Feeds

Security firm in Tor Project 'mass surveillance' row responds

'We accept or reject, we do not store'

Security for virtualized datacentres

Cyberoam has responded to warnings that its security device open up traffic to inspection by third-parties.

Researchers affiliated to the anonymity-protecting Tor Project discovered that the skeleton key digital certificate on Cyberoam devices that permitted the inspection of SSL traffic was the same on every device.

"It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or, indeed, to extract the key from the device and import it into other DPI [deep packet inspection] devices, and use those for interception. Perhaps ones from more competent vendors," the researchers warn.

Runa Sandvik of the Tor Project and Ben Laurie began their investigation after a user in Jordan reported receiving a fake certificate upon visiting the torproject.org. Initially the researchers thought that cyberoam had been tricked into issuing a fake certificate for torproject.org, similar to the infamous DigiNotar and Comodo attacks, before realising something else was afoot.

In a blog post on Thursday, Cyberoam said tamper-protection measures meant it was not possible to export cryptographic keys from its devices. It argued that its https deep scan inspection technology was benign, and intended for network malware protection and not as a tool for "mass surveillance" as Tor researchers allege. Cyberoam said its technology followed industry best practices for SSL Bridging and didn't lend itself to man-in-the-middle attacks that the Tor researchers feared.

"Cyberoam’s private keys cannot be extracted even upon dissecting the box or cloning its hardware and software. This annuls any possibility of tampering with the existing certificates on appliance," the firm explained.

"Cyberoam UTM either accepts or rejects, but does not store HTTPS Deep Scan Inspection data, as processing is done in real-time. The possibility of data interception between any two Cyberoam appliances is hence nullified," it added.

Cyberoam specialises in making UTM security appliances which perform SSL inspection by generating their own certificates, via a mechanism similar to that used by other vendors. The technology is intended for use in small business or in the branches of larger businesses. Sys admins would install certificates from Cyberoam on devices on a network, allowing the traffic inspection technology to work without generating a warning.

The firm's UTM technology provides a bundle of functions including firewall, VPN (SSL VPN & IPSec), gateway anti-virus, anti-spam, Intrusion Prevention System (IPS), content filtering and load management. The SSL traffic inspection is only a small part of this bundle but it does mean the technology does lend itself to surveillance if deployed by ISPs and attached to the internet connections of consumers, as appears to have happened in the Jordanian case. The warning from the Tor Project remains relevant in this or similar cases.

Although Cyberoam devices are bundled with technology designed to perform HTTPS scanning for antivirus, this same technology might be use to peer into the contents of encrypted communications.

Victims should uninstall the Cyberoam CA certificate from their browsers and decline to complete any connection which gives a certificate warning, the Tor researchers advise consumers.

More discussion on the issue can be found in a blog post by the Tor Project here. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.