Comment by yupyupyups

Comment by yupyupyups 10 months ago

5 replies

View on Hacker News

>Wonder what has replaced “Xkeyscore” given the wide adoption of TLS.

Cloudflare is a US-based company that does MITM attacks on all traffic of the websites that it protects. It's part of how their DDoS mitigation works.

Many people still use large US-based mail providers such as Outlook or Gmail.

Many large services use AWS, GCP or Azure. Perhaps there are ways for the NSA to access customers' virtual storage or MITM attack traffic between app backends and the load balancer where TLS is not used.

sophacles 10 months ago

It is MITM, but is it an attack? Literally the website owner hires Cloudflare explicity to decrypt and filter the traffic. Attack implies that it's unwanted behavior, yet the reality seems to imply that its wanted behavior by the site owner at a minimum, although continued use of the site by visitors also suggests that they want that behavior (or they'd go elsewhere).

Reply View 1 reply
  • EasyMark 10 months ago

    Isn’t the attack assuming that NSA/FBI/TLO has full access to the MITM connection at will? I mean that doesn’t seem too far fetched does it give various revelations over the years and things like The Patriot Act actually passing when it’s obviously unconstitutional

    Reply View 0 replies
itscrush 10 months ago

Load Balancing && WAF or CDN enablement usually suggests at least a decrypt step or two in the HTTP(s) chain. WAF for layer7 payload inspection, or the default wildcard cert'ing your Cloudflare site for instance.

There's also significant aggregation of traffic at handfuls of service providers amongst service categories, all generally HTTP(s) type services too ... Mail, CDN, Video, Voice, Chat, Social, etc. Each of these are still likely to employ Load Balancing & WAF.

Most WAF/Load Balancing providers have documentation about when/where to perform decrypt in your architecture.

How many Cloudflare sites are just using the Cloudflare wildcard cert?

From there, plenty of 3 letter agency space to start whiteboarding how they might continue to evolve their attack chain.

Reply View 0 replies
snewman 10 months ago

Often the connection between the load balancer and app backend also uses TLS. I've operated a large / complex service on AWS and all internal communications at each level were encrypted.

Of course, in principle, a cloud provider could tap in anywhere you're using their services – ELB (load balancer), S3, etc. I presume they could even provide backdoors into EC2 instances if they were willing to take the reputational risk. But even if you assume the NSA or whoever is able to tap into internal network links within a data center, that alone wouldn't necessarily accomplish much (depending on the target).

Reply View 0 replies
tonetegeatinst 10 months ago

Worse is how most email providers require SMS confirmation or a secondary email.

Reply View 0 replies