Feeds

Security firm in Tor Project 'mass surveillance' row responds

'We accept or reject, we do not store'

Top 5 reasons to deploy VMware with Tegile

Cyberoam has responded to warnings that its security device open up traffic to inspection by third-parties.

Researchers affiliated to the anonymity-protecting Tor Project discovered that the skeleton key digital certificate on Cyberoam devices that permitted the inspection of SSL traffic was the same on every device.

"It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or, indeed, to extract the key from the device and import it into other DPI [deep packet inspection] devices, and use those for interception. Perhaps ones from more competent vendors," the researchers warn.

Runa Sandvik of the Tor Project and Ben Laurie began their investigation after a user in Jordan reported receiving a fake certificate upon visiting the torproject.org. Initially the researchers thought that cyberoam had been tricked into issuing a fake certificate for torproject.org, similar to the infamous DigiNotar and Comodo attacks, before realising something else was afoot.

In a blog post on Thursday, Cyberoam said tamper-protection measures meant it was not possible to export cryptographic keys from its devices. It argued that its https deep scan inspection technology was benign, and intended for network malware protection and not as a tool for "mass surveillance" as Tor researchers allege. Cyberoam said its technology followed industry best practices for SSL Bridging and didn't lend itself to man-in-the-middle attacks that the Tor researchers feared.

"Cyberoam’s private keys cannot be extracted even upon dissecting the box or cloning its hardware and software. This annuls any possibility of tampering with the existing certificates on appliance," the firm explained.

"Cyberoam UTM either accepts or rejects, but does not store HTTPS Deep Scan Inspection data, as processing is done in real-time. The possibility of data interception between any two Cyberoam appliances is hence nullified," it added.

Cyberoam specialises in making UTM security appliances which perform SSL inspection by generating their own certificates, via a mechanism similar to that used by other vendors. The technology is intended for use in small business or in the branches of larger businesses. Sys admins would install certificates from Cyberoam on devices on a network, allowing the traffic inspection technology to work without generating a warning.

The firm's UTM technology provides a bundle of functions including firewall, VPN (SSL VPN & IPSec), gateway anti-virus, anti-spam, Intrusion Prevention System (IPS), content filtering and load management. The SSL traffic inspection is only a small part of this bundle but it does mean the technology does lend itself to surveillance if deployed by ISPs and attached to the internet connections of consumers, as appears to have happened in the Jordanian case. The warning from the Tor Project remains relevant in this or similar cases.

Although Cyberoam devices are bundled with technology designed to perform HTTPS scanning for antivirus, this same technology might be use to peer into the contents of encrypted communications.

Victims should uninstall the Cyberoam CA certificate from their browsers and decline to complete any connection which gives a certificate warning, the Tor researchers advise consumers.

More discussion on the issue can be found in a blog post by the Tor Project here. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.