Friday 4 November 2016

Symptoms of Cotton Wool

It's kinda humorous actually. So lets go look at Google's "Web Security" team, courtesy of Wired magazine:

Google's Chrome Hackers Are About To Upend Your Idea Of Web Security

Very first thing on the page is a photo of four chicks.

Oh yeah. Welcome to the world of cotton-wool.

So okay, the gist of it is: these four chicks want non-secure websites to come up in Chrome with the message: "Not Secure". Which is a pretty-good idea actually, for their stated purpose of attempting to push the WWW to use HTTPS instead of open HTTP traffic.

Where it all falls down though, is three simple words: "transparent https proxy".

We have one at work. Even when connecting to my bank to signin and do transfers, etc - even though it shows a padlock, as being secure - my work can see exactly what I'm doing, exactly what the passwords are, exactly every-bloody-thing.

My work is a man-in-the-middle attack in action, every second of the day, if they want to be.

Think that the ISPs aren't? Or couldn't be, if they wanted to?

Go ahead, womyn. Try to swathe the world in cotton wool.

You have already failed.


  1. Surely it's the other way around. A transparent https proxy converts your unsafe http requests on port 80 into https requests on 443. If your browser is connecting to that proxy via https, your traffic is being encrypted by the desktop itself, and the proxy would no more be able to decode it than anything else would be.

    1. No. We run one at work, they fucked up the implementation first try - all of a sudden all the HTTPS traffic was blocked as being an untrusted certificate. About 30 minutes of chaos before they switched it off.

      Got it right the second time though.

      They had some fun setting things up with DHCP and the wpad.dat file too. Was difficult getting it through their heads that some equipment required a specific ip-address. Eventually they decided to reserve DHCP addresses for those bits of equipment.