Re: Best secure surfing solution

From: *Vanguard* (no-email_at_bogus.nix)
Date: 01/31/04 

Date: Sat, 31 Jan 2004 00:53:18 -0600

"Lawrence Rodis" said in
news:k2ESb.3993$F23.1146@newsread2.news.pas.earthlink.net:
> George,
>
> To prevent your ISP, what Flag said is correct. For your Company,
> they could have access to everything you do in minutes. Look at
> spectorsoft.com and their spector professional edition. I'm using it
> on PC for several clients. And have caught folks doing things they
> should not. Best to keep your private stuff off of other peoples
> PC's.
>
>
>
> "George" <lgst036@hotmail.com> wrote in message
> news:f86efd4e.0401301646.3729e776@posting.google.com...
>> Hi,
>>
>> I would be grateful if someone could give me some advice.
>> Not wanting my ISP or employer to see confidential emails and
>> surfing, I have set up a service with companies providing secure web
>> browsing (Idzap, the cloak, etc). So my web browser is using https
>> using certificates from the company offering this service.
>> I have read about possibilities of intercepting the https with "man
>> in the middle" or maybe other techniques.
>> How difficult it is for an ISP or my company&#8217;s network
>> administrator to do that. Translated in money, how much would they
>> need to spend to do that.
>> Are there any better solutions, maybe a VPN service, Kerberos setup
>> or anything else possible.
>> Of course the above assumes that the secure service provider is
>> trusted on which I would be keen to find any of their commonly known
>> policies. (maybe suggestions)
>>
>> Many thanks
>>
>> George

But since the connection is SSL secured, why would the user care that you
could sniff out their encrypted HTTP datastream? It'll look like a bunch of
garbage to you, the sniffer. You can still see *where* they are navigating
but you cannot see *what* they are sending and receiving.

The only way that spectorsoft.com could be determining what the user is
sending (but not what they are receiving) is to install a client on that
user's computer. That is, the product would have to install a keylogger.
That appears to be what the product does since it states, "..., Spector Pro
contains seven integrated tools that record: ..., keystrokes typed, ...".

You had better make sure that you have permission from each department to do
this sniffing and keylogging. Our department, for example, sometimes has
highly sensitive data between us and a partner that no one else in the
company should see (and anyone else seeing the data is a severe breach in
security). We even have to be in a separate section of the building, all
papers must be discarded in our wastebaskets and not outside our locked room
(because it gets handled separately and securely from the other trash),
recording devices are definitely taboo, and so on. If we caught anyone in
IS or elsewhere in our company sniffing our communications, even if they
were encrypted, they'd get laid off or, at least, suspended. Just like
there are laws prohibited unauthorized wire tapping, there are always
internal policies and politics that dictate if anyone can go sniffing just
because they are curious. You need to establish well written and understood
policies and make sure all departments are educated (and you, too, about
what you are NOT allowed to do regarding communications from some
departments).

As far as the keylogger client, that wouldn't survive very long on my hosts.
By going through an intermediary but external anonymizer service using SSL,
all you could see is that I was connecting to that service but not where I
was actually connecting to past that service. If e-mails are sensitive then
the sender should be using encryption. You can see in your mail server logs
(and don't need SpectorSoft) where the e-mail went but not its content. Of
course, if anyone from IS installed anything on our alpha lab hosts, they
would get their ass royally kicked for corrupting our known configurations
used for testing. 

-- 
____________________________________________________________
*** Post replies to newsgroup.  E-mail is not accepted. ***
____________________________________________________________

Relevant Pages

  • Re: Best secure surfing solution
    ... > To prevent your ISP, ... I have set up a service with companies providing secure web ... IS or elsewhere in our company sniffing our communications, ...
    (sci.crypt)
  • Re: Best secure surfing solution
    ... I have set up a service with companies providing secure web ... the product would have to install a keylogger. ... If we caught anyone in> IS or elsewhere in our company sniffing our communications, even if they> were encrypted, they'd get laid off or, at least, suspended. ... If e-mails are sensitive then> the sender should be using encryption. ...
    (sci.crypt)
  • Re: Best secure surfing solution
    ... I have set up a service with companies providing secure web ... the product would have to install a keylogger. ... If we caught anyone in> IS or elsewhere in our company sniffing our communications, even if they> were encrypted, they'd get laid off or, at least, suspended. ... If e-mails are sensitive then> the sender should be using encryption. ...
    (alt.computer.security)
  • Re: Live USB wireless connection
    ... fact you do: it's called your ISP. ... secure than wired in this sense because they only affect the local ... We've had encryption schemes for mail logons for a long time, ...
    (Fedora)
  • Re: [Full-Disclosure] Wireless ISPs
    ... > serverand from there to the ISPs insecure ...oops ... Secure transactions through a web interface ... Inherent insecurity on the Wireless leg of these transactions. ... > mail ..point being there it wouldnt matter if the ISP ...
    (Full-Disclosure)