the CA does it, that CA if discovered would very much lose any reputation it had and people will no longer trust it, thus ruining the company.

My reply was pointing out how any law that allowed an ISP to gain a cert from a CA would clearly be insane, and if a CA rolled over instead of fighting it, nobody would trust them with their certs anymore.

[–] LainTrain@lemmy.dbzer0.com 0 points 4 months ago

No bro I think you're confused, the topic for the comment chain was set here: https://lemmy.dbzer0.com/comment/11568788

Re-read this and hopefully you'll understand. Peace sir. 🙏