Wednesday, July 27, 2016

PAC Attacks When Using HTTPS!
VPN To The Rescue


Introduction: What I discuss below fits within the realm of computer networking. As such, it is complicated, has a learning curve and may require homework, time and patience to understand. However, as usual, I've tried to translate the technology into something reasonably easy to comprehend and I've provided some useful reference links.

Open Wi-Fi Hotspots Are Not Our Friend

Using open, no password required, hot spot Wi-Fi routers is dangerous. It's trivial for anyone also on the router to spy on all your Internet activity. There are several tools for the hack job on all computer platforms. So what do you do?

Using HTTPS on the Web is one generally reliable way to encrypt your connections, resulting in hacker spies seeing only gibberish pass between your computer and your destination. That's great, except a lot of servers still use old SSL (Secure Sockets Layer) protocols that are no longer secure, and there are older browser applications that still allow the use of SSL. The replacement technology is TLS (Transport Layer Security) and is considerably safer, albeit not perfect as of yet. For general Web access at a Wi-Fi hotspot, HTTPS via TLS should be adequate.

Except this happened:

New attack bypasses HTTPS protection on Macs, Windows, and Linux
Hack can be carried out by operators of Wi-Fi hotspots, where HTTPS is needed most.
- DAN GOODIN, Ars Technica - 7/26/2016, 1:14 PM
The most likely way the attack might be carried out is for a network operator to send a malicious response when a computer uses the dynamic host configuration protocol to connect to a network. Besides issuing addresses, DHCP can be used to help set up a proxy server that browsers will use when trying to access certain URLs. This attack technique works by forcing the browser to obtain a proxy autoconfig (PAC) file, which specifies the types of URLs that should trigger use of the proxy. Because the malicious PAC code receives the request before the HTTPS connection is established, the attackers obtain the entire URL in plaintext....
(Emphasis mine).

This is a fairly sophisticated attack for the moment. But again, it could be made trivial by proliferating hacking tools.
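To make the Ars excerpt concrete, here is an added example (my own, not code from the original post or the Ars article): a tiny evaluator that feeds a constructed PAC script the way a browser would, shows the exact string FindProxyForURL receives for an HTTPS request, and applies the defensive change browsers later shipped, which hands the script only the scheme and host of an HTTPS URL. The PAC script, helper and proxy address are all constructed for the demo.

```javascript
// Added example, not from the original post: what a PAC script sees, and the fix.

// Constructed PAC script standing in for one a hostile hotspot could push via
// DHCP/WPAD. It only makes a routing decision; the point is its first argument.
const SAMPLE_PAC = `
  function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, ".example.com")) return "PROXY 192.0.2.10:3128";
    return "DIRECT";
  }
`;

// Simplified version of one standard PAC helper (browsers provide many more).
function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

// Compile the PAC text in its own function scope and return FindProxyForURL.
function loadPac(pacSource) {
  const factory = new Function('dnsDomainIs', pacSource + '\nreturn FindProxyForURL;');
  return factory(dnsDomainIs);
}

// Mitigation: for https URLs strip path, query and fragment before the PAC
// script ever sees them, so a malicious script learns only the origin.
function urlForPac(fullUrl) {
  const u = new URL(fullUrl);
  return u.protocol === 'https:' ? `${u.protocol}//${u.host}/` : fullUrl;
}

// Evaluate one request. Returns the exact string handed to the PAC script
// (everything it could possibly leak) together with its routing decision.
function evaluate(findProxy, fullUrl, hardened) {
  const seenByPac = hardened ? urlForPac(fullUrl) : fullUrl;
  const decision = findProxy(seenByPac, new URL(fullUrl).hostname);
  return { seenByPac, decision };
}

// Stand-alone demo: legacy behaviour exposes the full URL, hardened does not.
const findProxy = loadPac(SAMPLE_PAC);
const request = 'https://mail.example.com/inbox?msg=42#reply';
console.log('legacy  :', evaluate(findProxy, request, false));
console.log('hardened:', evaluate(findProxy, request, true));
```

Note that plain http:// URLs are passed through unchanged by urlForPac; they travel in the clear anyway, so the PAC script gains nothing it could not already observe.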

So now what do we do?

If you're a casual web browsing user who doesn't mind having your URL connections surveilled in public, you wait for web browser and server updates to solve this problem.


If you're a professional who must NOT be surveilled in your work online, you enroll in a VPN (Virtual Private Network) service. I won't go into the techy details. But a good VPN service allows you to encrypt every little thing you do on the Internet from wherever you are, on whatever router you're using, out to a server run by the VPN service somewhere else on the planet. You can typically choose your exit server from a list provided by the VPN service. After you exit the VPN server out to the actual Internet, no one can trace back who you are. None of your data is visible at your Wi-Fi router location. Everything is encrypted through the VPN service. Problem solved.

There are many VPN services available. Some of them offer 'Life Time Membership' for a reasonable price. There is typically one VPN service or another running a special offer via one of the 'Deal' websites / email lists at any point in time.

As examples, I'm on the MacAppware and 9To5Toys 'Deal' lists, which are part of a network of 'Deal' services run through StackCommerce. They offer a variety of hardware, software and service 'Deals' at special discount prices, typically for a limited period of time. If you see something you like on the lists, you check it out. If you like it, you buy it. (Please note how I am deliberately not providing URLs as I am not selling or recommending any of these services. Do a search on their names and you'll find them).

Continuing these examples: 9To5Toys is currently offering both a 3-year subscription and full lifetime subscription to Tiger VPN for decent prices. MacAppware is currently featuring five different VPN service discounts. They include HideMyAss!, Hotspot Shield Elite, PureVPN, and VPN Unlimited.

The closest I'll come to a recommendation is to say that I have a friend who swears by HideMyAss! He regularly uses it to stream sports game video from Europe with great results. I have a lifetime membership with proXPN that works fine for my purposes.

One limiting factor with VPNs is speed, aka bandwidth. Obviously, you run into this factor when you're streaming a lot of data at once, for example when watching video. If that's what you want to do via VPN, it pays to shop around for the fastest service. Be sure to verify that what you read about a VPN service is real. For example, PureVPN calls itself "The World's Fastest VPN." Maybe it is or maybe it isn't. Check out a number of reviews to find out what users have experienced according to their usage of the VPN.

Another limiting factor is which VPN connection protocols the services offer. They may use OpenVPN and/or PPTP (Point-to-Point Tunneling Protocol). It's important to know what your hardware and OS can handle. Some cannot, for example, deal with OpenVPN. Therefore, in this case, you don't want a VPN service that only offers OpenVPN. You'll want one that offers PPTP. Many provide both.

From a security point of view, at the moment it is safer to use PPTP. OpenVPN has had a series of security compromises and was at one point assumed to be hackable. The OpenVPN project has been good about patching known security flaws, but new ones have recently been discovered on a regular basis. Meanwhile, PPTP is considered by some to be 'broken'. Microsoft recommends using a more recent and superior alternative protocol called L2TP/IPSec, with which I am somewhat unfamiliar. If a VPN offers it, consider using it instead of PPTP.

I could link here to a comparison chart of these three protocols, but what I found online was not up-to-date and would therefore be misleading. From a fanatical security perspective, it may be that all three of these protocols are hackable IF someone wants to target specifically YOU.  VPN attacks are sophisticated and take time to enact. As such, for general professional use, any of these three VPN protocols is adequate. Open source advocates of course prefer OpenVPN because its protocol is entirely available for scrutiny and theoretically that means the security holes are found and patched more readily. Meanwhile, Microsoft has been involved with both PPTP and L2TP/IPSec, which may give users a reason to cringe. You decide.

Nice things about good VPN services: 

First, my VPN rates the quality/speed of their own servers day-to-day. I'm in New York. So you'd think connecting to their New York City server would be great! It used to be. Now it's rated on the bottom of their connection listing. IOW it's the last server I want to use. Instead, I typically use the Chicago server, which is in the top third of their connection list. I often visit sites within the UK, in which case I use their London server. Thankfully, that is also in the top third of their connection list at this time. 

Meanwhile, if I want to use an exit server in or near Japan, forget it! There aren't any. That could have killed my interest in their VPN service, if it mattered to me. The closest server is in Singapore, and it's near the bottom of the connection list. IOW: It may be important to know what servers a VPN offers, according to your purposes.

Second, my VPN regularly changes its servers in cases where they are being blocked by ISPs. My VPN application grabs the latest list of available servers every day, which prevents me from connecting to what amounts to a dead server.

Why are VPN servers blocked? This gets into a controversy regarding copyright, marketing and costs. To give you at least a rough idea of how and why this can happen: Imagine you're the BBC in the UK. Someone uses VPN to connect to a London server. The IP address of that server is broadcast to every website to which you connect. It's obviously a British IP address, so you look to be British. Therefore, you can access all British web content as a British citizen. You have full access to all BBC web media, including any of their posted TV program streams. What can be 'bad' about that is that: (A) You may not actually be in Britain. You're using a VPN. (B) If you aren't British, you have no access to British copyrighted media. (C) BBC marketing people may go maniacal that you're breaking through an artificial marketing zone barrier to access media directly in the UK. (D) You haven't paid the taxes that support the BBC. Therefore, the BBC is motivated to find and have blocked all VPN servers within the UK.

Then there's that annoying totalitarianism issue where FAILed governments abuse their citizens, rather than serve them. Check this out:

Countries Where VPN Use is Prohibited
VPN is typically banned in countries that have authoritative laws, such as China, North Korea and Iran. With limited access to a majority of online content, in order to unblock blocked websites, citizens, tourists and expats in those countries typically resort to the use of proxy servers and VPN software. 
Some countries have banned the use of Virtual Private Networks so that they can maintain a bird's eye view on all online movement made by their citizens, who the governments of these countries consider as nonconformists, as well as to control the information their citizens have access to by censoring websites with liberal or opposing views. VPNs allow users to bypass censorship and keep all online activities confidential.
Such is our species. I thoroughly recommend deposing all such governments. That's what revolutions are for. We all deserve personal freedom and privacy, no exceptions (apart from the crooks and crazies).

So what about DNSCrypt?

I use DNSCrypt on all my Macs. I've had no trouble with it and it kindly encrypts all my DNS lookups for free. It works hella better than my ISP's DNS servers! (Time Warner Cable :-P). Thank you OpenDNS and Cisco! It prevents any open Wi-Fi hotspot hackers from seeing what websites I want to visit. It even prevents your ISP or anyone else from surveilling your DNS lookups.

Except DNSCrypt won't help with the PAC attacks on HTTPS. Sorry! The resulting IP address still ends up in-the-clear when using the PAC hack. Nonetheless, DNSCrypt is a great precaution and works extremely well. Finishing DNSCrypt took years of annoying betas. Now it's something approaching perfection. Highly recommended.

Questions? Further reference requests? Please drop me a comment below.
