

Ask HN: Am I allowed to reverse engineer an Internet service and blog about it? - nicothieb

I've been working lately with a reverse proxy to pen test our own app and I actually see some very interesting network traffic on both my laptop and my phone. I would like to investigate services I use and blog about how they work. I find it very instructive but fear potential legal consequences.

Examples of such services are iCloud, Dropbox, Facebook, etc.
======
rogerbinns
Most of these services have public documentation about how they work in terms
of network oriented APIs, or failing that some sort of SDK whose structure
will typically be representative of the network traffic. For example this is
what Dropbox say <https://www.dropbox.com/developers/core/api>

You can reverse engineer protocols for the purposes of interoperability in
Europe. However there are various fine print details that matter and changes
in the last few years. The Wikipedia page has a summary and references to the
legislation
<http://en.wikipedia.org/wiki/Reverse_engineering#European_Union>

However if those services have been written correctly they will be using SSL
and you shouldn't be able to see what is going on with network sniffers (other
than DNS names and traffic analysis).

That means reverse engineering the software, which is hard and time consuming
(e.g. you need to know assembly and use debuggers at that level). Some like
Skype use anti-reverse engineering techniques. Tools like IDA help as a
starting point.

However chances are that all that software you downloaded had some sort of
click agreement that you agreed to saying you won't reverse engineer the
software. That adds another layer of legal issues you need to address.

~~~
nicothieb
You can actually analyse most SSL traffic with a man in the middle proxy. All
you need to do is to reencrypt the data with your own certificate and
accept the signing certificate as trusted on your computer.

SSL is not obfuscation, it is about maintaining a chain of trust.

~~~
rogerbinns
I've written one of those before(1). For general browser traffic it isn't a
problem since you can add the proxy cert to the browser or whatever it uses.
For apps (i.e. non-browser) it will depend on their certificate checking code,
which for best practice should _not_ accept any old gunk the OS/browser does.

(1) For a test I used my bank which had all sorts of RSA checked and similar
logos all over the "secured" pages. Needless to say those logos remained even
though I was going through a man in the middle.
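
The certificate checking described in the comment above, where an app does not accept everything the OS trust store accepts, is commonly done by pinning. This is an added example, not code from the thread: the certificate bytes, the host name and the helpers `decide` and `connect_pinned` are constructed for illustration, and it pins the SHA-256 of the whole leaf certificate for simplicity (deployments often pin the public key instead so that renewals keep working).

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded leaf certificates (not real certificates).
SERVICE_CERT = b"constructed DER: CN=api.example.test, issued by the service's CA"
BACKUP_CERT = b"constructed DER: CN=api.example.test, backup key for rotation"
PROXY_CERT = b"constructed DER: CN=api.example.test, re-signed by a local proxy CA"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the whole DER certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


# Pins shipped inside the app: the current certificate and a backup.
PINS = frozenset({fingerprint(SERVICE_CERT), fingerprint(BACKUP_CERT)})


class PinMismatch(ConnectionError):
    """The chain validated, but the leaf is not one the app expects."""


def decide(os_trusts_chain: bool, leaf_der, pins=PINS) -> str:
    """Both checks must pass; trust-store validation alone is not enough."""
    if not os_trusts_chain:
        return "reject: chain not trusted"
    if not leaf_der or fingerprint(leaf_der) not in pins:
        return "reject: pin mismatch"
    return "accept"


def connect_pinned(host: str, port: int = 443, pins=PINS) -> ssl.SSLSocket:
    """Open a TLS connection, then apply the pin check to the peer's leaf."""
    ctx = ssl.create_default_context()  # OS trust store + hostname verification
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # raises if chain untrusted
    except Exception:
        raw.close()
        raise
    verdict = decide(True, tls.getpeercert(binary_form=True), pins)
    if verdict != "accept":
        tls.close()
        raise PinMismatch(f"{host}: {verdict}")
    return tls
```

With a proxy CA added to the machine's trust store, the chain check passes for `PROXY_CERT`, and only the pin comparison in `decide` turns the connection down.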

------
mipapage
Interesting, how do folks who find security holes and blog about it get around
this type of thing? I imagine you are worried about this, or IP issues?

~~~
nicothieb
I don't plan on exposing security issues. I'm just worried that if you write a
post on how iCloud backs up your device on S3 someone might feel offended.

~~~
mipapage
FWIW I'd be into these posts.

------
lutusp
> Am I allowed to reverse engineer an Internet service and blog about it?

Possibly and in some cases; however, this might run afoul of the laws that
prohibit defeating computer security schemes.

My point is that the answer is not simple, and a behavior that may be
completely acceptable for case A might be a felony in case B.

Source: <http://www.law.cornell.edu/uscode/text/18/2701>

Quote: "(a) Offense.— Except as provided in subsection (c) of this section
whoever—

(1) intentionally accesses without authorization a facility through which an
electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility; and
thereby obtains, alters, or prevents authorized access to a wire or electronic
communication while it is in electronic storage in such system shall be
punished as provided in subsection (b) of this section."

