This proxy stands between you and the internet, scanning your web traffic passively and even saving some of it for later use, hence "caching proxy". It uses some advanced technology to stay invisible but still able to collect and reconstruct files from the traffic passing by, namely DPI. While DPI has recently got a bad vibe in Israel, i don't believe in inherently evil technology. Technology is neither good nor evil. It's the application that may or may not violate the moral boundaries. Quite common analogy to be used while explaining DPI is the post office example. All the information post worker needs to deliver your mail is on the envelope, sending and receiving address. DPI is akin to opening the letter and inspecting its content. Mind you, this analogy is not without defects. Mail packages a routinely screened, etc. I, myself, deployed and used DPI tech in my line of work. It helps to classify traffic prior shaping, detect malicious intent, gather statistics and forensic information. All this has been done for years by private enterprises in order to better control and protect their networks.
My research shows that all three major Israeli providers (BezeqInt, Netvision, 012 Smile) reroute a usual web traffic through their DPI systems. I didn't contact Netvision, but both BezeqInt and 012 Smile refused to even acknowledge the existence of the system claiming that they abandoned such practices years ago. This is not satisfactory and in my book constitutes lying or support stuff is just as ignorant as i was prior my discovery. Even appeal to security, since the way it is done looks awfully similar to man-in-the-middle attack, produced no results. So i stopped wasting my time and money on useless phone calls and emails. Instead, having some free time lately, i concentrated on researching a bit more. The result was my "Tale of a sneaky proxy" post. Since then i made some progress and some of the findings are quite alarming.
As any other software proxies are not exempt from bugs or miscofiguration. Moreover HTTP protocol wasn't build with any kind of transparent proxies in mind, that's why your browser has proxy settings. That is especially true for caching proxies. The Internet Engineering Task Force (IETF) even has a RFC document detailing some of the common problems and workarounds (RFC3143). Given a clever implementation of the proxy at hand i guess it does avoid some of the problems but may introduce others. Most of my experiments were done using BezeqInt ADSL line so the following results and conclusions may or may not be pertinent to other ISPs.
During the exploration i had a feeling that BezeqInt proxy was quite frivolous about what content it's caching. It had no problem caching files that require authentication before downloading. Let me elaborate. You are given a link to a file that asks for username and password to download. You provide your authentication and download the file. Now guess how many copies of the file were made during transmission. Two! One for you and one for BezeqInt proxy cache. I don't think that someone's trying to steal your data. My guess would be - a plain negligence in proxy configuration. That doesn't comfort me either, though. I'd think that many BezeqInt customers would prefer to be aware of such intricacies.
But that's not the worst part of my findings. After looking at all the data i decided to run a simple "cache poisoning" scenario for one of my domains. To my dismay i've succeeded! I was able to force the proxy to cache my version of the file from my other domain. Now imagine this coupled with malicious intent. One can use BezeqInt caching proxy as distribution network for a viruses, trojans, you name it. You think you are downloading some .exe file from a trusted site, nope. It's hackers modified version of the same file that he forced the proxy to cache. You wouldn't know any better. I notified BezeqInt about my findings and i hope it will be fixed soon.
After doing all this research i find myself in a peculiar situation. I can't opt out of the system that "doesn't exist". Changing providers wont help either (may be there are other, smaller ISPs that don't do this kind of traffic surveillance). I have no idea how many customers are affected and the secrecy that this system is surrounded with doesn't give any opportunity to know exactly what has being done with all this surfing data that has being collected or not.
I still have questions that no one seems to have answers for. Should BezeqInt be allowed forcibly reroute its customers through a system like that with no opt-out mechanism? Is there any other purpose besides caching? Should be there any oversight or regulations over this system? I don't know and I'd be happy to hear from someone with insight.
My research shows that all three major Israeli providers (BezeqInt, Netvision, 012 Smile) reroute a usual web traffic through their DPI systems. I didn't contact Netvision, but both BezeqInt and 012 Smile refused to even acknowledge the existence of the system claiming that they abandoned such practices years ago. This is not satisfactory and in my book constitutes lying or support stuff is just as ignorant as i was prior my discovery. Even appeal to security, since the way it is done looks awfully similar to man-in-the-middle attack, produced no results. So i stopped wasting my time and money on useless phone calls and emails. Instead, having some free time lately, i concentrated on researching a bit more. The result was my "Tale of a sneaky proxy" post. Since then i made some progress and some of the findings are quite alarming.
As any other software proxies are not exempt from bugs or miscofiguration. Moreover HTTP protocol wasn't build with any kind of transparent proxies in mind, that's why your browser has proxy settings. That is especially true for caching proxies. The Internet Engineering Task Force (IETF) even has a RFC document detailing some of the common problems and workarounds (RFC3143). Given a clever implementation of the proxy at hand i guess it does avoid some of the problems but may introduce others. Most of my experiments were done using BezeqInt ADSL line so the following results and conclusions may or may not be pertinent to other ISPs.
During the exploration i had a feeling that BezeqInt proxy was quite frivolous about what content it's caching. It had no problem caching files that require authentication before downloading. Let me elaborate. You are given a link to a file that asks for username and password to download. You provide your authentication and download the file. Now guess how many copies of the file were made during transmission. Two! One for you and one for BezeqInt proxy cache. I don't think that someone's trying to steal your data. My guess would be - a plain negligence in proxy configuration. That doesn't comfort me either, though. I'd think that many BezeqInt customers would prefer to be aware of such intricacies.
But that's not the worst part of my findings. After looking at all the data i decided to run a simple "cache poisoning" scenario for one of my domains. To my dismay i've succeeded! I was able to force the proxy to cache my version of the file from my other domain. Now imagine this coupled with malicious intent. One can use BezeqInt caching proxy as distribution network for a viruses, trojans, you name it. You think you are downloading some .exe file from a trusted site, nope. It's hackers modified version of the same file that he forced the proxy to cache. You wouldn't know any better. I notified BezeqInt about my findings and i hope it will be fixed soon.
After doing all this research i find myself in a peculiar situation. I can't opt out of the system that "doesn't exist". Changing providers wont help either (may be there are other, smaller ISPs that don't do this kind of traffic surveillance). I have no idea how many customers are affected and the secrecy that this system is surrounded with doesn't give any opportunity to know exactly what has being done with all this surfing data that has being collected or not.
I still have questions that no one seems to have answers for. Should BezeqInt be allowed forcibly reroute its customers through a system like that with no opt-out mechanism? Is there any other purpose besides caching? Should be there any oversight or regulations over this system? I don't know and I'd be happy to hear from someone with insight.
1 comment:
Back in 2000, I came to a realization that privacy doesn't exist on the internet. Since then, my security solution to enforce privacy is: "I don't care".
What you're saying is, however, very disturbing to say the least.
Let's hope that one day, we'll be able to have some privacy in our own homes.
Post a Comment