True Proxies


clokwise

Pretty much all of us here know that True uses a transparent proxy. But what IS that proxy and how does it really work?

First of all, if you have your own website, check your access logs and you may see several proxy references from True users:

REMOTE_HOST=caching2-pnc2.asianet.co.th

REMOTE_ADDR=203.144.143.3

HTTP_X_BLUECOAT_VIA=72B0575E363E142A

HTTP_X_FORWARDED_FOR=58.9.x.x

Many of you will be familiar with these codes; basically they indicate to the web server your IP address and the proxy's IP address. Also, you can see True are using the Blue Coat proxy. But what is the Blue Coat proxy? After checking their website I found out the following information:

Blue Coat can limit bandwidth per connection or by protocol (we sure know that!!)

Blue Coat can also block sites based on a list of URLs (most of us have seen that 'Access Denied' web page at one time or another).

Ok, nothing new. So it turns out that Blue Coat is a popular, though not highly rated, corporate proxy server (it tends to choke when too many users are hitting it.... hmm... sound familiar?). A proxy server such as Blue Coat makes perfect sense in a corporation where they need to monitor and restrict employees' net usage. But place it in an ISP and you have a totally different ball of wax! Here's a little bit more info. Maybe more than True would like you to know:

Blue Coat can generate a detailed report of everyone who is trying to access blocked sites.

Blue Coat can report on any particular user's P2P usage.

Blue Coat can intercept and log all instant messages.

Blue Coat can take action on keywords in the datastream and perform functions such as blocking, rerouting, replacing data, removing data, reporting.

Blue Coat can cache SSL transactions, and in fact it acts as a middleman and can log all SSL transactions in plain text before passing them along. In fact this was the reason I started digging up more details about the True proxy, after learning my overseas internet banking account had been shut down by the bank after too many suspicious transactions. The best reason for this, I figure, would be if it had been cached.

You can learn more from the Blue Coat website: http://www.bluecoat.com/products/

So, these functions can be used for good or evil. In a corporation, for example, automatically removing viruses and spam, or blocking spyware or zombies could be considered a good thing. And the reporting functions can be very handy to uncover corporate espionage. And simply letting employees know that those functions are there, whether or not they are actually used, should keep most employees quite paranoid and make them save their personal net usage for home. I have no problem with this as long as it's clearly spelled out in the employment contract.

But do we trust our ISP to have these same capabilities? I'm not saying True uses all these functions. But they certainly seem to have the capability to do so if they wished -- or if they were pressured to by the authorities or under a legal threat.

I checked the True website (http://www.asianet.co.th/) and there is no indication of any privacy policy. I'm guessing they probably don't even have one. Which means that we, as their customers, have no rights covering our personal information or any transactions we may make using their service. They have the right to use the information they collect on us for any purpose they choose, such as passing information about our movie downloads on to the MPAA, or pass a record of our failed attempts to view a so-called objectionable website on to the police. If an unscrupulous employee of True were to collect our online banking passwords, he could make off with millions of dollars, possibly without ever getting caught.

Feel comfortable now? I don't. I'm cutting off True this Weds (no kidding!). Although I personally go to great lengths to secure my personal information whenever possible, I don't appreciate their lack of a privacy policy, and I almost don't feel any safer browsing at home than from a cyber cafe. Of course True's bandwidth allocation is notoriously awful, that really is the main reason I'm leaving. Are the other ISPs any better options? I guess I'll find out soon enough.

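A site operator can read the variables from the first post mechanically. The following is an added example, not part of the original post: it decides which address to treat as the client, believing `X-Forwarded-For` only when `REMOTE_ADDR` is a proxy the operator has chosen to trust. The trusted list, the function names and every address other than 203.144.143.3 are assumptions made for illustration.

```python
import ipaddress

# Assumption: the site operator decides which proxy egress addresses to trust.
# 203.144.143.3 is the REMOTE_ADDR quoted in the post; other values are constructed.
TRUSTED_PROXIES = [ipaddress.ip_network("203.144.143.3/32")]
PROXY_HEADERS = ("HTTP_VIA", "HTTP_FORWARDED", "HTTP_X_FORWARDED_FOR",
                 "HTTP_X_BLUECOAT_VIA")


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def analyse(environ):
    """Classify one request from its CGI-style variables."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    present = sorted(h for h in PROXY_HEADERS if environ.get(h))
    report = {"peer": str(peer), "proxy_headers": present,
              "client": str(peer), "client_source": "REMOTE_ADDR"}
    if not _is_trusted(peer):
        # Anyone can type an X-Forwarded-For header; only a known proxy's
        # word is worth anything, so keep REMOTE_ADDR as the client.
        return report
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    # Walk right to left: the rightmost entry was appended by the nearest hop.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # redacted or malformed entry such as "58.9.x.x"
        if not _is_trusted(addr):
            report.update(client=str(addr), client_source="X-Forwarded-For")
            break
    return report


# Constructed requests. The first mirrors the log lines in the post, with a
# documentation-range address standing in for the redacted 58.9.x.x.
THROUGH_PROXY = {"REMOTE_ADDR": "203.144.143.3",
                 "HTTP_X_BLUECOAT_VIA": "72B0575E363E142A",
                 "HTTP_X_FORWARDED_FOR": "198.51.100.7"}
FORGED_HEADER = {"REMOTE_ADDR": "192.0.2.44",
                 "HTTP_X_FORWARDED_FOR": "10.0.0.1"}

if __name__ == "__main__":
    for request in (THROUGH_PROXY, FORGED_HEADER):
        print(analyse(request))
```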

BlueCoat SSL Proxy Solution

Blue Coat is solving this problem for IT today with its ProxySG family of secure content appliances. By positioning a ProxySG inside the corporate firewall – in the session path between the internal user and external application – the appliance can act as a secure intermediary between the remote application server and local Web client.  In this type of deployment, the ProxySG will automatically set up a trusted SSL session on behalf of the browser and perform the necessary steps for authentication.  Just as important, the ProxySG will terminate the session containing encrypted data coming into the enterprise.  At that point, data is converted to “clear text” and automatically inspected by the ProxySG.  Decisions on how to handle the data can be based on ProxySG’s advanced session control policies, which enable IT to set policies based on the who, what, where, when, and how of each user/application interaction. Any potentially malicious traffic is automatically blocked at that point, preventing any security breaches in the enterprise. Valid traffic is safely passed on to the Web browser to complete the session.

http://www.bluecoat.com/solutions/ssl-proxy.html

Yes, it is quite a worry - though they have enclosed clear text in quotation marks, so I wonder exactly what is its interpretation of the phrase.


Just as important, the ProxySG will terminate the session containing encrypted data coming into the enterprise.  At that point, data is converted to “clear text” and automatically inspected by the ProxySG.

I see nothing to indicate anything can be manually read or logged at the proxy location during the SSL inspection process. It appears to be an automatic check for malicious code and deletion of such code. I do not believe this is a threat on SSL connections and am very sure international banking would never allow connections to a bluecoat proxy if that were the case.


I'm sure you'll find out that all ISPs here are using this kind of proxy. Not necessarily the same, but the same kind.

Just because they have to, if only to block websites with illegal content.

And ISPs in most countries (including this one) have to keep log files of the websites you're visiting, usually for so-called antiterrorist laws.

Thailand restricts freedom on some points, we all know this and don't have anything to say about it...


Feel comfortable now? I don't. I'm cutting off True this Weds (no kidding!). Although I personally go to great lengths to secure my personal information whenever possible, I don't appreciate their lack of a privacy policy, and I almost don't feel any safer browsing at home than from a cyber cafe. Of course True's bandwidth allocation is notoriously awful, that really is the main reason I'm leaving. Are the other ISPs any better options? I guess I'll find out soon enough.

that SSL thingy totally got me off guard.....

didn't know how vulnerable i actually am....

now going to set up a highly encrypted proxy VPN on my server....(not in thailand)....at least would be much more secure than what i currently am....

i should have done this ages ago cause i travel a lot and i normally don't bother what i am accessing while on hotels network....some unencrypted WIFI i get my paws on....etc etc...

time to go googling now........


I see nothing to indicate anything can be manually read or logged at the proxy location during the SSL inspection process.  It appears to be an automatic check for malicious code and deletion of such code.
Don't forget you are reading the marketing material here, not the actual functionality. How do you define 'malicious code'? Somebody, somewhere, has to manually enter this information into the proxy. But the proxy doesn't ever know it's 'malicious code'. In fact, who says data has to be malicious to be singled out? Sure, the intention may be to use the proxy to block malicious code, but that does not mean it can't be used for myriad other purposes. If I was a baddie at True, I'd log ALL the traffic and grep the login/passwords out of the logs, and then at the appropriate moment, I'd execute my plans for world domination. Dead simple.
I do not believe this is a threat on SSL connections and am very sure international banking would never allow connections to a bluecoat proxy if that were the case.
Banks all have Privacy Policies and Terms of Usage to cover their ass if anything happens to a customer's account. Besides, where do you draw the line as to what traffic you allow and what you don't allow, and how do you go about detecting these things, it's not easy, and how do you explain to your customers they are not allowed because their ISP or their employer uses such and such hardware? Once you get on, it's a slippery slope.

Clearly, the usage of this proxy is intended for corporate environments where the LAN users are all fully aware of the systematic monitoring/flow control of traffic in and out. In which case, monitoring of SSL traffic is perfectly within the employer's rights. However, this proxy should not be used by an ISP, which has no stated privacy policy, on its unwitting customers.

Further, I believe most here would agree that True does not have a reputation as being a very competent or trustworthy company.


now going to set up a highly encrypted proxy VPN on my server....(not in thailand)....at least would be much more secure than what i currently am....

i should have done this ages ago cause i travel a lot and i normally don't bother what i am accessing while on hotels network....some unencrypted WIFI i get my paws on....etc etc...

Check out hamachi www.hamachi.cc. Works on linux and windows, tunnels through multiple NATs and AES-256-SHA1 encrypts all traffic. Painless to setup. And free!!! We use it in my company to connect to the email server, our file and database servers, and we use the built in messaging function to chat. We also proxy our web browsing through it when we connect remotely. We can feel totally safe to use even unsecured wireless networks with Hamachi. It's a godsend.

Been using hamachi for some traffic too, for some time. Fast, easy and free.

Have to check with a couple of technicians to get more opinions on the SSL-'reading' above. AFAIK it shouldn't be so easy to do, but then again, the SSL-project has no security-through-obscurity and the proxy to get all the data the client is getting to compile the key...


Oh my god the OP is in serious danger now and so are you who mentioned hamachi www.hamachi.cc. Expect a visit from the men in black soon. I had it and now have brain implants that are impossible to remove. How about your cellphone na, they can track you wherever you are while it is switched on. Your passwords are put in a database together with your preassigned IP number all traffic is monitored and scanned on suspicious communication or websites you visit.

The next step will be implanting RFID chips so you do not need to carry your passport all the time in the name of the fight against terror. Population control, there is only place for about 1 billion people on this earth (economically) so bird Flu is created to wipe out most of us.

KR,

Alex


The part about SSL sounds like marketing fluff. If you check your security properties when going to banking sites, you can prevent a man-in-the-middle attack (which is what this proxy is accomplishing according to the blurb). They cannot transparently proxy your banking session if they do not hold a copy of the private certificate data for your bank's web hosts, unless they have achieved a breakthrough in cryptographic research that has thus far eluded the international computer science community!

To do what they claim without science fiction, they would have to either:

1. try to issue bogus certificates and hope you click past all the browser-issued warnings about certificates not matching; or

2. find a dishonest certificate authority who would issue bogus certs in the bank's name for the proxy owner, AND get that dishonest certificate authority into your browser's "trusted CAs" list; or

3. deny SSL connections by clients so you have no choice but to go through the non-transparent proxy in "plain text" or have no web access at all.

The last one seems plausible in some highly controlled corporate environments, where you can block all non-sanctioned traffic and effectively control the software on the user's side of the fence too. It is critical to note that this would not be hidden from the user. Your browser would not indicate a secure page.

I think the people worried about SSL safety should read up on the basic "security properties" and other information available from their browser and learn how to use it. This, in my opinion, will serve you better than trying to download some other magic cure-all from another proprietary source and blindly trusting that it helps you.

But if you really need a cure-all, get yourself a bootable "live CD" of Linux and learn how to use that for your web-banking sessions. :o


I think the people worried about SSL safety should read up on the basic "security properties" and other information available from their browser and learn how to use it. This, in my opinion, will serve you better than trying to download some other magic cure-all from another proprietary source and blindly trusting that it helps you.
There is a nice book occasionally available in SE-ED, 'Secrets and Lies' by Bruce Schneier, which gives a good consumer-level overview of computer security, cryptography, certificates etc. Despite the title it is not overly paranoid and quite entertaining. A read will prevent a lot of basic mistakes (like failing to check the certificate of a 'secure' site to see who you are actually securely connected to).

BTW: I think CAT is far more likely to do evil things than True.

Banks all have Privacy Policies and Terms of Usage to cover their ass if anything happens to a customer's account.

I read the fine print on Siam Commercial Bank's terms of use a while back, their policy is that anything unhappy that happens to your bank account is 100% your problem. I asked why, they said 'we have to protect ourselves if something goes wrong'. Idiots.

Edited by Crushdepth

The proxy, as read on their site, will set up an external and one internal SSL-connection. However, TRUE doesn't seem to use this ability or will only use it on specific customers that would like to investigate.

As been mentioned above, dbl-click the SSL-icon in most browsers brings up certificate-info. Look there if anything looks dodgy.

Edited by TAWP
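The certificate check recommended in the posts above (reading the browser's "security properties", double-clicking the SSL icon) can also be done by comparing what the current network path presents against a record made earlier. This is an added example, not part of any post in the thread; the function names, the baseline format and all sample values are constructed for illustration.

```python
import hashlib
import socket
import ssl


def issuer_org(cert):
    """Pull organizationName out of the nested tuples getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def assess(baseline, der, cert):
    """Compare a presented leaf certificate with one recorded earlier."""
    if hashlib.sha256(der).hexdigest() == baseline["sha256"]:
        return "match"
    if issuer_org(cert) == baseline["issuer_org"]:
        return "reissued-same-ca"   # new leaf from the usual CA, typically a renewal
    return "issuer-changed"         # a different CA vouches for this name on this path


def check(host, baseline, port=443, timeout=5.0):
    """Connect with normal browser-style verification, then run assess()."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess(baseline, tls.getpeercert(binary_form=True),
                              tls.getpeercert())
    except ssl.SSLCertVerificationError:
        # The chain does not lead to any CA this machine trusts: the
        # situation in which a browser shows a certificate warning.
        return "untrusted-chain"


# Constructed sample data: stand-in bytes instead of real DER, invented CA names.
GENUINE_DER = b"constructed-leaf-from-usual-ca"
BASELINE = {"sha256": hashlib.sha256(GENUINE_DER).hexdigest(),
            "issuer_org": "Example Public CA"}
SAME_CA = {"issuer": ((("organizationName", "Example Public CA"),),)}
OTHER_CA = {"issuer": ((("countryName", "XX"),),
                       (("organizationName", "Example Inspection Appliance CA"),))}
```

The baseline is only meaningful if it was recorded over a connection you have reason to trust, for example from a different network.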

But if you really need a cure-all, get yourself a bootable "live CD" of Linux and learn how to use that for your web-banking sessions. :o

What is the point of using Linux? You will always have to pass true the Bluecoat proxy. The Bluecoat is made to make your SSL transactions more secure not more vulnerable but of course in the wrong hands anything is possible. If you would know how other providers observe their users you would be very surprised. Big brother is always watching you and that is something that we have to learn to live with

I read the fine print on Siam Commercial Bank's terms of use a while back, their policy is that anything unhappy that happens to your bank account is 100% your problem. I asked why, they said 'we have to protect ourselves if something goes wrong'. Idiots.

Bangkok bank are doing the same thing. I can't stress how irritated it makes me. We should not let them get away with it.

It totally stands to reason that if their system fails or proves to be unsafe, they should be responsible, not the users of the service.

TIT. But it's not ok.
