A serious security flaw has been discovered in Cyberoam Deep Packet Inspection (DPI) devices, which Cyberoam uses to intercept SSL traffic. The device functions in a simple manner: it cloaks its presence by forcing users to install a fake CA in their browsers, and then uses this CA to issue fake certificates for websites. The certificate contains a public key and is quite easy to spoof; furthermore, the user’s consent to install the certificates makes the handshake possible. Cyberoam is extremely popular in corporate organizations, educational institutions and government agencies for varied reasons, ranging from blocking access to websites to spying on users.
Cyberoam subverts the original CA and plants its own faux CA instead. But what are the implications of this? A TOR user in Jordan has found something interesting. Cyberoam uses the same fake CA across all devices, but the problem with their implementation is that there is no intermediate key which the CA signs. Thus all Cyberoam devices share the same private key, and this opens a wide array of possibilities for tinkerers.
But the worst part is yet to come. The key from one device can be extracted and used to intercept traffic from any other Cyberoam client. This is embarrassing for Cyberoam, and it has not yet responded publicly on the matter.
The Tor media page reports this, saying,
It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device – or, indeed, to extract the key from the device and import it into other DPI devices, and use those for interception. Perhaps ones from more competent vendors.
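The situation described above can be replayed end to end with Go's standard x509 library. The following is an added example written for this page; it is not code from Cyberoam, Tor or the original article, and every key and CA name in it ("Constructed Public Root", "Constructed DPI CA", the host `example.com`) is constructed on the spot. It shows the defender-side check that survives a user-installed interception CA: pinning the SPKI hash of the genuine site key. A certificate minted by the interception CA validates in a trust store that contains that CA, but fails the pin; and because a second device carrying the same CA private key produces certificates that validate against the first device's installed CA certificate, the example also shows why a shared key makes every device's victims reachable from any other device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // unique serial numbers for the constructed certificates

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// sign fills in serial and validity, signs tmpl with the issuer's key and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// newCA self-signs a CA certificate for name over key (the names used below are constructed stand-ins).
func newCA(name string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, &key.PublicKey, key)
}

// issueLeaf has ca mint a server certificate for host over a fresh key, as the DPI box does per site.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return sign(tmpl, ca, &genKey().PublicKey, caKey)
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value an HPKP-style pin compares.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainsTo reports whether leaf validates for host when root is the only trusted CA.
func chainsTo(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Outcome is what a pinning client observes: ChainOK means the trust store accepted
// the chain, PinOK means the pinned SPKI hash of the real site key matched.
type Outcome struct{ ChainOK, PinOK bool }

// Scenario replays the situation above with constructed keys: a genuine site certificate,
// a substitute minted by an interception CA the user installed, and a second interception
// device whose CA certificate differs but whose private key is the same.
func Scenario() (genuine, intercepted, otherDevice Outcome) {
	const host = "example.com"
	rootKey := genKey()
	root := newCA("Constructed Public Root", rootKey)
	realLeaf := issueLeaf(host, root, rootKey)
	pin := spkiPin(realLeaf) // recorded by the client on a known-clean connection
	dpiKey := genKey()
	dpiCA := newCA("Constructed DPI CA", dpiKey) // the certificate the victim was made to install
	fakeLeaf := issueLeaf(host, dpiCA, dpiKey)
	dpiCA2 := newCA("Constructed DPI CA", dpiKey) // device B: same key, its own CA certificate
	fakeLeaf2 := issueLeaf(host, dpiCA2, dpiKey)
	genuine = Outcome{chainsTo(realLeaf, root, host), spkiPin(realLeaf) == pin}
	intercepted = Outcome{chainsTo(fakeLeaf, dpiCA, host), spkiPin(fakeLeaf) == pin}
	// The victim only installed device A's CA certificate, yet device B's leaf validates
	// against it because the signing key is shared; the pin still rejects it.
	otherDevice = Outcome{chainsTo(fakeLeaf2, dpiCA, host), spkiPin(fakeLeaf2) == pin}
	return
}

func main() {
	g, i, o := Scenario()
	fmt.Printf("genuine: %+v\nintercepted: %+v\nother device: %+v\n", g, i, o)
}
```

Running it prints `ChainOK:true PinOK:true` for the genuine certificate and `ChainOK:true PinOK:false` for both intercepted cases: the trust store, having been told to trust the DPI CA, is no help, while a pin on the real site's key (or on a CA the site is known to use) still flags the substitution. The same logic is what a browser extension or a monitoring agent would run to alert on unexpected issuers.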
When Iran blocked country-wide access to many commonly used services, it also apparently blocked a large amount of secured traffic inside the country. This was done for two effects: to stop Iranians from using SSL technology that may make the Government’s “monitoring” job difficult, and to stop the more tech-savvy Iranians from using TOR. TOR, as we know, is a free Internet anonymizing proxy network that works by routing data from the client software through a network of relays and bridges to an exit node somewhere outside the censored country via secured channels. With the blockade of these channels, the usual 50,000 to 60,000 active TOR connections in Iran plummeted to 20,000 and eventually to near zero. To counter this, the TOR project’s Jacob Appelbaum outlined a new plan that might enable these users to regain access to TOR.
Appelbaum, who had more or less predicted this event a few days earlier, talked about a “new weapon” that TOR has in the “arms race” that might enable users in Iran to start using TOR again. The technology in operation is the TOR Obfuscated Proxy (obfsproxy), which “camouflages” the traffic entering and leaving the TOR client so that it looks like ordinary unsecured traffic, making it usable in a country with a censor as strict as Iran’s.
The TOR project website has detailed technical instructions on setting up a TOR obfsproxy, which Appelbaum admits is a little rough around the edges. However, nothing is ever useful unless it is applied where it is most needed. This technology is manna from heaven for the Iranian Internet democracy fighters. If you have the technical know-how to apply this technology on your TOR bridge or relay, please do so to help out people in oppressed regimes!