US DoD, Brit ISP BT reverse proxies can be abused to frisk internal systems – researcher

Minor blunders in reverse web proxies can result in critical security vulnerabilities on internal networks, the infosec world was warned this week. James Kettle of PortSwigger, the biz behind the popular Burp Suite, has taken the lid off an “almost invisible attack surface” he argues has been largely “overlooked for years.” …

  1. Anonymous Coward

    Think of the children

    The interception system is related to CleanFeed, which was built by BT in the mid-2000s to block access to images and videos of children being sexually abused. This technology was repurposed to target pirates illegally sharing movies, music, software and other copyrighted stuff.

    A government-mandated, country-wide man-in-the-middle attack. Who could have ever imagined it might be a security and privacy problem?

    1. Lee D Silver badge

      Re: Think of the children

      But it's not, not really.

      If you want security, you never do plain HTTP.

      And that thing can't fake HTTPS no matter what it does, without flagging up browser warnings and making you perfectly aware it's in place.

      It's like saying "Who would imagine that leaving all your doors and windows open might be a security problem?" Just about everyone.

      I'm more surprised that they think that such a reverse proxy is in any way a good way of catching people doing anything. Hell, you can't wipe your nose on the Internet without going via an SSL secured-by-default website (e.g. Google). And with Let's Encrypt, self-signed certs and other free certs it literally costs nothing to avoid.

      If you are doing illegal things, and have anywhere near half a brain, you don't log onto your home Wi-Fi and just connect straight out to HTTP websites to do it, surely?

      1. Dan 55 Silver badge
        Black Helicopters

        Re: Think of the children

        If we're going to go full tinfoil, BT Trustwise have an agreement with Symantec (née Verisign), so that's a CA on everyone's machine.

        Just throwing that out there.

        (I didn't downvote.)

      2. Suricou Raven

        Re: Think of the children

        The government is already on the verge of demanding all encryption have a back door to allow snooping, though.

        It's really just a matter of claiming pedophiles are using https to bypass filters designed to block child abuse images. The Mail will love it, and few MPs will dare to protest for fear of being denounced as supporting child abuse.

        1. Anonymous Coward

          Re: Think of the children

          > "The government is already on the verge of demanding all encryption have a back door to allow snooping, though."

          Well, legal encryption anyway.

          1. Sir Runcible Spoon

            Re: Think of the children

            Have a look at the SSL Visibility Appliances for those who think https is inviolate.

            1. Anonymous Coward
              Childcatcher

              Re: Think of the children

              "Have a look at the SSL Visibilty [sic] Appliances for those who think https is inviolate."

              Blow that - they are just one MitM method. If you want to really get to grips with what you can do to SSL, using software that you *can* get access to, then get hold of Squid and investigate "SSL bump".

              At home I have a THINGS VLAN (and another one called SEWER for things that I trust even less than an IP camera). I really must get around to putting things like my Samsung telly through SSL bump to see what is going on. It may verify its other end's CA but given the quality of the rest of its programming - I doubt it. I do watch its connectivity when I'm bored. It port scans its LAN occasionally and chats a lot to AWS, no doubt for my benefit.

    2. Orv Silver badge

      Re: Think of the children

      Taking a page from China, from the sounds of it. The Great Firewall of Britain?

  2. ISP
    Black Helicopters

    Tip

    I hope the researcher isn't planning any US trips anytime soon, otherwise his stay is likely to be protracted.

  3. Nick Kew

    Um, the title says reverse proxy, but the substance of the article describes something different: a transparent proxy.

    A reverse proxy is, from a Client PoV, an origin server, in that it *is* the hostname and IP address of the requested URL. It doesn't involve intercepting anything, because it's precisely where the traffic is routed. The proxy part is merely that it delegates the request to a backend server.

    The reverse proxy is when you ring a company and get the receptionist to put you through to an extension. BT's proxy is a spooks' wiretap on the line.

    1. Suricou Raven

      He was studying reverse proxy hacking. In the process he inadvertently triggered a response from BT's transparent proxy.

    2. Anonymous Coward Silver badge

      It actually talks about both.

      DoD issue was a reverse proxy. BT issue was a transparent (forward) proxy.
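Nick Kew's distinction, as the two replies refine it, comes down to who decides the destination: a reverse proxy is the origin the client addressed, and it forwards only to backends it has configured for that Host; a transparent proxy sits on the wire and forwards to wherever the client was already going. The model below is an added Python example, not code from the article, PortSwigger or BT. It shows the reverse-proxy half: a hypothetical virtual-host table (the `.test` hostnames and 10.0.0.x backend addresses are constructed), a path check that refuses dot segments after one round of percent-decoding, and the hop-by-hop header stripping from RFC 7230 section 6.1 that a proxy must do before relaying a request.

```python
"""Reverse-proxy routing model: the proxy is the origin the client sees,
and it forwards only to backends named in its own table."""
from urllib.parse import unquote

# Hypothetical virtual-host table (constructed for this example):
# public hostname -> internal backend base URL. Nothing outside this
# table is ever contacted on the client's behalf.
BACKENDS = {
    "www.example.test": "http://10.0.0.10:8080",
    "api.example.test": "http://10.0.0.11:9000",
}

# Hop-by-hop headers (RFC 7230 section 6.1) are meaningful only for the
# client<->proxy connection and must not be relayed to the backend.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def host_from_header(host_header):
    """Lower-case hostname from a Host header value, with any port removed.
    IPv6 literals ('[::1]:8080') are handled; None for an empty header."""
    value = (host_header or "").strip()
    if not value:
        return None
    if value.startswith("["):
        end = value.find("]")
        return None if end < 0 else value[1:end].lower()
    return value.split(":", 1)[0].lower().rstrip(".")


def canonical_path(raw_path):
    """Return a canonical '/a/b' path, or None if the path is not absolute
    or still contains '.'/'..' segments after one round of percent-decoding.
    Refusing rather than normalising means the backend never receives a
    path the proxy might have interpreted differently from it."""
    if not raw_path.startswith("/"):
        return None
    segments = [s for s in unquote(raw_path).split("/") if s != ""]
    if any(s in (".", "..") for s in segments):
        return None
    return "/" + "/".join(segments)


def route(host_header, request_target):
    """Decide where the proxy forwards a request.
    Returns (backend_url, reason); backend_url is None when the request is
    refused because the Host is not in the table or the path is rejected."""
    host = host_from_header(host_header)
    backend = BACKENDS.get(host)
    if backend is None:
        return None, "unknown host"
    path, _, query = request_target.partition("?")
    clean = canonical_path(path)
    if clean is None:
        return None, "bad path"
    return backend + clean + ("?" + query if query else ""), "ok"


def forward_headers(headers, client_ip):
    """Headers to send upstream: hop-by-hop headers and anything listed in
    Connection are dropped, and X-Forwarded-For is set to the address the
    proxy itself observed (a client-supplied value is discarded, since the
    proxy is the first trusted hop). Header names are lower-cased."""
    lowered = {k.lower(): v for k, v in headers.items()}
    drop = set(HOP_BY_HOP) | {"x-forwarded-for"}
    for name in lowered.get("connection", "").split(","):
        if name.strip():
            drop.add(name.strip().lower())
    out = {k: v for k, v in lowered.items() if k not in drop}
    out["x-forwarded-for"] = client_ip
    return out


if __name__ == "__main__":
    for host, target in [("www.example.test", "/index.html"),
                         ("api.example.test", "/v1/%2e%2e/admin"),
                         ("10.0.0.10", "/")]:
        print(host, target, "->", route(host, target))
```

The point of the explicit table is that a request addressed to the backend's own IP, or to a hostname the proxy does not serve, gets "unknown host" rather than being forwarded anywhere; a transparent proxy cannot make that decision because it has no table of its own, only the destination the client chose.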

  4. NonSSL-Login

    Random Thursdays

    Revealed his findings on Thursday? Suggests Thursday just gone when in fact it was over 3 weeks ago, as I read it back then, and the article also has the date of 27th July.

    Minor nitpick.

  5. Aitor 1

    Proxy, etc

    What he describes is essentially a MitM attack by ISPs and governments... and also some proxies... but I don't care much about the proxies, I care about the Gvt-mandated espionage.

    1. Martin-73 Silver badge

      Re: Proxy, etc

      These things are the reason I dumped Virgin years ago. Caught them MITM'ing my HTTP GET requests... they first denied it, then when presented with evidence, said they were caching proxies to speed up the web and no, I couldn't bypass them. So I told them to feck off.

  6. M7S
    Black Helicopters

    Investigating anything related to or hosted by BT? Risky at best

    Did he by any chance dare to type ../../../ anywhere?

    https://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/

    Oh what short memories we have as an industry, TPTB may feel that current sentences are not enough of a deterrent.

  7. Will Godfrey Silver badge
    Unhappy

    A little rhyme

    Oh what a tangled web we weave,

    when first we practice to deceive.

    1. Mark 110

      Re: A little rhyme

      Not sure there's any deception involved. BT's use of filters for inappropriate content has been well documented. They publicised it rather than tried to be deceptive about it.

      Though I take your point. Tangling communications makes things more difficult. Which was the point of Scott's original quote, IIRC.

  8. John Smith 19 Gold badge
    Thumb Up

    He sounds like he's done most people quite a service.

    Of course it should not have been necessary. But in the UK it is.

    "Clean feed" my a***.

  9. Andre Carneiro

    Speaking as a non-IT-industry professional, I do get the impression that if a proxy is all Cleanfeed is, then circumventing it is trivial to say the least.

    I would imagine that anyone willing to look at kiddy porn will certainly have the motivation and, after a simple Google search, the knowledge to bypass it in 30 seconds.

    Why even bother running it unless for other nefarious government-mandated purposes?

    1. Korev Silver badge
      Childcatcher

      Or maybe it's mandated by non-tech-savvy politicians or executives because "Something must be done".

  10. Anonymous Coward

    Man...

    I've known about ISP reverse proxies for ages.

    I'm shocked to find that an astonishing number of tech folk are unaware of them.

    They stick out like a sore cock when you do DNS diagnostics or try and access sites with invalid domains.

    Especially on mobile networks.

    It's also how ISPs are able to deliver their custom 404 messages etc.

    Fortunately, they are pretty easy to identify and circumvent using some tunnelling and encryption.

    I keep saying this here but...DNSCrypt and an SSH tunnel to an ISP you can 'trust' is a winner every time.

  11. Alan Brown Silver badge

    Your challenge, Mr Phelps...

    "putting subscribers behind proxies is bad because if one of the boxes ends up on a black list, everyone gets blocked"

    I can imagine some people going "challenge accepted"

  12. Jessy89

    I JUST REALLY DON'T UNDERSTAND WHY OUR STATE DOESN'T SUPPORT WHITE HACKING?!

    WHY AREN'T HUGE FUNDS BEING SPONSORED FOR DIGITAL HYGIENE AND PROGRAMMING LESSONS IN SCHOOLS????!!

    America is a really backward country in terms of IT security, compared to Russia, which intervenes every election!

    Why the hell do we have a proxy and VPN so expensive, and people are afraid of it like fire?! Why can't you just use it for your own safety? Corny you will not be tracked by criminals.

    Isn't that true?
