Writing

Software, technology, sysadmin war stories, and more. Feed
Thursday, January 31, 2019

Deliberately skipping encryption for business purposes

There's something in the news this week about a "VPN/proxy" service being used to spy on people, then Apple dropping the hammer on the company responsible, and all sorts of fun following. It's pretty interesting if you're outside the blast radius and can sit back with a box of popcorn and just watch.

One thing I don't understand, though: let's say you are operating this proxy service not out of the goodness of your heart, but to collect telemetry on what sort of apps people are using. You can do that just by looking at the traffic they generate. You don't need to know who they are or how old they are. Just pass their traffic along to the Internet and see what it is. Maybe you spy on their actual suite of installed apps. It's wacky, but it's still relatively anonymous.

So, given that, why would you associate it with their social media accounts, unless you were actively trying to glue it all together and possibly target specific individuals? Like, say, the really young ones who keep slipping through the company's fingers because old people have no idea what's cool? Yeah, them.

How would you know if this is going on? Look for things deliberately forced to not be HTTPS. You make them talk to service B in the clear over the VPN/proxy, and then they can see who they are on B just by inspecting the traffic.

An analogy of it would go like this: I normally encrypt all of my communications with my friend, so you can't see what we're talking about, including the nickname the friend uses for me. You'd really like to find out that nickname, so you find a way to get me to call the friend without encryption and wait for them to say the nickname over the line. Once that happens, you know who I am.

Now, actually doing this requires cooperation from B, naturally. I mean, who would deliberately run HTTP connections just so they could be sniffed, right?