Justin du Coeur (jducoeur) wrote,

Unsettlingly good snooping attack revealed

This is mostly of interest to the tech crowd, but if you're seriously into the Internet business, it's well worth reading. Ars Technica is reporting a new mechanism for attacking the BGP protocol, one of the central protocols underlying the Internet.

The article gives the broad outline, but the upshot is apparently that a skilled hacker could, in theory, sniff pretty much arbitrary Internet traffic. This is *really* bad news if someone builds it into a form that the script kiddies can use. While it's possible to use the Internet securely if you're careful, the reality is that most of it is sent with no particular security. Instead, most of it has always depended on "security through obscurity", and the fact that it's just plain a lot of work to sniff traffic.

More importantly, traffic sniffing has historically been easiest at the client end -- sitting in a Starbucks and grabbing the Wifi traffic floating around. That can be bad, but it's also very ad hoc -- the traffic is whatever the target user happens to be playing with, and it requires a good deal of human intervention to do much with it. Most of it is useless to the hacker.

But consider the implications of the new attack. If I'm understanding it correctly, it would theoretically allow the attacker to more or less silently eavesdrop on much or all of the traffic heading to a particular website. That means that the attacker can build automated tools that are tuned to that site, and really exploit any security weaknesses in the site -- potentially far more devastating.

Just to provide a concrete example: while I assume that the login process for LiveJournal is secure (I've never checked), the rest of your interactions are sent in the clear. (HTTPS doesn't even work with LJ, far as I know -- someone correct me if I'm wrong.) So if someone wanted to, they could theoretically intercept everything you send to LJ -- every posting, regardless of its security setting. Depending on exactly how the attack works (I confess, I'm still hazy on some of the details), it might also be possible for them to read your entire flist, including the private bits. And unlike snooping you specifically, they could do this for *all* of LiveJournal -- basically sweeping up all the information wholesale, to use as they like. Unlike sniffing Wifi in Starbucks, it's a very efficient spying vector.

So like I said -- unsettling. I'm not entirely clear on the fine details yet, and the scope of the danger will depend on that. But suffice it to say, HTTPS and other end-to-end encryption technologies are probably about to become a lot more important, because we may have to assume that someone is now *likely* to be listening to anything you say online. It's always been theoretically possible, but it sounds like the odds just went way up...
Tags: technology