over the weekend, i almost became a victim of a man-in-the-middle attack. while staying in castro urdiales, i changed to a different hotel on friday. the hotel had free (password protected) wireless internet, as many hotels do. what was different from other hotels was what happened when i wanted to check my emails via imaps, i.e. imap over ssl, which means that my communication with my email servers is encrypted. my email program informed me that the certificates had changed and asked me whether i wanted to store the new certificate. this happened for both imap servers i’m using, namely my own and the one of my institute. i was somewhat surprised – sometimes the institute’s server gets a new certificate, but my own server? without me, the admin, doing anything? i checked the certificates, to find out that essentially nothing had changed, except the (rsa) public key, and that the signer had changed to “FortiGate CA”. fortigate is the flagship product of an american company called fortinet; this is apparently (related to) secure wireless (wlan) equipment.
part of their software/hardware seems to be something which tries to scan email. scanning unencrypted email communication (via smtp, pop3, imap, …) is easy – as there is no encryption. but they also try to check encrypted communications with email servers. for that, they have to break or circumvent encryption. the easiest way to do that is a man-in-the-middle attack: send traffic through a proxy, and in case someone wants to connect to an imaps server (identified by access to port number 993, i assume), act as if you are the imaps server, send a faked certificate including your own public key, so that the user transmits their data to you. then connect to the “real” imaps server and forward the data to it. works pretty well. except that suddenly, you, the client, are presented with a different public key. if you (more precisely: your email software) stored the certificate (which includes the public key) and compare the certificate obtained from the proxy (thinking it is the email server) with the stored one, it will note that something changed. and it will hopefully complain to you, the user, and ask you what to do, i.e. whether the new certificate is acceptable or not.
if you accept the new certificate, or the software you’re using does it for you (guess that’s “user friendly”, so you don’t have to care about stuff like certificates), the proxy server will read all your communication with the imaps server. some combinations of servers and clients will even ensure that your password is sent in plaintext (relying on the ssl encryption between client and server), which means that in this case, the proxy server knows your email password. in case the proxy server is used in a malicious way, someone can steal or abuse your data (especially as passwords are often reused for different accounts). more importantly, once the connection is open and you have authenticated to the email server, the proxy server can use the open connection to do anything it likes with your email account – it can access all emails stored in your account on that server.
i assume (hope?) that the fortigate software/hardware is not doing this. but anyway, such behavior is very, very bad. (and it raises the question of what else is analyzed by the proxy. maybe all your http connections? https seems to be unaffected, as the certificates there were still fine, at least in my case.) luckily, i was able to circumvent this by using the vpn of my university. but not everyone has access to a vpn, or knows how to use one. (and another thing which made me worry is that i don’t have a certificate for my vpn server. so in theory the proxy could also try a man-in-the-middle attack here, and circumvent my use of the vpn. but apparently they don’t, or at least not so easily: when i used the vpn, the email servers returned their “correct” certificates.)
well. so what’s the moral of this story? certificates are important! be vigilant when using unknown networks, such as hotel wlans, and use a vpn in case you don’t trust them. and use software which correctly checks certificates! and in case you get a warning that a certificate changed, be alert! don’t just click on “accept new certificate” to make your life easier!
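as an added example (not code from this post, nor anything fortinet ships), here is a small python check in the spirit of the advice above: it records an imaps server’s certificate fingerprint the first time it connects and refuses once the fingerprint changes, reporting the old and the new issuer so a switch to something like “FortiGate CA” stands out instead of being clicked away. the host names and the pin file name are assumptions.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

IMAPS_PORT = 993  # the port the post assumes the proxy watches for imaps


def fingerprint(der_cert: bytes) -> str:
    # sha-256 over the der-encoded certificate, as colon-separated hex
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def issuer_cn(peercert: dict) -> str:
    # issuer common name from the dict form returned by ssl.getpeercert()
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<unknown>"


def evaluate(host: str, port: int, der_cert: bytes, issuer: str, store: dict) -> dict:
    """Pure pinning decision: first_use, match, or changed (refuse to proceed)."""
    key = f"{host}:{port}"
    seen = fingerprint(der_cert)
    previous = store.get(key)
    if previous is None:  # trust on first use: remember what we saw
        store[key] = {"fingerprint": seen, "issuer": issuer}
        return {"verdict": "first_use", "fingerprint": seen}
    if previous["fingerprint"] == seen:
        return {"verdict": "match", "fingerprint": seen}
    # pinned certificate changed: a renewal, or a proxy presenting its own key;
    # report both issuers so the user can judge before accepting anything
    return {"verdict": "changed", "fingerprint": seen,
            "old_issuer": previous["issuer"], "new_issuer": issuer}


def check_imaps(host: str, store_path: Path = Path("imaps_pins.json")) -> dict:
    """Connect to host:993, validate the chain normally, then apply the stored pin."""
    store = json.loads(store_path.read_text()) if store_path.exists() else {}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, IMAPS_PORT), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                issuer = issuer_cn(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"verdict": "untrusted_chain", "reason": str(exc)}  # e.g. unknown ca
    result = evaluate(host, IMAPS_PORT, der, issuer, store)
    if result["verdict"] != "changed":  # never overwrite a pin on a change
        store_path.write_text(json.dumps(store, indent=2))
    return result
```

chain validation runs first, so an interceptor with a ca your system does not trust is rejected outright; the pin is what catches the case where such a ca has been made trusted or the certificate is otherwise accepted.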
after some years of using it, i finally decided to leave facebook. i was never a huge fan of facebook, even though during some times, i used it rather intensely. over time, facebook changed. most of the time, not for the good. facebook tried to create its own sub-internet, trying to convince users to only use this sub-net, ignoring the rest of the net. a recent peak was their (again, forced) introduction of email addresses for all their users, replacing user-specified email addresses on the users’ profiles by the facebook one. besides that, facebook is spying on its users. a lot, in many regards. facebook is tracking its users while they use the web (using the many websites which use the “like” button “correctly”). facebook evaluates all communication done over facebook. facebook is trying to keep track of how we live, offline and online, by keeping track of our position. facebook is trying to obtain information about us by trying to convince our friends to add stuff about us – for example revealing our correct name. and worst of all, facebook is trying to undermine many basic principles of data protection, including european data protection laws.
for me, there is almost no reason left to stay with facebook – except that it allows me to keep track of people from all around the world, and to stay in contact with them; people i met at conferences, at places where i was living, during school, etc.
this is quite important, as it is not very easy to keep track of many people who don’t have a (permanent) blog, website, or email address. which is the case for the vast majority of people. for that reason, i will keep my account – at least for some time, maybe until a better alternative comes around. but i will not feed it with any information. i will only use it as a kind of “business card”, which points to spielwiese, and contains a working email address of mine. i might use it to retrieve contact data of other people, or see what they are doing, in case they still actively use facebook. but i won’t add any more content to facebook. no more posts, no more comments, no more photos, no more “like”s.
and in case you want to contact me, send me an email. or comment in my blog. but please avoid sending me messages via facebook :-)
yesterday, when flying back from spain via frankfurt airport, we noticed a microphone dangling from the ceiling near our gate, a38. i guess big brother is not (only) watching, but listening… (maybe it is related to this?)
last week, i was in castro urdiales, a small coastal town in northern spain. there, two conferences were held, namely the third workshop on mathematical cryptology and the third international conference on symbolic computation and cryptography. i attended both conferences and stayed a little longer over the weekend. after the first impressions i uploaded last weekend, after arriving in castro, i gathered some more photos during this weekend. these were all taken within the city boundaries of castro urdiales, most of them close to the coast. castro is a really beautiful place, mainly crowded by spanish and french tourists and people living there (well, and conference attendees). the weather is pretty neat, especially for someone who, like me, doesn’t like heat too much. also, swimming in the atlantic ocean is just great. it’s definitely a nice place to visit!
yesterday, we visited the three kittens for the second time. this time, i had my camera with me. they have grown older, and started to play around and to explore their surroundings. their mother was not around this time, and they were a bit sleepy, but we still had a lot of fun. kittens are so cute!
yesterday we went on an excursion. first, we visited an old ehgraben in züri niederdorf, which is a small trench between rows of houses which was used to dispose of feces during the middle ages. nowadays one can visit it and read the provided information panels. afterwards, we proceeded to the lindenhofkeller, containing celtic, roman and medieval remains.
afterwards, we continued to the sewage treatment center in werdhölzli, zürich. we had a guided tour through the process of treating waste water from the zürich region and its conversion into “clean” water. certainly very interesting! it is also interesting to see what kind of stuff the mechanical filtering finds. among toys, dentures and mobile phones one can find base stations for mobile phones, credit cards, cash, id cards, remotes, pocket calculators, etc. quite amazing.
finally, in the evening, we had a barbecue.
on saturday, we visited bern. we visited the sapperlot! exhibition on swiss dialects, walked around town, had ice cream at the gelateria di berna, saw the bärengraben, and walked along the aar. the weather was great, almost too hot. here are some impressions:
less clouds. less zoom. still red. still beautiful.