[16477] in cryptography@c2.net mail archive
Re: SSL/TLS passive sniffing
daemon@ATHENA.MIT.EDU (Jerrold Leichter)
Tue Nov 30 20:31:09 2004
X-Original-To: cryptography@metzdowd.com
Date: Tue, 30 Nov 2004 19:13:36 -0500 (EST)
From: Jerrold Leichter <jerrold.leichter@smarts.com>
To: cryptography@metzdowd.com
In-Reply-To: <20041130192236.GD26086@randombit.net>
By an interesting coincidence, the article below appeared in the on-line
Computerworld today.
-- Jerry
Universities grapple with SSL-busting spyware
Marketscore could be used to intercept sensitive
information, security experts say
News Story by Paul Roberts
NOVEMBER 30, 2004 (IDG NEWS SERVICE) -
U.S. universities are struggling with a flare-up of dangerous
spyware that can snoop on information encrypted using
Secure Sockets Layer (SSL). Experts are warning that the
stealthy software, called Marketscore, could be used to
intercept a wide range of sensitive information, including
passwords and health and financial data.
In recent weeks, IT departments at a number of
universities issued warnings about problems caused by the
Marketscore software, which promises to speed up Web
browsing. The program, which routes all user traffic
through its own network of servers, poses a real threat to
user privacy, security experts agree.
Columbia University, Cornell University, Indiana
University, the State University of New York (SUNY) at
Albany and Pennsylvania State University are among those
noting an increase in the number of systems running
Marketscore software in recent weeks. Each institution
warned its users about Marketscore and posted instructions
for removing the software.
The software is bundled with iMesh peer-to-peer software,
and may have made it onto university networks that way,
said David Escalante, director of computer security at
Boston College.
The company that makes the software, Marketscore Inc., has
headquarters in Reston, Va., at the same mailing address
as online behavior tracking company ComScore Networks Inc.
ComScore Networks did not respond to repeated requests for
comment.
Reports of infected systems on campuses ranged from a
handful to as many as 200 on one large campus network,
Escalante said.
Marketscore is the latest incarnation of a spyware program
called Netsetter, which first appeared in January, said
Sam Curry, vice president of eTrust Security Management at
Computer Associates International Inc.
"Basically it takes all your Web traffic and forces it
through its own proxy servers," he said.
The redirection speeds up Web surfing, because pages
cached on Marketscore's servers load faster than they
would if they were served directly from the actual Web
servers for sites such as Google or Yahoo. However, those
performance benefits have been elusive.
"People who have installed the software complain to us
that they're not getting any improvement," Curry said.
Richard Smith, an independent software consultant in
Boston, is also skeptical of performance improvement
claims made by Marketscore and others, especially since
many Internet service providers already offer Web caching
for their dial-up customers, he said in an e-mail message.
Cornell's IT security office blocked connections between
the university's network and the Marketscore servers,
according to a message posted on the university's Web
site. Administrators at SUNY Albany took similar steps,
according to a message posted on that school's Web site.
While other legal software programs make claims similar to
Marketscore's about improving Web browsing speed,
Internet security experts are troubled that the software
creates its own trusted certificate authority on
computers. That certificate authority intercepts Web
communications secured using SSL, decrypting that traffic,
then sending it to the Marketscore servers before
encrypting the traffic and passing it along to its final
destination. That traffic could include sensitive
information, including passwords, credit card and Social
Security numbers, Curry said.
Marketscore should be a big concern for companies, such as
banks, with employees who handle sensitive data, Escalante
said.
"I don't know how good it is for parties on either end of
a transaction to have a third party listening in," he
said.
If nothing else, all the extra decrypting and encrypting
slows down SSL traffic, casting doubt on Marketscore's
claims to be an Internet accelerator, Smith said.
CA's eTrust antivirus software labeled Marketscore as
"spyware" up until June of this year but stopped doing so
after Marketscore appealed that designation using an
established vendor appeal process, he said. CA is
currently re-evaluating the spyware designation using a
complicated, multifactor scoring system. The software is
less repugnant than its predecessor, Netsetter, which did
not clearly disclose to users what it did when installed
and made itself difficult to remove.
Marketscore is better on both those counts, clearly
stating both in the end-user license agreement and during
the installation process what the product does, and
providing users with an easy uninstall program. CA
considers Marketscore an example of a new breed of
software that lies in the gray area between spyware and
legitimate software, Curry said.
"Under the old definition, [Marketscore] clearly qualified
as spyware. But there are new categories emerging," he
said.
While Marketscore clearly tracks user behavior, it doesn't
hijack Web browser home pages, spew pop-up advertisements
or conceal its presence, like earlier generations of
spyware did, Curry said.
"There's more granularity. Companies have responded and
... are adding benefits and value to these programs. We're
looking at ways to more accurately identify this," he
said.
Perhaps trying to increase its appeal, Marketscore is
advertising itself as an e-mail protection service, in
addition to an Internet accelerator. According to
Marketscore.com, members will receive Symantec Corp.'s
CarrierScan Server antivirus technology at no cost.
However, that promise doesn't sit well with Symantec,
which said it has no relationship with Marketscore and, in
fact, considers the software spyware, said Genevieve
Haldeman, a company spokeswoman.
"We don't have relationships with companies that make
software we consider malicious," she said. Symantec is
considering legal action to force Marketscore to stop
using its name and logo on Marketscore.com, she said.
Spyware or not, the lesson of Marketscore is that "if it
sounds too good to be true, it probably is," Curry said.
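The defensive counterpart to the mechanism the article describes (a locally installed root CA that lets a proxy re-sign every SSL site) is a periodic audit of the machine's trust store against a known-good baseline. The script below is an added example, not part of Jerry's post or the Computerworld article: it uses Python's standard `ssl` module, whose `get_ca_certs()` returns each loaded CA as a dict with nested `subject`/`issuer` tuples, and flags every self-signed root whose subject is absent from the baseline. The baseline, the store contents and the "Example Accelerator Root CA" name are all constructed for the example; a real baseline would be exported from a clean reference machine.

```python
"""
Trust-store audit: report self-signed roots that a baseline does not list.
Added example (not from the article or the mailing-list post).
"""
import ssl
from typing import Dict, FrozenSet, Iterable, List, Tuple

# A flattened distinguished name: ((attr, value), (attr, value), ...)
Name = Tuple[Tuple[str, str], ...]


def flatten_name(name) -> Name:
    """The ssl module returns a subject/issuer as a tuple of RDNs, each RDN a
    tuple of (attribute, value) pairs. Flatten it so names can be compared
    and used as set members."""
    return tuple(pair for rdn in name for pair in rdn)


def common_name(name) -> str:
    """Pull the commonName out of a (nested or flattened) name for reporting."""
    for attr, value in flatten_name(name):
        if attr == "commonName":
            return value
    return "<no CN>"


def find_unexpected_roots(ca_certs: Iterable[Dict], baseline: FrozenSet[Name]) -> List[Dict]:
    """Return every self-signed certificate (subject == issuer, i.e. a root,
    not an intermediate) whose subject is not in the baseline. A root that
    nobody expected is exactly what an interception proxy needs installed."""
    unexpected = []
    for cert in ca_certs:
        subject = flatten_name(cert["subject"])
        issuer = flatten_name(cert["issuer"])
        if subject == issuer and subject not in baseline:
            unexpected.append(cert)
    return unexpected


# Constructed baseline: the one root this (hypothetical) organisation expects.
SAMPLE_BASELINE: FrozenSet[Name] = frozenset({
    (("countryName", "US"), ("organizationName", "Example Trust"),
     ("commonName", "Example Root CA")),
})

# Constructed store contents, in the nested shape ssl.get_ca_certs() uses.
_ROOT = ((("countryName", "US"),), (("organizationName", "Example Trust"),),
         (("commonName", "Example Root CA"),))
_INTERMEDIATE = ((("countryName", "US"),), (("organizationName", "Example Trust"),),
                 (("commonName", "Example Intermediate CA"),))
_ACCELERATOR = ((("countryName", "US"),), (("organizationName", "Example Accelerator"),),
                (("commonName", "Example Accelerator Root CA"),))

SAMPLE_STORE: List[Dict] = [
    {"subject": _ROOT, "issuer": _ROOT, "version": 3},                 # expected root
    {"subject": _INTERMEDIATE, "issuer": _ROOT, "version": 3},         # not a root; ignored
    {"subject": _ACCELERATOR, "issuer": _ACCELERATOR, "version": 3},   # unexpected root
]


def audit_live_store(baseline: FrozenSet[Name]) -> List[Dict]:
    """Audit the roots Python's default SSL context trusts on this host.
    Pass a baseline exported from a clean machine; SAMPLE_BASELINE would
    flag every real root because it is constructed for the example."""
    ctx = ssl.create_default_context()
    return find_unexpected_roots(ctx.get_ca_certs(), baseline)


if __name__ == "__main__":
    for cert in find_unexpected_roots(SAMPLE_STORE, SAMPLE_BASELINE):
        print("unexpected trusted root:", common_name(cert["subject"]))
```

On the constructed store the audit reports exactly one entry, the accelerator root; the intermediate is skipped because its issuer differs from its subject, and the baseline root passes. Run as a scheduled job with a real baseline, this is the kind of check that would have surfaced the campus installations the article describes before the CA was used to re-sign a banking session.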
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com