
Not that this is going to help. The NSA is probably tapping the fiber at the ISP's backbone in front of Google.

Why do you think it is called PRISM? It's probably named for the way they are splitting the fiber and recording everything.



In the case of DDG, that would be difficult. DDG uses SSL. If you make a mistake and type "duckduckgo.com" instead of "https://duckduckgo.com", it will automatically redirect you to the secure page. Unfortunately, that redirect gives a man-in-the-middle an opportunity to hijack your connection, even with SSL; however, that's tricky enough that it's hard to imagine anyone pulling it off without ever being noticed.


HSTS allows a site to indicate that in the future it should always be loaded over a secure connection, so you only have an interceptable connection the very first time you visit that site. Both Firefox and Chrome allow sites to add themselves to a list to "preload" HSTS enforcement, so even that initial connection which is man-in-the-middle-able doesn't happen.

I don't see them in the current lists, so DDG should contact Mozilla and Google to get added to their preloaded HSTS lists[1][2] so all connections will automatically happen only over HTTPS.

[1] http://dev.chromium.org/sts

[2] https://blog.mozilla.org/security/2012/11/01/preloading-hsts...
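Added example, not part of the comment above and not any browser's code: a toy Python model of the HSTS behaviour described there, showing that a typed hostname goes out over plain HTTP until a policy has been learned over HTTPS, and that a preload entry closes that first-visit window. The `HstsStore` class, its method names, and the treatment of preloaded entries as covering subdomains are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def parse_sts(value):
    """Parse a Strict-Transport-Security value; returns None if max-age is missing."""
    max_age, subdomains = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            subdomains = True
    return None if max_age is None else (max_age, subdomains)

class HstsStore:
    """Toy model of browser HSTS state: a preload list plus hosts learned from headers."""
    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)   # assumed to cover subdomains (simplification)
        self.learned = {}                 # host -> (expiry_time, include_subdomains)

    def covers(self, host, now):
        """True if the host, or a parent domain whose policy includes subdomains, is known."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            if name in self.preloaded:
                return True
            expiry, subdomains = self.learned.get(name, (0, False))
            if expiry > now and (i == 0 or subdomains):
                return True
        return False

    def scheme_for(self, typed, now):
        """Scheme of the first request sent for what the user typed."""
        parts = urlsplit(typed if "://" in typed else "http://" + typed)
        if parts.scheme == "http" and self.covers(parts.hostname, now):
            return "https"                # upgraded internally, nothing sent in clear
        return parts.scheme

    def note_header(self, host, value, over_https, now):
        """Record a policy; headers seen over plain HTTP are ignored (RFC 6797)."""
        policy = parse_sts(value) if over_https else None
        if policy is None:
            return
        max_age, subdomains = policy
        if max_age == 0:
            self.learned.pop(host.lower(), None)   # max-age=0 removes the entry
        else:
            self.learned[host.lower()] = (now + max_age, subdomains)
```

With an empty store, `scheme_for("duckduckgo.com", 0)` returns `"http"`; after `note_header` is called with `over_https=True`, or when the host is passed in `preloaded`, it returns `"https"`.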


>Unfortunately, that redirect gives a man-in-the-middle an opportunity to hijack your connection, even with SSL

As long as the SSL cert isn't compromised, I don't see how this is possible.


The initial request/redirect response is insecure. So a MITM can intercept the redirect response and replace it with his own content. That content could be, for example, a 200 response status and HTML pulled from the attacker's HTTPS connection to the target site.

So rather than being redirected to a secure connection, I happily communicate with the attacker instead.


But a redirect would change the status bar, right? So presumably it would still be pretty noticeable.


If you have an hour to kill.

http://www.youtube.com/watch?v=MFol6IMbZ7Y


They don't need the existing SSL cert. The "beauty" of SSL is that they can use a cert generated by any CA trusted by your browser, or even a second one from the same CA, even if there's already a cert issued by one.


You are assuming they are looking exactly at search requests. Email is unencrypted and so is DNS. The rest they store in case they can break it later.

They were doing this in 2007 at AT&T Worldcom. I expect it only got better over the past 6 years.



It could also be named PRISM as a form of misdirection, to make people think that the codename referred to upstream-collection operations. (It's beyond doubt that upstream collection is still ongoing too, though.) Or it could be that spy organisations just like optical metaphors. FWIW the "You Should Use Both" slide seems to use PRISM to refer specifically to the "direct collection" and not the upstream collection capability.


Or it could be an API for issuing FISA warrants and collecting the requested data.

(The NSA may very well be doing both.)


They are probably doing both.



