{"id":475,"date":"2008-11-24T22:22:07","date_gmt":"2008-11-24T21:22:07","guid":{"rendered":"http:\/\/daniel.haxx.se\/blog\/?p=475"},"modified":"2008-11-25T09:35:22","modified_gmt":"2008-11-25T08:35:22","slug":"snooping-on-government-https","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2008\/11\/24\/snooping-on-government-https\/","title":{"rendered":"Snooping on government HTTPS"},"content":{"rendered":"<p>As was reported by some <a href=\"http:\/\/rickfalkvinge.se\/2008\/11\/21\/riksdagens-it-avdelning-inkompetent\/\">Swedish bloggers<\/a>, and I found out thanks to <a href=\"http:\/\/strombergson.com\/kryptoblog\/2008\/11\/24\/vad-riksdagens-it-avdelning-pysslar-med\/\">kryptoblog<\/a>, it seems the members of the <a href=\"http:\/\/riksdagen.se\/\">Swedish parliament<\/a> all access the internet via a HTTP proxy. And not only that, they seem to access HTTPS sites using the same proxy and while a lot of the netizens of the world do this, the members of the Swedish parliament have an IT department that is more big-brotherish than most: they decided they &#8220;needed&#8221; to snoop on the network traffic even for HTTPS connections &#8211; and how do you accomplish this you may ask?<\/p>\n<p>Simple! The proxy simply terminates the SSL connection, then fetches the remote HTTPS document and run-time generates a &#8220;faked&#8221; SSL cert for the peer that is signed by a CA that the client trusts and then delivers that to the client. 
This does require that the client has got a CA cert installed locally that makes it trust certificates signed by the &#8220;faked&#8221; CA, but I figure the parliament&#8217;s IT department &#8220;helps&#8221; its users to this service.<\/p>\n<p>Not only does this let every IT admin there snoop on user names and passwords etc, it also allows for <a href=\"http:\/\/daniel.haxx.se\/blog\/2008\/10\/20\/in-the-middle-there-is-a-man\/\">Man-In-The-Middle<\/a> attacks big-time as I assume the users will be allowed to go to HTTPS sites using self-signed certificates &#8211; but they probably won&#8217;t even know it!<\/p>\n<p>The motivation for this weird and intrusive idea seems to be that they want to scan the traffic for viruses and other malware.<\/p>\n<p>If I were a member of the Swedish parliament I would be really upset and I would uninstall the custom CA and I would seriously consider accessing the internet using an <a href=\"http:\/\/daniel.haxx.se\/docs\/sshproxy.html\">ssh tunnel<\/a> or similar. But somehow I doubt that many of them care, and the rest of them won&#8217;t be capable of taking counter-measures against this.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As was reported by some Swedish bloggers, and I found out thanks to kryptoblog, it seems the members of the Swedish parliament all access the internet via a HTTP proxy. 
And not only that, they seem to access HTTPS sites using the same proxy and while a lot of the netizens of the world do &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2008\/11\/24\/snooping-on-government-https\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Snooping on government HTTPS<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,133,45],"tags":[417,428,426],"class_list":["post-475","post","type-post","status-publish","format-standard","hentry","category-it-politics","category-security","category-web","tag-it-politics","tag-security","tag-web"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/475","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=475"}],"version-history":[{"count":0,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/475\/revisions"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}