6

Use connection of A and B as an example. Their communications were encrypted by Public Key Encryption. Before they exchange their public key, ISP MITM attacked. A got "B"'s public key (ISP generated) B got "A"'s public key (ISP generated)

A send message X to B.

A->"B"'s public( (A's private(X) )->ISP

When ISP got that ciphertext(C), ISP decrypt it by "B"'s private( (A's public(C)) ) Then, ISP got the message.

After that, ISP encrypt message X for B.

ISP->B's public( "A"'s private(X) )->B

Then B decrypt ciphertext(C) by B's private( "A"'s public(C))

Then B got message X and they don't know ISP got the message.

Is it possible? Sorry for my poor English and explanation.

3 Answers3

8

When you connect to a site over HTTPS, your browser checks that the certificate was issued by a certificate authority that you trust (typically built into your OS or web browser) and that the certificate matches the domain of the website you are visiting.

So if your ISP can get you to install a certificate corresponding to fraudulent certificate authority they control OR compromises a certificate authority OR somehow obtains the secret private key of a random website, then yes they could surreptitiously do a MITM attack.

There is plenty of incentive for certificate authorities not to issue fraudulent certificates. If any fraudulent certificates are seen in the wild (which is easily verifiable as only the certificate authority can sign a fake certificate), the certificate authority would lose its trust and quickly go out of business.

Furthermore, for some sites and some web browsers there's the notion of certificate pinning, where the site can only be visited via HTTPS (using accomplished through HSTS) and only with a certificate issued by a pinned certificate authority.

dr jimbob
  • 38,936
  • 8
  • 92
  • 162
  • how about if it is on tor network? –  Jul 31 '14 at 03:59
  • 1
    At the exit node, tor traffic is very susceptible to eavesdropping. See: http://security.stackexchange.com/questions/34804/how-safe-is-tor-from-mitm-snooping-attacks and http://security.stackexchange.com/questions/31589/is-a-tor-router-really-safer-than-a-proxy – dr jimbob Jul 31 '14 at 04:04
  • 1
    I know that there is weakness in exit node, but will the rest(encrypted traffic) be MITM attacked like my question? –  Jul 31 '14 at 04:06
  • 2
    There is at least one firewall manufacturer I'm aware of that explicitly uses MITM certificate shenanigans in order to decrypt HTTPS -- ostensibly just for application-level intrusion scanning, but traffic interception is possible as well. – Shadur Jul 31 '14 at 06:54
4

Yes, ISPs can and do intercept traffic of users.

Plaintext communication, such as plain HTTP or FTP, can be intercepted, analyzed and modified by the ISP without anybody knowing. This is why you should never used plaintext communication if it is in any way possible.

Encrypted communication, such as HTTPS, FTPS, SFTP, etc., can also be intercepted, but the user will know that this is happening. For example, if a user wants to access https://example.com. An ISP intercepting that traffic would need to have a valid certificate for this website in order to not be detected.

This can be circumvented by ISPs telling their customers that they need to install their root certificate "to make the errors go away". Non-technical users will likely not understand the implications and follow the instructions (or have someone from the ISP come to "fix" it for them). The result is that "the error" - which righteously was displayed - goes away. Congratulations, your ISP is now stealthily spying on you.

  • 1
    Absent ESNI (which is not (yet) widely deployed), even with proper HTTPS, the ISP (or a Tor exit node) can tell that you're accessing `example.com` as opposed to some other hostname hosted on the same IP address, but they cannot see the request or response to `example.com` (which includes the specific page you're looking at, its contents, and any data sent via a form). The ISP (or again exit node) can also see how much data is transferred in each direction during the connection. This metadata can be incriminating even if the contents of the communication is still protected. Metadata *is* data. – user Aug 12 '19 at 11:41
  • @aCVn I...don't see how this is related to my answer. –  Aug 12 '19 at 11:42
  • It's related to your statement that "Encrypted communication ... can also be intercepted, but the user will know that this is happening". I can see how that might not have been obvious; to my defense, I ran out of space in the margin. – user Aug 12 '19 at 11:52
  • @aCVn I wrote a [question](https://security.stackexchange.com/questions/215162/how-can-i-protect-the-confidentiality-integrity-and-authenticity-of-my-communic) specifically because of this answer. Feel free to write an answer with all the space you need :D –  Aug 12 '19 at 12:00
3

There have been compromised certificate authorities - and the list of trusted authorities is very long and geographically dispersed. I would certainly consider nation states to potentially have the ability to orchestrate this sort of attack.

The only real solution to this problem is certificate pinning or using another layer of encryption on the payload with public/private keys, or a shared secret (symmetric encryption) exchanged out of band. Pinning in it's simplest form means you know what certificate to trust from the site and don't trust any other. This means you wouldn't trust a certificate inserted by your ISP. Perfect forward secrecy also helps in terms of reducing the impact of compromise or failure of other controls (also in the part of the Wikipedia article linked below). You could also consider reducing the number of certificate authorities your browser trusts.

Here's more information on certificate pinning: http://en.wikipedia.org/wiki/Certificate_pinning#Certificate_pinning

Andy Boura
  • 759
  • 3
  • 10