
Man in the Middle Attack – British Government has Sir Tim Berners Lee against its SSL Bumping plans


What is the UK Snoopers Charter?

The UK govt is proposing a bill to allow a “man in the middle attack” (a hacking attack) against every one of its 61 million citizens, via compromised routers at the ISP.

The routers at your ISP will issue a “fake certificate” and pretend to be the bank, your lawyer, Amazon etc. And the govt will pretend to be you, to your bank.

Why would the UK Govt do this?

SSL Bumping means the govt can bypass all encryption and read our decrypted emails. However, this applies to all situations, including medical data, client/lawyer correspondence, banking and financial transfers.

The ISP will store this data for a year.

What’s wrong with that?

  • The ISP will become a honeytrap for hackers across the world.
  • Celebrities’ data would be hacked – the Murdoch scandals would pale into insignificance with this. We’d have to get Leveson ready for another enquiry.
  • You could not secure or safeguard this volume of data.
  • Our finance data would be unencrypted.
  • Digital signatures would be challenged in court – the UK govt signed the document on your behalf.
  • Non Repudiation – those wishing to get out of a contract could claim they did not sign the contract.  This would be true – as the British Govt had signed the contract with a fake certificate.

Oh yes, lawyers across the world could cancel contracts with any British company… as it was signed by the govt, not the person you’d contracted with.

SSL Bumping is the most ludicrous idea I’ve heard of in a long while, and I’m delighted that Wales and Sir Tim Berners Lee are standing against this law.
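To make concrete what “the router at your ISP issues a fake certificate” means for the software on your machine, here is an added example (not code from the original post, and not from Squid or any other project named here) that builds the scenario with constructed certificates: a genuine bank certificate chained to a public CA, and a forged one for the same hostname chained to an ISP “bumping” CA. The hostname `bank.example`, the CA names and the helper functions `issueCert`, `BuildScenario`, `VerifyServer`, `SPKIPin` and `PinMatches` are all assumptions made for the example. It shows the two checks a client can make: ordinary chain validation, which rejects the forged certificate unless the ISP’s CA has been installed in the trust store (the precondition bumping depends on), and public-key pinning, which still rejects it even then.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// BankHost is a constructed hostname for the example, not a real bank.
const BankHost = "bank.example"

// issueCert generates a P-256 key and a certificate for cn. With parent == nil the
// certificate is self-signed (a root CA); otherwise it is signed by parentKey.
func issueCert(cn string, dnsNames []string, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario holds the constructed certificates and the two trust stores being compared.
type Scenario struct {
	PublicRoots  *x509.CertPool    // what a normal browser trusts
	RootsWithISP *x509.CertPool    // the same store after the ISP's CA is installed
	GenuineBank  *x509.Certificate // issued by the public CA
	ForgedBank   *x509.Certificate // issued by the ISP's bumping CA, same hostname
}

// BuildScenario constructs both chains; nothing here touches a real CA or bank.
func BuildScenario() Scenario {
	publicCA, publicKey := issueCert("Public Root CA (constructed)", nil, true, nil, nil)
	genuine, _ := issueCert(BankHost, []string{BankHost}, false, publicCA, publicKey)
	ispCA, ispKey := issueCert("ISP Bumping CA (constructed)", nil, true, nil, nil)
	forged, _ := issueCert(BankHost, []string{BankHost}, false, ispCA, ispKey)

	publicRoots := x509.NewCertPool()
	publicRoots.AddCert(publicCA)
	withISP := x509.NewCertPool()
	withISP.AddCert(publicCA)
	withISP.AddCert(ispCA)
	return Scenario{publicRoots, withISP, genuine, forged}
}

// VerifyServer does what a browser does: chain the presented certificate to a
// trusted root and check that it is valid for host. A nil error means accepted.
func VerifyServer(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// SPKIPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the value a pinning client stores for the site.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinMatches is the extra check a pinning client adds on top of chain validation:
// a chain the trust store accepts is still rejected when the public key is not the expected one.
func PinMatches(c *x509.Certificate, expected string) bool {
	return SPKIPin(c) == expected
}

func main() {
	s := BuildScenario()
	fmt.Println("genuine cert, normal store   :", VerifyServer(s.GenuineBank, s.PublicRoots, BankHost))
	fmt.Println("forged cert, normal store    :", VerifyServer(s.ForgedBank, s.PublicRoots, BankHost))
	fmt.Println("forged cert, ISP CA installed:", VerifyServer(s.ForgedBank, s.RootsWithISP, BankHost))
	fmt.Println("forged cert passes pin check :", PinMatches(s.ForgedBank, SPKIPin(s.GenuineBank)))
}
```

The third line of output is the whole point of the post: once the interceptor’s CA is in the client’s trust store, ordinary validation accepts the forged certificate and the browser shows no warning at all. The pin check is independent of the trust store, which is why it still fails for the forged certificate; it is also why a pinning client cannot be bumped silently, only blocked.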

  1. Funny enough, I was thinking about the same thing the other day when writing about the ‘snoopers charter’, and the following technical problems:

    * The finance data would be encrypted between the local machine and the ISP. What happens between the ISP and the bank is anyone’s guess.
    * How would the ISP differentiate between invalid trusted/self signed certificates and malicious ones? Would the connection be dropped, or would it risk another man-in-the-middle attack?
    * What happens to the certification authorities that went along with this? Nobody would trust them ever again, because their certs wouldn’t mean anything.
    * Who is liable when banks or their customers lose huge amounts of money?

    I’m not sure if it’s possible, though, as there’s a handshaking process between the client and server before any encrypted connection’s established. The mismatch between the server name and the certificate (valid or not) would be flagged by most browsers. It means the average person would have to decide whether to continue with a transaction after being presented with a warning the connection’s been compromised.

    Excellent point about the signatures, signing and non-repudiation. I don’t think anyone else has considered that yet.


    • A German magazine covered Squid and SSL bumping… it suddenly struck me, that’s how or why the UK govt are so quiet on the decryption issue – they won’t decrypt, they’ll do a MITM attack on us!! Bypassing all encryption needs.

      Here’s the background on SSL Bumping:
      Squid-in-the-middle decryption and encryption of straight CONNECT and transparently redirected SSL traffic, using configurable CA certificates. While decrypted, the traffic can be analyzed, blocked, or adapted using regular Squid features such as ICAP and eCAP.

      Note: By default, most user agents will warn end-users about a possible man-in-the-middle attack.

      WARNING: HTTPS was designed to give users an expectation of privacy and security. Decrypting HTTPS tunnels without user consent or knowledge may violate ethical norms and may be illegal in your jurisdiction. Squid decryption features described here and elsewhere are designed for deployment with user consent or, at the very least, in environments where decryption without consent is legal. These features also illustrate why users should be careful with trusting HTTPS connections and why the weakest link in the chain of HTTPS protections is rather fragile. Decrypting HTTPS tunnels constitutes a man-in-the-middle attack from the overall network security point of view. Attack tools are an equivalent of an atomic bomb in real world: Make sure you understand what you are doing and that your decision makers have enough information to make wise choices.

