
Thai government to MITM all internet communications - geomark
http://www.bangkokpost.com/opinion/opinion/993937/internet-laws-a-time-bomb
======
Animats
We need general, automatic MITM detection in HTTP.

It's quite possible. An MITM attack has a basic quality that makes it
detectable - each end is seeing different crypto bits for the same plaintext.
All they have to do is compare notes.

There are out-of-band ways to do this, such as certificate pinning and
certificate repositories. But these haven't achieved much traction.

Doing it in-band is difficult, but possible. An early system, for one of the
Secure Telephone Units (STU), displayed a 2-digit number to the user at each
end, based on the crypto bits. The users were supposed to compare these
numbers by voice, and if they matched, they were probably not having a MITM
attack. An MITM attacker would need to fake the voices of the participants to
break that.

This is the insight that makes MITM detection possible. You can force the MITM
to have to tell a lie to convince the endpoints. More than that, if you work
at it, you can force the MITM to have to tell an _arbitrarily complex_ lie.
You can even force the MITM to have to tell a lie about the future traffic on
the connection. That means they have to take over the entire conversation and
fake the other end.

As an example, suppose a server sending a page sends, at the beginning of the
page, a hash value which is based on the contents of the page about to be
sent, and also based on the first 64 bytes of the crypto bits of the
connection. The browser checks this. The MITM attacker now has a problem. If
they don't know about this, the MITM attack immediately sounds an alarm at the
browser. If the attacker does know about this, they can compute their own
hash. But they haven't seen the content the hash covers, because the page
hasn't been transmitted yet.

So the attacker either has to buffer up the entire page before they can send
any of it, or fake the page based on some source like a cache. Buffering up
the entire page adds delay. The server can add to that delay by deliberately
stalling for some seconds before sending the last few bytes of the page. If
the MITM attack adds 10 seconds before every page begins to load, it's obvious
what's happening. The browser could even check this; if the first byte of the
page doesn't appear within N seconds, don't display it.

Faking the page is a lot of work, especially if it's customized. A cache won't
be enough. Users will notice if they get a generic page instead of their
personal social network page.

This would be a good feature to add to HTTP2, because it has one persistent
connection which, once validated, is good for many pages.

Nobody seems to be doing enough with in-band MITM detection. There's [1], but
that requires "previously established user authentication credentials."
Facebook has a scheme which relies on MITM attackers not knowing how to MITM
Flash content.[2] That's a form of security through obscurity, but it does
detect most attacks at the proxy and hostile WiFi level.

[1] http://www.cc.gatech.edu/~traynor/papers/dacosta-esorics12.pdf

[2] http://www.scmagazine.com/researchers-detect-ssl-mitm-attacks-method-implemented-by-facebook/article/346994/

------
Canada
In order to successfully pull off the MITM attack against TLS connections they
will need a rogue CA or cooperation from browsers. Fortunately Thailand is
completely dependent on foreign software and services, and I see no reason why
Google, Mozilla, Facebook, etc would cooperate.

The government will still be left with two options: Severely cripple
themselves by blocking entire services or remain unable to decrypt traffic.
Unlike China, Thailand is in no position to create their own search engines,
social media and messaging systems.

~~~
msbarnett
> In order to successfully pull off the MITM attack against TLS connections
> they will need a rogue CA or cooperation from browsers.

Well, "fortunately", Blue Coat Systems, leading manufacturer of intercept
devices for authoritarian regimes, now has an intermediate cert courtesy of
Symantec CA, so they're fully capable of issuing and installing MITM certs for
use on their clients' devices.

~~~
imglorp
Would it be hyperbolic to say vendors like Blue Coat have blood on their
hands?

Yeah it's just a tool and yeah your workplace or school might need one to
"keep the children safe", and yeah they're not responsible for what their
customers do with their products. But when they knowingly sell[1] to
repressive governments where bad things happen to dissenters, what does that
make them? And please spare us the "terrorist" and "criminal" barf, we've
heard it in the West.

Any Blue Coat care to comment?

1. https://www.eff.org/deeplinks/2011/10/blue-coat-acknowledges-syrian-government-use-its-products

------
hlandau
It was inevitable this would spread beyond Kazakhstan. I previously wrote
about this:
[https://www.devever.net/~hl/policymitm](https://www.devever.net/~hl/policymitm)

------
officialchicken
I just cancelled my ticket to Chiang Mai, I will find somewhere else to
digital nomad.

~~~
kilroy123
I was wondering what all the digital nomads there think of this.

~~~
technomancy
I live in Thailand; I'm extremely skeptical that it's going to happen. The
most likely explanation is that a few powerful generals feel like this must
happen and proudly announce their plans, and technical teams responsible for
actually doing it feel too intimidated to explain to the generals why it's
impossible, so they just agree to it hoping that the dictatorship will be out
of power before the implementation could happen.

As someone from /r/Thailand put it, "I'm hoping incompetence and indifference
would save the day once again, as it has many times in the past." They can't
withdraw it now without losing face, but they can let it just wither and
become forgotten over a few years.

~~~
geomark
I also live in Thailand and I hope you are correct. But the fact that they can
now easily buy the equipment and consulting to do this sort of thing means
they might very well try it. And like I said in another comment, they don't
care if it breaks the internet because they and the people they are serving
don't use it like everyone else. To them the internet is little more than a
major annoyance because it allows dissidents to communicate and engage in
speech they don't like.

~~~
joeguilmette
I also live in Thailand and think we should all get a beer.

firstname dot lastname at gmail

------
Create
SSL added and removed here

We begin therefore where they are determined not to end, with the question
whether any form of democratic self-government, anywhere, is consistent with
the kind of massive, pervasive, surveillance into which the United States
government has led not only us but the world.

This should not actually be a complicated inquiry.

https://archive.org/details/EbenMoglen-WhyFreedomOfThoughtRequiresFreeMediaAndWhyFreeMedia

Surveillance is not an end toward totalitarianism, it is totalitarianism
itself.

https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html

------
corv
Those who read Thai can find more information here:

https://thainetizen.org/2016/05/single-gateway-back-ssl-censorship/

------
TimPrice
I somehow feel this is good for any of those countries in between the western
capital-based democracies and the extreme of North Korea: it will backfire
sooner or later, but without any of these silly measures triggering public
awareness, people would keep believing in their leaders and brainwashed
culture.

Maybe it is what it takes to move forward from a dictatorship to a (fake)
democracy these days.

~~~
GFK_of_xmaspast
Are you aware of the last 15-ish years of democracy in Thailand?

~~~
joeguilmette
Thailand had a coup two years ago and has been living under military
dictatorship ever since.

~~~
GFK_of_xmaspast
The 2014 coup was just the latest in a series of anti-Shinawatra actions
(including the 2006 coup and the events of 2010).

~~~
joeguilmette
Do you spend much time in BKK? If so we should get a beer. @travlbum on
Twitter

------
cm2187
What about China? Does the great firewall also MITM the requests?

~~~
wodenokoto
China blocks a lot of HTTPS traffic outright.

The HTTPS Everywhere movement was a pain in the ass when I was in China,
because many websites would redirect me from HTTP to blocked HTTPS.

~~~
intopieces
How was your access to VPNs, or did you have a chance to try them out? I used
to work for a VPN company and China was a constant challenge.

~~~
wodenokoto
I lived there before the big VPN crackdown. It is much harder to get a working
VPN now than just a few years ago, according to my friends.

I switched from Gmail while I was there (and back) and just watched Youku
instead of YouTube, so I mostly didn't bother paying for a VPN.

------
karmicthreat
So, unrelated to this, what are the best couple of resources out there for
understanding the PKI system? I understand it in vague terms and I can use it.
I just don't know enough of the details of it to be comfortable with it.

It may be that I would be even less comfortable with it if I knew the details.

------
ommunist
Kazakhstan is doing this already.

