Feeds

Security firm in Tor Project 'mass surveillance' row responds

'We accept or reject, we do not store'

Next gen security for virtualised datacentres

Cyberoam has responded to warnings that its security device open up traffic to inspection by third-parties.

Researchers affiliated to the anonymity-protecting Tor Project discovered that the skeleton key digital certificate on Cyberoam devices that permitted the inspection of SSL traffic was the same on every device.

"It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or, indeed, to extract the key from the device and import it into other DPI [deep packet inspection] devices, and use those for interception. Perhaps ones from more competent vendors," the researchers warn.

Runa Sandvik of the Tor Project and Ben Laurie began their investigation after a user in Jordan reported receiving a fake certificate upon visiting the torproject.org. Initially the researchers thought that cyberoam had been tricked into issuing a fake certificate for torproject.org, similar to the infamous DigiNotar and Comodo attacks, before realising something else was afoot.

In a blog post on Thursday, Cyberoam said tamper-protection measures meant it was not possible to export cryptographic keys from its devices. It argued that its https deep scan inspection technology was benign, and intended for network malware protection and not as a tool for "mass surveillance" as Tor researchers allege. Cyberoam said its technology followed industry best practices for SSL Bridging and didn't lend itself to man-in-the-middle attacks that the Tor researchers feared.

"Cyberoam’s private keys cannot be extracted even upon dissecting the box or cloning its hardware and software. This annuls any possibility of tampering with the existing certificates on appliance," the firm explained.

"Cyberoam UTM either accepts or rejects, but does not store HTTPS Deep Scan Inspection data, as processing is done in real-time. The possibility of data interception between any two Cyberoam appliances is hence nullified," it added.

Cyberoam specialises in making UTM security appliances which perform SSL inspection by generating their own certificates, via a mechanism similar to that used by other vendors. The technology is intended for use in small business or in the branches of larger businesses. Sys admins would install certificates from Cyberoam on devices on a network, allowing the traffic inspection technology to work without generating a warning.

The firm's UTM technology provides a bundle of functions including firewall, VPN (SSL VPN & IPSec), gateway anti-virus, anti-spam, Intrusion Prevention System (IPS), content filtering and load management. The SSL traffic inspection is only a small part of this bundle but it does mean the technology does lend itself to surveillance if deployed by ISPs and attached to the internet connections of consumers, as appears to have happened in the Jordanian case. The warning from the Tor Project remains relevant in this or similar cases.

Although Cyberoam devices are bundled with technology designed to perform HTTPS scanning for antivirus, this same technology might be use to peer into the contents of encrypted communications.

Victims should uninstall the Cyberoam CA certificate from their browsers and decline to complete any connection which gives a certificate warning, the Tor researchers advise consumers.

More discussion on the issue can be found in a blog post by the Tor Project here. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New twist as rogue antivirus enters death throes
That's not the website you're looking for
ISIS terror fanatics invade Diaspora after Twitter blockade
Nothing we can do to stop them, says decentralized network
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.