Feeds

Security firm in Tor Project 'mass surveillance' row responds

'We accept or reject, we do not store'

Using blade systems to cut costs and sharpen efficiencies

Cyberoam has responded to warnings that its security device open up traffic to inspection by third-parties.

Researchers affiliated to the anonymity-protecting Tor Project discovered that the skeleton key digital certificate on Cyberoam devices that permitted the inspection of SSL traffic was the same on every device.

"It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or, indeed, to extract the key from the device and import it into other DPI [deep packet inspection] devices, and use those for interception. Perhaps ones from more competent vendors," the researchers warn.

Runa Sandvik of the Tor Project and Ben Laurie began their investigation after a user in Jordan reported receiving a fake certificate upon visiting the torproject.org. Initially the researchers thought that cyberoam had been tricked into issuing a fake certificate for torproject.org, similar to the infamous DigiNotar and Comodo attacks, before realising something else was afoot.

In a blog post on Thursday, Cyberoam said tamper-protection measures meant it was not possible to export cryptographic keys from its devices. It argued that its https deep scan inspection technology was benign, and intended for network malware protection and not as a tool for "mass surveillance" as Tor researchers allege. Cyberoam said its technology followed industry best practices for SSL Bridging and didn't lend itself to man-in-the-middle attacks that the Tor researchers feared.

"Cyberoam’s private keys cannot be extracted even upon dissecting the box or cloning its hardware and software. This annuls any possibility of tampering with the existing certificates on appliance," the firm explained.

"Cyberoam UTM either accepts or rejects, but does not store HTTPS Deep Scan Inspection data, as processing is done in real-time. The possibility of data interception between any two Cyberoam appliances is hence nullified," it added.

Cyberoam specialises in making UTM security appliances which perform SSL inspection by generating their own certificates, via a mechanism similar to that used by other vendors. The technology is intended for use in small business or in the branches of larger businesses. Sys admins would install certificates from Cyberoam on devices on a network, allowing the traffic inspection technology to work without generating a warning.

The firm's UTM technology provides a bundle of functions including firewall, VPN (SSL VPN & IPSec), gateway anti-virus, anti-spam, Intrusion Prevention System (IPS), content filtering and load management. The SSL traffic inspection is only a small part of this bundle but it does mean the technology does lend itself to surveillance if deployed by ISPs and attached to the internet connections of consumers, as appears to have happened in the Jordanian case. The warning from the Tor Project remains relevant in this or similar cases.

Although Cyberoam devices are bundled with technology designed to perform HTTPS scanning for antivirus, this same technology might be use to peer into the contents of encrypted communications.

Victims should uninstall the Cyberoam CA certificate from their browsers and decline to complete any connection which gives a certificate warning, the Tor researchers advise consumers.

More discussion on the issue can be found in a blog post by the Tor Project here. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.